Michel Susai, Providing a high-performance replacement for conventional IPSec VPNs
Today’s dominant, legacy Virtual Private Networking (VPN) technology follows the IPSec (Internet Protocol Security) standard. Despite being a secure protocol, the IPSec standard is complex and laborious for IT staff to administer and maintain, and it provides limited use for remote users. The result is a very high ongoing TCO (Total Cost of Ownership).
SSL VPN technology emerged a few years ago to take advantage of the widespread adoption of SSL for secure web page delivery between a web server and a user (web browser). The motivation was to eliminate the high complexity and cost of IPSec-based VPN delivery of applications to remote users (clients). First-generation SSL-based VPNs created a VPN gateway by providing a web-proxy server between the actual (“webified”) application server and the end user. The current, second-generation SSL VPN technology added full application transparency without the need for webification of applications.
The problem with second-generation implementations is the high overhead and resulting slow performance of the communication between client and gateway. This performance impact is due to two architectural issues. First, SSL is implemented in the “user space” of an operating system environment, as opposed to the kernel space. Second, since SSL works as a TCP application, the SSL-encrypted link between client and server contains the TCP data stream between the client and the target application server. This encapsulation results in the TCP-over-TCP meltdown problem that is well documented in satellite networks. The TCP-over-TCP meltdown problem dramatically reduces data throughput by a factor of up to 30x and decreases the maximum number of concurrent connections.
These performance and scalability limitations are due to the high overhead associated with context-switching operations between user space and kernel space, combined with the network jitter associated with significant packet loss, especially in wireless LAN environments.
Name: Michel Susai
Title: CEO and Chairman
Likes to be called: Michel
Company: NeoAccel Inc.
The TCP-over-TCP meltdown problem that plagues conventional SSL VPNs is overcome by NeoAccel’s patent-pending technology, which processes SSL connections in the kernel space of the operating system. This decreases the number of context-switching operations and eliminates the TCP resizing and slow start problems associated with wireless network jitter. Additionally, by adding hardware encryption, essentially all overhead of SSL processing can be eliminated to provide performance for SSL VPNs equivalent to or greater than conventional IPSec VPNs. However, if SSL processing is not performed in the kernel, then hardware-assisted encryption loses its acceleration benefits due to the overhead associated with moving data and session information between the SSL processing routines in user space and the SSL encryption hardware driver in kernel space.
NeoAccel’s SSL VPN-Plus is the first solution to provide IPSec levels of performance with the enhanced security features and benefits of SSL VPN. As a third-generation SSL VPN technology, NeoAccel overcomes both the performance-sapping overhead of SSL processing and the TCP-over-TCP meltdown that plague conventional SSL VPNs. This performance drain is most noticeable in “lossy” environments such as wireless LANs, which can consume as much as 20 percent of a conventional SSL VPN’s throughput capacity. NeoAccel SSL VPN-Plus moves all SSL processing into the operating system’s kernel space, thus reducing SSL protocol overhead by typically 80 percent compared to second-generation SSL VPN implementations as well as providing complete application transparency.
Additionally, NeoAccel has implemented a unique solution based on Michel Susai’s patent-pending Intelligent Connection Acceleration Architecture™ (ICAA) that eliminates the need for the user's application session information to be encapsulated over an SSL session, instead creating a single connection between the client and the VPN gateway. It is not unusual for network traffic to suffer 1 to 10 percent packet loss, which produces TCP-over-TCP meltdown resulting in 1.5x to 30x longer response time for conventional SSL VPNs. Most organizations that have adopted second-generation SSL VPNs have experienced the frustration of gaining application transparency at the cost of unacceptable application performance. NeoAccel’s SSL VPN-Plus uniquely offers the low overhead, high performance, and application transparency of IPSec VPNs, but without the complexity experienced by end users or the heavy support costs required by IT organizations.
The following references are some market research analyst observations about the pros and cons of SSL VPNs vs. IPSec VPNs. Their observations and conclusions now need to be rewritten as a result of NeoAccel’s new third-generation SSL VPN solution. NeoAccel SSL VPN-Plus now offers ALL of the performance and full-access advantages of IPSec VPNs combined with the simplicity and enhanced security of SSL VPNs. NeoAccel’s SSL VPN-Plus overcomes the “conventional wisdom” that only IPSec VPNs can provide site-to-site support while conventional SSL VPNs provide only remote access support. Because of SSL VPN-Plus’s unique architecture and the resulting dramatic performance and scalability advantages, a third-generation SSL VPN can now offer both the site-to-site support of IPSec VPNs and the remote access capabilities of SSL VPNs.
Industry analysts at Gartner note that the simplicity and portability of SSL VPNs can lower the cost to implement remote-user VPNs for corporate workstations, as well as access from non-corporate systems such as PCs. Where traditional VPNs are not required, expect immediate value from investments in SSL VPNs in the form of easier deployment and support, Gartner observes. However, META Group’s METAspectrum SSL Virtual Private Networks Market Summary points to the future broad market adoption of SSL VPNs as a replacement for IPSec VPNs. “With the onset of widespread adoption and large-scale deployments (i.e., >1,000 concurrent users) during the next two years, the critical requirements will become scalable management functions (particularly configuration capabilities) and greater system performance/capacity. As with most other security solutions, vendors that best balance security, performance, and manageability – and in this case, accessibility to applications as well – will be positioned to dominate the market.” States Michael Suby, senior research analyst at Stratecast Partners (a division of Frost & Sullivan), “Complete remote access solutions encompass three functional components – connectivity, security, and performance. Most SSL VPNs are designed to address only connectivity and security. Where NeoAccel is positioned is in directly addressing the performance inhibitors in today's SSL VPNs. Once overcome, we expect enterprise deployments of performance-enhanced SSL VPNs in WAN and wireless LAN environments to accelerate.”
NeoAccel is targeting end users in education, healthcare, finance and other industries where secure, high-performance access to business applications is a critical requirement. NeoAccel’s SSL VPN-Plus has been shown to inject latency of just 10 ms for a real-time video conferencing environment, compared with 20 ms for IPSec VPNs and 40 ms for conventional second-generation SSL VPNs. The competitors’ higher levels of injected latency rendered these systems unusable for the video conferencing environment. NeoAccel provides highly scalable enterprise-class performance for secure access to all enterprise applications, while competitors’ SSL VPNs typically do not scale to enterprise levels, deliver inadequate response and reconnect times to end users, and can lack the ability to provide access to all enterprise applications.
Michel Susai is an inventor who has developed patent-pending technologies that provide fundamental means of securely optimizing and accelerating the performance of the Internet's underlying TCP/IP networking protocols. Michel focuses his passion for pure science and innovation on highly scalable large-scale network systems using clustering and massively parallel processing technologies, fields in which he is an acknowledged expert. In 2005, Michel launched NeoAccel to address the fundamental problems associated with and inherent in existing SSL VPN technologies. In 1997, Michel founded NetScaler, a leading innovator of intelligent network systems that up to 75 percent of Internet users go through each day to visit the world's highest traffic websites such as Google, MLB.com, MSN and Ticketmaster. NetScaler was recently acquired by Citrix Systems (NASDAQ: CTSX) for more than U.S. $300 million. Michel has more than 15 years of leadership, management, engineering and business development experience. Prior to NetScaler, Michel was responsible for developing several Internet infrastructure scalability products at Sun Microsystems, Inc. Prior to joining Sun, Michel led the development of the Internet strategy initiative at Unisys Corporation. He holds a B.S. in Computer Science and Engineering from PICT (Pune Institute of Computer Technology and Research), Pune, India.
NeoAccel Inc. 2055 Gateway Place, Suite 240 San Jose, CA 95110 USA Tel: +1 (408) 274 8000
Copyright © 2006 Silicon Valley Communications - All rights reserved.