Cisco SSL VPN features in the pipeline

Cisco Systems is understood to be launching the latest version of its flagship VPN 3000 Series Concentrator product, which...

Cisco Systems is understood to be launching the latest version of its flagship VPN 3000 Series Concentrator product, which includes Secure Sockets Layer VPN features, next week.

Industry analysts claimed that Cisco will include an SSL VPN (virtual private network), called "WebVPN", with existing IPsec (IP Security Protocol) VPN features at no extra cost. Cisco did not respond to requests for comment.

SSL VPNs are an increasingly popular technology for providing remote users with access to network resources such as e-mail, software applications and network file servers, according to Dave Kosiur, a senior analyst at The Burton Group.

As opposed to VPNs that use IPsec, SSL VPNs are typically "clientless", meaning that they do not require a separate software application to be installed on the remote user's machine.

They also rely on the SSL protocol, which is a part of most common web servers and web browsers and widely used to secure e-commerce transactions, Kosiur said.

Companies using SSL VPN pass connections through port 443, to which most firewalls automatically allow traffic. In contrast, IPsec requires multiple ports to be opened on firewalls to handle different elements of the IPsec VPN exchange such as message authentication headers and IKE (Internet Key Exchange) traffic, he said.

Because they use clients, IPsec VPNs can be more difficult to manage for large numbers of users. Business travellers who rely on IPsec VPNs often find that internet providers such as hotels have not modified their firewalls to allow IPsec connections, denying them VPN access to their company network from the road, Kosiur said.

IPsec suppliers have made progress in resolving such integration problems, but left a window open that SSL VPN vendors have used to grab market share, Kosiur said.

Cisco will offer 3000 Concentrator customers basic, clientless SSL VPN features which will enable users to access e-mail, file sharing servers and web applications.

The 3000 Concentrator will support a limited thin client mode, in which a Java web browser plug-in can be downloaded and used to handle operations such as port forwarding for static communications ports, according to Kosiur, who was briefed on the new features by Cisco.

The latest SSL VPN features will take advantage of existing VPN 3000 IPsec capabilities such as load-balancing and high availability features, according to information obtained.

The product will not, initially, support products which do more sophisticated port switching, such as Citrix Systems' terminal emulation products or IBM's Lotus Sametime instant messaging application, Kosiur said.

That will put them somewhat behind dedicated SSL VPN suppliers such as Aventail.

"Cisco is providing what Aventail or Neoteris were offering nine months ago, so they will need to do some catch-up in terms of offering additional functionality," Kosiur said.

Nevertheless, the features Cisco is rolling into the 3000 Concentrator should cover around 80% of what companies use VPN for, he said.

For companies that have already invested in the 3000 Concentrator product or other Cisco hardware, that may be enough to convince IT purchasers to stay with the company for VPN as well, according to Zeus Kerravala, vice president of enterprise infrastructure at The Yankee Group.

Cisco scored at the top of a recent Yankee Group poll which asked network managers which SSL VPN supplier they would consider in the next 12 months, even though the company had not even announced its SSL VPN product when the poll was conducted, he said.

In addition, IPsec is still a widely accepted VPN technology, and even preferable for so-called "power users" who need remote access to more complicated network applications and legacy systems, Kosiur said.

Cisco's move to add both SSL VPN and IPsec on one device, at no extra cost, will put pressure on other VPN suppliers to do the same, he said.

Paul Roberts writes for IDG News Service

Read more on IT strategy