With its SSL site-to-site VPN gear, Array Networks is making it possible to rachet down controls on network access between business partners and to simplify the infrastructure of corporate VPNs.
Array's new Site2Site software for its existing SSL appliances will support SSL VPN connections over the Internet between LANs in separate buildings. To date, SSL VPNs have been restricted to remote-access connections between single computers and VPN gateways.
Gateway-to-gateway VPN links were the sole province of IPSec VPNs, and customers could use either IPSec or SSL VPNs for remote access.
Insurance broker Hub International in New York City chose IPSec for site-to-site access and SSL for remote access because SSL has certain advantages over IPSec, says Tarron Weir, vice president and CSO for the firm.
SSL requires only a Web browser on remote machines to make a VPN connection to Web applications. With SSL, client software or a software agent can be downloaded on the fly to give remote machines full network-layer access equal to that of IPSec. IPSec remote access, on the other hand, involves installing client software and setting up tunnels ahead of time.
Hub uses Cisco IPSec gear as a backup to its frame relay network; if the frame network goes down, the IPSec equipment connects company offices to headquarters over the Internet, Weir says.
He says he will phase in Array's site-to-site features over the next two months to save on VPN administration time. "You have no idea how much time it takes to administer IPSec tunnels to business partners and vendors," he says.
With SSL, these connections can be made through standard SSL ports in firewalls. In addition, IPSec creates network-layer access, opening up all a business's resources to the remote-access user unless the business takes extra steps to isolate specific resources, says Michael Suby, an analyst with Stratecast Partners. SSL can restrict users per application via its application-layer connectivity, Suby says.
For this reason, Weir says the site-to-site SSL VPN will make it simpler to restrict the access of business partners and vendors to Hub's network. "These are trusted partners, but I still don't want to give them total access," he says.
For some customers, phasing out IPSec gateways also will mean one less device to manage, although single IPSec/SSL gateways do exist. Customers can buy gateways that support both IPSec site-to-site and SSL remote access, for example, gear made by Caymas, Cisco and Nortel, says Rob Whiteley, an analyst with Forrester Research. "So any site-to-site connection can be set up using IPSec and still maintain all the benefits associated with SSL for remote access," he says.
Site-to-site SSL gear probably will be adopted by businesses that don't have site-to-site VPN connections or by businesses that have these connections but choose to phase in SSL as they add sites, Suby says. Even Array says it doesn't expect customers to rip out site-to-site IPSec gateways to replace them with SSL.
The software can be installed on Linux devices, letting them talk directly via VPN to other machines. For instance, a PC used for sales in a retail store could act as a gateway to headquarters for uploading sales information, Array says. Customers could configure the gateways to create point-to-point or mesh networks.
The Array software ships in early 2007; pricing for it will be set in two weeks, the company says.