SSL VPNs won't save the world

By Joel Snyder
Network World, 06/09/03

Original Article on Network World Web Site

Recently, a newcomer joined the world of VPN buzzwords: Secure Sockets Layer VPN. In April at NetWorld+Interop and at the Network World security tour I moderated last month, attendees had many questions about this new kind of VPN. Some would like to set up a competition, with IP Security and SSL VPNs squaring off in some 21st century version of World Wrestling Entertainment.

Reality is a lot less interesting; there is no competition between SSL and IPSec. The truth is that SSL VPNs have emerged because there's a clear need, one which IPSec has never been able to meet.

I've been involved with VPNs for a long time, and despite the slideware and happy promises of every IPSec vendor in the world, it's clear that IPSec has one very weak spot: remote access, specifically in the area of extranet applications. Multivendor interoperability in IPSec always has been difficult, but in remote-access and extranet applications, about the best that can be said is that IPSec works well only in tightly controlled, single-vendor environments. IPSec remote access can be difficult to deploy for large numbers of users. Where multiple gateways and corporations are involved, such as in an extranet environment, IPSec remote access has had more failures than successes.

I'm excited about SSL technology because it is strong where IPSec is weak. All the difficulties in extranet deployment, multivendor interoperability and general aggravation of multiplatform clients go away. With SSL VPNs, all you need is a Web browser, the universal client. It's great to see a new technology and so many good products come to market to solve a problem that hasn't been addressed well in the past. This is not like ATM to the desk, a solution looking for a problem. SSL can solve real business problems, and at lower cost and aggravation level than IPSec.

This also is why network managers have become excited: They're tired of the hassles and problems involved in extranet remote access, and the simple model presented in SSL VPN products looks not only pretty secure but also easily manageable. SSL isn't as secure as IPSec, but it's close enough to solve the extranet and Web-based remote-access needs of many organizations. And it's about a billion times simpler to deploy and manage.

Of course, it's not going to be that simple. SSL vendors aren't going to be content to work where IPSec is weak; they're going to try to apply their own magic to the general problem of remote network access, which they're not very good at, either. So be prepared for a lot of confusion, claims, misinformation and disinformation.

The real value of SSL VPNs is in their sweet spot: extranets and Web-based remote applications. Focus there, and you can do things that have been impossible with traditional IPSec tools.