
Nokia Sweetens SSL

Nokia Corp. (NYSE: NOK) is adding Secure Socket Layer (SSL) encryption features to its IP security platform. The company, which ranks second behind Cisco Systems Inc. (Nasdaq: CSCO) in the IP security appliance market, already offers a suite of appliances that provide virtual private network connectivity using IPSec. By adding tools for SSL, it's addressing another market in which corporations are looking to beef up VPNs using standard Internet software.

SSL offers an alternative to IPSec that avoids the headaches of deploying and managing client software. Unlike IPSec, which requires client software on each device in the VPN, SSL does not usually require a special client piece because it’s already embedded in standard Web browsers and Internet software.

The SSL market remains a niche, trailing the more dominant IPSec market, but some analysts see it picking up momentum.

“IPSec remains the dominant tunneling and encryption technology for VPLS,” said Jeff Wilson, executive director at Infonetics Research Inc. in a report published last week. “But MPLS and SSL are gaining steam.”

In its latest report, Infonetics says that VPN products, particularly SSL products, are growing in popularity. According to last week’s report, spending on VPN products and services will grow 42 percent from $25.3 billion to $35.8 billion between 2003 and 2007. By 2005, 74 percent of mobile workers are expected to use VPNs, up from 59 percent in 2003.

To beef up security for corporate users, Nokia has developed the Nokia Secure Access System. This software, which is loaded on a Nokia appliance, not only authenticates users to make sure that only authorized employees have access to the network, but it also exchanges digital certificates with the machine being used and performs a client integrity scan. This scan checks for vulnerabilities on the device. Based on this scan and the user’s profile, it automatically adjusts the user’s privileges. In the end, the worker at the Internet café may be restricted to email only, keeping other sensitive files and applications out of harm’s way.

Nokia, which has deployed 150,000 systems in the market over the past four years, has partnered with other security companies. For example, its firewall appliance uses software from Check Point Software Technologies Ltd. (Nasdaq: CHKP). But this latest product was built entirely by Nokia from the ground up, says Dan MacDonald, the firm's vice president of product marketing.

While Nokia claims to be the first company to introduce this integrity-scanning feature on an SSL appliance, it will likely face competition from the two entrenched companies in this market, Aventail Corp. and Neoteris. Nokia officials believe their product has an edge, because these small security companies specialize only in SSL appliances.

Nokia is offering the SSL software on its low-end IP platform for about $3,495. It will be generally available in the third quarter of this year.

— Marguerite Reardon, Senior Editor, Light Reading

excitedPhoton 12/4/2012 | 11:53:59 PM
re: Nokia Sweetens SSL

So this isn't the box out of Kanata? I thought that project had been canceled. It sounds like it runs on the resurrected Ipsilon boxes that are now used for Checkpoint.

The article says:
"SSL offers an alternative to IPSec that avoids the headaches of deploying and managing client software. Unlike IPSec, which requires client software on each device in the VPN, SSL does not usually require a special client piece because it's already embedded in standard Web browsers and Internet software."

You haven't done justice to the comparison between IPSec and SSL. I doubt that Nokia would have leaned so far in SSL's favor, given how much they earn on their VPN boxes. I'll err on the side of IPSec since you laud SSL so much.

IPSec in tunnel mode avoids having a special client in each box. SSL is end-to-end.

IPSec allows you to encrypt/authenticate multiple streams of traffic based on 5-tuple matches. SSL is per stream.

IPSec, even when used in transport mode, end-to-end, with special client software modules, is not application based. The easily available SSL module you talk of is embedded in the browser. You can't, for example, use it for mail. You need another module for mail (well, unless you use the browser's mail feature). SSL is application-based, to some extent.

IPSec is a little more involved from a config point of view. But IKE in aggressive mode, shared secret, is pretty trivial to set up.

On the other hand, SSL relies on certificates to authenticate the parties. Certs can be pretty hard to understand. Do you know what that cert that some site handed your browser is meant for?
In most cases, SSL is single-sided authentication. They don't authenticate you, you authenticate them, e.g., their Web server. Typically, by validating their cert was issued by a known cert issuing company like Verisign or Thawte. In many cases, these certs are self-signed root certs. You can go to your browser and check out all those options under certificate management. All these points just go to show that complexity of management isn't necessarily a barrier to use.

In SSL's favor, the browser is the most popular application next to mail and it is SSL-ized.

You can ssh into a *-ix box and do most stuff that way. Not so easy with Win* boxes, though.

But here's the most bizarre statement in the piece:
"IPSec remains the dominant tunneling and encryption technology for VPLS," said Jeff Wilson, executive director at Infonetics Research Inc. in a report published last week.

I'm sure Jeff didn't say that.

At first I thought:
TLS = Transport Layer Security (IETF's SSL)
TLS = Transparent LAN Services (IETF's VPLS)
Could there be a connection?

Or could it just be too much VPLS on the brain, eh, Maggie? You meant VPNs, right?

-eP
