AN EXECUTIVE GUIDE TO VPN TCO
NOVEMBER 2005
WatchGuard Technologies, Inc.
www.watchguard.com

OVERVIEW

IPSec VPNs revolutionized the way that remote workers and business partners connected to a business, by establishing a secure tunnel between a remote worker or business partner and the organization to which they were connecting. IPSec VPNs enabled employees to attain immense productivity gains while reducing the costs for the employers. From a total cost of ownership standpoint, IPSec VPNs provided significant cost reductions for organizations using Remote Access Servers (RAS) to provide secure remote access to their employees.

Unfortunately, IPSec VPNs bring along the administrative headaches and high costs of support and configuration, primarily from the installation and updating of VPN clients. Support costs associated with IPSec VPNs are the main reason for the high Total Cost of Ownership (TCO). The high TCO of IPSec VPNs is also the reason why SSL VPNs successfully emerged in the market. According to Forrester, 2005 will mark a transition in the VPN landscape, with some businesses continuing to use IPSec for site-to-site connectivity, while the majority will deploy SSL for remote access.

In addition to having high support costs, IPSec VPNs also prevent traveling users from connecting back to corporate resources while behind the firewall at a customer or partner site. Additionally, because secured clients obtain a routable IP address on the private network, IPSec VPNs have become a prime traversal route for the spread of worms, which have had a decimating impact on business.

It’s no wonder then that SSL is fast emerging as the remote-access VPN technology of choice. According to Forrester, SSL adoption climbed to 44% of all North American enterprises between 2002 and 2004.

HISTORY

Remote Access Servers (RAS) were developed to provide employee access to corporate resources from remote locations.
RAS enabled employees to dial a telephone number that connected them to a modem bank that sat on the organization’s firewall. Although very secure, RAS was extremely expensive and usually did not work for employees who were at a customer or partner site as there would be few analog ports for modem access.

Virtual Private Networks (VPNs) were created to solve this problem. VPNs enabled employees to access corporate resources using a regular Internet Service Provider (ISP) or wired or wireless LAN connection. Over the years, organizations have deployed different types of these solutions, such as thick-client VPNs (IPSec, PPTP, and L2TP).

IPSEC VPN FUNCTIONALITY AND LIMITATIONS

IPSec VPNs provide secure remote access by creating a tunnel between an employee’s PC and the VPN gateway. This tunnel is managed by software that is installed on the client PC and the VPN gateway. Although IPSec VPNs freed organizations from the high cost of RAS, they introduced an expensive support requirement, while still not solving the issue of employees needing to connect from behind firewalls.

The issues with IPSec VPNs are as follows:

- IPSec VPNs introduce administrative headaches and high support costs. Thick-client solutions require an organization to employ large support teams to aid end users with installation, maintenance, and troubleshooting.
- IPSec VPNs are not firewall-friendly. This prevents the use of VPN by employees who need to connect to a private network from some other organization, where it is not possible to contact network administrators and request them to change firewall policies. This situation leaves many employees -- often key sales, marketing, or executive staff -- unable to access company information from customer or partner organizations they may be visiting.
- IPSec traffic is considered “business-level” by many DSL and cable providers.
This means that employees who have residential DSL and cable modem service will have IPSec traffic blocked by that provider.
- IPSec VPNs aid in worm traversal by opening up a tunnel between networks. This is because the remote PC is assigned an IP address on the destination network. Worms scan route tables on the remote PCs for all the available networks to propagate.

IPSEC VPN TCO

The main factor in the high TCO of IPSec VPNs is the support of the client software on the employee PCs, and the help desk support to troubleshoot issues that employees experience with their VPN connections.

The high cost of client software support is not unique to IPSec VPNs. This is the reason why most applications today have gone from a client-server model to a Web-based model. Applications like Sales Force Automation (SFA), Customer Relationship Management (CRM), Enterprise Resource Planning (ERP), and a host of others have evolved to a Web-based model to eliminate issues with supporting and upgrading client software.

Based upon research into VPN management costs within various organizations, Cisco Systems has estimated that in-house VPN management costs approximately $30 per user, per month. Criteria used in making this determination include the number of simultaneous remote users that require support, and whether software clients, hardware clients, or router-based solutions for remote workers must be deployed.

Some IT organizations might reject the possibility of TCO of IPSec VPNs being as high as research-based estimates. According to the Yankee Group, however, the Cisco figure is realistic. In a 2004 research report, the Yankee Group estimates that based upon a scenario of 150 VPN users and 15 concurrent VPN tunnels, the monthly TCO of an IPSec VPN solution is around $31.25 per user. Note that this figure incorporates costs for IT administration, support, and troubleshooting only.
There are also hidden costs around loss of employee productivity that, while difficult to quantify, are also a significant factor:

- Employees on the phone with the help desk for VPN support
- Employees upgrading VPN clients (estimated at least 15 minutes per upgrade)
- Employees connecting via ISPs that block IPSec traffic
- Employees who are unable to connect to their resources from behind customer or partner firewalls

SSL VPN FUNCTIONALITY AND LIMITATIONS

To overcome all of the issues and problems associated with IPSec VPN, the category of remote access known as SSL VPN was created. SSL VPNs provide access to Web applications by recreating the navigation paths of the application. They do this by deconstructing and reconstructing the Web page in real time as requests are serviced. Essentially these solutions provide a Web portal of access to a certain list of Web applications.

Although SSL VPNs primarily work with Web-based applications, a few SSL VPN vendors have written custom connectors that enable access to a limited number of client-server applications. Custom connectors sold by SSL VPN vendors are normally for applications that have a standard (non-customizable) client. An example of this type of application is Microsoft Outlook, which has a standard client (within releases). In other words, the Microsoft® Outlook® 2000 SP3 client is the same for company A as it is for company B or any other company.

An example of an application that does not have a standard client is one that is customized for a particular customer. Examples of these custom applications are the SFA, CRM, and ERP applications from companies such as Siebel, Oracle, Remedy, Clarify, SAP, and others.

The SSL VPN vendors that do support limited client-server application access (only a few do) approach these two types of applications differently.
With an application that has a standard client, they use the client that is on the user’s PC, but create a protocol mapping scheme that slows performance, is specific to the version of software, and necessitates that the IT department change settings in the network as well as on each laptop. For applications that do not have a standard client, the SSL VPN vendor can either create a custom connector or bring in their Professional Services team to “Webify” the product.

To justify the cost of developing a custom connector, this connector must be able to be sold to many customers. Since these applications are customized for a particular organization (that is, SFA, CRM, ERP, etc.) and do not have a standard client (like Outlook), the client will be specific to each customer. Therefore, an SSL VPN vendor will default to the customer using their professional services organization to Webify the application, since a custom connector for a customized application cannot be leveraged across many customers.

After reading about the issues that SSL VPNs have with thick client-server applications, you may wonder why an organization doesn’t simply develop and deploy the Web interface available from many of the SFA, CRM, and ERP vendors. Unfortunately, SSL VPNs can’t work with many of the “real business” Web applications being deployed. This is because SSL VPN is essentially a proxy technology, and as such, has to deconstruct and rewrite links to provide access to internal Web applications. This means SSL VPNs can only work with Web structures that can be parsed. Java applets, ActiveX, Flash, and other Web structures are executable binary code and cannot be parsed. Unfortunately, many of the Web interfaces from SFA, CRM, and ERP vendors contain these structures, and that prevents them from being accessed through SSL VPN.

For the Web applications that can be used with an SSL VPN, there is significant performance degradation.
For every page of every internal Web application that is accessed using SSL VPN, the SSL VPN has to parse the Web page, identify navigation paths (such as URLs), rewrite and map navigation paths to externally accessible URLs, and then reconstruct all of the Web pages.

SSL VPN TCO

While the main issue with IPSec VPNs is the recurring annual operating costs, the main issue with SSL VPNs is the high acquisition costs in terms of product pricing, professional services, and software maintenance costs. SSL VPN companies have been able to justify this because they were relieving organizations of the burden of recurring annual IPSec operating costs.

Most articles on SSL VPNs warn potential customers to be wary of “add-on” costs. What this means is that it may be $10,000 for the base SSL VPN package, plus an additional $5,000 per custom connector. Custom connectors can consist of basic functionality like FTP, e-mail, file sharing, etc. Basic functionality that comes standard with IPSec is an extra feature with SSL VPNs.

A recent quote for 50 concurrent tunnels from one of the leading SSL VPN vendors totaled $30,000. Add to this a 20% annual maintenance agreement and any subsequent professional services for Webification of applications where there is no custom connector, and the acquisition costs increase rapidly.

SSL VPNs will eventually cause an organization to spend additional capital on application upgrades as they do not inherently support all applications or protocols. Additionally, since there are setup issues involved to ensure that applications can be accessed correctly from both inside and outside of an organization’s firewall, there is significant IT setup time required on both the application side and on the client PC side. This is especially true with applications like e-mail, where IT departments have to set up special network configurations such as split DNS entries to make the applications work.
Another issue is the fact that nearly all SSL VPN vendors recommend that organizations maintain an IPSec VPN deployment for the applications that cannot work over an SSL VPN, even with Webification.

And just as is the case with IPSec VPNs, SSL VPNs are also impacted by associated costs that are not quantifiable, including:

- Employees having to use a portal view of the applications instead of the normal desktop-like look and feel that they have with IPSec
- Employees cannot use soft phones while remote
- Employees cannot synchronize thick-client applications, such as e-mail, for work off-line

IPSEC VS. SSL: FUNCTIONALITY AND TCO

The bottom line is that the strengths of an IPSec VPN are the weaknesses of an SSL VPN and the strengths of an SSL VPN are the weaknesses of an IPSec VPN. This is the case not only for the functionality, but also for the factors that comprise the TCO:

- IPSec VPNs have low starting and high recurring costs
- SSL VPNs have high starting and low recurring costs

The ideal case would be for an organization to replace both of these types of products with a single solution that not only provides the combined advantages of both IPSec and SSL VPN solutions, but also does so with both low starting and recurring costs.

THE WATCHGUARD FIREBOX® SSL CORE VPN GATEWAY: SECURE, UNIVERSAL REMOTE ACCESS FROM ANY DEVICE, ANYWHERE

The WatchGuard® approach to secure remote access provides organizations with the combined advantages of both IPSec and SSL VPNs, while eliminating the shortcomings of both technologies. The WatchGuard Firebox® SSL Core VPN Gateway provides this functionality with a low TCO in terms of acquisition and recurring costs.

FIREBOX® SSL CORE VPN GATEWAY FUNCTIONALITY

Resolving issues that plague traditional IPSec VPNs, the WatchGuard Firebox SSL Core VPN Gateway provides users remote access through firewalls, and prevents the traversal of worms by not bridging networks.
IT upgrade support costs are eliminated with a URL-distributed client that automatically updates when the user connects to the network. Unlike SSL VPNs, the Firebox SSL Core VPN Gateway provides a desktop-like network experience and supports all protocols and applications in native form without requiring any custom Webification.

Category                                               IPSec VPN   SSL VPN   Firebox Core SSL VPN Gateway
Desktop-like network access                            Yes         No        Yes
All applications supported                             Yes         No        Yes
Peer-to-peer and real-time applications (voice/video)  Yes         No        Yes
Supports all protocols                                 Yes         No        Yes
Low support costs                                      No          Yes       Yes
Access through any firewall                            No          Yes       Yes
Hides network IP address (blocks worms)                No          Yes       Yes
Clientless kiosk mode                                  No          Yes       Yes
Optimized (UDP) media and voice streaming              No          No        Yes
Always-on functionality                                No          No        Yes

Strengths and weaknesses of IPSec and SSL VPN solutions, demonstrating how the WatchGuard Firebox SSL Core VPN Gateway stacks up against both types of VPN products.

IPSec, L2TP, or PPTP VPN solutions provide network layer access and encryption. SSL VPNs provide application layer access and encryption. WatchGuard combines network layer access with application level encryption to drastically improve the end-user experience, while significantly reducing the IT security administrator’s overhead and risks.

The WatchGuard Firebox SSL Core VPN Gateway allows organizations to deploy just one technology for all their secure remote access needs.
The benefits of this technology include:

DEPENDABLE, UNIVERSAL ACCESS

Firebox SSL Core VPN Gateway provides two access modes within a single appliance:

- Secure Access client mode lets authorized users connect over an automatically updating, Web-deployed client for an in-office user experience, accessing any application or network resource
- Kiosk mode allows authorized users to use Web-enabled handhelds, laptops, desktops, and Internet kiosks to securely access Web applications, Citrix® servers, and other Web-based network resources

Regardless of the mode used, Firebox SSL VPN Gateway traverses any firewall and supports all major operating systems and protocols, including UDP (VoIP), TCP, and IP.

EASE OF USE

Firebox SSL Core VPN Gateway provides secure access without additional costs, reconfiguration, development work, or administrative headaches:

- No additional components, adapters, or special application connectors are required
- The client automatically updates whenever the user connects to the network, and requires no customization, installation, or maintenance
- Intuitive interfaces reduce configuration and management for the IT administrators
- The familiar user interface maintains productivity and minimizes support incidents

STRONG ADMINISTRATIVE CONTROLS

Granular controls with integrated logging and reporting enable centralized user and group access management:

- Determine level of trust for both user and endpoint
- Assign authentication and authorization to give users and groups levels of network and application access
- Enable or disable split tunneling and split DNS

POWERFUL SECURITY

Firebox SSL Core VPN Gateway provides security between endpoints and network resources, from both managed and unmanaged devices:

- Verifies security status by checking device attributes such as IP address, firewall settings, operating system, patch level, and status of antivirus software
- 196-bit TLS encryption supports all OpenSSL ciphers, including 3DES and RC4
- Hides IP addresses of remote network to block worm traversal
- Session timeout protects corporate information from unauthorized users
- Since no data is transferred in Kiosk mode, cache clearing is not required
- Support for two-factor authentication and PEM digital certificates alleviates security concerns for extending network access

SUMMARY

In today’s tight economy, organizations need to ensure that they are leveraging their capital and their expenses wisely. This means purchasing products that not only save on recurring costs, but are not overwhelmingly expensive to begin with.

IPSec VPNs and SSL VPNs both have inherent advantages and disadvantages. Organizations need the superset of advantages of both these types of products, with none of the shortcomings. The WatchGuard Firebox SSL Core VPN Gateway provides organizations with the best of both worlds by providing the combined advantages of IPSec VPNs and SSL VPNs in a single product that is easy to install and maintain.

The WatchGuard Firebox SSL Core VPN Gateway enables IT departments to provide an unmatched secure remote access solution at a fiscally responsible price.
