Nortel Takes Its Own VPN Route
The idea is to consolidate technology and speed the provisioning of security services. Instead of buying two separate boxes for remote access, customers can buy just one. It also makes sense given the fact that Nortel has gotten little traction with the Alteon SSL VPN offering. Meanwhile, its Contivity platform leads the market in managed IPSec VPN deployments.
The 3050 comes out of a reorganization of Nortel's security division, and it uses the SSL VPN technology developed for the Alteon Web switch family and the IPSec technology found in Contivity. The company plans to offer an SSL VPN blade to slot into existing Contivity boxes in the future.
“There are a lot of remote access users out there using Contivity,” says Joel Conover, principal analyst with Current Analysis. “The new product definitely provides an immediate transition for customers who want to add SSL VPN access.”
It’s little surprise that Nortel is beefing up its SSL offering, as these product categories are gaining momentum. Three startups in the SSL VPN market have been acquired by security companies in the past three months: NetScreen Technologies Inc. (Nasdaq: NSCN) bought Neoteris Inc. (see NetScreen Snags SSL Leader); Symantec Corp. (Nasdaq: SYMC) bought SafeWeb (see Symantec Acquires SafeWeb); and F5 Networks Inc. (Nasdaq: FFIV) bought uRoam (see F5 Buys Into SSL VPNs). While most of these products are geared toward the enterprise, service providers are also interested in deploying the gear as part of their managed services (see Service Providers See Green in SSL).
Nortel claims that IPSec and SSL VPNs are complementary technologies. Integrating them onto a single platform allows customers to centrally provision and manage policies for end-users using either access method. John Doyle, director of product marketing for security and routing at Nortel, says that IPSec will continue to be used for access to network-based applications, while SSL VPNs will be used for Web-based applications.
Nortel may be the first to integrate its SSL and IPSec on the same platform, but it won’t be the last. Cisco Systems Inc. (Nasdaq: CSCO) is also expected to announce the addition of SSL VPN functionality on the 3000 VPN Concentrator, its IPSec and firewall appliance. Check Point Software Technologies Ltd. (Nasdaq: CHKP), which has a rudimentary SSL solution, is also expected to integrate its next-generation SSL solution into its firewall/VPN software product.
But at least one competitor thinks all this integration is a bad idea. NetScreen has publicly stated it has no intention of integrating SSL VPNs on the same platform as its firewall and IPSec VPN solution.
“The vast majority of customers don’t want to see SSL built into a firewall box,” said Robert Thomas, CEO of NetScreen, on its quarterly conference call last week. “We will integrate the Neoteris product into the management platform. Overtime we may integrate the SSL VPN feature into the low-end devices, but we haven’t set a timetable for that yet.”
At a high level, the Neoteris/NetScreen team views two distinct applications for IPSec and SSL VPNs. IPSec VPNs should be used for site-to-site connectivity, while clientless SSL VPNs should be used for remote users, says Jason Matlof, vice president of marketing and business development for Neoteris.
“IPSec is dead for remote access,” he says. “We can provide the functional equivalent of an IPSec VPN using a clientless SSL VPN.”
Conover disagrees with the Neoteris/NetScreen approach.
“IPSec VPNs need to maintain their identity as a remote access technology,” says Conover. “Opening an SSL tunnel from any work station compromises network security. IPSec has been engineered to work around those issues. Maybe I am on a soap box preaching and no one will listen to me, but I think using clientless remote access everywhere will come back to bite enterprises on the butt.”
Conover also warns that clientless SSL VPNs do not support the same breadth of applications that can be accessed using an IPSec VPN solution.
“If you follow the Neoteris/NetScreen argument, and you don’t use IPSec for remote access at all, then you need to be able to support all applications over SSL VPNs,” he says. “That includes voice over IP and any other application you can think of.”
— Marguerite Reardon, Senior Editor, Light Reading