
SSL VPNs: Remote Access for the Masses

By Andrew Conry-Murray

NetworkMagazine.com

Secure Sockets Layer (SSL) for remote access is based on a simple concept: use the encryption and authentication capabilities built into every Web browser to provide secure remote access to corporate applications.

By combining SSL-enabled Web browsers with a secure gateway that terminates connections and enforces policy and access control, so-called SSL VPNs provide access to Web-based, legacy client/server, and terminal applications from anywhere (home PCs, hotel business centers, Internet cafes, or a business partner's LAN) without an IPSec VPN client. It's one of those ideas that make you say "Why didn't I think of that?"

The companies that did think of it are now working very hard to turn that idea into market share. Regardless of which brand wins the biggest piece of the pie graph, here's why the idea is a good one:

First and foremost, SSL is everywhere there's a Web browser. The result is millions and millions of preinstalled clients ready for use. This introduces remote access to a broader user population than is typically feasible with IPSec VPNs.

"Smaller companies don't have the resources to support IPSec clients," says Jason Matlof, vice president of marketing and business development at Neoteris, maker of an SSL remote access appliance. "Larger companies have the budgets to support 10 or 20 percent of elite users with IPSec."

"The real catalyst in this market is addressing constituencies that haven't been addressable," he says. "Eighty to 90 percent of users and business partners can get controlled access to certain resources without compromising security."

Second, SSL isn't a brand-new technology that must win over skeptics. Its public-key handshake and the symmetric ciphers it negotiates have been poked and prodded by security experts for years. Banks, governments, and major retailers entrust billions of dollars in transactions to it. Invented by Netscape, SSL has graduated into an IETF standard under the moniker of Transport Layer Security (TLS). Thus, the move to remote access is merely a new application of a well-established technology, not a new technology seeking a useful application.

Third, SSL remote access enjoys the supreme advantage that all new products have: the ability to attack an incumbent's weaknesses. In this case, the incumbent is the IPSec VPN, and SSL marketing literature invariably aims its spear at IPSec's jugular: the client.

CLIENTS? WE DON'T NEED NO STINKING CLIENTS

The IPSec VPN client has three strikes against it. First, the client restricts users to a single machine, which isn't as flexible as browser-based remote access. "You can go from mobile phone to a Wi-Fi connection to your corporate broadband connection very easily with SSL," says Jude O'Reilley, senior product marketing manager at Aventail, an SSL remote access vendor.

"With IPSec, each one of those networks requires work from the IT staff," says O'Reilley. "Every new network causes pain for IPSec managers."

Second, the IPSec client software can be difficult to manage. "IPSec clients modify the network drivers and the network stack, and if you don't have tight control over the OS on those machines, it's going to get complex," says David Thompson, senior research analyst for technology research services at the META Group (www.metagroup.com). "IPSec works well on company laptops, but for home machines there are conflicts and support calls, and that's universal for all the IPSec vendors."

Thompson says those conflicts and support calls mean added costs for IPSec remote access. "The main cost difference between SSL and IPSec is the support of the client software required for IPSec connections," he says.

Peter Ridgley, principal network engineer for information management solutions provider Iron Mountain (www.ironmountain.com), supports both an SSL remote access solution from Neoteris and an IPSec VPN. He says the Neoteris product has been easier to manage.

"Neoteris doesn't need much babysitting, just occasional code upgrades and compliance reviews. We use Nortel Contivity for IPSec remote access and it's stable, but it requires more maintenance." That maintenance includes help desk costs, software upgrades, and new user adds, he notes.

The third strike is end-user complexity. "SSL is fabulous from a corporate standpoint because you don't have to teach people a new procedure," says Yankee Group (www.yankeegroup.com) analyst Eric Ogren. "Everybody knows how to use a browser."

DOWNSIDES OF THE BROWSER

An irony of SSL VPNs is that their greatest asset, browser-based access, is also their most problematic feature. The freedom and mobility of the browser means that your users can run applications and access network resources from just about anywhere: a partner site, an airport kiosk, an Internet cafe, even a friend's house.

While that freedom may boost productivity, it also exposes your network to an unlimited number of computers whose security state is unknown (and in some cases unknowable). Your network may experience increased risk from viruses, Trojans, and other malicious code, such as keystroke loggers.

Browser-based access has other complications as well. Default user authentication is limited to a username and password, a notoriously weak factor on its own, and one that is easily captured on an untrusted keyboard. In addition, most SSL solutions also require an ActiveX or Java download to provide the most complete access, but remote machines may not allow those applets to run, thus denying access. Finally, browsers may cache documents or screens at the remote machine, potentially exposing sensitive information. Users who forget to log out of browser sessions present the same risk.

Savvy vendors are addressing these issues, but their methods complicate the original simplicity of the solution. These complications don't invalidate SSL remote access-even with extras such as tokens or digital certificates, SSL may still be easier and less costly than IPSec VPNs. (For a comparison of SSL and IPSec, see the table.) However, it's important to know that nothing is as simple as marketing literature would have you believe. Thus, we've detailed the top four concerns regarding SSL here:

  1. Users will access corporate resources from untrusted (and untrustworthy) computers. IT administrators know it's difficult enough securing the PCs under their control. Machines outside their control should be treated with suspicion. In August 2003, for example, The New York Times reported a story about a man who had installed keystroke logging software on Internet terminals at Kinko's copy stores around New York City. According to the report, the man harvested personal information on 450 people who had used the kiosks. The crime was only uncovered when one of the victims actually saw his computer being controlled by a remote user.

    IPSec VPNs don't suffer from this level of exposure because it's common practice to install anti-virus signatures, personal firewalls, and policy enforcement programs from companies such as Zone Labs, Sygate, and InfoExpress along with the client. Not so for SSL remote access.

    "It's a bit of a nightmare from a security perspective," says META's Thompson. "SSL vendors are struggling with authorization with different endpoints. You may trust the user but not the computer, and it's hard to figure that out if you don't have a client."

    Several SSL vendors, such as Aventail, Neoteris, and Netilla, support personal firewalls. This is a good step, but there's no guarantee that users will be coming from a machine that has a firewall or anti-virus software installed. In such cases, many vendors will limit application access.

    "We can detect a personal firewall and make a policy decision based on that," says Aventail's O'Reilley. Aventail also plans to roll out a security feature it calls Desktop Watermarking, in which a specific machine, such as an employee's home PC with anti-virus software and a personal firewall, is identified and registered by the SSL remote access server.

    "A watermark is a combination of factors," says O'Reilley. "It will combine an encrypted cookie with an MD5 checksum done on a section of the hard drive that's unlikely to change, and maybe a digital certificate."

    The idea is that watermarked PCs will be given deeper access to network resources than other machines. "We'll provide control to let an IT person say if a user comes from a corporate laptop, he gets everything," says O'Reilley. "When he's accessing from an airport kiosk, he gets an internal home page. You can tailor access based on the environment and what you've done to protect that environment."

    Other vendors are also devising methods for restricting access based on the condition of the remote machine. Many support digital certificates that identify a trusted computer; others will scan the computer. For instance, Nokia's Secure Access System, an SSL remote access appliance, employs a client integrity scan. This scan checks the user's device for anti-virus software, a personal firewall, and open ports that may indicate the presence of a Trojan. Once the appliance establishes a trust level, it adjusts access privileges accordingly.

  2. Strong user authentication requires add-ons. If you're investigating SSL remote access as a low-cost alternative to IPSec VPNs, be aware that while the sticker price for such a solution may be agreeable, add-ons are going to up your costs.

    A case in point is user authentication. The default method is via a username and password, but while this might be adequate for remote e-mail, experts say it's not enough for other resources.

    "If you offer SSL access into deep-end applications, a higher form of authentication is called for," says Yankee's Ogren. "A token is the obvious first choice, and a biometric is the obvious last choice," he notes.

    SSL vendors also agree that in many cases, usernames and passwords aren't sufficient. "Most of our customers require some form of two-factor authentication," says Reggie Best, president and CEO of Netilla. "Generally it's tokens, but some are using smart-card solutions."

    These solutions will add to both your equipment and support costs, and should be considered carefully. Dual-factor authentication also puts more of a burden on end users, who have to be trained to use the token or the smart card and then remember to keep it with them (along with any additional devices, such as a USB-connectable card reader).

    While other SSL vendors support dual-factor authentication, Rainbow Technologies (www.rainbow.com) goes a step further by offering authentication hardware as part of its remote access package. Rainbow's NetSwift iGate appliance, which provides SSL-based access to Web and client/server applications, also includes 100 USB keys and management software in its starting price.

  3. Remote machines may block applets required for sophisticated SSL remote access. While it's true that browser-based remote access is "clientless" in the sense that the browser (the de facto client) is preinstalled, many SSL VPNs rely on downloadable applets to provide access to sophisticated applications.

    For instance, Neoteris, Aventail, and Netilla, among others, offer a form of SSL "tunneling" that mimics an IPSec VPN and lets users run "fat client" applications such as ACT and Microsoft Outlook. However, the tunneling feature requires an applet, usually ActiveX, to be downloaded to the remote machine.

    The catch is that many of the systems employed for remote access (such as airport kiosks) may not allow those applets to install, thus locking out the user.

    Craig Lockwood, CIO and corporate client manager at Fujitsu, uses Aventail's SSL VPN service for 4,000 employees. He says his users have experienced just this problem with SSL remote access, particularly when Fujitsu consultants go to customer sites.

    "Very few clients allow us to download the tunneling applet," he says. "It shuts you out of access to file servers." However, he does note that client customers haven't had a problem with Fujitsu consultants using SSL remote access for e-mail and Oracle applications. "Most do allow you to come in through the browser where there's nothing installed," he says.

    Vendors admit that the tunneling feature begins to move away from SSL's main benefit of anywhere access from any machine.

    "This is for a corporate-supplied PC," says Netilla's Best. "Most organizations wouldn't allow tunneling from a kiosk."

  4. Sensitive information may remain on the remote machine. When it comes to SSL, the caching function employed by browsers to improve performance can also become a potential breach of security or confidentiality, especially if users are working with sensitive applications and documents at publicly accessible terminals. A simple click of the "back" arrow may reveal information (e-mails, application screen shots, and so on) that corporations would rather keep to themselves.

    "That's a very real issue," says Aventail's O'Reilley. "The dark side of Web-based access is you never know where that user is. There could be inadvertent disclosure of information."

    Both Aventail and Neoteris address this issue through an administrator-defined option to render content in a non-cacheable format, in effect turning off the caching function at the endpoint. "We also block auto-completion, such as asking a user to save a password on the machine," says O'Reilley.

    Neoteris and Whale Communications (www.whalecommunications.com) go even further. Their platforms include file scrubbers, which are executable applets that are downloaded to a remote machine to wipe out temporary files stored by the browser.

    Again, however, this function is at the mercy of the remote machine. "If the end-user machine has a lock on executable code, this scrubber won't work," says Neoteris's Matlof. "Every vendor has this problem." However, he notes that the platform can be configured to kill a user's session if the executable isn't allowed to run.

    Netilla also plans to offer a solution to cached files, but as of press time, the company couldn't provide significant details.

    Forgetful users may also expose information by not logging off at the end of a work session, leaving a live connection into your application for the next person who comes along.

    Vendors such as Neoteris and SafeWeb (www.safewebinc.com) have addressed this issue by allowing administrators to time out idle sessions. Whale also lets administrators force users to periodically reauthenticate, ensuring that the person at the remote machine is a legitimate user.
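The four concerns above amount to a set of decisions a gateway has to make on every request: what the endpoint's condition permits (concern 1), whether the response may be cached or autocompleted at the endpoint (concern 4), and whether an idle or long-lived session should be killed or re-authenticated (concern 4 again). The following Python sketch is an added example written for this page, not code from Aventail, Neoteris, Whale, Nokia or any other vendor named here. The tier names, resource paths, timeout values and the Posture fields are assumptions chosen for illustration. In a real deployment every posture field except the client-certificate check is self-reported by an applet running on the endpoint and can be faked, so the example gates the top tier on the certificate and treats the rest as hints that can only lower access.

```python
import re
from dataclasses import dataclass

# Access tiers from least to most privileged (names are assumptions for this example).
TIER_PORTAL, TIER_WEB, TIER_FULL = "portal", "web", "full"


@dataclass
class Posture:
    """What the gateway knows about the endpoint at login.

    registered_device is the only field established on the gateway side
    (for example a client certificate presented in the TLS handshake). The
    rest are reported by a downloadable integrity check and can be spoofed,
    so without the certificate they can never raise access above TIER_WEB.
    """
    registered_device: bool = False
    check_ran: bool = False      # False if the endpoint blocked the applet
    firewall: bool = False
    antivirus: bool = False


def access_tier(p):
    """Corporate laptop -> full, guarded home PC -> web apps, kiosk or unknown -> portal."""
    if p.registered_device and p.check_ran and p.firewall and p.antivirus:
        return TIER_FULL
    if p.check_ran and p.firewall:
        return TIER_WEB
    return TIER_PORTAL


# Which gateway paths each tier may reach (assumed, illustrative paths).
TIER_RESOURCES = {
    TIER_PORTAL: {"/home"},
    TIER_WEB: {"/home", "/mail", "/apps/oracle"},
    TIER_FULL: {"/home", "/mail", "/apps/oracle", "/files", "/tunnel"},
}


def authorize(tier, path):
    return path in TIER_RESOURCES.get(tier, set())


# Headers that tell the browser (and any intermediate proxy) not to keep a copy.
NO_STORE = {
    "Cache-Control": "no-store, no-cache, must-revalidate, private",
    "Pragma": "no-cache",
    "Expires": "0",
}
# Validator headers are dropped too, so a conditional request cannot revive a cached copy.
STRIP = {"cache-control", "pragma", "expires", "etag", "last-modified"}


def harden_response(headers, body):
    """Render a proxied response non-cacheable and block form autocompletion."""
    out = {k: v for k, v in headers.items() if k.lower() not in STRIP}
    out.update(NO_STORE)
    # Add autocomplete="off" to every <form> that does not already set it,
    # so the browser does not offer to save credentials typed into it.
    body = re.sub(r"<form\b(?![^>]*\bautocomplete=)", '<form autocomplete="off"',
                  body, flags=re.IGNORECASE)
    return out, body


IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session is killed
REAUTH_INTERVAL = 8 * 3600    # seconds after which credentials are demanded again


@dataclass
class Session:
    user: str
    tier: str
    last_seen: float
    last_auth: float


def session_state(s, now):
    """'expired' (idle too long), 'reauth' (authenticated too long ago) or 'ok'."""
    if now - s.last_seen > IDLE_TIMEOUT:
        return "expired"
    if now - s.last_auth > REAUTH_INTERVAL:
        return "reauth"
    return "ok"


def handle_request(sessions, sid, path, now, headers, body):
    """One gateway decision: returns (status, response headers, response body)."""
    s = sessions.get(sid)
    if s is None:
        return 401, {}, ""
    state = session_state(s, now)
    if state == "expired":
        # Kill the session server-side so a stale cookie on a shared terminal is useless.
        del sessions[sid]
        return 401, {}, ""
    if state == "reauth":
        return 302, {"Location": "/login?reauth=1"}, ""
    s.last_seen = now
    if not authorize(s.tier, path):
        return 403, {}, ""
    out_headers, out_body = harden_response(headers, body)
    return 200, out_headers, out_body
```

The idle kill happens on the gateway, not in the browser, because the browser on a kiosk cannot be trusted to run a logout script; the same reasoning is why the top tier is gated on something the gateway verifies itself rather than on what the integrity check reports.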

LEADERS: TODAY AND TOMORROW

As of August 2003, 17 vendors were offering some form of SSL remote access. That's a ridiculous number for a new market that has yet to generate significant revenues. A report from market analyst In-Stat (www.instat.com) pegs the entire SSL remote access market at just $21 million for 2002.

And yet, both little-known start-ups and brand-name vendors are aiming for a slice of that revenue pie. That's because the SSL VPN market is demonstrating startling growth. According to In-Stat, SafeWeb shipped 13 units in the first half of 2002, but nearly quadrupled that figure in the second half of the year, shipping 51 units. Neoteris boasts even more impressive figures: 270 units shipped in the second half of 2002, compared to 73 for the first half.

With so many vendors competing for your business, how do you choose? Conventional wisdom dictates picking a name you've heard of. In this case, however, that's no guarantee of a good choice. That's because despite the presence of some heavyweight players, the current SSL VPN market leaders are young guns Neoteris and Aventail.

Each company offers strong access capabilities for a full range of applications, including Web-enabled, client/server, and terminal applications. Aventail was the first to market the concept of SSL VPNs in 1996, which it offered as a managed service. Aventail now also sells standalone SSL appliances, and the company expects the majority of its revenue to come from the appliances rather than the service offering.

Neoteris has made strong headway with its own SSL appliance, the Instant Virtual Extranet (IVE). Neoteris's strong points include an excellent range of application access, good remote user security, and ease of use. "In half an hour, we were up and running with Neoteris," says Iron Mountain's Ridgley. He purchased an IVE for day extenders and telecommuters.

Two other start-ups, Netilla and SafeWeb, are hot on the heels of the leaders. Both companies offer SSL VPN appliances with a full range of application access and important features for endpoint security. However, they'll have to work hard to distinguish themselves from the top guns, whether through innovation, partnerships, or pricing.

SafeWeb is working hard in this direction. In 2002, it joined NetScreen Technologies's Global Security Alliance, which means NetScreen will recommend the SafeWeb product to customers looking for an SSL VPN solution. SafeWeb also touts its use of regular expressions in its management console, which allows for very granular access control.

Then there are incumbents Nortel Networks and Check Point. Surprisingly, analysts aren't bullish on their offerings. "Nortel and Check Point have announced product, but it's weak," says META's Thompson. He cites a lack of advanced access features, particularly for non-Web-enabled applications, as the main drawback. But as the market heats up, you can expect more competitive offerings from these players.

Other established vendors have also moved into the market. In June 2003, Nokia launched the Secure Access System SSL VPN. The product's range of application access isn't quite as deep as the current market leaders, but the appliance has a strong focus on access control and remote device security. Nokia also combines high brand awareness with a global sales channel that the start-ups can only envy.

F5 Networks (www.f5.com), best known for its load balancing solutions, entered the running with its acquisition of uRoam, a start-up that produces the FirePass appliance. Though an established company with a good reputation, F5 isn't known as a security player. "They say it's an evolution of their focus on security," says Thompson. Now the job is to convince customers.

Last but not least is Cisco Systems. The 900-pound gorilla of the networking and security industry plans to offer SSL remote access on its VPN 3000 Concentrator, allowing administrators to provision and manage both browser-based and IPSec remote access from one platform.

"Our role is to be technology-agnostic," says Pete Davis, product line manager for VPNs at Cisco. "SSL grows the market for remote access. Companies that never looked at remote access are looking into it."

As of press time, Cisco declined to share significant details, but the company expects to make a product announcement in early October 2003. Even without details, the effect of Cisco entering the market is sure to be felt in at least one area, warns Thompson. "It will be difficult to get late-round funding after Cisco makes its move," he says.

Other vendors of note include Whale and OpenReach. As noted, Whale's product, the e-Gap Remote Access Appliance, includes very strong features for endpoint security. Whale's appliance architecture also features the unique "air gap." The product consists of an external Internet-facing server and an internal LAN-facing server, bridged by a solid-state switch that connects to only one server at a time, so there is never a direct network path from the Internet to the internal server. Application data still crosses the gap as it is shuttled between the two sides, so the design blocks network-layer access to the internal server rather than every attack carried in that data.

OpenReach is a VPN service provider. Primarily known for IPSec and Multiprotocol Label Switching (MPLS) VPNs, the company now offers SSL remote access as well. It's a sensible move that should satisfy present customers who want increased access options, but it remains to be seen how much market share the company will gain in a tightly contested market.

Just how tightly contested the market is became clear in the summer of 2003, when a company called Aspelle became the first casualty of the SSL VPN market. Aspelle, which offered a software-based product that featured strong integration with Microsoft, gave every impression of being a strong competitor. However, the company closed its doors in late August after it was unable to secure new funding. Analysts expect that the market will be further whittled by closures and acquisitions.

SSL AND IPSEC: PEACEFUL COEXISTENCE?

However the SSL VPN market shakes out, don't expect it to obliterate IPSec remote access.

"There's a core area where IPSec makes sense: the dedicated telecommuter, the road warrior," says META's Thompson. "Most large organizations aren't going to displace IPSec anytime soon. If you've got the client out there, you've done the hard work."

Others agree. "IPSec VPN is the connectivity method of choice for high-value desktops where you want to authenticate the machine as well as the person," says Yankee's Ogren. "These smaller numbers are a little more manageable."

SSL VPNs are generally expected to be deployed to users who can benefit from remote access, but wouldn't necessarily have been issued an IPSec VPN. "If you have a highly mobile workforce without laptops, SSL makes sense," says Thompson. "If people need to traverse a firewall, SSL makes sense."

The upshot is that SSL and IPSec are going to coexist, and it will be up to network professionals to manage the tradeoffs.

Andrew Conry-Murray, contributing editor, can be reached at aconrymurray@yahoo.com.


Resources

Most of the SSL remote access vendors have white papers available that provide a good overview of SSL remote access. In particular, the following vendors offer insightful papers:

(However, keep in mind that the vendor materials will stress their own strengths while downplaying the drawbacks of their solutions.)

PC Magazine ran lab tests of several top hardware-based SSL VPNs in August 2003. You can find the reviews online. Go to www.pcmag.com and enter SSL VPN in the search box to read the reviews.
