Browser security takes off in VPNs

Corporations are embracing a simpler, cheaper way of connecting remote workers to their networks, opening up new opportunities--and competition--for network security vendors.

At stake are gateways allowing secure access to corporate networks based on a browser security technology known as Secure Sockets Layer (SSL) encryption. Analysts and makers of SSL-based networking equipment say that large numbers of corporate users are starting to implement virtual private networks (VPNs) using SSL technology.

Network managers point to SSL as a significant step forward in VPN ease-of-use that is quickly gaining market share as an alternative to the popular but less flexible Internet Protocol security (IPSec)--a trend that in turn is fueling new demand among companies and employees for remote network access.

According to a report last year sponsored by AT&T, better access to networks from remote locations was cited as the number one factor driving increased demand in remote working.

"Six months ago people were on the fence about SSL VPNs," said Jason Matlof, a vice president of marketing for secure access products at NetScreen Technologies. "But the pendulum has totally swung in the other direction, and people are saying they won't do remote access without SSL."

SSL's rising fortunes have drawn industry giants to the technology, forcing a shakeout for the small start-ups that dominated the market only a year ago. Today, SSL products are offered by most of the big names in security and switching, including Cisco Systems, Check Point Software, F5 Networks, Nokia, NetScreen, Nortel Networks and Symantec.

Some of these companies--F5 Networks, NetScreen and Symantec--have acquired start-ups for their technology; others, such as Cisco, Nokia and Nortel, have developed the technology in-house.

"To date most of the SSL VPN vendors have been small and couldn't address the broader market," said Erik Suppiger, an analyst with Pacific Growth Equities. "With larger companies providing distribution, there's more awareness in the market, and I think that's helping drive demand."

SSL has been around
SSL technology is nothing new. It's been embedded in most standard Web browsers for years, allowing e-commerce vendors such as Amazon.com and E-trade to provide secure Internet transactions.

Even though SSL seems like an obvious technology choice for accessing a VPN, it's taken awhile for the market to gain momentum. Start-ups Neoteris, (which was recently bought by NetScreen) and Aventail first started building products about three years ago. But only recently business really started to pick up.

"I'd say the market turned the corner in the second half of 2003," said Sarah Daniels, vice president of marketing and product management for Aventail. "We've increased sales, lead generation and the number of resellers talking to us about our product."

Nortel, which has been selling its product for a little more than a year, says it has seen a spike in sales in the past three or four months.

"Customers have moved from the experimental phase where they're only deploying the technology in small pockets to deploying it in live networks," said Kyle Klassen, director of security solutions and marketing for Nortel.

Because SSL VPNs enable access from virtually any Web browser, they're a natural fit for remote access and extranet applications. For most Web-based applications, users don't have to use a client, making it much easier to give any employee or partner access to the network.

By contrast, IPSec VPNs require the installation and configuration of special software on all clients and can be clunky when it comes to remote access. It often has interoperability issues that can leave many road warriors frustrated and stranded without access to critical network information.

"What we found is that IPSec VPNs are fantastic for site-to-site or branch office connectivity," said Doug Torre, director of networking and telecommunications for Catholic Health System in Buffalo, N.Y. Torre has been using NetScreen's SSL VPN solution for almost two years.

"But when you use IPsec for remote access, it's just too cumbersome. The doctors in our group just wanted to pull up a browser and start accessing the network just like they would if they were buying something on Amazon or trading stocks on the Internet," he said.

SSL's ease of use often translates into big savings for companies using the technology for remote access. Frost & Sullivan, a market research firm, estimates the average cost per user drops to between $60 and $220 when using an SSL remote access VPNs versus $150 to $300 per user when using an IPSec VPN.

"The total cost of ownership is much lower for SSL VPNS, because you don't have to pre-configure every PC," said Jason Wright, an analyst with Frost & Sullivan. "You also don't have all of the support issues to deal with."

Torre agrees. He said that the SSL VPNs are so easy to use, the company's support issues disappeared literally overnight when they started using SSL VPNs. Consequently, the SSL VPN hardware paid for itself in a matter of months.

"We still use Cisco (Systems' networking products) for site-to-site IPSec VPNs," he said. "But it's really a no-brainer to use SSL for remote access."

SSL's bright future
Financial and industry analysts are already projecting high growth in this market during the next year. Last week, Erik Suppiger, an analyst at Pacific Growth Equities, raised his earnings estimate for NetScreen, which completed its acquisition of SSL networking company Neoteris in November.

This week, he increased his expectations for networking gear maker F5 Networks, which announced its acquisition of SSL VPN company uRoam in July.

Industry analysts are also bullish on SSL VPN technology. According to Frost & Sullivan, the market for the technology grew 360 percent last year, with sales jumping from $20 million in 2002 to $90 million.

The market research firm expects that 2003 figure to more than double to $202 million this year. And by 2006, it expects sales to exceed $500 million.

But to put this growth into perspective, IPsec VPNs still outpace SSL VPNs in terms of revenue. Frost & Sullivan estimates that worldwide sales for IPsec VPN products reached $1.8 billion in 2002 and will likely total $2.4 billion in 2003.

The birth of SSL VPNs does not imply the death of IPsec for remote networking. Most experts agree that the technologies are complementary. NetScreen, which had a strong IPsec VPN and firewall business prior to its acquisition of Neoteris, plans to continue to sell those products separately.

It also looks likely to continue to generate the vast majority of its typical $80 million quarterly revenue from IPsec VPN and firewall appliance sales. For their part, Cisco and Nortel each expect to integrate SSL and IPsec technologies onto one VPN device, which would give customers both sets of functionality.

Though SSL virtual private networking offers many benefits, the networking technology is not without its downside. One important element is end-point security.

Because a SSL VPN allows people to enter corporate networks via any Web browser, companies need to make sure that it has strong authentication to verify that its users are authorized. It also needs strong policy management to ensure that people only access applications for which they have approval.

SSL VPNs can also expose companies to malicious code. Because people can use any Web-enabled device for access, viruses from those machines can be transmitted to the corporate network. Unlike IPsec VPNs, SSL VPNs don't connect at the network level.

On the one hand this is good, because a network-based connection could easily allow viruses to pass through the network. But SSL VPNs can also let damaging code in via applications such as e-mail.

"SSL gateways don't provide any sort of filtering," said Dave Kosiur, a senior analyst with the Burton Group. "So if there is a virus attached to an e-mail, it will still end up on the e-mail server."

Some SSL VPN providers are already working on ways to protect customers. For example, Nokia has developed the Nokia Secure Access System. The software, which is loaded on a Nokia appliance, not only authenticates employees, but also exchanges digital certificates with the machine being used and performs a client integrity scan.

This scan checks for vulnerabilities on the device. Basing its response on this scan and the user's profile, it automatically adjusts the customer's privileges.

Aventail, NetScreen and Nortel are also adding security features to their products.

In time, analysts say, every SSL VPN vendor will include some security. Most companies will likely look for partners in the security market. Aventail recently announced a deal with Fortinet, a supplier of antivirus and firewall products.

"There is no one product in this world that can solve every problem," NetScreen's Matlof said. "It requires all of us in the SSL VPN market to interoperate with other security devices and develop strong relationships with those companies."

Even with vendors beefing up security, buyers will still need to shoulder some of the burden for protecting their own networks.

"For us, security is paramount," Torre said. "We have strong regulations we must follow regarding privacy of medical records. We wouldn't deploy any remote access technology without strong two-tier authentication."