SSL Makes Comeback in VPNs

Long treated as the poor cousin of the encryption world, SSL is getting new attention as a protocol for simple, cost-effective VPNs.

In response to growing interest from IT managers, OpenReach Inc. and Aventail Corp. this week will announce virtual private network solutions that incorporate traditional IP Security and Secure Sockets Layer encryption.

The introduction of OpenReach AnyWhere represents a marked departure from the Woburn, Mass., companys longtime support of IPSec encryption as the best choice for VPNs. Company officials said customers have been asking for an SSL-based product for some time.

Since all major Web browsers include support for SSL, VPNs based on the protocol need no special client software. In addition, users can access corporate networks and applications from any machine with Web access.

AnyWhere enables administrators to provision users for SSL, IPSec or both. Remote workers using the SSL option have the same services available as IPSec users, including file sharing, access to e-mail and Web-enabled applications, and a single log-in for both SSL and IPSec access.

Server-side authentication is performed using digital certificates issued by either VeriSign Inc. or Entrust Inc. Client-side authentication goes through either a Remote Authentication Dial-In User Service server, an RSA Security Inc. SecurID token or the users local database.

The decision to include support for SSL was driven by customer demand for a more lightweight VPN, OpenReach executives said.

“For most users, SSL is fine. They dont need the client overhead,” said Mark Tuomenoksa, chairman and founder of OpenReach. “SSL is much faster than IPSec.”

AnyWhere, due late next month, will start at $10 per user, per month.

Seattle-based Aventail, one of the first developers to sell SSL-based VPNs, is now refining Aventail.Net Anywhere VPN and Secure Web Access offerings.

Version 5.0 of the VPN tool includes new functions that allow administrators to control how many networks remote users can be signed on to. This not only saves bandwidth costs but also can eliminate the problem of home users bringing viruses or other malicious code onto the corporate network.

Another new feature, dynamic application detection, can locate personal firewalls, anti-virus software and other applications that often interfere with VPNs. The new version of the Aventail.Net VPN can work in tandem with these products, so the administrator can then create a policy preventing users from using the VPN if they dont have firewall or anti-virus software installed.

Both products are available this week. They include updated directory integration supporting LDAP and Active Directory.

For Aventail customer Excelon Corp., of Burlington, Mass., the lure of SSL was anytime access to corporate data.

“The constraint for us was access to intellectual property,” said Rafael Rodriguez, CIO of Excelon, developer of database management software. “[SSL] is easier than IPSec, and it takes less work. And none of our client sites block SSL at the firewall.”

Related stories:

• SSL Keys Coming Up Short
• SSL Accelerator Handles Up to 10,000 TPS
• Managed Security Services Take Hold