The virtual private network (VPN) is far from solving all the security issues of mobilising a workforce, but it has taken a major step in ensuring that businesses can accommodate the needs of remote workers without compromising their corporate security.
Selling VPNs should, in theory, become easier as customer demand and understanding increase, and as the products themselves become cheaper and easier to install. While at first sight they may not seem a great idea for a reseller, the reality is that this potential is helping to expand the market and to fuel the expectation, among analysts at least, that this is a product worth having.
The reasons for the expected surge in VPN investment are fairly obvious. A rise in home working and better staff mobility have increased the need to access corporate networks and data from remote locations. The growth of broadband internet has made remote access easier, while staff demand for home working has been given a push by the flexible-working legislation introduced last year.
Factor in the reduced costs of employing a more mobile or teleworking workforce, and you have a recipe to print VPN money.
The fear within companies, of course, is that a mobile workforce potentially makes a network more vulnerable. Unauthorised access to the corporate network is high on the list of worries - not just nuisance hacking but also unauthorised access to sensitive data - along with denial-of-service attacks.
These are understandable concerns, and ones that resellers can exploit to help businesses choose, install and manage VPNs.
The demand for 'anywhere, anytime' corporate network access has resulted in an increased demand for Secure Socket Layer (SSL) VPNs, and most analysts believe investment in these will rocket. Datamonitor expects enterprise investment in SSL VPNs to rise from $120m in 2003 to just over $1bn in 2007.
The dilemma over whether to install IP security (IPsec) or SSL VPNs has been raising its head over the past few months. The question is not necessarily whether or not SSL will oust IPsec as the VPN technology of choice; it is more a case of which technology is best suited to which type of business user.
In fact, the advent of SSL has widened the market for VPNs and not stolen business from the IPsec installed base.
"SSL hasn't taken business away from IPsec; it has created its own market," observes Graeme Smee, director at distributor equIP. "SSL has enabled secure remote access to corporate networks for more businesses, whereas IPsec has been more to do with site-to-site connections for a few elite enterprise businesses."
David Ellis, director of e-security at distributor Unipalm, says IPsec "will work with any application but requires a client to be installed on each remote device [laptop, PDA etc] to add the encryption".
"As SSL is built into every browser, no special client software is required for SSL VPNs," he explains. "However, because of its dependence on browsers, SSL normally works only with web-based applications - for example, not Microsoft Outlook for email.
"There are workarounds for this, with vendors such as Rainbow/SafeNet and Nokia downloading a client-side Java applet to manage decryption, and port and host file-mapping changes."
The key benefit of an SSL VPN is that it enables businesses of all shapes and sizes to take advantage of remote working capabilities through the built-in security functionality of a web browser. SSL is not new, of course, and as a security technology it has already gained widespread acceptance, including that of the financial industry which uses an evolved version of SSL called Transport Layer Security.
The bottom line, then, is that SSL is a proven technology that enables businesses to deploy a cost-effective security policy for all workers, remote or otherwise. This total cost of ownership issue is also driving interest. Where IPsec is complicated to install and a complex technology to run, SSL is well within the grasp of most IT managers.
EquIP, which has NetScreen and Neoteris VPN products on its books (NetScreen recently acquired Neoteris), believes resellers are well positioned to sell VPNs alongside other security products. Customers demand it, according to Smee. "We sell a lot of SSL VPNs in conjunction with other forms of authentication," he says.
It all signals that businesses are willing to take a multi-faceted approach to their security requirements, and to give resellers reasonable rein to set up and manage them.
"We are seeing strong demand in the VPN market, which is being driven by organisations wanting to reduce connectivity costs for site-to-site communications while coping with an increase in remote workers," says Ellis.
"Most big projects are still IPsec-based, although there is good growth in the SSL VPN market. As it stands today, most SSL VPN deployments are being rolled out at a departmental level within enterprise and corporate organisations, rather than across the whole of the company."
This fits with the idea that businesses could recognise a requirement for both types of VPN, although this will mainly concern the larger enterprises rather than the SME space. The prevailing feeling is that SSL will dominate in time.
"Now that vendors within the SSL market are tackling the traditional issues associated with running a clientless VPN, such as having non-web-enabled applications, I expect to see some companies start to switch over totally to this environment," says Ellis.
"Certainly, there are benefits in moving to SSL VPNs in terms of reducing management costs, such as not needing to have local access to every client machine for upgrades, improving user flexibility and ease of use."
This view is supported by Ian Kilpatrick, chairman of Wick Hill Group. Although he believes IPsec has its place, he also claims there is "a lot of reseller activity" in the SME market for remote connectivity, and it is here that SSL is gaining ground, albeit slowly.
IPsec, he predicts, will still be around for a few years to come, despite the fact that it is more complex than SSL.
"IPsec is still the biggest area by value. SSL is growing slowly but we have resellers selling managed IPsec VPNs along with WatchGuard point-and-click centralised management," says Kilpatrick. "There is a perceived complexity with VPN deployment and this can be a good business opportunity for resellers."
Kilpatrick also points out that there are some good opportunities for resellers with VPN upgrades, particularly for VPNs installed with the early adopters.
"There are also a number of businesses that installed cheap no-brand VPN routers and have tried to replace a dial-up remote access server with a VPN connection, leaving remote workers struggling to connect," he says.
Businesses need a strategy for remote working and some have had their fingers burned by not doing it properly and cutting corners, he adds. As a result, resellers are picking up business in sorting out these problems and are being given the management of the VPN too.
Niall Moynihan, Check Point's northern European technical director, reiterates this point by claiming: "If the customer goes past the channel and looks straight to the vendor for products, they are heading for trouble."
Many businesses may have been buoyed by the more 'user-friendly' VPN appliances on the market, but as most vendors will appreciate, they are more to do with marketing than reality. There is still a need for integration and, more importantly, maintenance and support.
However, the appliances themselves will help resellers, Moynihan claims. "Resellers don't want to build security boxes; they want to install, upgrade and support," he says.
"A number of our resellers have been dealing with appliances in the high end and now there are products for SMEs, too."
The science of appliance
The continued complications that arise from installing security products such as VPNs do mean the reseller's role is far from being reduced to fulfilment when it comes to appliances.
Check Point's [email protected] appliance for small businesses, for example, has a firewall, a four-port switch and an IPsec-based VPN. So while the appliance covers some ground in reducing the hardware, there is still a lot of work to be done in linking the VPN with specific clients.
What customers really want is an SSL-based appliance, and that is exactly what NetScreen has just unveiled. The NetScreen Secure Meeting appliance includes an SSL-based VPN at its core and is being aimed at companies that want to hold online meetings and collaborate through peer-to-peer connections.
It is an effective off-the-shelf solution that still requires considerable reseller input, so resellers, rather than fearing appliances, should be inspired by the market opportunities they will undoubtedly create.
Smee believes it will not be long before appliances with both technologies integrated will be on the market. The boundaries are blurring, not just with VPNs but also with a range of security technologies, including intrusion detection systems (IDS) and firewalls.
The idea that security products are merging into one appliance is backed by Ellis. "The trend is to install appliances to run VPNs, whether they are IPsec or SSL," he states.
"These give the same benefits - strong security, high performance and ease of deployment - as other security applications, such as firewalls, antivirus, IDS/IPS and so on, which are normally also appliance-based."
So who is buying VPNs? According to most industry observers, VPN installations are becoming more horizontal as businesses of all shapes and sizes, from a large cross-section of industries, recognise the benefits.
According to Datamonitor, however, the most rapid growth is in the government, utilities and pharmaceutical sectors, with financial services maintaining its position as the leading buyer. It also predicts the utilities sector will account for expenditure of $900m by 2007.
According to Moynihan, there do not seem to be any industry boundaries for VPN technology. "Banks are always big," he says. "Manufacturing, health and government are also big buyers of VPNs but we have also sold products to a community of farmers in Sweden."
Other vendors and distributors echo Moynihan's customer list (with the exception of the farming community), and the belief is that SSL-based VPNs will be a real money-spinner for resellers over the next two to three years.
It is interesting to observe the movements within the vendor community, too. Vendors seem to be jostling for position, most notably NetScreen, which bought SSL-based VPN technology in the form of Neoteris and in turn has been snapped up by Juniper.
The acquisitions seem to be driven by the need for technology as opposed to any consolidation of businesses through market saturation.
According to Kilpatrick, this is a trend that will continue into next year, which is when we may witness some consolidation as vendors push for market share and competitive products.
Do the homework now
What is apparent, though, is the extent of reseller training that is being geared towards VPNs. This is a technology that just about every distributor involved has pinpointed as being of massive significance to the channel.
Smee claims equIP's training courses are "well attended", for SSL VPNs in particular, and Kilpatrick also confirms that Wick Hill's courses are fully booked. The trend seems set to continue for the next two to three years at least, although companies are foreseeing changes in the products that could affect how they are sold.
"Certainly, the trend in the mid-market will be that security appliances become multi-functional - running antivirus, content checking, firewalls, VPNs, IDS/IPS and anti-spam applications all in one box - as these are far more cost-effective and easier to manage," says Ellis.
"Examples of vendors with this type of solution include Symantec and Internet Security Systems. In the enterprise, 'best of breed' security applications will continue to be deployed, although there also will be a shift towards running these on a single and highly resilient platform for reducing total cost of ownership. We are seeing vendors such as Crossbeam offering this type of box."
The important thing for resellers is to secure the trust of their customers now. Further down the road, the scope for upgrades to other security products, and more likely merged security appliances, looks good. But if the analysts are to be believed, the VPN market is an opportunity that has to be realised over the next three years.
Resellers need to market to SMEs, and SSL-based VPNs appear to be as good a product as any to help open those doors.
SSL or IPsec?
One of the main differences between the IP security (IPsec) and Secure Socket Layer (SSL) technologies is that IPsec operates at the network layer. This essentially gives the IT manager total control of the VPN, as an IPsec tunnel enables the same access that a user would have if connected to the Lan.
SSL remote access, on the other hand, operates at the application layer and uses proxy servers to access web-based network resources. Whereas IPsec requires a full client on the remote computer, SSL uses the SSL capabilities of the web browser, so virtually any internet-connected machine can access corporate resources.
Each technology has its own benefits, and the belief is that companies may want to retain IPsec-based VPNs for a small number of users who remotely access the corporate network for long stretches at a time. This leaves SSL-based VPNs for more general remote access, for applications such as remote email.
The support and cost issues associated with IPsec could threaten to undermine it in the long run. However, resellers should be well placed to judge customer requirements and, where possible, offer managed services to ensure the smooth running of an IPsec VPN.
Allasso (0870) 366 8511
Check Point (01223) 713 600
equIP Technology (01256) 365 500
NetScreen (08700) 750 000
Unipalm (01638) 569 600
Wick Hill Group (01483) 466 500
Nima Green asks what is driving public cloud uptake in Germany
In the wake of yet another lawsuit involving Oracle, we run through 10 of the vendor's biggest court battles
CEO Chuck Robbins says Cisco will use the Catalyst 9000 product range as a template for future launches
Today saw 14 of the UK IT channel's biggest hitters come together to determine the winners of CRN's WiC awards. But what does being a WiC judge actually involve? Doug Woodburn reports