[VPN] Universal VPN client

Doug Dooley ddooley at juniper.net
Sun Jul 18 14:27:43 EDT 2004


Travis - here are my attempts at answering your questions... 

About the "adapter over SSL" option to support client/server applications: At Juniper, we call it SAM (Secure Applications Manager).  There are two types: Java Applet and Win32 based (delivery can/will be done via ActiveX, Java, or Installer service).

In the case of J-SAM, it supports client-initiated static TCP port applications and a few more complex applications: Outlook (MAPI), Citrix (ICA), and Lotus Notes. J-SAM runs on most versions of Windows, Linux, and Mac OS X.

In the case of W-SAM, it supports any client-initiated (static or dynamic port) TCP application in two ways: by process name with MD5 checksum (optional) AND/OR by IPRange:PortRange. As you might guess, W-SAM runs on Windows only.

Here's an example of W-SAM configuration, if you wish to support Outlook (any version) on an end-user client to a specific set of servers on any port.

  Add Application: Outlook.exe
  MD5 Checksum: 40825acfc23e0ad28da1fc63f77e9825
  Add Host:Port: 10.10.7-10.1-2:*

Here's another example, for adding Citrix client/server support for multiple versions/types of ICA clients (anything with "ica" in the process name) and also enforcing an MD5 checksum signature in case you will only support, let's say, 3 specific Citrix client versions:

  Add Application: *ica*.* 
  MD5 Checksum: 40825acfc23e0ad28da1fc63f77e9825, 40825acfc23e0ad28da1fc63f77e6895, 85745acfc23e0ad28da1fc63f77e7777
  Add Host:Port: 10.*.*.*:1494

Lastly, to your point about CAP-EX (capital expenditure) being more expensive than IPSec - that is more of a function of time, and it will continue to go down.  The OP-EX (operational expenditure) is much better with SSL today.  So if cost is both (CAP + OP) and if the OP-EX is the larger of the two components, then SSL VPN could be compelling for any organization.

As for the other things you outlined for Juniper (ASIC, Layer3, etc.) - those are not out of the question by any means.  FYI: Juniper/Neoteris can handle Layer 3 connections in a clientless fashion today (called Network Connect) on the SSL VPN gateway.  It's our recommended access option for UDP and server-initiated based applications.  Also, significant R&D is underway to continue to make NC even better and even faster.

Bill Yazji - 

I appreciate your comments, and my apologies for the "plug"; not my intention, just trying to provide information and a point of view (hopefully not too biased).

As for the security points you raised, the more you learn about how to hijack SSL VPN connections the more you'll begin to understand that many SSL VPN offerings have some unique security advantages that IPSec remote access does not.  Also, the number of End Point Security partners that integrate with SSL VPNs makes the security offering look even more promising for SSL.  But I don't want to get into a religious argument about which is more secure.

I believe both technologies have a lot to offer, both are going to be around for a long time, and I'll admit IPSec remote client software is very mature.

That said, the cost of managing IPSec clients is "operationally" prohibitive for many organizations (maybe not yours?), but most analysts (Forrester, Gartner, Meta, etc.) have concluded that over time SSL remote clients and access options will be used in the majority of cases, because the vast majority of users need access to applications (web, file server, email, client/server) but they do NOT need access to the network; or better, they do not need to be a member of the network with their own IP address; and better yet, IT security teams do not want to add them to the network if possible.

SSL VPNs lend themselves to solving the problem at the application layer unlike IPSec.

As for the Aventail comparison, frankly anyone at Juniper will tell you that we enjoy taking the "Pepsi challenge" against Aventail every day of the week if possible.  We have received more competitive wins with customers purchasing Juniper/NetScreen/Neoteris over Aventail than any other competitor.

According to Infonetics, Aventail (after 7 years in the space) has watched its market share numbers shrink - they went from ~16% to 12% where Juniper/NetScreen/Neoteris grew from ~38% to 45%.  Also, there are several other competitors who are much more formidable.  What I can say about Aventail is that they have a strong marketing team (check out the "spin" they put on that Infonetics report) but their current appliance offering and their ability to execute is allowing other vendors in this space to take the #2 spot away from Aventail.

SOURCES: 
 http://www.infonetics.com/resources/purple.shtml?ms04.vf.1q04.nr.shtml 
 http://www.infonetics.com/resources/purple.shtml?vpn04.na.nr.shtml
Juniper 45%: 
 http://www.juniper.net/company/presscenter/pr/2004/pr-040608.html 
Aventail 12%: 
 http://www.aventail.com/news/press/2004/07_12_04.asp 

Also Forrester just came out with a comprehensive report about the Remote Access VPN market (SSL & IPSec) and Juniper is the leading SSL vendor with Aventail being the runner up. 

http://www.forrester.com/Research/Document/Excerpt/0,7211,34334,00.html 

As for competitive reviews with Trade Press on the SSL VPN space - the fact remains that Juniper has been very fortunate - taking top honors at Network World, Network Computing, and PC Magazine.  In the Network Computing review, Aventail was #5 out of 8 SSL VPN vendors (in order): Neoteris (Juniper), Nokia, Nortel, Whale, Aventail, SafeWeb (Symantec), Array, then Portwise.

NWC (#1 of 7): 
http://www.nwc.com/showitem.jhtml?articleID=16000510&pgno=4 
NWW (#1 of 8): http://www.networkworldfusion.com/reviews/2004/0112revmain.html 
PCM (#1 of 6): 
http://www.pcmag.com/article2/0,4149,1202255,00.asp  

Not trying to beat up any vendor here but these are facts so you can draw your own conclusion on who leads the SSL VPN space:
 - by customers
 - by market share
 - by analyst research 
 - by trade press reviews.

Today, it appears Juniper is leading on all fronts but there are many tough competitors in the space and lots more maturing of technology to go but it's been a fun ride so far.

I hope this was useful.

Doug Dooley
Juniper Security Products
Technical Marketing, Manager
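As an added illustration of the W-SAM rule shape described above (process name pattern, optional MD5 checksum list, Host:Port specs with wildcards and octet ranges), the following Python is an example evaluator written for this thread; it is not Juniper's code, and the rule syntax, the default-deny evaluation, and the sample process images it hashes are all assumptions constructed here, not taken from the product.

```python
"""Added example: evaluate W-SAM-style application rules (assumed semantics, not Juniper's code)."""
import fnmatch
import hashlib
from dataclasses import dataclass, field


def _field_matches(spec: str, value: int) -> bool:
    """Match one dotted-quad octet or a port: '*', a literal '7', or a range '7-10'."""
    if spec == "*":
        return True
    if "-" in spec:
        lo, hi = (int(x) for x in spec.split("-", 1))
        return lo <= value <= hi
    return int(spec) == value


def host_port_matches(spec: str, ip: str, port: int) -> bool:
    """Check a destination ip:port against a spec like '10.10.7-10.1-2:*' or '10.*.*.*:1494'."""
    host_spec, port_spec = spec.rsplit(":", 1)
    fields = host_spec.split(".")
    octets = [int(o) for o in ip.split(".")]
    if len(fields) != 4 or len(octets) != 4:
        return False
    return all(_field_matches(f, o) for f, o in zip(fields, octets)) and _field_matches(port_spec, port)


@dataclass
class AppRule:
    """One 'Add Application' entry: glob on process name, optional checksum pin, allowed Host:Port list."""
    process_pattern: str                                    # e.g. "Outlook.exe" or "*ica*.*"
    md5_checksums: list[str] = field(default_factory=list)  # empty list means checksum not enforced
    host_ports: list[str] = field(default_factory=list)

    def allows(self, process_name: str, image_bytes: bytes, dest_ip: str, dest_port: int) -> bool:
        # Process name comparison is assumed case-insensitive, as Windows file names are.
        if not fnmatch.fnmatchcase(process_name.lower(), self.process_pattern.lower()):
            return False
        # When checksums are configured, the executable image must hash to one of them.
        if self.md5_checksums:
            digest = hashlib.md5(image_bytes).hexdigest()
            if digest not in {c.lower() for c in self.md5_checksums}:
                return False
        # Finally the destination must fall inside one of the allowed Host:Port specs.
        return any(host_port_matches(hp, dest_ip, dest_port) for hp in self.host_ports)


def check_connection(rules: list[AppRule], process_name: str, image_bytes: bytes,
                     dest_ip: str, dest_port: int) -> bool:
    """Default deny: a connection is tunnelled only if some rule explicitly allows it."""
    return any(r.allows(process_name, image_bytes, dest_ip, dest_port) for r in rules)


# Constructed stand-ins for executable images; real checksums would come from the vetted binaries.
FAKE_OUTLOOK_IMAGE = b"constructed outlook image v1"
FAKE_ICA_IMAGES = [b"constructed ica client A", b"constructed ica client B", b"constructed ica client C"]

OUTLOOK_RULE = AppRule(
    process_pattern="Outlook.exe",
    md5_checksums=[hashlib.md5(FAKE_OUTLOOK_IMAGE).hexdigest()],
    host_ports=["10.10.7-10.1-2:*"],
)
CITRIX_RULE = AppRule(
    process_pattern="*ica*.*",
    md5_checksums=[hashlib.md5(img).hexdigest() for img in FAKE_ICA_IMAGES],
    host_ports=["10.*.*.*:1494"],
)
RULES = [OUTLOOK_RULE, CITRIX_RULE]


if __name__ == "__main__":
    print(check_connection(RULES, "OUTLOOK.EXE", FAKE_OUTLOOK_IMAGE, "10.10.9.1", 135))   # True
    print(check_connection(RULES, "outlook.exe", b"tampered image", "10.10.9.1", 135))   # False
    print(check_connection(RULES, "wfica32.exe", FAKE_ICA_IMAGES[1], "10.200.3.4", 1494))  # True
    print(check_connection(RULES, "wfica32.exe", FAKE_ICA_IMAGES[1], "10.200.3.4", 1495))  # False
```

The checksum pin is what makes the process-name rule meaningful: a pattern like `*ica*.*` alone admits any binary that happens to carry "ica" in its file name, whereas the hash list restricts the tunnel to the client builds the administrator has actually vetted. Default deny in `check_connection` means a connection that matches no rule is never forwarded.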



-----Original Message-----
From: Travis Watson [mailto:travis at traviswatson.com] 
Sent: Saturday, July 17, 2004 8:43 AM
To: Doug Dooley
Cc: Jas Chase; vpn at lists.shmoo.com
Subject: Re: [VPN] Universal VPN client

Doug,

I'm sure most everyone on the list would love to do ssl VPN for their 
clients, but cost is the main issue for me and probably most out there. 
For small to mid-sized companies, a 5-figure initial investment probably 
isn't met too well--particularly when they can do it for less than 
$1000. For large companies, ssl VPN (as it is today) becomes 
impractical--even if cost isn't as big a factor. We currently have over 
20,000 VPN users in my company (well, the company I work for, not 
exactly mine). To serve all of them with ssl VPN would require a 
7-figure investment and care and feeding on dozens of termination 
points. We can do it now for under $10 a head with standard IPSec 
clients and just a few pairs of termination points distributed around 
the world.

Plus we have a lot of fruity, home-grown applications that use custom 
tcp-ports (a *lot* of them), that ssl wouldn't seem to be able to do. 
Even common commercial applications are known for using random, or 
custom, tcp high ports--Exchange being the biggest one (OWA just doesn't 
cut it for executives). You mention a windows adapter over SSL--could 
you give us more info on that, please? I'm not familiar with it.

Now if you can get that old Neoteris stuff onto your ASIC, handle layer 
3 without having to futz with the Desktops much (hopefully not at all), 
and get the cost toward $10/person, you may well have something. That 
just seems like a lot to ask.

Regards,

Travis


Doug Dooley wrote:

> Just curious - why would you want to deal with the headaches of full 
> client software configuration + management, all the various NAT 
> traversal problems, and Proxy conflict issues associated with legacy 
> Layer 3 tunneling clients (L2TP, PPTP, IPSec)?
>
> SSL VPN devices provide "anytime anywhere" access in three forms:
>
> - Pure clientless (web-based) - Internet café, kiosk, PDA, cell phone, 
> anything with a first-class SSL enabled browser
>
> - Semi clientless (client/server app support) via Java Applet or 
> ActiveX/Win32
>
> - Full Layer 3 access (windows network adapter over SSL)
>
> No client software installation/configuration/management, No NAT 
> traversal problems, No proxy conflicts.
>
> Sorry for the pitch but just thinking - right tool for the right job?
>
> Maybe I'm missing something?
>
> If cap-ex cost of the appliance is the issue, there are cost-effective 
> choices out there.
>
> Just wait a couple of weeks when Juniper announces an extremely cost 
> effective SSL VPN appliance that will resonate with those 
> price-sensitive folks.
>
> Your thoughts...
>
> *Doug Dooley*
> Security Products Group
> Technical Marketing, Manager
>
> ------------------------------------------------------------------------
>
> *From:* vpn-bounces+ddooley=juniper.net at lists.shmoo.com 
> [mailto:vpn-bounces+ddooley=juniper.net at lists.shmoo.com] *On Behalf Of 
> *Jas Chase
> *Sent:* Thursday, July 08, 2004 10:16 AM
> *To:* vpn at lists.shmoo.com
> *Subject:* [VPN] Universal VPN client
>
> Hi All,
>
> Just wanted to know whether there is a universal VPN client for 
> Windows that supports IPSEC, PPTP, L2TP. My reason for asking this is 
> because I do not want to install proprietary Netscreen Client software 
> on my laptop but instead a universal client. Any help would be greatly 
> appreciated. Thanks.
>
> Sincerely,
> Jas Chase
> /K-Swiss MIS/
>
>------------------------------------------------------------------------
>
>_______________________________________________
>VPN mailing list
>VPN at lists.shmoo.com
>http://lists.shmoo.com/mailman/listinfo/vpn
>