SSL VPNs Provide Better Protection

SSL VPNs gaining in popularity because of easy logistics.

Instead of developing technologies for buttressing the shaky security in some of the most widely used applications, a small but growing group of companies is turning to a new type of VPN for added security.

Companies such as Neoteris Inc., Permeo Technologies Inc., Symantec Corp. and Cisco Systems Inc. are eschewing the use of traditional client software and developing new SSL (Secure Sockets Layer) VPN software in an effort to provide better security for their users.

One of the main reasons for the push, according to officials at these companies, is logistics. Whereas the more widely deployed and better-known IP Security VPNs require companies to install client software on all their employees' machines and set up a VPN concentrator on the back end, SSL VPNs have no such requirements.

Instead, these systems enable users to log in via a standard Web browser, which typically connects to the enterprise's back-end systems, giving users access to their corporate applications. The transmissions are encrypted via SSL rather than IPSec.

Neoteris, based in Sunnyvale, Calif., is one of the leaders of the growing SSL VPN market. The company's Neoteris Access appliances are among the more widely deployed in the industry and have attracted the attention of officials at NetScreen Inc., which last month agreed to acquire Neoteris.

NetScreen officials said the VPN product would be a good complement to NetScreen's existing line of appliances. The boxes currently can include a variety of security functionality, such as firewall, IPSec VPN, denial-of-service protection and intrusion prevention. As part of the acquisition, all of Neoteris' 160 employees will join NetScreen, and Krishna Kolluri, CEO of Neoteris, will become general manager of the SSL VPN business at NetScreen.

"I believe this move can help increase customer adoption of SSL VPNs," Kolluri said.

Neoteris also brings its application security gateway technology to the new company. The gateway includes access management features that enable secure, Web-based single sign-on.

Just days after NetScreen made its move into this arena, Symantec, based in Cupertino, Calif., followed suit. The company, best known for its consumer and enterprise anti-virus products, bought SafeWeb Inc. for $26 million. Like Neoteris, SafeWeb delivers its SSL VPN solution on appliances. Symantec plans to add this functionality to its Symantec Security Gateway product.

Even router and switch vendor Cisco is poised to get in on the act. Sources say the San Jose, Calif., company is set to introduce its own SSL VPN solution within the next few months in an effort to solidify its growing presence in the security market.

But some in the security industry say the move toward so-called clientless solutions is not always just about security; cost savings is also a factor.

"I think total cost of ownership is important, too, and so is ease of use," said Wei Lu, chief technology officer and co-founder of Permeo, based in Irving, Texas. "If you develop a client right, you can add a lot of value and security checks and sanitization. But most people don't do it right, so you constantly have to update the client software. Clientless is actually dangerous because you're using the worst client you have: the browser. That's why we don't depend on [Microsoft Corp.] Internet Explorer anymore."

Permeo's Application Security Gateway employs a novel strategy in which all the traffic between clients and the back end is transmitted over a private circuit that passes through the gateway appliance. The connection does not rely on the Internet's IP infrastructure, so the application traffic goes through a preselected firewall port directly to the Application Security Gateway. The Permeo gateway then passes the request on to the application server.

The traffic between authenticated users and the gateway is encrypted via SSL. The gateway then decrypts the traffic before handing it off to the application server.

Permeo's Lu said the company is developing a pure clientless VPN solution as well.