As one of their many challenges, IT staffs must provide secure remote access to data and applications from outside the
confines of the enterprise. IPSec-style VPNs are no longer up to the task, however: IPSec is too inflexible and too limited
in client and device support to work well in many situations.
VPN appliances based on tried-and-true SSL are gaining popularity. You get the features of an IPSec VPN without the
restrictions: all you need is a browser to connect to your resources, whatever the client OS platform.
These appliances provide controlled access to back-end servers and resources through a single port opened to the Internet. All
traffic, no matter what its destination, arrives via TCP port 443, so network administrators can close the firewall to every other
inbound port and still retain full remote-access connectivity. The flip side is that the appliance's policy engine, rather than the
firewall, now decides what that traffic may reach, so the quality of its access control matters.
We rounded up two SSL VPN appliances to see just how well these devices stack up. The Access 3000 Series from Neoteris and
the Netilla Security Platform (NSP) Release 4.0 both provide secure access to data stored behind the firewall. You get reverse
Web proxies, application proxies, and network-level access to resources. Both come in rack-friendly 1U chassis with dual
10/100Mbps network interfaces, are Web manageable, and are built around a powerful policy engine.
Although both solutions fared well in our tests, the Neoteris Access Series 3000 boasted the best mix of features, functionality,
and security, easily providing granular access control and policy management.
Neoteris Access Series 3000
The Access Series 3000 proved more than capable of handling not only Web-based traffic but also thin-client, thick-client,
and pure network-level access. Its Web-based administration was not as easy to navigate as Netilla's, and the sheer number
of available options when defining group policies slowed me down at the outset, but once I became more familiar with the system,
policy management was not such a chore.
Configuration begins with the creation of one or more authentication servers. The Access Series 3000 will authenticate users
against Active Directory or Windows domains, LDAP, RADIUS, ACE, or NIS servers, and it also has a local user database. You
can mix and match the servers to meet your specific needs. The authentication servers feed authentication groups, where
you manage items such as browser and address restrictions, client certificate requirements, and session-specific settings.
User policies are further defined within the context of the type of resource to which you need to grant or deny access. For
example, you can create a list of allowed or disallowed Web resources for the authorization group, as well as permanent bookmarks.
The solution would benefit from wizard-based policy deployment.
Instead of taking the "deny all unless explicitly allowed" approach of most security devices, Neoteris leaves Web and file
resources accessible by default, so an administrator must remember to add a deny rule for anything that should stay off limits.
To be truly secure, I believe all access should be denied unless allowed by an administrator.
Web resources on your network may be the primary type of traffic accessed through the appliance, but there are two other types
of access that are just as important. The Secure Application Manager (SAM) is a very small download-on-demand application
that creates a client/server connection to a specific resource over TCP without opening up the entire network.
SAM goes a step further by verifying the integrity of the application with an MD5 checksum. Treat that as an integrity check
rather than a security guarantee: MD5 is no longer considered collision-resistant.
The third type of access, the closest to an IPSec VPN, is NC Access (Network Connect Access). This option downloads
automatically as a small applet and tunnels TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message
Protocol), and all other traffic types over SSL. The client receives an IP address assigned by the Access Series 3000, and
you can specify the destination addresses and ports users may connect to. I tested all three types of access and had no trouble
connecting to resources both behind and outside of the Neoteris appliance. Native Windows file browsing worked like a
charm.
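The two access-control decisions described above, the allowed/disallowed Web-resource lists for an authorization group and the destination address and port restrictions for NC Access, come down to the same first-match rule evaluation, and the policy default is what decides the resources nobody listed. The following Python is an added example written for this review, not Neoteris's or Netilla's code. The rule format, the function names evaluate_web and evaluate_net, and the hosts, networks and URLs are all made up to illustrate the point.

```python
"""First-match policy evaluation for an SSL VPN gateway, covering both
Web-resource rules and Network Connect destination rules, with the policy
default (allow or deny) made explicit.  Added example, not vendor code."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import urlsplit
import ipaddress


@dataclass(frozen=True)
class WebRule:
    action: str   # "allow" or "deny"
    pattern: str  # glob over "scheme://host[:port]/path", compared lower-case


@dataclass(frozen=True)
class NetRule:
    action: str
    network: str      # destination CIDR, e.g. "10.1.2.0/24"
    ports: str = "*"  # "*", "22,3389" or "1024-65535"; ignored for ICMP
    proto: str = "*"  # "tcp", "udp", "icmp" or "*"


def _port_match(spec: str, port: int) -> bool:
    """True if `port` falls within a comma-separated list of ports/ranges."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo <= port <= hi:
                return True
        elif int(part) == port:
            return True
    return False


def evaluate_web(rules, url: str, default: str = "deny") -> str:
    """Return the action of the first rule matching the normalised URL,
    or `default` when no rule matches.  An explicit port in the URL is
    part of the netloc, so a pattern must include it to match."""
    p = urlsplit(url)
    norm = f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"
    for r in rules:
        if fnmatchcase(norm, r.pattern.lower()):
            return r.action
    return default


def evaluate_net(rules, dst_ip: str, dst_port, proto: str, default: str = "deny") -> str:
    """Same first-match logic applied to a tunnelled packet's destination."""
    ip = ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.proto not in ("*", proto):
            continue
        if ip not in ipaddress.ip_network(r.network):
            continue
        if proto != "icmp" and not _port_match(r.ports, dst_port):
            continue
        return r.action
    return default


# Constructed sample policy (hypothetical hosts, networks and URLs).
WEB_RULES = [
    WebRule("deny", "*://*/admin/*"),                  # explicit deny first: order matters
    WebRule("allow", "https://intranet.example.com/*"),
]
NET_RULES = [
    NetRule("deny", "10.1.2.250/32"),                  # one host carved out of the allowed /24
    NetRule("allow", "10.1.2.0/24", "22,3389", "tcp"),
    NetRule("allow", "10.1.0.0/16", "*", "icmp"),
]


if __name__ == "__main__":
    # A resource nobody listed is reachable under default-allow and blocked under default-deny.
    for default in ("allow", "deny"):
        print(default,
              evaluate_web(WEB_RULES, "https://hr.example.com/payroll", default),
              evaluate_net(NET_RULES, "10.1.2.10", 445, "tcp", default))
```

Two things to audit in any such policy set follow directly from the code: rule order (an allow placed before a broad deny silently wins) and the value of `default`, which is the only thing standing between a remote user and every resource the administrator forgot to list.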
The Access Series 3000 also keeps your systems secure with the Neoteris Host Checker API and Cache Cleaner. Host Checker
polls each authenticated client to verify that the administrator-defined client security software is present before granting
access. Cache Cleaner purges your users' browser cache on a preset schedule to remove traces of confidential material.