NeoAccel SSL VPN-Plus The Future of Virtual Private Networks



Similar documents
VPN. Date: 4/15/2004 By: Heena Patel

Comparing Mobile VPN Technologies WHITE PAPER

Technical papers Virtual private networks

Secure Network Design: Designing a DMZ & VPN

Why SSL is better than IPsec for Fully Transparent Mobile Network Access

IPSec or SSL VPN? Copyright 2004 Juniper Networks, Inc. 1

Virtual Private Networks Solutions for Secure Remote Access. White Paper

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

I. What is VPN? II. Types of VPN connection. There are two types of VPN connection:

Connecting an Android to a FortiGate with SSL VPN

Understanding VPN Technology Choices

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

How To Configure SSL VPN in Cyberoam

Remote Access VPNs Performance Comparison between Windows Server 2003 and Fedora Core 6

Building Remote Access VPNs

Juniper Networks VPN Decision Guide

White Paper. SSL vs. IPSec. Streamlining Site-to-Site VPN Deployments

Using Entrust certificates with VPN

A Performance Analysis of Gateway-to-Gateway VPN on the Linux Platform

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

ReadyNAS Remote White Paper. NETGEAR May 2010

SiteCelerate white paper

What the Experts Say

MCTS Guide to Microsoft Windows 7. Chapter 14 Remote Access

How To Configure Apple ipad for Cyberoam L2TP

Secure remote access to your applications and data. Secure Application Access

Cisco Which VPN Solution is Right for You?

Virtual Private Networks: IPSec vs. SSL

A Web Broker Architecture for Remote Access A simple and cost-effective way to remotely maintain and service industrial machinery worldwide

Virtual Private Networks Secured Connectivity for the Distributed Organization

Creating a VPN Using Windows 2003 Server and XP Professional

Building Your Complete Remote Access Infrastructure on Windows Server 2012

SSL Encryption and Traffic Inspection ADDRESSING THE INCREASED 2048-BIT PERFORMANCE DEMANDS OF 2048-BIT SSL CERTIFICATES

SAFE-T RSACCESS REPLACEMENT FOR MICROSOFT FOREFRONT UNIFIED ACCESS GATEWAY (UAG)

How To Establish Site-to-Site VPN Connection. using Preshared Key. Applicable Version: onwards. Overview. Scenario. Site A Configuration

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

Highly Available Unified Communication Services with Microsoft Lync Server 2013 and Radware s Application Delivery Solution

The term Virtual Private Networks comes with a simple three-letter acronym VPN

SSL VPN 1H03 Magic Quadrant Evaluation Criteria

Small Business Server Part 2

AppDirector Load balancing IBM Websphere and AppXcel

Cisco Virtual Office Express

How Virtual Private Networks Work

Virtual Private Networks

SSL VPN vs. IPSec VPN

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Sonicwall Firewall.

Endpoint Security VPN for Mac

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Fortinet Firewall. Overview

Network Access Security. Lesson 10

Radware s AppDirector and AppXcel An Application Delivery solution for applications developed over BEA s Weblogic

Sophos Certified Architect Course overview

Licenses are not interchangeable between the ISRs and NGX Series ISRs.

Cisco ASA 5500-X Series ASA 5512-X, ASA 5515-X, ASA 5525-X, ASA 5545-X, and ASA 5555-X

1.264 Lecture 37. Telecom: Enterprise networks, VPN

How Virtual Private Networks Work

SSL VPN Technology White Paper

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

This document describes how the Meraki Cloud Controller system enables the construction of large-scale, cost-effective wireless networks.

SSL VPN Technical Primer

SSL VPN. Virtual Private Networks based on Secure Socket Layer. Mario Baldi. Politecnico di Torino. Dipartimento di Automatica e Informatica

Solutions Guide. Secure Remote Access. Allied Telesis provides comprehensive solutions for secure remote access.

IPSec vs. SSL: Why Choose?

Design and Implementation Guide. Apple iphone Compatibility

Integrating F5 Application Delivery Solutions with VMware View 4.5

Astaro Gateway Software Applications

GajShield UPTM Certification Module 4. GajShield Infotech Pvt Ltd

Workflow Guide. Establish Site-to-Site VPN Connection using RSA Keys. For Customers with Sophos Firewall Document Date: November 2015

Juniper Networks VPN Decision Guide

Preparing Your IP network for High Definition Video Conferencing

7.1. Remote Access Connection

SVN5800 Secure Access Gateway

ISG50 Application Note Version 1.0 June, 2011

Astaro Security Gateway V8. Remote Access via SSL Configuring ASG and Client

VMware View 4 with PCoIP I N F O R M AT I O N G U I D E

WAN Traffic Management with PowerLink Pro100

Acceleration Performance Tests for IBM Rational ClearTeam Explorer

New Obvious and Obscure MikroTik RouterOS v5 features. Budapest, Hungary MUM Europe 2011

Stateful Inspection Technology

Array Purpose-Built SSL VPN

Cornerstones of Security

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Internet Privacy Options

DrayTek Vigor High Performance Firewall Router. - VPN - Up to 200 concurrent tunnels. - Load Balancing & Failover between WAN ports

White Paper: Managing Security on Mobile Phones

Cisco Wide Area Application Services Optimizes Application Delivery from the Cloud

Configuring IPsec VPN with a FortiGate and a Cisco ASA

Securing Citrix with SSL VPN Technology

Chapter 5. Data Communication And Internet Technology

How To Protect Your Network From Attack

Chapter 6 Configuring the SSL VPN Tunnel Client and Port Forwarding

Configuration Guide. How to set up the IPSec site-to-site Tunnel between the D-Link DSR Router and the Cisco Firewall. Overview

Frequently Asked Questions

WanVelocity. WAN Optimization & Acceleration

The Application Delivery Controller Understanding Next-Generation Load Balancing Appliances

SSL VPN Evaluation Guide. Criteria for Choosing the Right SSL VPN

VPN Lesson 2: VPN Implementation. Summary

Transcription:

NeoAccel SSL VPN-Plus The Future of Virtual Private Networks NeoAccel White Paper Overcoming the Performance Limitations of Conventional SSL VPN Introduction: The Evolution of Virtual Private Networks VPN (Virtual Private Network) technology was created to enable secure communications over public networks. Current VPN technology permits using the public Internet or any IP (Internet Protocol) network as if it were a private leased line between end-points, providing secure access to all private resources. Earlier generations of VPN technology were narrow solutions that supported limited networking protocols, utilizing transport mechanisms including PPTP (Point to Point Tunneling Protocol), L2TP (Layer 2 Tunneling Protocol), and today s pre-dominant IPSec (Internet Protocol Security). IPSec VPN technology was designed exclusively for IP networks. IPSec based VPN offers reasonable performance, standards-based security, and application transparency. However, IPSec suffers from technical complexity for both users of the VPN and administrators of the network infrastructure, resulting in a very high total cost of ownership (TCO). The newest generation of VPN technology is based on the ubiquitous Secure Socket Layer (SSL), which is embedded in all contemporary web browsers and web servers. This newest generation emerged a few years ago to take advantage of the widespread adoption of SSL for secure web page delivery between a web server and a user s web browser. The motivation behind the rapid adoption of SSL VPN technology was the desire to eliminate the high complexity and support costs of IPSec VPN for secure delivery of applications and information. SSL security protocols for web page delivery are universally supported by all web servers and web browsers. It is well understood and easy to implement and use. Importantly, network infrastructure, such as firewalls, are

typically configured to pass SSL traffic without administrator intervention of specialized configurations. The Limitations of Conventional SSL VPN The first generation of SSL VPN requires a gateway between remote clients and the private network. The remote user accesses the web site hosting the portal and supplies information for authentication purposes (such as an user ID and password). After being authenticated, the gateway serves as a proxy between the web enabled application and the end user. The link from the SSL VPN gateway to the end user is HTTPS (i.e., SSL-encrypted Web pages). The SSL VPN gateway proxies connections between the gateway and the end user, converting internal addresses to externally viewable pages that the remote user can access to appropriate applications and data. This is referred to as no client, web enabled application access or in many cases kiosk mode. Today s second generation of SSL VPN technology adds full application transparency without the need for applications to be web enabled. The problem with secondgeneration implementations is the high overhead and resulting slow performance of the communication between client and gateway. This performance impact is due to three architectural issues. 1) SSL is implemented in the user space of an operating system environment as opposed to the kernel space. Since SSL works as a TCP application, the SSLencrypted link between client and server contains the TCP data stream between the client and the target application server (Figure 1). This overhead results in the TCP-over-TCP meltdown problem that is well known in satellite networks. This TCP-over-TCP meltdown problem dramatically reduces data throughput by a factor of up to 30x and decreases the maximum number of concurrent connections. These performance and scalability limitations are due to the high overhead associated with context-switching operations between user space and kernel space.

2) The high latency conditions associated with lossy networks often results in significant packet loss especially in WLAN (wireless) environments. 3) The latency injection introduced by SSL processing in user space many times contributes to performance degradation compared to IPSec VPN. Figure 1 - TCP-over-TCP Overcoming the TCP-over-TCP Meltdown Problem The TCP-over-TCP meltdown problem can be overcome by processing SSL connections in the kernel space of the operating system which decreases the number of contextswitching operations and eliminates the TCP resizing and slow start problems associated with wireless network jitter. Additionally, by adding hardware encryption, essentially all overhead of SSL processing can be eliminated to provide performance for SSL VPN equivalent to or greater than conventional IPSec VPN. However, if SSL processing is not performed in the kernel, then hardware-assisted encryption loses its acceleration benefits due to the overhead associated with moving data and session

information between the SSL processing routines in user space and the SSL encryption hardware driver in kernel space. NeoAccel s SSL VPN-Plus is the first solution to implement the third generation of SSL VPN technology to overcome the performance-sapping overhead of SSL processing and eliminate the TCP-over-TCP meltdown that plagues conventional SSL VPN in lossy environments such as wireless LANs, which can typically consume as much as 20 percent of the SSL VPN throughput capacity. NeoAccel SSL VPN-Plus moves all SSL processing into the operating system s kernel space, thus reducing SSL protocol overhead by typically 80 percent compared to second-generation SSL VPN implementations as well as providing complete application transparency. Additionally, NeoAccel has implemented a unique solution based on its patent-pending Intelligent Connection Acceleration Architecture (ICAA ) that eliminates the need for the user's application session information to be encapsulated over an SSL session -- instead creating a single connection between the client and the VPN gateway. It is not unusual for network traffic to suffer 1 to 10 percent packet loss, which produces TCP-over-TCP meltdown resulting in 1.5x to 30x longer response time for conventional SSL VPN. Most organizations that have adopted second-generation SSL VPN have experienced the frustration of gaining application transparency at the cost of unacceptable application performance. NeoAccel s SSL VPN-Plus uniquely offers the low overhead, high performance, and application transparency of IPSec VPN, but without the complexity experienced by end users or the heavy support costs required by IT organizations. The following references are some market research analyst observations about the pros and cons of SSL VPN vs. IPSec VPN. Their observations and conclusion now need to be rewritten as a result of NeoAccel s new third generation of SSL VPN solutions.

NeoAccel SSL VPN-Plus now offers ALL of the performance and full-access advantages of IPSec VPN combined with the simplicity of SSL VPN. NeoAccel s SSL VPN-Plus overcomes the conventional wisdom that only IPSec VPN can provide site-to-site support while conventional SSL VPN providing only remote access support. Because of the unique architecture of SSL VPN-Plus and the resulting dramatic performance and scalability advantages, a third-generation SSL VPN can now offer both the site-to-site support of IPSec VPN and the remote access capabilities of SSL VPN. SSL VPN and the Future of Virtual Private Networks Gartner notes that the simplicity and portability of SSL VPN can lower the cost to implement remote-user VPN for corporate workstations, as well as access from noncorporate systems such as PCs. Where traditional VPN are not required, expect immediate value from investments in SSL VPN in the form of easier deployment and support. However, META Group s METAspectrum SSL Virtual Private Networks Market Summary points to the future broad market adoption of SSL VPN as a replacement for IPSec VPN. With the onset of widespread adoption and large-scale deployments (i.e., >1,000 concurrent users) during the next two years, the critical requirements will become scalable management functions (particularly configuration capabilities) and greater system performance/capacity. As with most other security solutions, vendors that best balance security, performance, and manageability and in this case, accessibility to applications as well will be positioned to dominate the market. Adds Michael Suby, senior research analyst at Stratecast Partners (a division of Frost & Sullivan), Complete remote access solutions encompass three functional components connectivity, security, and performance. Most SSL VPN are designed to address only connectivity and security. Where NeoAccel is positioned is in directly addressing the performance inhibitors in today's SSL VPN. Once overcome, we expect enterprise deployments of performance-enhanced SSL VPN in WAN and wireless LAN environments to accelerate.

Contact NeoAccel CORPORATE HEADQUARTERS NeoAccel Inc, 2055 Gateway Place, Suite 240 TEL: +1 408 274 8000 San Jose, CA 95110 FAX: +1 408 274 8044 EMAIL: info@neoaccel.com NeoAccel, SSL VPN Plus, Intelligent Connection Acceleration Architecture and Secure Everything are trademarks of NeoAccel. All other products are or may be trademarks of their respective owners.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information