The industry has been buzzing about secure socket layer (SSL) VPNs for nearly three years now. It was hard to ignore the promise of easy and secure remote access using a Web interface that was cheaper than traditional RAS and IPSec, easy for anyone to use and flexible enough to allow users to access data from any computer anywhere on the planet. But has reality met hype? Are SSL VPNs the next generation of remote access? Vendors certainly have their opinions, as do I as an analyst--but what do the users think?

This summer, Infonetics conducted a survey of user plans for all types of VPNs and published a study called User Plans for VPN Products and Services, North America 2004. Users definitely sounded off about SSL.

Nearly all respondents deploy CPE for remote access VPNs and manage their own VPNs; only 19% outsource some aspects, and only 7% buy managed remote access services, down from last year. Network-based service providers should focus on the site-to-site market for the time being, but as users become comfortable with network-based services, they will buy them for remote access as well as site-to-site, but network-based VPNs will never be a huge factor for IPSec or SSL. As the application hosting market begins to make a comeback, SSL VPN access to hosted applications will be a natural fit, but the bulk of remote access users will access applications hosted on their company’s network, not in the cloud.

We asked respondents to name their primary remote access VPN technology. IPSec is on top, used by 57% of respondents in 2006; SSL is second by 2006, but it’s not surprising that it’s only used as the primary remote access VPN technology by 7% of respondents now. PPTP and L2TP are both on a long and slow decline.

We also asked about secondary technologies used for remote access VPNs. SSL jumps up to 19% of respondents. SSL will creep into many enterprise networks as a backup or secondary remote access technology, but as the technology proves its worth, it will move into the primary position, likely faster than respondents expect; this happened when IPSec replaced traditional RAS, and the process will be the same for SSL.

One of the strong drivers for SSL VPNs is the availability of new access options for true nomadic mobile workers. Telecommuters have had access to broadband connections for years, but mobile workers are just now getting into high gear, finding broadband and wireless Internet connections or connected kiosks in hotels, airports, and convention centers around the globe. About a third of these mobile workers, on average, access their VPNs from the road by using hospitality broadband connections. The use of 802.11 hotspots grows from an average of 13% now to 27% in 2006, an opportunity for wireless LAN vendors. Guest computers and Internet-connected kiosks require SSL VPNs in most cases, and their use will increase as more companies deploy SSL VPNs.

In an open-ended question, we asked respondents what is driving them to use SSL VPNs. Ease of use and the lack of client software lead the list by far, but there is a raft of other drivers, including the deployment of more Web-based applications and the requirement to work from non-company-owned computers (guest machines, kiosks, etc.). At this point, customers are not driven by the cost savings of SSL VPNs, but they will see savings, and may possibly use those savings to enable a larger portion of the user population to use VPNs.

Users are already picky about what they are looking for in SSL VPN products, and are very concerned with security; respondents are looking for secure platforms when evaluating SSL VPN solutions, as SSL VPNs create a bridge between the outside world and key corporate applications, and respondents want to be sure that the platform itself is secure and difficult to hack. Device authentication is also key; IT managers want the ability to ID devices accessing the SSL VPN, and then apply appropriate security policies based on the status of that device (known or unknown computer, security posture of the device, etc.)

Over half of respondents are looking for a full client or full application support when they buy SSL VPN devices, so the SSL VPN can actually replace IPSec for remote access; this will be key to the success of any SSL VPN vendor. Java/ActiveX client support is not terribly important to respondents at this point, but if vendors can develop a Java/ActiveX client that can provide full application support, end-users will adopt, because those technologies help reduce the client management burden.

Vendors sold $25 million worth of SSL VPN gear in the first quarter of 2004, and we expect the market will hit $151 million in CY04. Juniper (NetScreen) is the leading vendor now, but although the market is small it is growing quickly, and market share could change considerably over the next few quarters. End-users are definitely interested in SSL VPNs--and the second half of this year should prove that this is a technology ready for prime time.

Jeff Wilson is the principal analyst, VPNs and Security with Infonetics Research and may be contacted at Jeff@infonetics.com.

Visit Infonetics Research online.