by Susannah Patton

SSL the Next Breed of VPN

Jan 15, 2003

It’s not an unusual situation. A doctor on vacation with her family suddenly remembers that she needs to review some test results for a patient. Often, this would mean finding someone at the hospital who could send a fax to a hotel office center, hardly a secure environment. If the doctor had her laptop along for the trip, maybe she could fire up her VPN client and connect to the home office for the info. But what if the laptop stayed home this time? If the doctor was affiliated with the Catholic Health System (CHS) of Buffalo, N.Y., it would not be a problem. She could simply access the records from any computer with a Web browser.

Before this project, CHS doctors had either to be at the hospital to retrieve results or to reach the network from home, a laptop or an office through a virtual private network (VPN). But in order to use the VPN, they needed to install VPN client software, an often cumbersome and time-consuming process. Now CHS is in the midst of rolling out a new application built on an “instant virtual network” appliance from Mountain View, Calif.-based Neoteris, which gives clinicians access to targeted medical records through a Web browser using SSL technology.

“There is still a place for the classic VPN when you need full connectivity,” says Doug Torre, director of networking and technical services for CHS. “But when you need to provide access to the nontechnical people, SSL VPNs are the way to go.”

Neoteris, which sells an SSL VPN appliance, is one of a growing number of vendors offering alternatives to traditional VPNs. So far, however, the vast majority of companies that need to provide remote access for employees or site-to-site connectivity are using VPNs based on the IPsec standard. With IPsec products, IT departments usually need to install VPN client software on each laptop or home computer from which a user might want to access the company network. But companies are increasingly experimenting with new VPN flavors, including SSL, or clientless, VPNs, as well as Internet gateway appliances, especially for employee remote access. Some are going even further afield by using remote control services such as GoToMyPC, from Santa Barbara, Calif.-based Expertcity.

In the past, companies created private networks by leasing hardwired, and often extremely expensive, connections between sites. An Internet-based VPN, by contrast, takes advantage of the public Internet to securely transmit data between corporate sites, thereby cutting costs. During the past five years, companies have adopted VPNs to provide remote access for mobile workers, connect telecommuters, replace the standard WAN between fixed offices and connect business partners. A VPN works by using the shared public infrastructure while maintaining privacy through “tunneling” protocols that encrypt data at the sending end and decrypt it at the receiving end.

Despite the cost advantages and greater flexibility for an increasingly mobile workforce, IT managers have found VPNs to be time-consuming because employees often need support when downloading software or maintaining their connections. “A lot of people are grappling with the clumsiness of VPNs,” says Edward Shapland, a former senior manager in the critical technologies group at Cap Gemini Ernst & Young in New York City. “The fact that you have to deploy software to the machine isn’t a big deal if you’re only talking about corporate laptops. But if you want to allow access from home computers, Internet kiosks and to business partners, it becomes complicated.”

The SSL Alternative

To get around the clumsiness, more and more vendors are offering what they call instant virtual extranets or networks, which provide access over a browser to Web-enabled data. Vendors such as Neoteris, Netilla and Rainbow Technologies sell SSL-based Web security appliances that sit on the server side of an enterprise, while Checkpoint, Nortel and OpenReach offer SSL in addition to traditional IPsec VPNs. Other vendors such as Positive Networks of Overland Park, Kan., offer an SSL VPN as a service so that companies can avoid installing software on their server or buying an appliance. Most of them use the same SSL technology, applied in different ways.

The main advantage of going with an SSL VPN is lower cost. “SSL VPNs may or may not be cheaper to buy, but they are cheaper to deploy,” says Eric Hemmendinger, an analyst at Aberdeen Group in Boston. Once customers install the appliance or software, an SSL VPN requires little support from the IT department. Employees can simply log on to the company network from their Web browser instead of wrestling software onto their home PCs.

SSL connections can also prove more stable. “Because an IPsec VPN is a network-level connection, it’s more prone to breaking,” says David Thompson, an analyst at Stamford, Conn.-based Meta Group.

Despite the ease of use, SSL VPNs do have limits to their usefulness. Employees who need to connect to applications that are not Web enabled will still need a client/server VPN. In addition, a given SSL VPN product may not include additional security controls (strong authentication, for instance), leaving the customer to purchase such tools separately. Companies may also find it cumbersome to purchase both an SSL VPN for remote access and an IPsec VPN for site-to-site connectivity, where SSL VPNs are still extremely rare.

An Easier Way

The SSL portion of the remote access market is still small, but analysts expect that it will grow quickly over the next several years. By 2006, Meta Group predicts, 80 percent of companies will use SSL as one of their means of access. Early adopters of SSL VPNs, many in the health-care industry, have found that the technology has a place in their organization even if that doesn’t mean they will do away with their traditional VPN for staffers who need full access.

At Catholic Health System, IT employees became interested in VPN technology early on. In one of their first experiments, they built a traditional VPN so that a group of eight radiologists could review images on their home PCs. Initially, they distributed software for the physicians to install on their PCs but found that most of them had their own home networks and configurations that complicated the process. The doctors wanted IT staff to come to their homes to do the reconfiguring, but that created a support bottleneck. “Our physicians didn’t really like this, and these are smart people,” says Torre. “We are still using this system, but it isn’t a model that we wanted to proliferate because of the expense and lower satisfaction.”

When Torre wanted to start a project that would provide remote access to 500 doctors, he started looking for an alternative. He chose Neoteris for its ease of use and its appropriateness for the health-care industry. Doctors now log in to the Neoteris box from a Web browser, using their user name, a PIN and an additional code number generated by an RSA SecurID token. The fact that Neoteris doesn’t allow access to every application is an advantage, Torre says, given that the hospital network wants to expose only certain information, such as patient test results.
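The two ideas in the passages above, an SSL gateway that sits on the server side in front of Web-enabled applications and publishes only some of them, and a login that combines user name, PIN and a one-time code, are easy to miss in a vendor description. The following is an added example, not code from the original article or from Neoteris or any other vendor named here. It models a clientless gateway’s two decisions: authenticate the browser user with PIN plus one-time code, then forward only requests that match an allow-list of published internal URLs. The user records, the internal host names and the allowed path prefixes are constructed for the example; an RFC 6238 TOTP is used as a stand-in for the proprietary RSA SecurID code so that the example runs offline, and TLS termination (the “SSL” in SSL VPN) is assumed to happen in front of this logic.

```python
"""
Model of a clientless ("SSL VPN") gateway: the browser speaks TLS to the
gateway, the gateway checks PIN + one-time code, then proxies only requests
for published Web-enabled applications. Hypothetical example; not vendor code.
"""
import hashlib
import hmac
import secrets
import struct
from urllib.parse import urlsplit

# --- constructed sample data (hypothetical) ---------------------------------
# username -> (salted PIN hash, per-user OTP seed). In a real deployment the
# seed lives in a token server (CHS used RSA SecurID); RFC 6238 TOTP is used
# here as a stand-in so the example runs offline.
USERS = {
    "dr.smith": {
        "salt": b"constructed-salt",
        "pin_hash": hashlib.pbkdf2_hmac("sha256", b"4821", b"constructed-salt", 100_000),
        "otp_seed": b"constructed-otp-seed-for-dr-smith",
    }
}

# Published URL path prefixes mapped to the internal Web application that
# serves them (constructed host names). Anything else never reaches a backend.
ALLOWED_PREFIXES = {
    "/results/": "http://lab-results.hospital.internal",
    "/radiology/": "http://pacs-web.hospital.internal",
}

SESSIONS = {}            # session token -> (username, expiry time)
SESSION_TTL = 15 * 60    # seconds


def totp(seed, now, step=30, digits=6):
    """RFC 6238 time-based one-time code (HMAC-SHA1, 30-second step)."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def authenticate(username, pin, code, now):
    """User name + PIN + one-time code -> session token, or None on failure."""
    user = USERS.get(username)
    if user is None:
        return None
    pin_hash = hashlib.pbkdf2_hmac("sha256", pin.encode(), user["salt"], 100_000)
    pin_ok = hmac.compare_digest(pin_hash, user["pin_hash"])
    # Accept the current and the previous 30-second step to tolerate clock drift.
    code_ok = any(hmac.compare_digest(code, totp(user["otp_seed"], now - d))
                  for d in (0, 30))
    if not (pin_ok and code_ok):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = (username, now + SESSION_TTL)
    return token


def route(token, path, now):
    """Return the internal URL to proxy to, or None if the request is refused."""
    session = SESSIONS.get(token)
    if session is None or session[1] < now:
        return None                     # no or expired session: back to login
    if urlsplit(path).netloc or ".." in path.split("/"):
        return None                     # absolute URLs and traversal are refused
    for prefix, backend in ALLOWED_PREFIXES.items():
        if path.startswith(prefix):
            return backend + path       # a published application
    return None                         # not published: 403, even when logged in


if __name__ == "__main__":
    import time
    now = time.time()
    token = authenticate("dr.smith", "4821", totp(USERS["dr.smith"]["otp_seed"], now), now)
    print("login:", "ok" if token else "refused")
    for p in ("/results/patient/123", "/hr/payroll", "/results/../hr/payroll"):
        print(p, "->", route(token, p, now))
```

The allow-list is the point Torre makes: a user who is fully authenticated still cannot reach the payroll application through the gateway, because the gateway only knows how to forward the published prefixes. An IPsec client, by contrast, lands on the network and relies on whatever internal controls exist behind it.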

Just as doctors are gaining access with greater convenience, lawyers at Sonnenschein, Nath & Rosenthal in Chicago are now able to get into their network from a Web browser anywhere in the world. Sonnenschein, which had installed Citrix software to centralize applications, initially set up a traditional VPN for its globe-trotting lawyers and those who like to log on at home. While the system worked well for the company laptops, IT staffers ran into more problems with lawyers working at home who lacked a firewall at their residence. With Citrix Secure Gateway, another SSL-based gateway, the lawyers can now gain access via Web browser. According to Sonnenschein’s CIO, Andrew Jurczyk, the SSL system costs about half of what the VPN did. The one drawback, he says, is that lawyers occasionally can’t get past the firewalls when visiting some large corporate clients.

Even Easier

If even an SSL VPN looks too complicated, there are other options. Some companies, for instance, may decide to outsource their remote access system. UMB Bank, a multibank holding company in Kansas City, Mo., is using an outsourced service from Positive Networks to provide both VPN and browser-based remote access for employees. Eric Foster, UMB’s director of security, says he chose an outsourced model based on cost and convenience, and he notes that Positive Networks has sent support staff to bank executives’ homes to help them get started.

CIOs who want to forgo all of the hassles involved with VPNs and even their SSL alternatives can also consider screen-sharing technology such as GoToMyPC. At Ventana Medical Systems, a medical device manufacturer in Tucson, Ariz., which uses a VPN for company-wide connectivity from outside the office, 14 software developers use GoToMyPC for remote access. The service allows the software engineers to log on to their own desktops from anywhere, using screen sharing instead of a network connection.

Seeking Security

Some analysts call the GoToMyPC model a security risk because it requires that users leave their PC running when they are on the road. However, Anthony King, director of software systems at Ventana Medical Systems, says he would recommend the system to those who want to avoid the support hassles of VPNs but need full access to workstations when not in the office. King notes that his IT department was initially concerned about security before becoming convinced that it would be difficult for someone on the outside to gain network access.

Although most companies will likely opt for an SSL VPN rather than a remote control model such as GoToMyPC, many, like Ventana Medical Systems, will be combining VPNs and VPN alternatives over the next few years. When a company wants to connect a branch office or connect two networks together, the classic VPN is still the way to go. But for the growing hordes of employees demanding remote access, alternatives may fit the bill. Says Jurczyk of Sonnenschein: “Once an employee has been able to travel without a laptop, they’ll have a hard time going back.”