DISPATCHES
SSL VPNs provide The Sports Authority, and a growing number of enterprises, with cheaper secure remote connectivity. Will they eventually slam dunk IPSec?
Tale of the Tape
The following are general characteristics of both SSL and IPSec VPNs. Various implementations will differ by vendor.
Secure remote connectivity hasn't always been a slam dunk at The Sports Authority.
Following its 2003 merger with the U.S.'s second largest sporting goods retailer, Gart Sports Company, the chain grew to 386 stores in 45 states. Providing its remote sales staff and buyers with secure access to the corporate network was as difficult as beating a full-court press.
"Our corporate portal was getting larger and larger, and we needed to distill more information to sales people, for example," says group Unix manager Joseph Girodo. "As we built up the portal solution, the need for access increased."
Girodo resolved a host of connectivity woes by deploying F5 Networks' FirePass 4100 SSL VPN. Gone are dropped Telnet connections, system timeouts and dangling files on the server.
"IPSec was never a consideration for me," Girodo says. "We went straight to SSL. I didn't want to put a client on every PC and maintain and update it. SSL allowed us to customize access and menus for individual and group needs."
It's an increasingly common scouting report. SSL VPNs are rapidly gaining ground on their older, heavier IPSec cousins. Enterprises are turning to SSL VPNs to resolve their application-layer remote connectivity issues, improve security and lower overhead. Security vendors are responding to these demands by improving the implementation of SSL VPNs and adding complementary functions, such as endpoint security checks.
With SSL VPNs on the offense, will IPSec VPNs eventually be benched?
Reversal of Fortune
Maturity is on IPSec's side, meaning that very little innovation is happening in the technology. That's not the case with budding SSL VPN; its market is expected to reach $300 million this year.
"We are in a transition phase," says Forrester Research analyst Rob Whiteley. "We are going to see more SSL deployments until IPSec becomes the niche technology, which is the reverse of today."
IPSec VPN is a layer 3 technology that provides a secure tunnel between a remote location and the corporate network. It requires host-based clients and expensive hardware at a central location; ongoing configuration maintenance and account administration are heavy burdens. Users have full office functionality using IPSec VPNs, but there's very little granularity in access control; access is generally permit-or-deny with most shared network resources available to any user.
SSL VPNs work on the application layer (layer 7) and don't require a client download; remote connections are made via a Web browser or through a downloadable Java or ActiveX agent. Security managers can assign role-based access for each user and application, and client administration is eliminated.
"We have much greater security now [with SSL]; individuals and groups have access to specific resources and cannot go anywhere else on the network," says The Sports Authority's Girodo. "Everything else is locked down."
Secure remote connectivity is paramount for The Sports Authority's employees, executives and vendor partners. Sales execs in the field need access to e-mail and file servers, while upper management requires access to sales information. Partners need portal extranet access to data and applications, but shouldn't have the free rein on The Sports Authority network that IPSec would enable.
Maintaining the IPSec client software licenses would have been a significant financial burden for The Sports Authority, whose tech support would have been responsible for the arduous task of installing and configuring the software on remote machines.
"Administration of the SSL VPN takes less time and can be customized and secured per user. And, most updates or patches only have to be done in one place," Girodo says.
The Sports Authority's old private dial-up network was a security nightmare, he adds. Thick clients were installed on remote PCs and laptops, and they gave everyone--employees, partners and third-party vendors--the same network access. All levels of files and messages stored on a particular server were fair game for wandering eyes.
SSL's ability to get granular with access controls sets it apart. While IPSec deployments are generally geared toward power users--employees who need broad network access from remote locations--SSL VPNs, which were originally designed to provide access to e-mail or ERP and CRM apps, offer a similar open door to the network via a Java or ActiveX agent. Thus, SSL VPNs remain the preferred choice for granting telecommuters e-mail access or partners' extranet portal access.
"Security was a major consideration. Going to one specific IP address was a major win for us," Girodo says.