Innovations for both large-scale VPN deployments and remote access are in the works at Cisco. One, which will help bridge the gap between SSL-VPN and IPsec, is expected to roll out in the first half of 2007.
IPsec VPNs traditionally require some form of client application at the user end in order to access network assets. By contrast, SSL-VPNs typically utilize a Web browser in order to facilitate access, though end-user clients are also common.
Bob Berlin, director of product marketing at Cisco, said Cisco has likely shipped more IPsec VPNs than all other companies combined, numbering in the tens of millions of IPsec client deployments.
IPsec, though cheaper to deploy than SSL-VPN, has typically involved more deployment and management complexity. Cisco's upcoming VPN software release, version 7.3, due in 2007, will make the underlying VPN technology, whether SSL-VPN or IPsec, more transparent to users.
"The end user won't know or care if they are connecting to IPsec or SSL-VPN," Berlin told internetnews.com. "That's the goal ultimately from a user point of view: Why should you care? You are just trying to connect to somewhere."
"From an IT management perspective you care very much because the level of service and the nature of the secure connection will be dictated by the different technologies," Berlin added.
Berlin said that some of Cisco's competitors who don't necessarily have a strong IPsec offering have jumped on the SSL-VPN bandwagon and go out of their way to say that you should only deal with SSL-VPNs.
At the beginning of this year, a Gartner report concluded that SSL-VPNs will be the primary remote-access method by 2008. Cisco was then and is now of the opinion that both IPsec and SSL-VPNs are viable and their deployment depends on the nature of the application and what sort of access an enterprise is seeking to provide.
Cisco's Network Access Control (NAC) technology is also playing a role in VPN. "On the remote-access side, NAC is part of every remote-access opportunity we see," Berlin said.
Next year's new VPN release from Cisco will further add to its existing access-control capability. "We have integrated a posture-assessment capability into our SSL-VPN ASA offering that will be available in our upcoming 7.3 release," Berlin noted. "It is the same posture assessment that is available in our NAC offering."
Cisco is also improving its IPsec VPN technology for large-scale deployments. The networking giant recently introduced a new technology called Group Encrypted Transport (GET).
Dee Dee Pare, product marketing manager at Cisco, explained that the idea behind GET is to remove the need to set up thousands of separate VPN tunnels in a large deployment.
With GET, an IPsec VPN can be deployed to thousands of users over a private network, such as an MPLS network, and it does not force users to trade off the benefits of MPLS such as instantaneous any-to-any connectivity and quality of service.
"In many cases when you set up an IPsec tunnel or thousands of tunnels, you would have to give up some benefits and give up some latency," Pare explained to internetnews.com.
Also with GET, a trusted group is set up with a key server that has all the security policies. Group members register with the key server and they become part of the trusted group.
"Then it's just a matter of sending the encrypted data over the regular routed network," Pare said. "That way it doesn't lose any MPLS benefits."