Cisco has been in the VPN market for more than a decade, at first focusing
on IPsec-based VPNs and, in more recent years, advancing
SSL-VPN. Though VPNs are considered a mature
technology, there is still room for innovation.
Innovations for both large-scale VPN deployments and remote access
are in the works at Cisco. One will help bridge the gap
between SSL-VPN and IPsec, and is expected to roll out inside of the first half
IPsec VPNs traditionally require some form of client application at the user
end in order to access network assets. By contrast, SSL-VPNs typically
utilize a Web browser in order to facilitate access, though end-user clients
are also common.
Bob Berlin, director of product marketing at Cisco, said Cisco
has likely shipped more IPsec VPNs than all other companies combined,
numbering in the tens of millions of IPsec client deployments.
IPsec, though cheaper to deploy than SSL-VPN, has typically involved more
deployment and management complexity. Cisco’s upcoming VPN software release
version 7.3 in 2007 will make the actual technology behind the VPN, whether
SSL-VPN or IPsec, more transparent to users.
“The end user won’t know or care if they are connecting to IPsec or
SSL-VPN,” Berlin told internetnews.com. “That’s the goal ultimately
from a user point of view: Why should you care? You are just trying to
connect to somewhere.”
“From an IT management perspective you care very much because the level of
service and the nature of the secure connection will be dictated by the
different technologies,” Berlin added.
Berlin said that some of Cisco’s competitors who don’t necessarily have a
strong IPsec offering have jumped on the SSL-VPN bandwagon and go out of
their way to say that you should only deal with SSL-VPNs.
At the beginning of this year, a Gartner report concluded that SSL-VPNs will be the primary remote-access method
by 2008. Cisco was then and is now of the opinion that both IPsec and
SSL-VPNs are viable and their deployment depends on the nature of the
application and what sort of access an enterprise is seeking to provide.
Cisco’s Network Access Control (NAC) technology is also playing a role in
VPN. “On the remote-access side, NAC is part of every remote-access opportunity we see,” Berlin said.
Next year’s new VPN release from Cisco will further add to its existing
access-control capability. “We have integrated a posture-assessment capability into our SSL-VPN ASA offering that will be available in our upcoming 7.3 release,” Berlin noted. “It is the same posture assessment that is available in our NAC offering.”
Cisco is also improving its IPsec VPN technology for large-scale
deployments. The networking giant recently introduced a new technology called Group Encrypted Transport (GET).
Dee Dee Pare, product marketing manager at Cisco, explained that the idea behind GET is to remove the need to set up thousands of separate VPN tunnels in a large deployment.
With GET, an IPsec VPN can be deployed to thousands of users over a private
network, such as an MPLS network, and it does not force users to trade
off the benefits of MPLS such as instantaneous any-to-any connectivity and
quality of service.
“In many cases when you set up an IPsec tunnel or thousands of tunnels, you
would have to give up some benefits and give up some latency,” Pare
explained to internetnews.com.
Also with GET, a trusted group is set up with a key server that has all the
security policies. Group members register with the key server and they
become part of the trusted group.
“Then it’s just a matter of sending the encrypted data over the regular
routed network,” Pare said. “That way it doesn’t lose any MPLS benefits.”