Information Security News mailing list archives

Security without the sweat


From: InfoSec News <isn () c4i org>
Date: Tue, 22 Jul 2003 02:20:50 -0500 (CDT)

http://www.fcw.com/fcw/articles/2003/0721/spec-security-07-21-03.asp

By Paul Korzeniowski 
July 21, 2003

For several years, federal agencies have used virtual private networks
(VPNs) to reliably secure online information exchanges with remote
workers and trading partners. Yet, deploying systems based on the IP
Security (IPSec) protocol - the main method until now - is not always
as easy or flexible as agencies would like.

In the past year, an alternative has emerged that is taking the market
by storm: VPNs based on the Secure Sockets Layer (SSL) protocol.  
Boasting several attractive features - such as simpler installation,
more device flexibility and lower maintenance costs - SSL VPN products
are quickly reaching government information technology shops that want
to expand the user base for e-government applications without breaking
the bank.

In fact, market research firms Gartner Inc. and META Group Inc. both
expect SSL VPNs to be the primary way to connect remote users to
enterprise networks as soon as next year.

As the SSL VPN market mushrooms, the supplier base also has
diversified. Initially, start-ups Aventail Corp., Neoteris Inc.,
NetSilica Inc. and SafeWeb Inc. dominated the space. Not wanting to
miss the action, networking heavyweight Nortel Networks Ltd. has begun
promoting its Alteon 2424-SSL, while Cisco Systems Inc. plans to
unveil its SSL VPN wares by year's end. In all, about two dozen
vendors now offer the products.

To understand the surging interest in SSL VPNs, it's important to
grasp how the approach differs from IPSec VPNs. Both techniques share
a goal: Encrypt transactions to ensure data is secure as it passes
over Internet connections. They achieve this in different ways (see
"How it works," below). As a result, each option has strengths and
weaknesses.

IPSec has become popular because it rides on top of the standard
TCP/IP stack, whereas previous security mechanisms relied on
proprietary network protocols. Although IPSec makes it simple to
connect two computers, it poses installation and maintenance
challenges.

For one, agency officials have to ensure that their end-user devices
use the same encryption technique as their central servers. This
typically involves installing IPSec software on PCs. "In a large
[organization] with thousands of employees at various remote
locations, it can become quite cumbersome to maintain the IPSec
software," said Sarah Daniels, Aventail's vice president of product
management and marketing.

Typically, users can't install the software themselves, so the IT
department is responsible for deploying and testing the security
functions. If an agency upgrades its IPSec software, it often has to
make the changes on all end-user devices.

By comparison, an SSL VPN requires only a generic Web browser with SSL
support on the device, which nearly every browser already includes. So
the initial installation requires minimal manpower. To upgrade an SSL
connection, a company usually only has to change its server software.

"Because there is so much less administrative [work] required,
organizations can realize dramatic manpower savings by moving to an
SSL VPN," said Jason Matlof, Neoteris' vice president of marketing and
business development.

Easier maintenance appeals to the U.S. Naval Medical Information
Management Center in Bethesda, Md. In early 2002, officials explored
ways to provide the center's 55,000 users with secure access to medical
data via its IP-based intranet.

After evaluating its options, the center selected SafeWeb's Tsunami SSL
VPN system, a secure extranet appliance, to give its users access to
health industry information, such as medical benefits, newsletters,
reservist duties and e-mail.

"The client security functions have been quite simple to install and
easy to manage," said Ariel Echano, a network security engineer at the
naval center.

Because IPSec requires both ends of a connection to use compatible
software - almost always from a single vendor - it may not be a viable
option for all applications, such as those involving outside
organizations.

"IPSec has never been a fit choice with extranet applications, because
it can be difficult to set up and maintain connections to a large
number of trading partners," said Jim Slaby, a senior network analyst
at Forrester Research Inc., a market research firm.

IPSec's requirement of special client software can also create
problems for nomadic employees. "With IPSec, employees can't use a
kiosk, a terminal at a customer's site or a handheld device to access
a corporate network, because they lack the appropriate client
software," said Anthony Daley, senior vice president and general
manager at Westcon Inc., a computer and network products distributor.

Also, IPSec VPNs can run into problems with firewalls, which operate
at the same network level as the encryption software. For example, if
a government employee at a contractor's site tries to download data
from his or her agency's enterprise application, the firewall will
likely block the transaction because the request comes from outside
the organization. Firewalls typically let SSL connections pass because
the security functions operate at another level.

The Case Against SSL VPNs

Although SSL VPNs include enticing features, they are not a cure-all.
Because they require Web browsers, most SSL VPN solutions only provide
access to Web-based applications. Vendors have to add special software
so their systems are compatible with mainframes, client/server
applications, file transfer systems and terminal server applications.

"When they first came out, the SSL solutions supported only a couple
of applications," such as e-mail, said Jim Jones, chief technology
officer at systems integrator Science Applications International Corp.

Cost is another area where SSL VPNs can come up short. "The initial
price for installing an SSL VPN can be three times higher than that of
an IPSec VPN," said Kyle Klassen, a product marketing manager at
Nortel. SSL software is more complicated than IPSec software and the
SSL products are at an earlier stage of development, so vendors have
been unable to reduce costs yet via volume shipments.

Typically, management functions are one of the last components added
to a nascent technology, and that has been the case with SSL products.  
Vendors are focusing on improving their systems' graphical user
interfaces and widening the range of management information their
products can collect.

Initially, IPSec and SSL VPNs were positioned as an either/or choice.
"SSL vendors started out talking about their products as IPSec
replacements, but there has been a growing realization that neither
option is perfect for every application" so vendors now view the
technology as complementary to IPSec VPNs, Westcon's Daley said.

Korzeniowski is a freelance writer in Sudbury, Mass., specializing in
technology issues. He can be reached at paulkorzen () aol com.


***


How it works

To secure information, an agency must encrypt data as it moves from
the sender to the receiver. IP Security (IPSec) virtual private
networks (VPNs) operate and encrypt information at the network layer —
Layer 3 of the seven-layer network model, to be precise. This protocol
does not pay attention to what type of information (e-mail message,
file transfer) may be moving from place to place. It is more concerned
about locking down the network transport (e.g., TCP/IP).

Secure Sockets Layer (SSL) VPNs function at the application layer, the
top layer of the seven-layer model. This technique does not take the
network layer into account but instead focuses on the application
layer. In most cases, an SSL session assumes the person is connecting
to a Web service, although special vendor add-ons make it possible for
users to work with other systems, such as mainframe and client/server
systems.
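As an added illustration of the layering difference described here and in the firewall discussion above (example code, not part of the article), the following Python script builds the same constructed HTTP request two ways, as an IPSec ESP tunnel-mode datagram and as a TLS application-data record over TCP port 443, and then reports what a Layer 3/4 firewall can classify in each without any decryption key. The keystream cipher, addresses, SPI and request are constructed stand-ins, not real IPSec or SSL implementations.

```python
import hashlib
import struct

KEY = b"constructed-demo-key"   # placeholder key, illustration only
# Constructed sample request that a remote user would send to an intranet app.
HTTP_REQUEST = b"GET /benefits HTTP/1.1\r\nHost: intranet.example\r\n\r\n"

def toy_encrypt(data: bytes) -> bytes:
    """Stand-in for AES: XOR with a SHA-256 keystream. Not a real cipher."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(KEY + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (RFC 791 layout, checksum left zero)."""
    addrs = [bytes(int(o) for o in a.split(".")) for a in (src, dst)]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                       64, proto, 0, *addrs)

def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP header: ports, seq/ack, offset 5, PSH|ACK, window."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)

def ipsec_tunnel_packet() -> bytes:
    """ESP (IP protocol 50) in tunnel mode: the whole inner IP packet is hidden."""
    inner = ipv4_header("10.0.0.5", "10.0.0.80", 6, 20 + len(HTTP_REQUEST))
    inner += tcp_header(40000, 80) + HTTP_REQUEST
    esp = struct.pack("!II", 0x1234ABCD, 1) + toy_encrypt(inner)   # SPI, sequence
    return ipv4_header("203.0.113.10", "198.51.100.1", 50, len(esp)) + esp

def ssl_vpn_packet() -> bytes:
    """TLS application-data record (type 23) on TCP/443: IP/TCP headers stay visible."""
    body = toy_encrypt(HTTP_REQUEST)
    record = struct.pack("!BHH", 23, 0x0303, len(body)) + body
    segment = tcp_header(40000, 443) + record
    return ipv4_header("203.0.113.10", "198.51.100.1", 6, len(segment)) + segment

def firewall_view(packet: bytes) -> dict:
    """What a Layer 3/4 firewall can classify without any decryption key."""
    proto = packet[9]
    view = {"proto": proto, "ports": None, "http_visible": b"GET " in packet}
    if proto == 6:                      # TCP: ports and the TLS record type are readable
        view["ports"] = struct.unpack("!HH", packet[20:24])
        view["tls_record_type"] = packet[40]   # 23 = application data
    elif proto == 50:                   # ESP: only the SPI is readable, no ports at all
        view["spi"] = struct.unpack("!I", packet[20:24])[0]
    return view
```

Running `firewall_view` on both packets shows why a port-based firewall can admit the SSL VPN session as ordinary HTTPS on 443 while the ESP datagram presents no ports at all, only a protocol number and an SPI.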

***

By the Numbers: Ideal for mobile users

If you have a small (say, half a dozen), stable set of locations that
you want to connect securely, chances are that a Secure Sockets Layer
(SSL) virtual private network (VPN) may not be the best option. The
initial hardware can cost $25,000 to $50,000, significantly more than
IP Security (IPSec) VPN switches, which are priced in the $15,000 to
$25,000 range.

However, because an SSL VPN requires little setup - only a standard
Web browser - on the end user's computer, it typically costs about
half as much to manage those connections as it would with IPSec, which
requires that special software be loaded and maintained on all client
computers. Therefore, SSL usually makes the most sense when a company
has a large number of mobile employees who work from different
locations and use a wide variety of devices (hotel computers,
handhelds, customer systems, etc.) to connect to an enterprise
network.
 


-
ISN is currently hosted by Attrition.org