IPSec Dead?

I usually take Gartner's 'prophecies', 'surveys' and 'magic quadrants' with huge dollops of salt. They are good for using as quotes in presentations to scare the gullible but reality is mostly otherwise. I did so again when I read their report on the IPSec protocol.

The first fallacy in their statement is the 'younger technological rival' part -- SSL encryption technology is the granddaddy of IPSec, not the other way around. But yes, SSL VPNs are newer than IPSec VPNs; they came along as an afterthought rather than being designed from the ground up as VPN technology. VPNs have existed in many forms: MS PPTP VPNs, L2TP VPNs and even unencrypted, simple IP-over-TCP virtual networks. IPSec was considered the strongest of them.

Secondly, SSL VPNs are not a replacement for IPSec VPNs. They are convenient for most people, which is why they are increasingly used: you don't have to install any client software, and all you need is a web browser to initiate an SSL VPN connection. They will win out over IPSec VPNs in most remote-access applications, but IPSec will still be around for network-to-network VPNs.

Thirdly, IPSec is an integral part of IPv6. So is Gartner suggesting that IPv6 will be dead? :-) In fact, I predict that when IPv6 becomes widespread it will be easier to use IPSec than SSL, because SSL is more of an IPv4 technology and using it as a VPN will mean more overhead for applications in the future.

7 Comments (closed)

IPSec, as you said, is fine for infrastructure needs. It probably won't go away, and with IPv6, it will become part of a layer that we don't normally think that much about. The reasons for SSL VPNs catching on are simply because they do enough, easily. I'm all for it. (This also may be the result of the fact that I never quite got an IPSec tunnel to work on Linux :)

The overheads of IPsec will reduce with IPv6 in use. So it will definitely pick up more use. I too wasn't comfortable with IPsec and Linux. But on OpenBSD, it used to be a breeze. I clocked one-hour FW/VPN setups on OBSD at one point in time.

Gartner reports are nothing but corporate porn, the kind that CEOs, CFOs and CTOs love to ogle at with glee while sitting on the pot. In all the meetings that I've attended, the funny thing I see about their usage is that they are never used in internal proposals, but when you have to make a pitch to an outside firm or when an outside firm makes a pitch to you, the PPTs have like a zillion tables and pie charts citing the big G.

>> You don't have to install any client software. All you need is a web browser to initiate an SSL VPN connection.
Nope. Most of these SSL VPNs do install client s/w via the browser.

You are right. Sometimes, Gartner is all FUD.

Posted by Alok, 31 January 2007 @ 6 PM

Well, I think there is no definite benefit of deploying IPv6. NATs are here to stay, mainly because of the extendable address space. The next level is DNS and not IPv6, that is for sure. Content is king, not "numbers used to identify end points".

Hmmmmmmmmmm, interesting. Writing from experience, IPSEC will stay even past IPv6. There are millions of $$ worth of infrastructure invested by service providers and enterprises that cater to IPSEC VPNs. Also, IMHO, SSL VPNs are somehow slower than the Thick Client VPN.