Cisco offers tunnel-less VPN

Cisco is to offer a tunnel-less VPN, which could solve some of the challenges of securing WAN traffic.


At the moment many organizations use IPSec encryption to create secure tunnels between company sites. However, using IPSec makes it much harder to use route-optimizing protocols such as multiprotocol label switching (MPLS) and other WAN management tools.

Organizations using IPSec to encrypt company data currently need to set up a separate tunnel between each site and for each class of service.

Neil Rickard, vice president of research at analyst firm Gartner, said there was a lot of demand for MPLS VPNs, but added: "Existing tunnel-based encryption techniques make this difficult to do without sacrificing quality of service and meshing."

Cisco is trying to simplify the routing of encrypted traffic with its tunnel-less offering, which it calls Group Encrypted Transport, or GET VPN.

GET is a software upgrade to the company's increasingly popular Integrated Series Routers (ISR) family: 2 million ISRs have been sold globally. GET enables the ISR at the originating site to cache the packet header, encrypt the entire packet with IPSec and then re-insert the unencrypted header.

The header can then be used to route packets using MPLS, while the payload remains encrypted. This process considerably reduces the number of VPN tunnels required, particularly for companies with a large number of sites.
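As an added illustration (not Cisco's code and not part of the original article), this Python sketch contrasts what a WAN router can read from a conventional gateway-to-gateway tunnel packet with the header-preserving encapsulation described above. The addresses, key and payload are constructed, the cipher is a stand-in rather than IPsec, and the ESP header fields are left out.

```python
import hashlib
import socket
import struct

IP_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
ESP = 50                   # IP protocol number for ESP

def ipv4_header(src, dst, proto, payload_len, dscp=0):
    """Build an IPv4 header with a valid checksum."""
    hdr = struct.pack(IP_FMT, 0x45, dscp << 2, 20 + payload_len, 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    total = sum(struct.unpack("!10H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return hdr[:10] + struct.pack("!H", ~total & 0xFFFF) + hdr[12:]

def opaque(key, data):
    """Stand-in for ESP encryption (SHA-256 keystream XOR). Not IPsec, not secure."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def classic_tunnel(packet, key, gw_src, gw_dst):
    """Conventional site-to-site tunnel: the outer header names the two gateways."""
    body = opaque(key, packet)
    # Outer DSCP is left at 0 here; in this sketch it is a gateway policy choice.
    return ipv4_header(gw_src, gw_dst, ESP, len(body)) + body

def header_preserving(packet, key):
    """Cache the header, encrypt the entire packet, re-insert the header in clear."""
    f = struct.unpack(IP_FMT, packet[:20])      # cached original header
    body = opaque(key, packet)                  # whole packet, header included
    return ipv4_header(socket.inet_ntoa(f[8]), socket.inet_ntoa(f[9]), ESP,
                       len(body), dscp=f[1] >> 2) + body

def wan_view(wire):
    """Fields a provider router can read from the cleartext outer header."""
    f = struct.unpack(IP_FMT, wire[:20])
    return {"src": socket.inet_ntoa(f[8]), "dst": socket.inet_ntoa(f[9]),
            "dscp": f[1] >> 2, "proto": f[6]}

# Constructed sample: a UDP packet between two branch hosts, marked DSCP 46.
PAYLOAD = b"\x13\xc4\x13\xc4\x00\x14\x00\x00constructed!"
PACKET = ipv4_header("10.1.1.10", "10.2.2.20", 17, len(PAYLOAD), dscp=46) + PAYLOAD
KEY = b"constructed-group-key"

if __name__ == "__main__":
    print("classic   :", wan_view(classic_tunnel(PACKET, KEY, "192.0.2.1", "198.51.100.1")))
    print("preserving:", wan_view(header_preserving(PACKET, KEY)))
```

With the preserved header the WAN still sees the original host addresses and DSCP marking, so routing and class-of-service handling need no per-site-pair tunnel; the trade-off is that those header fields are visible in clear on the wire.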

Cisco has submitted the idea to the IETF, an international standards body.

But Gartner analyst Rickard said that this is not the first time Cisco has tried to solve the issue. "This is Cisco's second or third go at cracking the problem, but I'm very impressed with this offering," he said.

He added: "Now that you can encrypt on top of MPLS, you can preserve the header info, so you get quality of service still applied. I think that will be very useful."

The analyst added that there wasn't a comparable offering from another vendor, although he was keen to point out that Cisco has more than 90 percent share of the router market anyway.

The networking company has built several further features into its ISRs. The routers now work on cable networks, including that of NTL:Telewest, the U.K. operator. Application acceleration and SIP trunking are two major new features, while the ISRs now have the option of local breakout to the PSTN in the event of network failure.

GET VPN is available in ISR products, as well as in Cisco's 7301 and 7200 routers, from December. The price of the software upgrade varies according to customers' maintenance contracts.