
Making the SSL VPN decision: What you should know and ask

A renewed interest in SSL VPNs prompted Forrester Research to pose three deployment-determining questions to prospective buyers before they plunk down any cash.

Interest in secure sockets layer (SSL) VPNs is back, and one research firm says it's time to take a closer look at your deployment plan to figure out what kind of product suits your needs.

The first half of 2005 saw an early-adopter SSL VPN frenzy, but that petered out into a six-month lull. By the end of that year, Forrester Research estimates, 50% of large enterprises were actively using or considering an SSL VPN deployment.

Now more companies are considering or deploying the technology, following in the early adopters' footsteps. That renewed interest prompted Cambridge, Mass.-based Forrester Research to identify three main questions companies should ask themselves before choosing an SSL VPN or a specific vendor.

In a recent report, "How To Choose An SSL VPN in Three Easy Steps," Forrester analyst Robert Whiteley outlines which type of deployment is right for which companies, depending on their specific needs and uses, and which vendors make the products best suited to those needs.

An SSL VPN is a remote-access VPN that terminates in the SSL/TLS stack a standard Web browser already has, so a company does not have to install and manage a dedicated VPN client on every remote device. In pure clientless mode, remote users make secure connections from any laptop or PC through a browser; modes that give full network access typically push a small agent or browser component down to the endpoint on demand.

Whiteley said SSL VPN adopters have two different mentalities: user-focused and application-focused. Which focus applies is the first and most important thing firms must decide before proceeding.

The user-based approach gives remote users transparent, full network access, much like being on the LAN. VPNs for that type of deployment typically have both IPsec and SSL VPN termination in one appliance and strong endpoint security and network access control (NAC) technologies. Vendors in the user-focused space often offer SSL VPNs as an option in other networking tools like routers, Ethernet switches or all-in-one security appliances.

Products in the user-focused space include Cisco Systems Inc.'s VPN 3000 Series Concentrators, Juniper Networks' Secure Access appliances, Nortel Networks' VPN Routers and products from AP Networks, Whiteley said.

With an application-based approach, the company focuses on the applications that need to be published to remote users. Whiteley said application-focused SSL VPNs place a stronger emphasis on back-end application integration and provide better access in pure clientless mode, such as through a Web browser.

Application-based SSL VPNs also integrate endpoint security, but put more weight on policy administration. They have more intuitive user interfaces than user-based SSL VPNs and strong management capabilities. Leading vendors and products in the application-based SSL VPN market include Aventail's EX line, Citrix Systems' Access Gateways, F5 Networks' FirePass, Whale Communications' Intelligent Application Gateways and Permeo.

"Although these differences are subtle, firms should ask this question first to determine the basic direction of SSL VPN deployment," Whiteley said. "If the networking or WAN staff is driving the purchase decision, then start with user-focused devices. If your application group -- including those driven by lines of business -- remote access specialists, or enterprise mobility initiatives are driving the project, then start with application-focused devices."

Once the question of whether the deployment will be user- or application-focused is answered, companies must now ask how they want to deploy endpoint security mechanisms. Do they want them integrated or embedded?

Forrester breaks endpoint security into three major components:

  • A basic host check, which scans the end device to verify that required software such as antivirus and a personal firewall is installed and up to date and that the OS is at the required patch level.
  • A cache cleaner, which wipes downloaded files and cookies from the browser cache when the session ends.
  • Session encryption, which typically uses Java to build a virtual "sandbox" so that all activity during the VPN session is isolated and encrypted, and which is removed once the user logs out.

According to Whiteley, most SSL VPNs include a basic host check before authentication, but for more complex protections such as advanced cache cleaning and encrypted sandboxes, companies will need to integrate a third-party tool like those from Sygate, Check Point Software or Trust Digital. Integrated endpoint security offers a wide range of options, but it requires manual configuration and opens the door to policy missteps, which translate into additional labor and cost.
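As an added illustration (not code from Forrester or from any vendor named on this page), the following Python sketches the pre-authentication host check described above: the gateway receives a posture report from the endpoint, evaluates it against a policy and maps the result to an access level, failing closed on anything it cannot verify. The report fields, the policy thresholds, the three access levels and the sample inputs are all assumptions constructed for the example.

```python
"""Illustrative SSL VPN host-check policy evaluator (example code, not any vendor's)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Access levels the gateway can grant (assumed names for the example):
# full network access, a restricted clientless portal, or no access at all.
FULL, RESTRICTED, DENY = "full", "restricted", "deny"


@dataclass
class PostureReport:
    """What the host-check agent reports back. Field names are assumptions."""
    os_name: str
    os_patch_level: str                   # dotted version string, e.g. "5.1.2600.2"
    antivirus_present: bool
    antivirus_signatures: Optional[date]  # date of the last signature update, None if unknown
    firewall_enabled: bool
    managed_device: bool                  # corporate asset vs. kiosk/home PC


@dataclass
class HostCheckPolicy:
    min_patch_level: Dict[str, str]       # os_name -> minimum acceptable patch level
    max_signature_age_days: int = 7


def parse_version(v: str) -> Tuple[int, ...]:
    """Compare patch levels numerically: "5.1.2600.10" must rank above "5.1.2600.2",
    which a plain string comparison gets wrong."""
    return tuple(int(part) for part in v.split("."))


def evaluate(report: PostureReport, policy: HostCheckPolicy, today: date) -> Tuple[str, List[str]]:
    """Return (access_level, reasons). Hard failures deny; soft failures or an
    unmanaged device fall back to the restricted portal; unknown values fail closed."""
    hard: List[str] = []
    soft: List[str] = []

    required = policy.min_patch_level.get(report.os_name)
    if required is None:
        hard.append(f"unsupported OS {report.os_name!r}")
    else:
        try:
            if parse_version(report.os_patch_level) < parse_version(required):
                hard.append(f"patch level {report.os_patch_level} below required {required}")
        except ValueError:
            # An agent reporting something we cannot parse is treated as non-compliant.
            hard.append(f"unparseable patch level {report.os_patch_level!r}")

    if not report.antivirus_present:
        hard.append("antivirus not installed")
    elif report.antivirus_signatures is None:
        hard.append("antivirus signature date unknown")
    elif today - report.antivirus_signatures > timedelta(days=policy.max_signature_age_days):
        soft.append("antivirus signatures stale")

    if not report.firewall_enabled:
        hard.append("personal firewall disabled")

    if hard:
        return DENY, hard + soft
    if soft or not report.managed_device:
        reasons = soft + ([] if report.managed_device else ["unmanaged device"])
        return RESTRICTED, reasons
    return FULL, []


if __name__ == "__main__":
    # Constructed sample: a policy requiring Windows XP SP2 and fresh AV signatures.
    policy = HostCheckPolicy(min_patch_level={"Windows XP": "5.1.2600.2"})
    report = PostureReport("Windows XP", "5.1.2600.2", True, date(2006, 2, 28), True, True)
    print(evaluate(report, policy, today=date(2006, 3, 1)))
```

The ordering matters: the gateway decides the access level before the user authenticates, so a denied host never reaches the login page, and a healthy but unmanaged host is steered to the clientless portal rather than handed a LAN-like tunnel.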

"[Vendors say] we'll give you the hooks to integrate," he said, estimating that roughly 70% of companies use integrated endpoint security in their SSL VPNs.

Embedded endpoint security, on the other hand, is built into the appliance. Embedded tools often have streamlined policy configuration that gives full access control from a single administrative console. The downside, however, is a company that selects an embedded product is locked into what the vendor offers and must rely on that vendor to provide timely security enhancements. An embedded solution could also duplicate efforts if a company already has NAC in place from vendors like Cisco, McAfee and Symantec.

"Ultimately, a company needs to decide if it prefers best-of-breed security -- and subsequently pay a slight premium for it -- or if ease of use and simplicity is more important," Whiteley wrote. "Integrated and embedded endpoint security will address each of these priorities respectively."

Lastly, with the SSL VPN's focus and the type of endpoint security settled, the final question a company must ask is: How many employees need secure remote access?

Forrester classifies a low-volume deployment as 2,000 or fewer concurrent users. Whiteley warns that although SSL VPNs are advertised as supporting a larger number of users, the appliances should not be pushed to their limits. As a rule of thumb, Forrester suggests enterprises assume 10% of their staff will require concurrent access. Low-volume deployments should also factor in projected staff growth so the appliance can support future users.

High-volume deployments, by contrast, must handle 2,000 or more concurrent users on a single box. SSL VPNs for high-volume deployments are often found in larger application acceleration platforms, such as F5's BIG-IP, which runs the FirePass SSL VPN.

"Mainstream folks don't typically have a large number of remote access users," Whiteley said.
