IPSec vs SSL

Tyler Durden camera_lumina at hotmail.com
Tue Aug 5 09:38:38 PDT 2003


Continued proliferation of commercialized technologies. I also saw an ad in 
Business Week for a BlackBerry-enabled Palm Phone. Mobile security and 
"Triple DES" were explicitly mentioned.
No doubt 'permissionless' approaches occasionally yield useful fruit, but the 
IP-->VC$$$-->Startup route is at least as important.

-TD


AUGUST 04, 2003

SSL Players Get Feature-Happy

--------------------------------------------------------------------------------

Aventail Corp. and Neoteris Inc. are upgrading security gear to keep pace 
with virtual private networking (VPN) rivals that have focused on IPSec 
technology.

Today, the companies made separate announcements regarding new features to 
their clientless Secure Socket Layer (SSL) VPN solutions (see Neoteris 
Expands SSL Access and Aventail Upgrades VPN Kit). In an effort to build 
products that can eventually replace IPSec VPNs, they've each added broader 
application support, a key issue for SSL VPNs.

The move is important because SSL gear risks becoming somewhat generic; more 
features will be needed to keep pace with technologies such as IPSec.

"For Aventail and Neoteris to succeed they need to become a full replacement 
for IPsec," says Michael Suby, senior research analyst with Stratecast 
Partners. "They've got to prove that SSL holds more value, is just as 
secure, costs less, and is easier to manage than IPSec."

IT managers today have two choices when it comes to secure remote access. 
They can deploy IPSec clients on individual laptops, desktops, and mobile 
devices, or they can use an SSL solution, which utilizes encryption 
capabilities built into browsers and does not require a client-side software 
installation other than the browser.

Each solution has its pros and cons. It's a tradeoff between the simplicity 
of SSL VPNs and the security of IPSec VPNs. Emerging SSL VPN technologies 
generally deliver secure access to more places at a lower total cost of 
ownership, because they include less administrative overhead. But these 
benefits typically come at the cost of important features already available 
in IPSec solutions, like strong desktop security and broad application 
support. As a result, most companies use a combination of the technologies, 
depending on the application.

Some IPSec vendors are starting to add SSL technology. To combat this trend, 
Aventail and Neoteris are taking SSL VPNs to the next level with enhanced 
support for additional applications.

Neoteris has added a new product it calls Network Connect. Instead of 
creating a secure tunnel for a particular application, Network Connect 
creates a tunnel for a network connection. Just like an IPSec network 
tunnel, this allows users access to the entire network, including complex 
applications like streaming media and voice over IP. But unlike IPSec, the 
company asserts that a full-fledged client is not required on end users' 
devices, making it easier to manage and deploy.

The company also announced that it has developed application programming 
interfaces for integration with security products from other companies like 
InfoExpress, Network Associates Inc. (NYSE: NET), Sygate 
Technologies Inc., and Zone Labs. And it has fully integrated features from 
Network Associates and Fortinet Inc. to provide anti-virus support on its 
appliances.

Aventail has also added new capabilities to its OnDemand 3.0 product that 
will expand the type of applications it can support. For example, it will 
now support dynamic traffic redirection, which allows it to identify and 
secure traffic by domain, IP range, or subnet. This eliminates the need for 
making unnecessary changes to IT infrastructure like the domain name 
servers, desktops, or applications. OnDemand 3.0 also now includes support 
for dynamic port assignments. This allows it to support applications that 
use a complex, changing range of ports, like those from SAP AG 
(NYSE/Frankfurt: SAP) and Siebel Systems Inc. (Nasdaq: SEBL).

But the competition from incumbent equipment providers is heating up. Nortel 
Networks Corp. (NYSE/Toronto: NT), which also sells an IPSec 
solution in its Contivity product line, has continued to add new SSL VPN 
features to its Alteon Web switch (see Nortel Expands Security Portfolio). 
Nokia Corp. (NYSE: NOK), a leader in mobile/wireless 
devices, announced SSL VPN support this summer (see Nokia Sweetens SSL). 
Cisco Systems Inc. (Nasdaq: CSCO) is also expected to make 
an SSL announcement soon. NetScreen Technologies Inc. (Nasdaq: NSCN) 
is supposedly shopping for a startup to buy (see NetScreen 
SSL Move Likely). And Check Point Software Technologies Ltd. (Nasdaq: CHKP) 
is likely to evolve its current SSL solution.

"When you have Cisco, Check Point, Nokia, and Nortel all with something in 
this market and all with channel distributors, it's tough competition for a 
small private company," says Stratecast's Suby. "You can be a niche player 
for SSL, but these small private companies are going to have to tie their 
wagons to a large IPSec vendor or some other kind of vendor."

Consolidation has already started happening. F5 Networks Inc. (Nasdaq: FFIV), 
a load balancing appliance vendor, announced two weeks ago 
that it was acquiring SSL startup uRoam (see F5 Buys Into SSL VPNs).

There is still a long list of SSL VPN suppliers out there including:

Array Networks Inc.,
Aspelle Ltd.,
Netilla Networks Inc.,
NetScaler Inc.,
SafeWeb Inc., and
Whale Communications Ltd.

 Marguerite Reardon, Senior Editor, Light Reading





