A growing number of organizations looking for a fast, secure way to link remote users and business partners are turning away from traditional IP Security-based VPNs and toward products and services based on Secure Sockets Layer technology.
The reasons are many: Browser-based SSL alternatives require little or no software on remote PCs, and in most cases any PC with a browser can be used to make the secure connection, as long as the user can authenticate to a central server. And SSL firewall ports that the traffic uses are generally left open, so firewall reconfiguring is usually unnecessary. The idea is that SSL's simplicity translates into an easier installation and long-term cost savings because of simpler ongoing support.
Yo.net and Aventail are among the growing number of vendors delivering VPNs without using the collection of well-known IPSec protocols.
Conversely, Internet-based IPSec remote access VPNs require software on each remote PC that has to be installed, configured and updated for the VPN to work properly. Firewalls also must be configured in tandem with the IPSec devices to let IPSec traffic pass.
Early last year Toronto specialty clothing maker Accolade Group realized it needed a simple, secure Internet connection so employees in a sales office could reach servers in the main office. The company chose Yo.net because it could set up the link quickly.
Yo.net shipped a pair of servers, one for inside and one for outside Accolade's firewall, along with client software for the remote users' PCs, and Accolade was off and running. "This fits our needs, the price is right, we move on," says Harvey Ngo, Accolade's IT director.
When Rhode Island health consortium Lifespan needed to give hundreds of doctors access to patient files while complying with federal privacy rules, it chose service provider Aventail to set up its network.
"This is probably about as compliant as it's going to get right now," says David Hemendinger, CTO of Lifespan, about the privacy the service offers via SSL cryptography.
Simplicity was key at Alexander Randolph. The application hosting vendor needed to automate customer access to its human resources application, so it chose remote access equipment from Netilla because it required no modification of Alexander Randolph's customers' equipment.
"We can take people on and off this system very quickly. It's as easy as changing their name and password," says Walter Hill, a senior partner at Alexander Randolph.
While users seek these alternatives for the benefits they offer, they also do so to avoid the complexities of setting up and maintaining IPSec VPNs.
"[Aventail's Extranet service] gets me through most firewalls without requiring reconfiguration," says Ralph Rodriguez, CIO of eXcelon, a consultancy in Burlington, Mass. That's important because eXcelon's consultants work from their customers' sites and rely on their customers' networks to tap servers at eXcelon's headquarters.
Despite the ease of configuring the technology, the security offered by these SSL-related VPNs can meet even stringent military standards. The Surgeon General's office for the Air Force uses such equipment from provider uRoam to enable remote-control access to PCs in its Virginia headquarters.
While the security is good, SSL-based remote connections don't fit all needs, says Kent Dallas, principal in Dalliesin, a VPN consultancy in Alpharetta, Ga. "If you are just using e-mail and want to secure it, buy an SSL card for an Apache server," he says. But, for example, gear from vendor Neoteris won't support file-sharing applications, so an IPSec VPN might be the better way to go if you need to share files.
And SSL services don't work with applications that are not Web-enabled, hence the need for Lifespan to buy a second Aventail service based on IPSec. About 20 percent of Lifespan's users need the IPSec option for legacy applications, Hemendinger says.
Users should be wary of the authentication methods they use for granting access to these SSL VPN alternatives, Dallas says. "Most SSL requires a password only, so you need strong, nonguessable passwords. Most SSL implementations do not do client [digital] certificates. Most IPSec implementations use digital certificates," he says.
And because users don't control all the gear that runs the remote access network, they must be prepared for failures beyond their control, Dallas says. "If they have problems, would users still be able to connect? You need to look at what you do if the provider fails and how long it would take you to get back up, either with them or via some backup," he says.
These IPSec alternatives are not cheap. Yo.net equipment costs US$3,500 per site plus $150 per client. Some VPN products cost less, but users say cost was not the major factor in their decision.
"We looked at is as a cost of doing business," Hill says. "We simply had to automate [our client interactions]."
"I really need developers in the field to access our intellectual property," Rodriguez says. "It would be worth it to use Aventail even if it did cost more [than an IPSec alternative]."