SSL-VPNs Making Headway Against IPsec

It is the thin-client download type of connectivity that makes SSL-VPNs very similar to their usually more expensive IPsec counterparts. In fact, Cisco’s Davis sees a lot of customers looking for SSL to almost become a tunnel-based connection like IPsec.

“We do see with SSL a lot of customers that are starting to understand that it can’t solve all their applications in its truest sense of being clientless,” Davis said. “In the true sense of clientless you can’t access things that are thick-client in nature at all. A lot of customers are saying it’s great that I can access my network from anywhere but not all of my applications are Webified.”

According to Forrester Research Senior Research Associate Robert Whiteley, CIOs are not currently using the full potential of SSL-VPNs, even though they offer the same level of technology and security as IPsec.

“SSL-VPNs can be deployed such that they are at the same level as IPsec remote-access VPNs,” Whiteley said. “Most enterprises and CIOs are not currently using SSL-VPNs in this capacity although I believe that will change this year. This is true from both a technology and security perspective.”

Overtaking IPsec

Both Forrester Research and Meta Group believe that SSL-VPNs will be used for the majority of remote access VPNs within the next two years (Meta Group) to four years (Forrester).

“I do believe that SSL-VPN will overtake IPsec VPN in terms of market share, probably by 2006, but only for remote access implementations,” said Mark Bouchard, Meta Group senior program director. “In fact, I expect that approx 70% of all corporate users will use SSL-VPN as the means for secure remote access by 2006.”

Cisco doesn’t quite see SSL-VPN as taking market share away from IPsec; rather, it sees an enlargement of the marketplace for remote access VPN as a whole.

“What we’re seeing is less of an overtaking and more of the fact that a lot of companies that perhaps didn’t consider remote access before or, perhaps, already have IPsec look to SSL to supplement access for certain types of users,” Davis said. “We haven’t seen a lot of cannibalization for IPsec deployments for SSL, that’s what we’re expecting to see in the long run, more the enlargement of the market and less of the taking away of one from the other.”

SSL-VPN is a technology that CIOs should consider for remote access, said Bouchard. Technologically speaking, it offers cost savings, ease of use and security. Vendors and analysts alike are recommending SSL-VPN for remote access, though not to the ultimate exclusion of IPsec, which still has a place in IT infrastructures.

“Bottom line on SSL-VPN is that it is very flexible, easy to implement, and in many instances more secure than remote access VPNs using IPsec,” he said. “I’m telling CIOs that SSL-VPNs not only belong in their portfolio of network/security solutions, but should also be displacing IPsec over time, but only in its remote access capacity. IPsec that is used to connect offices (in place of things like Frame Relay) is not in jeopardy.”