F5 hails death of IPsec VPN remote access


Internet traffic management vendor F5 Networks has been travelling Australia prophesying the death of IPsec VPN – but the response to its evangelical mission has so far been mixed.

Hari Krishnan, the visiting global IP VPN product manager of US-based F5 Networks, said that the advent of SSL VPN meant the days of IPsec VPN in remote access networking were numbered.

'There are clearly things that IPsec just cannot do. You cannot use it very easily from a kiosk, for example. You cannot even get access at the application level. If you're really talking about giving access to partners or customers to specific applications, it's not very easy to do that across IPsec,' Krishnan said.

He said that products such as F5 Networks' SSL VPN box FirePass – the latest version of which is coming out in June – made it easier, cheaper and more efficient to manage remote access security for a more mobile workforce.

'End-users need access anywhere and to various types of applications to get their jobs done. You need to give access without increasing the risk to the enterprise, making sure that information doesn't get left on a third-party device, for example,' he said.

SSL VPN meant users did not need to cope with the numerous complications posed by IP addressing to set up an effective remote access security system, Krishnan said.

'Users are going to migrate to SSL-based access ... When you don't need to manage individual client software, there are 1000 less problems,' he said.

The happy chant from Krishnan reiterated the benefits of centralising patch management, security policies and policing of the security and behaviours of rogue access points such as third-party laptops, PDAs and mobile phones.

'You can keep the bad guys out. When you open up access to set up applications, there are some threats,' Krishnan said. 'You can have a kiosk policy that says you want to clean up your information on the client device. You can create this policy on FirePass [online].'

Louis Abdilla, product manager at security specialist distributor Content Security, said SSL VPN and IPsec VPN were both good product categories – in their place. The death of IPsec VPN's usefulness to the market was a way off, he said.

'SSL VPN? It's good technology. It's awesome,' Abdilla said. 'It's really secure.'

He said Content Security had carried a NetScreen version of SSL VPN for about a year, and it was definitely proving popular with customers. However, IPsec was cheaper for many users and some did not need any further functionality.

'It all comes down to individual decisions at the moment. But everything's going to be about [remote access security] next year,' Abdilla said.

Tim Dickinson, regional sales manager for a vendor of IPsec VPN, SonicWall, has seen the light – and it's not SSL VPN.

SSL VPN was still application-specific, he pointed out, while IPsec VPN worked at the network layer. 'You still need to have applications running that are web-based to have SSL VPN add any value. If you have to web-enable any applications, that adds to the complexity,' he said.

'Development costs can spiral out of control,' Dickinson added.

He conceded that SSL VPN didn't need client software loaded, which was a definite advantage. However, SonicWall's IPsec VPN offering, he said, could be delivered pre-configured, prior to the application being loaded on the desktop.

'So, basically, the administrator can pre-configure the client and download it on the machine. You don't actually have to be at that machine to load it,' Dickinson said. 'That's a huge difference and eliminates the key reason for having SSL VPN.'

Features such as centralised patch management for client devices could be handled from SonicWall's global security client, he said. 'That really gives you the ability to extend security to the mobile desktop.'

Users of SSL VPN would still need firewalling at the network level, Dickinson added.

