Comparing Mobile VPNs with SSL VPNs
The secure remote access or Virtual Private Network (VPN) market comprises three types of VPN solutions: IPSec, SSL and Mobile VPNs. Each type of VPN is designed for a specific application and type of user. Today, the secure remote access market is evolving. Two clear trends are emerging:
- Remote users, users that work primarily from a single, fixed location, are migrating from traditional IPSec VPNs to SSL VPNs for secure remote access to enterprise resources. IPSec VPN appliances are being relegated to site-to-site solutions for which they are best suited.
- There is a distinct and growing faction of remote users who do not work from a single, fixed location. These mobile users frequently move throughout the day and rely on wireless connectivity. A Mobile VPN, designed for mobile users in wireless environments, is the only VPN solution that can address the challenges associated with mobility, such as wireless security, coverage gaps, roaming, performance and handheld device support.
Mobility XE is the industry's leading Mobile VPN solution.
Mobile Versus Remote
A remote worker can be defined as a worker who performs a variety of tasks away from the corporate, branch or home office but does not require an “always on” connection to enterprise resources. These users typically work from a single, fixed location. Remote users are usually satisfied with solutions that synchronize their data with enterprise resources on an occasional basis (e.g., in the evening from the hotel room or from a local hotspot).
Mobile workers, on the other hand, require true mobility in their everyday activities. These users typically have purchased a mobile data solution from their wireless carrier or perhaps even deployed a private radio network of their own. It is not uncommon for mobile workers to have access to and to use multiple networks throughout the day.
While productivity is a common goal for both user groups, this requirement introduces challenges in a truly mobile environment that can only be satisfied by a Mobile VPN solution designed to address such complexities. These include:
SSL VPNs are adequate solutions for remote workers but are not designed to handle the above challenges. The overhead associated with SSL VPNs (because they rely on TCP and HTTPS as a transport) can be very costly in terms of performance and productivity in a bandwidth-sensitive environment.
Universal Application Access
IPSec has been recognized for its ability to secure almost all application traffic without issues of compatibility. In competitive response to IPSec and Mobile IP offerings, SSL VPN solution providers had to significantly improve their compatibility with applications common to enterprise environments. These compatibility initiatives led to marketing hype, and the term "universal application access" was coined. Universal application access is meant to describe the high degree of application compatibility offered by the SSL VPN vendor.
Recent studies indicate that "universal application access" still eludes the SSL VPN solutions. Many deployments require significant application modifications to run properly over an SSL VPN tunnel. Additionally, “fat” clients are required on the mobile device, eroding the "clientless" value proposition and increasing the complexity of device provisioning and configuration. Much effort has gone into increasing compatibility with well-known applications and protocols, but line-of-business applications often introduce environment-specific complexities and are not handled well by SSL VPN solutions. Mobile VPN solutions, such as NetMotion Mobility XE, that reside below the application layer are best suited to truly mobile computing environments.
It should also be noted that although IPSec solutions are known for their application compatibility, they fall short as these solutions cannot survive wireless coverage gaps, loss of connectivity, or network transitions where source addresses may change or be released. Resolving this weakness with IPSec has become a core mission of the Mobile IP working group. Although Mobile IP (a modification to IPSec) solutions mask IP address changes and allow transport layer connections to survive network transitions, they natively create an overhead that can be costly when running over bandwidth-sensitive networks. In summary, although IPSec and Mobile IP inherently provide universal application access, both create new risks for mobile workers including dropped connections resulting in productivity loss and compromised security.
Only mobile VPN solutions such as NetMotion Mobility XE can provide universal application access and complete compatibility with virtually all enterprise applications, including an organization’s line-of-business applications – and all without creating unnecessary overhead or compromising security.
To find out more about SSL application interoperability issues, review this insightful article, SSL VPN Interoperability Across Applications Proves Tricky, by Joel Snyder of Network World (12/19/05).
VPN Comparison
The table below provides a summary comparison of SSL VPNs and NetMotion Mobility XE.
| | Mobile VPN (Mobility XE) | SSL |
|---|---|---|
| Standards-based key exchange | | |
| Standards-based encryption | | |
| Integrates with existing authentication schema | | |
| Device-to-DMZ security | | |
| Wireless-friendly | | Tolerant |
| Seamless roaming (fast handoffs) | | |
| Seamless roaming (slow handoffs, out-of-range conditions, or suspend and resume operations) | | |
| Application session persistence | | |
| Data compression | | |
| Link optimizations | | |
| Compatible with Win32 applications without modification | | [1] |
| Transparency (ease of use) | | [2] |
| NAT-friendly | | |
| Quarantine by device or user | | |
| Policy management—layer 3 | | |
| Policy management—layer 7 | | |
| Client required for Win32 applications | | |
| Support for secure, clientless connectivity | | |
| Multi-platform support | Windows only | |

[1] Requires the installation and configuration of client software
[2] For web-based traffic
Deployment Considerations
When deploying a secure remote access solution, consider the following attributes when determining whether you need a true mobile computing solution or a solution limited to simply providing “remote” connectivity.
Seamless roaming
- Network transitions without re-authentication or application restarts
- Transparent to end-user
Application persistence
- Data is protected during roaming events, suspend/resumes, or loss of coverage
- User can initiate a data transmission, suspend the device, resume after two days, and pick up where they left off
IP address management
- Manages changing local (IP) addresses while preserving applications and connectivity
- Preserves IT management visibility and control
Policy management
- Policy Management module provides capabilities that control access to network resources and/or applications
Optimization for wireless and/or bandwidth sensitive networks:
- Employs data compression
- Uses UDP instead of TCP
- Offers link level optimizations
- Data coalescing
- Selective acknowledgements
- Uses policy management to limit protocol-heavy applications on low bandwidth networks
Universal application access
- General enterprise application compatibility
- Organizational line-of-business application compatibility