Is The End of IPsec Afoot?

Within the next two years, IPsec will no longer be the dominant remote access technology.

According to research firm Gartner, SSL-VPNs will be the primary remote access method by 2008 for greater than 90 percent of casual employee access, more than three-fourths of contractors and more than two-thirds of business telecommuting employees.

SSL-VPNs offer the promise of easier access, since from the end user's standpoint all that is typically required to reach a corporate network is a Web browser.

SSL is broadly used as the security method of choice for online banking and other security-sensitive Internet applications.

In contrast, IPsec is seen as being more complex and resource-intensive, as it typically requires the end user to install a client to access a corporate network.

The Gartner report cites a number of other advantages to SSL-VPNs, including the fact that a unique IP address is not necessarily required to authenticate, and sessions may “roam” across IP addresses.

According to the report, Cisco is a leader in IPsec and a visionary in SSL-VPN. Juniper and Aventail are the only two firms in Gartner’s leader category for SSL-VPN.

Both Juniper and Cisco recently launched new SSL-VPN platforms for service providers.

Aventail said both legacy IPsec users and new remote-access users are moving to the new technology.

Lewis Carpenter, Aventail COO, explained that the primary barrier to SSL-VPN adoption is a user who already has a legacy implementation that’s good enough and that they can live with. Carpenter argues, however, that most find that SSL-VPN reduces help desk costs and provides better granular access control, among other benefits.

One issue that has come up in the past is the price differential between IPsec- and SSL-VPN-based solutions.

An October study conducted by SSL-VPN vendor SonicWall reported that 80 percent of respondents thought that current SSL-VPN solutions were too expensive.

Nearly 50 percent of respondents did, however, indicate that they believed SSL-VPN to be a desirable option to have.

“The price of an SSL-VPN solution if you just compared it independent of function to an IPsec solution is still higher,” Carpenter admitted.

“But when you look at the costs of implementation and support, in most cases our customers say they have achieved significant cost savings because of getting better access, better control and reducing help desk costs.”

Not everyone agrees entirely with Gartner’s findings, including Cisco Systems.

“Cisco believes that both SSL-VPNs and IPSec-VPNs remain viable for VPN access, and the choice remains highly dependent on specific customer requirements,” Tom Russell, senior director of product marketing in the Cisco Security Technology Group, told

“However Cisco does agree with a general trend towards SSL-VPNs for their ease-of-deployment features.”

Aventail’s Carpenter said that he does think that IPsec is a great technology for connecting networks.

“So in a site-to-site-type implementation, I think it fits fine,” Carpenter said. “Where it really will continue to diminish, lose presence and eventually disappear is in the whole area of remote access and mobility.”

But Cisco doesn’t expect IPsec to disappear anytime soon.

“While SSL-VPNs are a viable replacement for IPSec VPNs under appropriate conditions, Cisco believes IPSec VPNs will remain a very important remote-access VPN technology for the foreseeable future,” Russell said.
