VPN Technology: Cisco Bets on Both
Upcoming VPNs from Cisco give both SSL and IPsec a place, even as they hide the difference from users.
Cisco has been in the VPN market for more than a decade, at first focusing on IPsec-based VPNs and, in more recent years, advancing SSL VPNs. Though VPNs are considered a mature technology, there is still room for innovation.
Innovations for both large-scale VPN deployments and remote access are in the works at Cisco. One that will help bridge the gap between SSL VPNs and IPsec is expected to roll out in the first half of 2007.
IPsec VPNs traditionally require some form of client application to access network assets. By contrast, SSL VPNs typically utilize a Web browser in order to facilitate access, though end-user clients are also common.
Bob Berlin, director of product marketing at Cisco, said Cisco has likely shipped more IPsec VPNs than all other companies combined, numbering in the tens of millions of IPsec client deployments.
IPsec, though cheaper to deploy than an SSL VPN, has typically involved more deployment and management complexity. Cisco's upcoming VPN software release version 7.3 in 2007 will make the actual technology behind the VPN, whether SSL-VPN or IPsec, more transparent to users.
"The end user won't know or care if they are connecting to IPsec or [an SSL VPN]," Berlin told internetnews.com. "That's the goal ultimately from a user point of view: Why should you care? You are just trying to connect to somewhere."
"From an IT management perspective you care very much because the level of service and the nature of the secure connection will be dictated by the different technologies," Berlin added.
Berlin said that some of Cisco's competitors who don't necessarily have a strong IPsec offering have jumped on the SSL VPN bandwagon and go out of their way to say that you should only deal with SSL VPNs.
At the beginning of this year, a Gartner report concluded that SSL VPNs will be the primary remote-access method by 2008. Cisco was then and is now of the opinion that both IPsec and SSL VPNs are viable and their deployment depends on the nature of the application and what sort of access an enterprise is seeking to provide.
Cisco's Network Access Control (NAC) technology is also playing a role in VPN. "On the remote-access side, NAC is part of every remote-access opportunity we see," Berlin said.
Next year's new VPN release from Cisco will further add to its existing access-control capability. "We have integrated a posture-assessment capability into our SSL VPN ASA offering that will be available in our upcoming 7.3 release," Berlin noted. "It is the same posture assessment that is available in our NAC offering."
Cisco is also improving its IPsec VPN technology for large-scale deployments. The networking company recently introduced a new technology called Group Encrypted Transport (GET).
Dee Dee Pare, product marketing manager at Cisco, explained that the idea behind GET is to remove the need to set up thousands of separate VPN tunnels in a large deployment.
With GET, an IPsec VPN can be deployed to thousands of users over a private network, such as an MPLS network, and it does not force users to trade off the benefits of MPLS such as instantaneous any-to-any connectivity and quality of service.
"In many cases when you set up an IPsec tunnel or thousands of tunnels, you would have to give up some benefits and give up some latency," Pare explained to internetnews.com.
Also with GET, a trusted group is set up with a key server that has all the security policies. Group members register with the key server and they become part of the trusted group.
"Then it's just a matter of sending the encrypted data over the regular routed network," Pare said. "That way it doesn't lose any MPLS benefits."
Pare noted that the need for GET and VPNs is being driven by the regulatory environment that forces businesses to look toward encryption to ensure compliance.
According to Berlin, VPNs aren't just for remote access anymore; they can also solve other control and security problems. The VPN market is massive and is pegged in a recent Infonetics research report as being worth $29 billion by 2009. In 2005 the VPN marketplace was worth $23 billion.
In the report, Infonetics analyst Jeff Wilson forecast that IPsec revenue would decline every year through 2009, while SSL VPN and MPLS (Multiprotocol Label Switching) and MPLS/IPsec revenues would rise.
Article courtesy of internetnews.com