Hybrid VPN creates an SSL stir

Net6 claims it has managed to merge IPsec and SSL technologies, just as the two camps have agreed on a common message to the...

Net6 claims it has managed to merge IPsec and SSL technologies, just as the two camps have agreed on a common message to the market.

However, some competitors are doubting the wisdom of such a move and warn that users could end up with the worst of both worlds.

The company said that its Hybrid-VPN Gateway had the advantages of SSL and IPSec, but not their disadvantages.

Murli Thirumale, the company's chief executive officer, said, "IPsec intercepts traffic at the network level, and encrypts and transports it at the network level. It's network plumbing, bridging networks so you get connectivity, but firewalls can block it and worms can cross it. SSL VPNs intercept at the applications layer and also transport and encrypt at the application layer."

He added that while SSL is easier to implement and support, it needs clients for non web-enabled applications, whereas IPSec is application-transparent.

"Net6's approach is a mixture of the two, we intercept at the network layer which gives 100% application coverage and access, and also allows us to do voice, but we encrypt and transport at the application layer. That gives the full transparency of SSL, so it works everywhere," Thirumale said.

"What we see happening is the others are almost all adding SSL to IPSec or vice versa, as they've all realised that customers want the benefits of both. But for example, it means Cisco puts two devices in one box and the user has to figure out which mode to use."

Rival VPN developers argue that this is done for good reasons, as the two technologies have different uses.

"It has been an either/or debate, but now everyone agrees that each has its proper place," says David Aminzade, EMEA sales manager at Check Point Software. "The question is how you run and manage the two together.

"A combination could end up with the worst of both worlds. You need software on the client for strong authentication, and managing that is onerous. It could be done automatically, pushing the update down each time, but then you never know what versions are in use out there - someone might not have connected for ages."

"We see the SSL side maturing into something different from the IPSec side," agreed Tony Caine, Aventail's EMEA vice-president. "SSL is a secure application gateway for roving users and IPsec is for point-to-point links between trusted machines."

However, Thurimale argued that the pure SSL approach was not future-proof: "You could use pure SSL if you only had a few web apps to deploy, but it is a dead-end in terms of allowing you to support new apps in the future, and you can't webify voice."

He added that because Net6 is application-transparent like IPSec, it could support voice-over-IP, which SSL VPNs cannot.

Tony Caine acknowledged the voice problem, adding that Aventail was having to develop a new VPN architecture to support VoIP.

"We have two modes - a clientless kiosk and a client, but the client is URL-deployed and auto-updating," said Thurimale. "The nice thing is we're not app-chasing, whereas the SSL companies are always building connectors."

As if to confirm that, last week also saw SSL VPN pioneer Whale Communications add support for a number of Microsoft, Citrix Systems and PeopleSoft programs.

Now at version 4, Net6's Hybrid-VPN Gateway is based on technology originally developed to deploy applications to mobile devices such as PDAs and IP phones. Thirumale says that version 4 is the first to support PCs as clients, and costs from $150 (£82) to $15 per seat, depending on the size of box bought.

Bryan Betts writes for Techworld.com

Read more on IT strategy