This 28 page Class Notes was uploaded by Mr. Erik Weissnat on Wednesday October 28, 2015. The Class Notes belongs to DIT2160 at Villanova University taught by Staff in Fall. Since its upload, it has received 18 views. For similar materials see /class/230562/dit2160-villanova-university in Information technology at Villanova University.
Date Created: 10/28/15
Gartner Research
Publication Date: 6 October 2006
ID Number: G00143589

Magic Quadrant for Wireless LAN Infrastructure, 2006
Rachna Ahlawat, Ken Dulaney

Wireless LAN technologies have matured. Most products now offer similar capabilities, but this is making it difficult to differentiate. Leaders and Challengers offer the least risk, but they lack leading-edge technology.

© 2006 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.

WHAT YOU NEED TO KNOW
Wireless LAN (WLAN) products available in the market today offer very similar capabilities. The basic difference between vendors is in their overall strategy:

1. Incumbent wired networking vendors, such as Cisco Systems and HP Procurve, have a vision of offering integrated wired and wireless LAN switches.
2. Startups, such as Aruba and Meru, are primarily focusing on the enterprises that view wireless as an overlay of wired.

We strongly advise enterprises to carry out a full competitive review of different vendors' offerings after closely examining the true capabilities of their desired WLAN. Leaders and Challengers in this Magic Quadrant will pose the least risk for client investment, but may not always provide the most leading-edge or current technology. Visionaries could provide this capability, but might present a greater risk. Niche vendors will
typically appeal to their existing client base, to low-price buyers or to those looking for a specific set of features.

MAGIC QUADRANT
Figure 1. Magic Quadrant for Wireless LAN Infrastructure, 2006
[Figure not reproduced. Quadrants: challengers, leaders, niche players, visionaries. Axes: ability to execute, completeness of vision. As of September 2006.]
Source: Gartner Dataquest (September 2006)

Market Overview
WLANs are becoming a standard part of enterprise networks. They are no longer confined to meeting rooms or visitors' areas; they are now being deployed to cover entire facilities. More and more enterprises are moving toward third-generation WLAN architecture (access points with wireless controllers) in corporate headquarters and large branch offices. Smaller offices continue to deploy fully functional standalone access points. The top three reasons for deploying wireless LANs are:

1. To improve productivity through mobility.
2. To provide access to places where wiring is impossible or too expensive to install.
3. To improve efficiency in specific business processes or operations.

From a technical perspective, WLANs are now considered secure, both through the adoption of Institute of Electronic and Electrical Engineers (IEEE) standards and native improvements to the technology. WLANs have joined LANs as full members of the "behind the firewall" infrastructure. The security solutions offered by all vendors have begun to raise the 802.1X authentication framework as an issue that clients must consider on their
technology road maps. However, problems of interoperability are still barriers to easier deployment.

As wireless LANs expand from conference rooms to the whole enterprise, concerns about network management are arising. We've gone from thinking of offices as network nodes to considering each employee as a node on a wired network. Now, every major physical item the company owns is becoming a node on a wireless network.

The enterprise WLAN infrastructure market is comprised of a number of high- and low-risk vendors with varied capabilities. The best vendors will provide the widest array of options to tailor to a client's needs at the optimum price points. They will also offer flexible security and strong management tools. The good news is that the functions offered by the various vendors are narrowing to the core set described here. This is making the choice of vendor easier, but at the same time more complex, because it is more difficult to discern highly differentiated features.

The top-rated vendors have global sales and service presence through direct or reseller arrangements. Some vendors are standalone WLAN vendors that provide their technology as a noninvasive overlay to an existing wired network. Others possess a family of wired products that are highly integrated with the WLAN products. Where the latter exists, the best vendors have provided a single management console to control both network types.

Market Definition/Description
The enterprise WLAN infrastructure market consists of a set of vendors that provide wireless IP networking solutions that conform to IEEE 802.11 standards through the Wi-Fi Alliance certification process. Vendor products include a minimum of two core components:

1. WLAN access points (APs) that distribute a Wi-Fi radio frequency (RF) signal to a variety of client devices.
2. A set of controllers that sit behind the APs to consolidate functions that are better served through centralized control when the number of installed APs exceeds five in a given area.

These
components are required to support the full set of 802.11 worldwide assigned frequencies at 2.4GHz, 4.9GHz and 5.2GHz through 5.8GHz, even though some of the frequencies cannot be legally used in every country. All APs contain a minimum of two radios that can act either as service link radios or as air sensors for security purposes. All radios are typically configurable across any of the bands in the aforementioned frequencies. Each radio supports a minimum of 16 Basic Service Set Identifiers (BSSIDs). More advanced APs support the additional capability to use one of the radios for wireless backhaul and, in the more advanced systems, capability as a mesh networking vendor. (Note: mesh-only vendors are not covered under this market assessment.) APs that can be used outdoors are optionally provided by most full-service vendors. Vendors also provide a variety of antennae, from those that provide simple diversity to multiple input, multiple output (MIMO) to higher-gain antennae that provide increased coverage. All APs should also be configurable to repeater mode when range improvements are desired over capacity.

All incumbent wired LANs have already launched WLAN products on their own or in partnership with startups. More acquisitions of WLAN startups are expected. Based on disclosed information from vendors that wish their supplier relationships to be known, and from customers and other external sources regarding relationships that were not made public, we have determined the following partner relationships. Clients should verify these relationships should they become material to any product acquisition. Each vendor is shown followed by its OEM partner (shown as not applicable, N/A, where relevant):

3Com: Trapeze Networks
Alcatel: Aruba Networks
Aruba Networks: N/A
Bluesocket: N/A
Cisco Systems: N/A (Acquired Airespace in 2005)
Colubris: N/A
Enterasys Networks: Trapeze Networks
Extreme Networks: Siemens
Extricom: N/A
Foundry Networks: Meru Networks
HP Procurve: Symbol Technologies
Meru Networks: N/A
Nortel Networks: Trapeze Networks
Siemens: N/A
Symbol Technologies: N/A
Trapeze Networks: N/A
Xirrus: N/A

Inclusion and Exclusion Criteria
Products that serve this market must provide a minimum of security features, including Wi-Fi Protected Access 2 (WPA2) certification that enables over-the-air transmissions to be fully encrypted using the highest standard form of encryption, Advanced Encryption Standard (AES). Market participants must also provide air-sensing technology that can detect RF anomalies, including rogue APs, either through a separate sensor or via a radio that can dynamically switch between service and sensing modes. All vendors must support the 802.1x authentication framework to the minimum tested features within the Wi-Fi Alliance WPA2 test suite. They should have the ability to segment traffic and support guest networking in a secure scheme that does not expose secure internal traffic to outsiders. The more advanced vendors have begun to expand security options to cover wired connections and even wide-area connections through integrated virtual private networks (VPNs) or other mainstream security methods.

Enterprise WLAN infrastructure products are supplied with management consoles that perform a number of tasks, including assistance at setup and layout of the APs, ongoing assessment of the RF capability to ensure minimum quality of service (QOS), assistance in managing the security of the network, and management of the infrastructure, including firmware updates. The best products have an intuitive user interface with all capability integrated within a common framework.

Vendors usually supply second-generation standalone access points and either third-generation centralized or fourth-generation traffic-optimized architecture systems. Third-generation systems offload
security and roaming, at a minimum, to a central controller, which is connected to the APs via either a Layer 2 or Layer 3 connection. Fourth-generation systems supplement this with software that controls access to the network by granting time slots for transmission vs. the client-controlled Carrier Sense Multiple Access/Collision Avoidance (CSMA/CA) mechanism of third-generation and earlier systems. Recently, all generations have been upgraded to provide QOS for voice clients by supporting a minimum of Wireless Multimedia Power Save, which prioritizes voice packets. Fourth-generation systems employ more sophisticated network access schemes to further improve voice quality and are most popular when voice is a mainstream application. In this Magic Quadrant, we include the vendors that provide third- and fourth-generation WLAN systems.

Added
Since there are a large number of WLAN startups, one of the criteria for inclusion in our Magic Quadrant is that the vendor should have been selling products for at least one full quarter prior to publication. Extricom and Xirrus started shipping products in 2H05 and so were not included in the previous Magic Quadrant, but have been added this year.

Dropped
The following two vendors are no longer tracked in this report:

Proxim, once a leader, is now a wholly owned subsidiary of Terabeam Wireless. For the last two years, Proxim was struggling in the enterprise WLAN space. Under the new management team, it has now decided to primarily focus on broadband wireless networking systems and is therefore not included in this report.

Vivato received more than 100 million in venture-capital funding but failed to make a mark in the WLAN market. It ceased operating in November 2005.

Evaluation Criteria

Ability to Execute
The criteria used to assess vendors in this Magic Quadrant are described in detail below. Since these criteria have changed from earlier editions, direct comparisons between this edition and previous ones are inappropriate.

Gartner analysts evaluate technology
providers on the quality and efficacy of the processes, systems, methods or procedures that enable IT provider performance to be competitive, efficient and effective, and to positively impact revenue, retention and reputation. Ultimately, technology providers are judged on their ability and success in capitalizing on their vision.

Product/Service: Core goods and services offered by the technology provider that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue to invest in the product, continue offering the product and advancing the state of the art within the organization's portfolio of products.

Marketing Responsiveness and Track Record: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This mind share can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups and
service-level agreements.

Table 1. Ability to Execute Evaluation Criteria

Evaluation Criteria                                                     Weighting
Product/Service                                                         standard
Overall Viability (Business Unit, Financial, Strategy, Organization)    standard
Sales Execution/Pricing                                                 no rating
Market Responsiveness and Track Record                                  high
Marketing Execution                                                     no rating
Customer Experience                                                     high
Operations                                                              no rating

Source: Gartner

Completeness of Vision
Gartner analysts evaluate technology providers on their ability to convincingly articulate logical statements about current and future market direction, innovation, customer needs and competitive forces, and how well they map onto the Gartner position. Ultimately, technology providers are rated on their understanding of how market forces can be exploited to create opportunity for the provider.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: A technology provider's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map onto current and future requirements.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Table 2. Completeness of Vision Evaluation Criteria

Evaluation Criteria            Weighting
Market Understanding           no rating
Marketing Strategy             standard
Sales Strategy                 standard
Offering (Product) Strategy    high
Business Model                 no rating
Vertical/Industry Strategy     no rating
Innovation                     high
Geographic Strategy            no rating

Source: Gartner

Leaders
A Leader will have demonstrated a sustained ability to meet the changing needs for mainstream WLAN architectures. Leaders should have demonstrated an ability to shape the market, maintain strong relationships with their channels and customers, and have no obvious gaps within the portfolio.

Challengers
A Challenger will have demonstrated sustained execution in the marketplace and have clear and long-term viability in the market, but will not have shown the ability to shape and transform the market.

Visionaries
A Visionary demonstrates an ability to increase features in its offering to provide a unique and differentiated approach to the market. A Visionary will have innovated in one or more of the key areas of WLAN technologies: convergence, security, management or operational efficiency.

Niche Players
A Niche Player has a complete or near-complete product offering, but does not have strong go-to-market capabilities or innovation in its product offerings. A Niche Player still has a viable product offering and, in some cases, will be an appropriate choice for large infrastructure deals.

Vendor Comments

3Com
3Com has refreshed its WLAN portfolio in the last few months. It has introduced dual-radio standalone access points and a 24-port unified wired and wireless switch targeted at small and midsize businesses (SMBs). The unified switch is developed internally by 3Com, but the company still relies on Trapeze for coordinated APs and centralized wireless controllers. 3Com resells Trapeze's controllers to its customer base as a wireless overlay solution.

While 3Com has expanded its WLAN portfolio, its offerings are primarily targeted at SMBs. It is a big market for wireless, but consumer-grade wireless vendors, such as D-Link, Netgear and Linksys, have also moved up the chain and serve the
small enterprise market. One feature that helps 3Com differentiate from consumer-grade WLAN vendors is its network admission control functionality using TippingPoint's IPS server for wireless devices. But 3Com needs to further expand its WLAN offering to compete more effectively with startups that are offering a technically superior product for large deployments. Today, 3Com mainly sells its WLAN products to existing customers.

Consider purchasing WLAN infrastructure from 3Com if you have deployed its wired networking products.

Alcatel
Under a reseller partnership agreement with Aruba, Alcatel rebrands Aruba's APs and WLAN controllers under the Omniswitch product line. Unlike some of the other wired networking vendors, Alcatel has no plans to integrate wireless features into its wired switching platform. However, it does provide an option of managing wired and wireless LANs through the same console using its network management suite, OmniVista. Alcatel could have a bigger profile in enterprise WLAN networking if it were not for its very limited presence in enterprise networking, particularly in North America. Alcatel's LAN products offer a well-thought-out, robust architecture at attractive prices, but the company continues to suffer from lack of resources that would enable it to sell more aggressively.

Consider purchasing WLAN infrastructure from Alcatel if you have deployed its wired networking products.

Aruba Networks
Aruba Networks is becoming a "one-stop shop" for all wireless LAN needs. It has progressed well in the last few years and is providing infrastructure for some of the largest WLAN deployments worldwide. It has a broad range of product offerings for centralized WLAN deployment for campuses, branch offices and corporate small office/home offices (SOHOs). Aruba's initial offering consisted of a core WLAN controller with coordinated access-point architecture. It has introduced scaled-down versions of its core controller technology for branch-office and smaller-scale WLAN
deployments. Since 802.1x is gaining momentum because of WLAN security issues, Aruba's vision of unified wired and wireless access security, such as the Web-based 802.1x authentication for wired clients that do not support 802.1x natively, is a good one.

With the exception of its partnership with Alcatel, Aruba has not pursued an OEM partnership strategy very aggressively. This may hurt the company in the long term, especially since more and more enterprises are looking to buy wired and wireless from the same vendor. Aruba had planned to take advantage of closer ties with Alcatel and integrate Alcatel's voice over WLAN (VoWLAN) and security components into its lineup, but we have not seen the company execute in this direction with its partners.

Companies considering Aruba must be wary of the inherent risks of doing business with a startup. But we believe the company is doing a good job of distinguishing itself from other WLAN startups, and its product strategy, along with its "direct touch" sales strategy, has helped it win some major opportunities worldwide.

Consider Aruba when wireless LAN is being considered as an overlay of wired LAN.

Bluesocket
Bluesocket's original positioning was based on its WLAN overlay security and management appliances for enterprises that had deployed APs from different vendors. Bluesocket marketed its security offerings as an improvement over Wired Equivalent Privacy (WEP), but following the ratification of 802.11i, and as enterprises started moving toward third-generation WLAN products, the market for third-party security and management gateways started shrinking. As a result, Bluesocket introduced third-generation WLAN switch architecture in 2005 and joined the ranks of the wireless switch vendors. The company has a solid offering (it was the first enterprise vendor to launch MIMO APs) but is difficult to differentiate. Bluesocket's
brand presence should help it win business from existing accounts, but overall it has limited coverage. It is challenged by its sales and distribution channels. The company is too small to support a large stable of direct sales representatives, and it has no partnerships in place with incumbent wired networking vendors.

Bluesocket's existing customers, which bought its authentication gateway products to manage security of various vendors' APs, consider its third-generation centralized controller and coordinated APs when upgrading or expanding their WLAN. But we have doubts about its capability to expand beyond this customer base or to defend it completely. In our end-user survey, we found that Bluesocket customers were particularly happy with user-based policy control features, such as per-user bandwidth control, filtering, logging and detailed reports by roles.

Consider Bluesocket if you have deployed APs from different vendors and would like to expand the network by deploying a third-generation WLAN solution.

Cisco Systems
Cisco Systems continues to be the leader in the market, and its position has been strengthened following the introduction of the centralized WLAN products. Cisco is able to meet much of the mainstream market requirements. Its WLAN product portfolio consists of standalone APs, WLAN overlays consisting of coordinated APs and centralized controllers, and WLAN service blades for its Ethernet switches. The company is in a good position to continue to garner share, since most of the enterprises are looking toward their incumbent wired networking vendor to provide WLAN products as well.

Two reasons that make Cisco customers look elsewhere are wireless network management and the cost of the solution. For wireless networks that consist of multiple generations of products, enterprises use two different products for network management: a WLAN service engine (WLSE) for standalone APs and a wireless control system (WCS) for centralized controllers and coordinated APs. But these two products are
not very well integrated, and capabilities are quite different. In such cases, enterprises either have to look at some third-party vendors for WLAN management or else develop custom applications. Product features are similar to many other vendors included in this report, but the price of the solution is much higher.

Meeting the challenges will take time, but Cisco's other strong attributes in the areas of sales, marketing and customer support should keep it in a Leaders position for some time.

Given the breadth of product line and overall market influence, Cisco should be on a shortlist of vendors for all mainstream requirements. However, this shortlist must include other alternative suppliers to ensure a solution that meets the specific needs of the enterprise.

Colubris
Colubris's WLAN solution has more intelligence at the edge than most other vendors in this report, and its controller is mainly tasked with WLAN infrastructure management, not RF management. Its WLAN offering consists of standalone APs and a central controller/server-based management system. Its access points enforce user authentication, QOS and radio frequency management. The controller automates AP deployment and configuration and also coordinates roaming handoffs between the APs.

Colubris's WLAN products are sold both to the enterprises and service providers, but most of the company's revenue comes from selling WLAN equipment through service providers into public venues. In the last year, it has shown a desire to expand its presence in the enterprise networking market and is planning to selectively target certain vertical markets. Its offering is especially attractive to enterprises that have a distributed office environment with a large number of small branch offices. Colubris has the infrastructure in place to perform WLAN billing to business units.

Consider this product if you have a large
number of distributed branch offices where you want to provide local authentication but want to manage configuration and infrastructure from a central location.

Enterasys Networks
Enterasys Networks' WLAN offering consists of a standalone, fully functional AP 4102 product, which allows its customers to deploy a granular, policy-based wireless security approach to the specific user level at the network edge without the need for a central controller or virtual LAN. Enterasys also resells a centralized WLAN solution through an OEM partnership with Trapeze. While it promotes its own standalone APs more aggressively, it does provide a software upgrade for standalone APs, allowing them to work as coordinated APs in a switch controller-based centralized architecture.

Enterasys is in a transition from being a publicly traded company to becoming part of a private equity arrangement. The new management team is showing some early signs of getting Enterasys back on track from an execution perspective. Enterasys added some new customers in the last few months, but the biggest challenge it faces is winning back the confidence of its customer base, which has been nervous about carrying out any further upgrades using Enterasys's wired and wireless LAN products.

Extreme Networks
Extreme Networks launched a new WLAN offering in partnership with Siemens. Extreme is still catching up with the market; its revenue in the WLAN category is lagging behind the market growth rates. Along with the partnership with Siemens for WLAN, it also announced a partnership with AirTight for wireless intrusion prevention system (IPS) products. Through OEM partnerships, it now has various components required to craft out a decent WLAN solution, but not much work has been done to integrate all the pieces to make it easier for customers to deploy and manage their WLAN.

Extreme's WLAN offering primarily appeals to its existing customer base of Ethernet switches. Consider Extreme's WLAN products if your company has deployed its
wired networking switches.

Extricom
Extricom is a late entrant to the WLAN market, having stumbled on the marketing front for some time to get its technology to markets where WLAN sales have been active. We classify Extricom as a fourth-generation WLAN vendor, where all APs are deployed on the same channel, creating a blanket of coverage. By applying centralized per-packet control of all transmissions, co-channel interference is avoided, eliminating the need for cell planning and delivering a predictable data rate to each client. The blanket topology enables seamless mobility by eliminating the delays of AP-to-AP handoffs, which benefits real-time, latency-sensitive applications such as VoWLAN. Extricom's approach is also able to create multiple overlapping channel blankets from the same switch and set of APs to deliver better QOS through the assignment of separate physical channels to different applications or user types, such as voice/data or 802.11b/g/a.

While this architecture addresses interference problems, it does limit the scalability of the solution. Extricom controllers require APs to be directly connected; it operates at Layer 2 only, and its biggest controller supports 24 access points. In larger deployments, where multiple 24-port controllers are to be deployed, roaming between APs of different controllers may not be seamless.

Consider Extricom where WLAN is being deployed to support multiple applications that require predictable bandwidth and RF coverage.

Foundry Networks
Foundry Networks had been unable to break out of its stagnant position in the WLAN market with its original offering. So, in May 2006, it announced a new WLAN offering in OEM partnership with Meru to make up for the lost ground. This product will not ship in volume till 4Q06. Note that feedback we received from reference customers for this report was based on Foundry's older offering. Foundry
continues to target specific technologyoriented customers interested in high performance and port density for its wired networking products and its new offering now allows it to sell a latestgeneration WLAN platform with all the features that will appeal to its highend customer segment of wireless networking products Foundry has the technical foundation to integrate WLAN solutions into its wired offering but there is little evidence that it is inclined to offer integrated wired and wireless switches based on Meru39s platform Consider purchasing WLAN infrastructure from Foundry if you have deployed its wired networking products Meru Networks Meru Networks is a fourthgeneration network meaning that network access is controlled by the APs as opposed to the normal CSMA method where client devices control access to the wireless medium As a result one of Meru39s key strengths continues to be its technical innovation For example Meru launched a clever way of intrusion detection without having to deploy dedicated sensors or having to timeslice between sensing and traffic delivery The capacity advantages that Meru39s fourthgeneration architecture brings have helped it with initial sales especially where concerns about voice capacity were important Japan was a key early market and Meru was able to gain marketing leverage from a largescale allwireless office voice PCs and notebooks at Osaka Gas Meru expanded its wireless VolP message to the All Wireless Enterprise theme in North America and elsewhere Yet marketing and awareness remain challenges as well as its need to prove that the processing burden placed on its controllers by its technology can scale to the largest systems lts biggest controller supports 150 APs Meru is offering QOS on an application basis going beyond the 80211e standard which only specifies QOS per device In our survey of enduser organizations we found that two of Meru39s features resonate particularly well in the market 1 RF coordination no cochannel 
interference, roaming capabilities and capability to handle 802.11b and g clients without forcing the g clients down to 802.11b

2. Capacity: number of clients per AP

These features are especially attractive where the number of users per AP cannot be ascertained and different types of applications are being run on a WLAN.

Meru will appeal to those organizations that have a clear preference for voice capabilities. Its architecture is also suitable for denser deployments where network connection requirements are difficult to predict.

Nortel Networks

Nortel Networks began 2004 as Airespace's primary sales channel and quickly positioned itself as one of Cisco's closest competitors in capturing enterprise business. It was the only vendor that seemed to garner share away from competitors. But Cisco's acquisition of Airespace left Nortel scrambling to explain to its clients what had happened and trying to find a replacement for Airespace. Nortel then entered an agreement with Trapeze to resell its WLAN products, but it did not start selling the new offering till 4Q05. Although Nortel is in a better position than most other wired networking vendors to sell more WLANs, given that a large number of enterprises like to purchase wired and wireless LAN products from the same vendor, its sales force is not selling WLAN aggressively. To attract business from its own client base, it is important for Nortel to make WLAN a more strategic imperative within the company. As wireless voice over IP (VoIP) becomes a compelling proposition in the enterprise space, it could gain some market notoriety through its presence in the IP-private branch exchange (IP-PBX) market.

Consider Nortel for WLAN if you have deployed wired networking switches from Nortel. Enterprises that like Trapeze's offering but would like to buy from a more established player can also look toward Nortel.

HP Procurve
Hewlett-Packard's HP Procurve has launched a new WLAN offering based on Symbol's technology. Its original OEM partner for WLAN controller technology, Vernier, has refocused toward network access control (NAC), and for HP to compete more effectively with its competitors, it needed a more committed partner. Symbol was a good match, as it doesn't have wired networking products, while HP needed a controller-based centralized WLAN offering. HP is further ahead of its competitors in terms of integrating wired and wireless management into one console. However, HP's 5300 switch line has a wireless blade, and not one of the latest 5400 series switches that the company is marketing more aggressively.

HP Procurve's edge networking switches have proven themselves a strong alternative to Cisco's, with the company's most significant successes coming in the midsize market. Its Layer 2 centralized WLAN offering, derived from a partnership with Symbol, is integrated with its wired offering, including support from HP's management and security components. HP's management products are its hallmark, enabling it to coordinate protection of the network by controlling wired defensive actions based on wireless events and vice versa. However, its management products could provide more depth and improvement to the user interface. HP Procurve also sometimes suffers from poor awareness within the context of its larger parent. HP's recent announcement regarding WLAN design services for Cisco's WLAN products proves that the parent company has little faith in HP Procurve's offering. This leads to the conclusion that the group will be spun off from HP at some point. However, due to new management and the solid profitability of the group, we believe this action will be deferred and need not be a concern for buyers.

HP Procurve's centralized WLAN offering will only appeal to its existing customers that have deployed 5300 series switches, although HP Procurve has plans to launch a similar WLAN blade for the 5400 series. Also,
organizations looking toward Symbol handhelds and who desire a single vendor footprint across the carpeted and non-carpeted areas (manufacturing floors and so on) can consider HP Procurve.

Siemens

Siemens has now fully absorbed Chantry following the recent acquisition. However, this has not significantly improved Siemens' stand-alone WLAN sales, thanks to a variety of other events that stand to confuse buyers. Siemens is a reseller for many data-networking vendors, including Cisco, Nortel, Extreme, Foundry and Huawei. Recently, Siemens also announced a global strategic alliance and master reseller agreement with 3Com to integrate and sell 3Com's data networking and enterprise security products and services via Siemens' direct sales organization and indirect channels. As one of the integration initiatives, the Siemens HiPath Wireless portfolio will be integrated with 3Com's TippingPoint IPS, and 3Com will certify the interoperability of Siemens' HiPath WLAN and its network management platform. 3Com also has an OEM partnership with Trapeze for WLAN. After the recent merger of the Siemens network infrastructure business with Nokia, many called into question the future of Siemens' enterprise networking business. The prognosis for this business is still uncertain, and it will hurt business opportunities until Siemens can make it clear to buyers what direction this venture will take.

Siemens' product marketing has been lukewarm, with little visibility in the deals we have reviewed. Siemens' WLAN products have been deployed in some large networks. However, most of the sales were in Western Europe and have been generated from "pull through" sales of existing and new HiPath PBX sales. Our customer survey indicates that Siemens customers like centralized management features such as detailed reporting capabilities on AP status and users that are connected to the network.
However, some work is required on the display of this data. Customers are also happy with the ease of configuration of WLAN networks using Siemens products.

Siemens will find many applications where WLAN technology will be integrated into its core products, including healthcare and building monitoring. WLAN technology may be sold in a manner similar to the way Symbol sells its WLAN, as part of a vertically oriented system. This latter approach is most relevant for prospective buyers.

Symbol Technologies

Symbol Technologies has maintained its presence in the WLAN market, largely thanks to years of experience in wireless, especially in vertical market systems in combination with its handhelds sales. It is currently the No. 2 player in this space. Symbol has tried to expand beyond its traditional markets, but its lack of wired equipment and poor brand recognition in the networking market have hindered those efforts. Symbol did well to scale back those efforts and instead construct a partnership with HP, where it now has an outlet to address organization-wide deployments of WLAN. It has also worked with IBM to supply a controller blade for the eServer product to address the needs of retail companies. Symbol plans to add a Layer 3 mobility service in 4Q06, which will broaden its offering. It also plans to integrate other network types, such as Zigbee, cellular and WiMAX, through its Wireless Next Generation (WiNG) architecture to give organizations a more cost-effective means to roam across a variety of networks. This direction of integrating multiple wireless technologies fits with a key theme of Motorola's. Motorola recently made an announcement to acquire Symbol (see "Motorola-Symbol Deal Will be Challenging, Though Promising").

Symbol's centralized WLAN offering with thin AP architecture delivers a low cost per square foot, and WiNG will continue this effort. Symbol
can support a variety of client devices, but it is in combination with its handhelds that clients will reap the greatest benefit from their WiFi products. Symbol's Mobile Services Platform (MSP) provides customers with a strong management tool that combines both handheld and WLAN infrastructure management under one offering. Symbol has also done some work in the voice integration segment and has more practical experience than many of its competitors, though this lead may not last for long.

Symbol's WLAN offering appeals to vertical markets such as manufacturing, retail and healthcare, where it sells its handhelds.

Trapeze Networks

Trapeze Networks has improved its position most, primarily thanks to a re-architecting of its distribution strategy. Trapeze's products are sold through one of its two major channels, consisting of OEMs and resellers. Its OEMs (3Com, Enterasys and Nortel) are expected to be joined by at least one other partner by the end of 2006. These vendors "private label" the product and market the WLAN offerings' integration with one or more of their core offerings, such as their wired infrastructure, management tools and/or voice systems. Trapeze also sells its own brand through its resellers. Channel management is accomplished naturally through the various players' differentiated services and complementary capabilities against the OEM offerings. Yet Trapeze, by its own admission, would like to increase its reseller sales, an effort that, in our opinion, will require differentiating the offering from what is supplied to the OEMs. How it manages this effort will determine whether it can rise to the top tier among the startup vendors. A new Trapeze marketing organization is expected to tackle this issue, along with raising overall brand awareness.

Trapeze has long been known for its management product, RingMaster, yet our user surveys showed that it lost sales due to perceived weakness in this area. We believe this was due to a poor organization of the features in the product, a
problem that has since been rectified. Trapeze has shored up its wireless intrusion detection system (IDS/IPS) through a partnership with AirDefense, enabling rollup of AirDefense alarms directly in the RingMaster console, as well as on-the-fly conversion of APs to sensors, since both companies use the same AP hardware supplier.

Trapeze also promotes a distributed forwarding architecture, where APs decrypt the frame and tunnel the decrypted 802.11 frame to a central controller where forwarding decisions take place. But it has done so by claiming centralized encryption approaches are less effective from a networking perspective. We expect Trapeze to become less prescriptive in its sales approach and move instead to emphasize the fact that it offers a great range of choices that should appeal to buyers. Furthermore, any one approach taken by a buyer at the outset can be transformed once the product is installed. This flexibility should help the company grow in the coming year, but, as mentioned earlier, it will be a marketing challenge to craft these messages to become more broadly understood.

Xirrus

Xirrus is one of the late entrants to the WLAN market. It has developed a WLAN array, which has multiple directional radios. Its design combines an onboard WLAN switch and up to 16 integrated APs with a high-gain, multisector antenna system. With this architecture, the number of devices to be deployed will be reduced, especially when deploying for higher capacity, such as in a lecture hall. Xirrus's management suite can control up to 500 arrays and is primarily for infrastructure management (configuration, firmware upgrades and reporting), not specifically for RF management. Each array is responsible for managing the RF environment and roaming of clients between APs and between APs on different arrays.

Consider this solution when pulling cable to individual AP locations may not be feasible, but one array with multiple APs can meet the requirements.
RECOMMENDED READING

"Magic Quadrants and MarketScopes: How Gartner Evaluates Vendors Within a Market"

Acronym Key and Glossary Terms

AES: Advanced Encryption Standard
AP: access point
BSSID: Basic Service Set Identifier
CA: Collision Avoidance
CSMA: Carrier Sense Multiple Access
IDS: intrusion detection system
IEEE: Institute of Electronic and Electrical Engineers
IP-PBX: IP-private branch exchange
IPS: intrusion prevention system
MIMO: multiple input, multiple output
MSP: Mobile Services Platform
NAC: network access control
QoS: quality of service
RF: radio frequency
SOHO: small office/home office
SMB: small and midsize business
VoIP: voice over IP
VoWLAN: voice over WLAN
VPN: virtual private network
WCS: wireless control system
WEP: Wired Equivalent Privacy
WLAN: wireless LAN
WPA2: WiFi Protected Access 2

Evaluation Criteria Definitions

Ability to Execute

Product/Service: Core goods and services offered by the vendor that compete in/serve the defined market. This includes current product/service capabilities, quality, feature sets and skills, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability (Business Unit, Financial, Strategy, Organization): Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood of the individual business unit to continue investing in the product, to continue offering the product and to advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all pre-sales activities and the structure that supports them. This includes deal management, pricing and negotiation, pre-sales support and the overall effectiveness of the sales channel.

Market Responsiveness and Track Record: Ability to respond, change
direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message in order to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional, thought leadership, word-of-mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, and service-level agreements.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the Web site, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling product that uses the appropriate network of direct and indirect sales, marketing, service and communication affiliates that
extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature set as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including verticals.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Face Off: IPSec vs. SSL VPNs
by Nils Odhner
Copyright 2003 Faulkner Information Services. All Rights Reserved.
Docid 00018877
Publication Date 0311
Publication Type FACEOFF

Preview

Internet Protocol security (IPSec) and secure sockets layer (SSL) are two competing technologies used in virtual private network (VPN) deployments today. These technologies are both designed to encrypt and authenticate data in transit from remote end-user locations to resources residing on the corporate network. VPNs based on IPSec and SSL each have a distinctive number of advantages and disadvantages and are engineered for varying business and end-user needs. This report faces off the two competing technologies and offers an overview of feature sets, strengths and limitations of each, cost issues, and recommendations for their usage in VPN deployment.

Report Contents: Executive Summary; Description; Solution Set; Analysis (Strengths & Limitations); Recommendation; FaceOff; Web Links

Executive Summary

IPSec and SSL are two competing technologies used by IT managers for VPN deployments in today's small businesses, enterprises, healthcare institutions and government agencies. SSL, or Secure Sockets Layer, is a protocol originally developed by Netscape Communications to secure Web-based transactions. SSL was developed to make e-commerce as we know it today possible, but is now being used in a much wider context, particularly in regard to accessing enterprise application-based resources. IPSec, or Internet Security Protocol, on the other hand, has been widely deployed in enterprise VPNs for years, but is no longer the dominant choice in VPN deployment that it once was. Both technologies are widely used to deploy VPNs, which provide remote connectivity to a host computer or network so that employees, partners or customers can access corporate resources or conduct business transactions.

Choosing between an IPSec and SSL-based VPN is no simple matter of black and white. Organizations, led by their IT managers and CIOs, must consider a complex of factors before embarking on deployment. For example, questions such as these must be asked: will the
remote connection be used for email only, or will it be used to access extensive enterprise resources? Will the remote user be accessing Web-based applications only, or non-Web-based apps? What is the enterprise's IT budget, and are there limits on spending? These questions, as well as a basic review of the pros and cons of each technology, are vital in choosing whether an IPSec or SSL VPN is best for an organization.

Description

The two competing VPN options that businesses of today choose to implement are IPSec and SSL VPNs. Both VPN types deliver secure, enterprise-level remote access, but their architectural and operational approaches differ greatly. These varying approaches significantly influence application and security services, and will in the end determine which technology IT managers and CIOs should implement within the organization and what circumstances are optimal for each.

Essentially, IPSec and SSL are encryption and authentication technologies designed for data in transit, i.e., they serve as secure "tunnels" that protect data traffic and identify it at the receiving end. Both architectures, or methods, should be considered in the context of an organization's overall security architecture and network security policy. A careful examination of the data being transferred, its level of sensitivity to the enterprise, and the impact of unauthorized disclosure are key factors that should be considered when deciding which architecture to use when implementing a VPN. An analysis of these factors will determine if data transmission channels are accessible and secure, and that the mechanisms in place adequately prevent unauthorized message and traffic flow disclosure. It will also ensure that messages sent and received are one and the same, that a valid source/destination message path has been established, and that security mechanisms are invisible to end users.

Both IPSec and SSL solve the problem of delivering secure remote access to end users, and both use the
Internet as the means to provide connectivity. Certain types of businesses with specific goals for employees and customers, however, will find one more beneficial than the other.

IPSec VPNs

Internet Protocol Security (IPSec) is a series of protocols developed by the Internet Engineering Task Force (IETF) to deliver symmetric key encryption and authentication services at the IP layer. When IPSec is used to design a secure VPN, it operates at the network layer (layer three) of the Open System Interconnection (OSI) network architecture model. IPSec VPNs are extremely flexible in supporting network configurations and applications. They utilize a head-end device and an IPSec-based client that is downloaded and installed on the end user's computer. IPSec VPNs secure all data between endpoints, "virtually" placing the remote client on the corporate network and allowing for the same level of access that an employee would have working in the office. Moreover, IPSec VPNs deliver two types of security services: Authentication Header (AH), which allows for end-user authentication, and Encapsulating Security Payload (ESP), which supports end-user authentication and data encryption. What gives IPSec VPNs their strongest level of security is the Triple-DES (3DES) encryption algorithm, which makes two-way authentication possible, while separate protocols such as ISAKMP/Oakley can also be selected as part of the IPSec VPN configuration.

SSL VPNs

Originally designed by Netscape Communications to secure e-commerce transactions, Secure Sockets Layer (SSL) is an [illegible] open standard for authentication, data encryption and message integrity over TCP/IP sessions. SSL is a [illegible] as the IETF's Transport Layer Security (TLS) standard and is used primarily to [illegible] private transactions that include banking, online stock trading and credit card purchases. SSL enables application layer VPNs, which operate at layers four through seven of the OSI networking model and can be used with or without a client. SSL-based VPNs initiate communication [illegible] between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP).

SSL VPNs [illegible] which translates the requests from the remote user's Web browser into a command the network can understand. It is typically required when users are on the road, located behind a firewall [illegible] and need access to data [illegible]. SSL VPNs typically use [illegible] public/private key encryption [illegible], but because any Web-enabled machine can be used to access [illegible], two-way authentication is not possible; rather, any valid username and password will get a user into the SSL VPN.

Figure 1 shows the basic architectural differences between IPSec and SSL VPNs.

[Figure 1. Comparison of IPSec and SSL VPN Architectures]

IPSec and SSL VPN Vendors

There are a number of vendors that incorporate IPSec functionality into their network devices, many of which serve as the basis for their IPSec VPN suites. These vendors include Cisco Systems, Nortel Networks, Checkpoint and SonicWALL. But because IPSec is an older VPN technology and is more established in many vendors' product and service portfolios, there are more stand-alone IPSec VPN providers. SSL VPNs, because they are newer, are not offered stand-alone by as many vendors. There are a few VPN vendors, however, that offer both types, and they perhaps have the biggest edge, considering organizations often need both IPSec VPNs for site-to-site connectivity as well as SSL VPNs for Web-based apps only. The following table lists leading SSL and IPSec VPN vendors.

[Table 1. IPSec and SSL VPN Vendors. Table contents not recoverable; surviving vendor names: V-One, WatchGuard Technologies, Whale Communications]

Solution Set

There are a number of key criteria IT managers and CIOs should consider when
deciding between implementing an IPSec or SSL VPN. Many factors involve the use of security, which is contingent upon what an organization intends to use the VPN for. Key criteria include:

- Authentication and Access Control: Each type of VPN presents varying user authentication options, which in turn determine the level of security. This determination for a particular VPN type is based on the level of access desired initially.
- Information Access Level: Related to access control, this determines which devices, locations and individuals can access information.
- Attack Defenses: The level of confidentiality and data integrity required will determine the best VPN fit.
- Client Security: How well is the client secured, if a client is being used in the first place? The level of antivirus and/or firewall protection will be another determining factor.
- Application Accessibility: Does the end user need access to a wide variety of applications on the network, or just a niche or easy-to-use application such as email or collaboration tools?
- Required Software: Does the VPN implementation require software to get up and running?
- Scalability: Will the VPN offering be deployed for a whole branch office or a single end user? This will also determine the type of VPN deployment.
- Overall Security Coverage: A VPN determination will also be based on how sensitive the information being tunneled from VPN to Web server or corporate network is. How far does the security infrastructure extend?
- Deployment Scenario: What is the VPN going to be used for: e-commerce, or telecommuting from a remote home office?

FaceOff

Table 2 contrasts the criteria, based on the explanations in the previous section, that IT managers and CIOs should follow when deciding whether to implement an IPSec or SSL VPN.

Table 2. IPSec vs. SSL VPN Implementation Criteria

Authentication and Access Control
  IPSec VPN: Uses Internet Key Exchange (IKE) for authentication through either digital certificates or two-way authentication; non-certificate authentication; more secure.
  SSL VPN: SSL Web servers use digital certificates for authentication; non-certificate authentication; more vulnerable.

Access Control
  IPSec VPN: Homogenous access granted to trusted user groups on entire private servers and subnets.
  SSL VPN: Granular-based per-user, per-application access control. As a result, access determinations made according to ports, selected URLs, embedded objects, content or application events.

Information Access Location
  IPSec VPN: Information accessed from designated groups of users or computers.
  SSL VPN: Information accessed from any location, including Internet kiosks; information can be left behind intentionally or unintentionally.

Attack Defenses
  IPSec VPN: Supports block encryption algorithms such as Triple-DES Cipher Block Chaining; prevents man-in-the-middle attacks via packet modification; uses IP and UDP datagram floods to prevent DoS attacks.
  SSL VPN: Supports block encryption algorithms such as Triple-DES Cipher Block Chaining; supports stream encryption algorithms such as RC4; uses TCP and TLS to prevent packet injection.

Client Security
  IPSec VPN: Session state to detect when secure tunnel has gone away; IPSec clients include integrated desktop security products.
  SSL VPN: Provides secure browser/client logoff by wiping all traces of user activity; filters individual application commands; use of applets to secure open ports.

Application Accessibility
  IPSec VPN: Accesses all IP apps, including Web, enterprise, email, VoIP and multimedia.
  SSL VPN: Accesses mostly Web apps.

Required Software
  IPSec VPN: IPSec client software.
  SSL VPN: Standard Web browser.

Scalability
  IPSec VPN: Highly scalable, up to tens of thousands of customer deployments.
  SSL VPN: Highly scalable and easy to implement.

Overall Security
  IPSec VPN: Extends security to the remote access level and enhances endpoint security with methods such as personal firewalls.
  SSL VPN: Limited security measures dictating information access and client environment; better for less-sensitive information.

Deployment Scenario
  IPSec VPN: Secure employee and site-to-site access.
  SSL VPN: External Web customer access.

Analysis: Strengths & Limitations

The Argument for and against IPSec VPNs

IPSec VPNs offer several primary benefits that SSL either does not offer or offers with lower functionality. These include "always on" protection for all applications, independent of user intervention; network layer implementation, which resides below the application layer; full remote end-user access to LAN applications; and, most importantly, a higher level of security, which is consistent for each client or end user residing on each remote computer.

Another "stronger security" plus is that IPSec prevents packet modification to stop man-in-the-middle attacks and defends better than SSL against denial of service (DoS) attacks, due to its sole use of datagrams instead of TCP sessions, which SSL uses. Essentially, IPSec deflects IP and UDP datagram floods, which are easier to block, as opposed to TCP SYN floods commonly used in SSL, which fill session tables and cripple off-the-shelf protocol stacks.

Despite touting greater overall security than SSL, IPSec VPNs are prone to vulnerability when administrators choose non-certificate options such as passwords or tokens. In addition, IPSec vendors tend to offer alternatives such as Extended Authentication (XAUTH) and L2TP over IPSec. XAUTH, however, is often deployed using preshared group secrets, which is vulnerable to several known attacks. Moreover, IPSec VPNs tend to be deployed with less granular access controls, making it a time-consuming chore for administrators to configure individual and group access rules.

There are other limitations as well. While IPSec offers seamless remote access for end users, its configurations tend to be complicated, requiring often costly experts to navigate and troubleshoot complex key settings and encryption algorithms. Additionally, configurations must be performed manually; on this note, client software updates and installations tend to be cumbersome for large user populations. And finally, IPSec is behind the game in terms of supporting PDA and mobile phone clients, as they are just
beginning to appear on the market.

The Argument for and against SSL VPNs

Despite many admonitions about being less secure than IPSec, SSL VPNs provide a secure, proxied connection to only those resources the user is authorized to access. This lack of a direct network connection, combined with split tunneling (in which users have access to the Internet and corporate resources at the same time), tends to be safer. In other words, SSL drills down better to specific applications and services. This is backed by the fact that SSL VPNs employ granular access control, in which varying access privileges are granted to different users.

In addition, SSL VPNs extend remote access capabilities to a larger range of network resources and locations from a greater number of network devices. This is made possible because SSL VPNs reside on top of TCP/User Datagram Protocol (UDP) transports, allowing SSL VPNs to travel through network address translation (NAT) devices as well as stateful inspection and proxy-based firewalls. Also, SSL VPNs are engineered to connect to mobile clients such as PDAs and mobile phones, as many vendors have taken advantage of SSL's easy wireless Web-enabled capabilities. In this way, they are better suited for public kiosk PCs, which are often wireless, as well as business partner desktops and personal home computers.

One of the key selling points for SSL is that it does not require complex or intrusive clients, i.e., installation of software on end-user computers, which means easier installation and maintenance and higher cost savings. For this reason, SSL VPNs are better for smaller budgets.

An SSL connection, however, prevents VPN users from accessing non-Web applications and is limited to only applications such as Web-based business software. Additionally, SSL VPNs complicate functions such as file sharing, automated file transfers and scheduled file backups. Administrators can add support for non-Web-based applications, but this requires custom development, including extensive upgrades, patches, SSL gateways and other
add-ons, which tend to be costly and difficult to implement. In addition, end users are potentially restricted in terms of accessing enterprise resources on Windows, UNIX, Linux, or mainframe systems. But by far, SSL's greatest limitation is its lack of overall security compared to IPSec. It is less secure because it enables transparent negotiation of encryption algorithms and key materials, defaulting to smaller, weaker keys if a higher key security level cannot be supported in client-server communications.

What Are the Costs Involved?

When comparing the range of costs associated with IPSec and SSL VPNs, administrators should base their assessments on the costs at both the host and remote site. In general, there are three cost categories to consider for each respective VPN type: equipment costs, deployment costs, and ongoing support costs.

Equipment Costs

At the host site, both SSL and IPSec VPNs require a head-end device for operation at the corporate data center to terminate all data tunnels. For IPSec VPNs, this requires a router/concentrator device, and for SSL, a server with proprietary software is required. At the remote site, IPSec VPNs will require a VPN client, either hardware or software, in order to establish a connection. Software clients are usually free when purchased with a head-end device, whereas hardware clients range from 500-1000 per device. SSL VPNs, on the other hand, require no client at the remote end and thus no related costs.

Deployment Costs

In terms of deployment costs at the host site, IPSec tends to win out over SSL. For IPSec VPNs, host device configuration is much easier, considering the devices have built-in GUIs to bolster the process. Also, once the secure connection is established, all applications can be accessed from any point on the network. This is not true for SSL VPNs, as each application has to be configured to work with the host device. This usually requires a vendor support team and can be quite costly and time-consuming. At the remote site, however, IPSec VPNs require an
initial configuration at minimal cost, whereas SSL VPNs, because they do not require a client, have no associated costs.

Ongoing Support Costs

Host site maintenance costs tend to be minimal, since both IPSec and SSL VPN head-end devices are usually stable. Hardware replacement contracts for each type are priced similarly and include software/firmware upgrades. SSL VPNs, however, require an additional cost when new applications are being rolled out for configuration with the SSL server. IPSec VPNs, being application independent, do not incur such costs. At the remote site, IPSec VPNs must support remote site clients and users, translating to additional help desk, training, and support costs. SSL VPNs, because they do not have remote clients, incur no costs in this area.

Recommendation

Some of the questions IT staff and executive officers should answer before deciding upon an IPSec or SSL VPN include:

- How does the organization communicate, both internally with its employees and externally with partners, suppliers, and customers?
- What are the requirements for IP and legacy applications?
- What protections does the data security policy determine?
- What applications require remote access: sensitive internal documents or casual-use apps such as email?
- Are user-friendly interfaces required?
- Does the VPN need to support mobile devices?
- Are there bandwidth-intensive users that need 24x7 high-level performance?

Answering these questions, as well as reviewing the competing architectures and their benefits and drawbacks, will help IT administrators make the appropriate decision. For example, if an end user just needs to access Web-based applications using a Web interface, such as email and file access, an SSL VPN would be the best bet. This also applies to the filing of remote time and labor applications that can be easily sent at the click of a mouse. Given these requirements, most enterprise end-user needs can be met via SSL. In addition, if a small business systems administrator does not have
adequate centralized management capabilities, SSL would also be more optimal, considering SSL VPNs are better at providing access from unmanaged devices such as Internet kiosks.

For end users accessing non-Web-based client-server IP applications, however, an IPSec VPN is the best bet. This is an optimal option for so-called "power users" that need a complete PC-to-gateway IPSec VPN as well as access to the full gamut of enterprise network resources from home offices and remote sites. A more ideal application for IPSec is connecting site-to-site VPNs, which is often required in the case of large enterprises that have acquired many smaller offices that are geographically dispersed and need to integrate corporate resources into one model. Also, because IPSec VPNs are inherently more secure than SSL VPNs, they can be easily combined with 802.1x authentication technology and firewalls. The former leverages key authentication protocols such as LEAP to secure not only wired VPN tunnels but wireless LAN security as well.

If an organization is looking to save money, SSL VPNs will accomplish this goal. Because they are typically clientless, SSL VPNs do not require the implementation and maintenance costs associated with configuring and upgrading a VPN client. SSL VPNs, however, are limited in their capabilities. They are ideal if, for example, an organization is looking to provide email connectivity and maybe availability of marketing materials to salespeople. On the other hand, if an entire branch office needs connectivity to the corporate headquarters and all the materials from human resources, legal, sales and marketing, and financial departments, IPSec VPNs are a must.

Choosing between an IPSec and SSL VPN is not a matter of one being better than the other, as each has myriad benefits and drawbacks depending on an organization's needs. A careful evaluation based on the factors mentioned previously is a necessity for any organization looking to bolster secure remote connectivity through the use of a VPN.

About the Author

Nils Odhner is Senior Editor of Data Networking at Faulkner Information Services. His coverage includes biometric technologies, network and Internet security, VPNs, WiFi, and convergence and data networking issues.
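Added example (not part of the original report): the SSL VPN section above says SSL negotiation can default to smaller, weaker keys when a stronger level is not supported by both sides. The Python below models that fallback with a constructed suite table, then builds a server-side context pinned to a floor and audits its enabled suites; the names in SUITES, the 128-bit floor, and all function names are assumptions for illustration.

```python
import ssl

# Constructed suite table (name -> effective key bits), strongest first.
# Names and the 128-bit floor are illustrative assumptions.
SUITES = {"AES256-GCM": 256, "AES128-GCM": 128, "3DES-CBC": 112, "RC4-40-EXPORT": 40}

def negotiate(client_offer, server_pref, min_bits=0):
    """Return the first server-preferred suite the client also offers.

    min_bits=0 models transparent fallback: any common suite wins, however
    weak. With a floor, the handshake is refused instead of downgraded.
    """
    for name in server_pref:
        if name in client_offer and SUITES[name] >= min_bits:
            return name
    raise ConnectionError("no common suite at or above the floor")

def hardened_context():
    """Server-side TLS context that will not negotiate legacy protocols."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # AEAD suites only
    return ctx

def weak_suites(ctx, min_bits=128):
    """Audit: enabled suites whose reported strength is below the floor."""
    return [c["name"] for c in ctx.get_ciphers() if c["strength_bits"] < min_bits]

if __name__ == "__main__":
    server = list(SUITES)
    legacy_client = ["RC4-40-EXPORT", "3DES-CBC"]
    print("no floor:", negotiate(legacy_client, server))
    try:
        negotiate(legacy_client, server, min_bits=128)
    except ConnectionError as exc:
        print("128-bit floor:", exc)
    print("weak suites in hardened context:", weak_suites(hardened_context()))
```

Running weak_suites against a gateway's real context before deployment shows whether any enabled suite would let a legacy client pull the session below policy.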