With today's enterprise employees frequently working from remote offices, on the road and from home, VPNs have become essential tools, enabling distant employees to securely access server-based information. But now there are two kinds of VPN available. Which one is best? The answer appears to be both.
Internet Protocol security (IPsec) VPNs have been dominant for a number of years. The technology works at OSI Layer 3 to create a "tunnel" into the network, so that as devices log on, they act as if they are physically attached to the LAN.
Newer Secure Sockets Layer (SSL) VPNs work at Layer 4, the application layer. Users access individual applications via a Web browser. Administrators can determine access by application, rather than providing access to the entire network.
The IPsec VPN gateway and firewall market raked in more than $2 billion in 2003, according to San Antonio-based research firm Frost & Sullivan. In 2003, the newer SSL VPN market was a much smaller $89.7 million.
But according to Robert Whiteley, an analyst with Cambridge, Mass.-based Forrester Research Inc., those numbers are likely to change over the next five years. By 2008, Whiteley expects that most companies will use SSL VPNs for remote access.
"IPsec will be deployed for niche applications or in companies that are resistant to change," Whiteley said.
Not all analysts are as bullish on SSL VPNs, but most see a growing need for the technology. And analysts said that most companies will end up deploying both IPsec and SSL VPNs.
SSL on the rise
Even today -- in the early stages of SSL VPN adoption -- a sizable number of companies are taking up the technology.
According to a recent survey by Framingham, Mass.-based research firm International Data Corp., 44.1% of the 305 companies surveyed that use remote access technologies use IPsec VPNs alone. But 28.8% use both SSL and IPsec VPNs.
One of the reasons behind the increasing adoption of SSL VPNs is that the required client management for IPsec VPNs can be cumbersome, said Steven Harris, research manager with IDC.
Problems with client management are what led Catholic Health System, a health care provider based in Buffalo, N.Y., to reconsider its VPN approach.
The 8,000-employee company, which has 1,000 physicians in 40 locations, first deployed an IPsec VPN to a small group of doctors to use to view X-rays. Because the doctors needed to use home computers, the IT department sent out CDs with the VPN software on them.
Of the nine doctors who received the CD, only one was able to properly install the client and make it work, said Doug Torre, Catholic Health System's director of networking and technical services.
Rather than send IT staff to each doctor's home to battle with old operating systems, Torre bought each doctor a new PC provisioned with the client and sent the machines out to the doctors.
He thought he had found a solid solution, until the next VPN request came in -- for 500 new users. "That was going to be very difficult to do on the model we developed," Torre said. "So we set out to find a better way."
Torre came across SSL VPN technology, which allows users to call up a Web page, plug in a password and access the application they need. The IT department does not need to deploy or manage clients; a thin client is downloaded onto the user's computer when he or she logs on for access via the Web link.
"It's great from the user perspective," Torre said. "Our applications are supported by the Web browser."
Catholic Health System has gone from an all-IPsec VPN organization to one that has now deployed SSL VPNs to between 200 and 300 users. It uses only 20 IPsec VPNs for site-to-site connectivity.
So long, IPsec? Not so fast
Most organizations are likely to hang onto IPsec VPNs for such intra-office connections, Whiteley said. In addition, he said IPsec VPNs make sense for IT administrators and others who need remote access to a large array of network resources.
Customers are beginning to find more SSL VPN vendor choices as well. Whiteley said there are 25 vendors that offer some form of SSL VPN access. While that market will likely shake out, the biggest vendors see a strong future in SSL VPNs.
Juniper Networks Inc., a top-five vendor of IPsec VPNs, which also acquired market-leading SSL VPN vendor NetScreen Technologies earlier this year, sees a growing role for SSL VPNs and a continuing need for IPsec VPNs as well.
While the IPsec site-to-site market is much larger than the remote user market, it is a segment that's maturing, said Johnnie Konstantas, a senior product manager with Sunnyvale, Calif.-based Juniper. The smaller remote user market has great potential for growth.
"That is great news for us because we offer both solutions," she said.