SSL VPNs best IPSec rivals

Overall, the Access Series 3000 provides all of the necessary pieces to solve the secure remote access puzzle. I really like the level of detail you can provide for each policy definition, and the appliance worked well no matter what type of traffic or application I threw at it. But I would like to see the default setting for file and Web resource access to be “deny all” out of the box.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft

NetillaSecurity Platform Release 4.0

The NSP is deceptively simple in its ability to securely allow trusted users access network resources. Like Access Series 3000, you get Web, thin-client, and thick-client access through the NSP.

The Web-based administration console is clean and easier to navigate than that of the Neoteris appliance. Though similar to the Neoteris in functionality, the NSP doesn’t have the same far reaching security options as the Access Series 3000. It does come with a stateful inspection firewall for even greater security and built-in fail-over support (with a second unit) for redundancy and maximum uptime.

When setting up the NSP, you first create a security realm (a way of grouping users, policies and authentication servers) and associate an authentication server to it. You authenticate against Active Directory or Windows domains, Radius, ACE, and Kerberos authentication server and also make use of a local user database. The NSP can have multiple realms to fit your user access requirements. Missing is LDAP, but  that support is due early 2004. You can define browser, address, and URL restrictions as well, but there is no support for client-side certificates.

Creating policy definition is a little more cumbersome in the NSP, but it’s not too difficult to master. It also could stand to implement wizards-based policy deployment. An administrator associates applications to an authentication scheme and can set application properties such as cookie-support, forward browser variables or Web server version information. Enabling the policy entails creating a rule that either allows or denies traffic to the specific resource. I like that these multiple layers of policy definition, though a bit repetitious, leave the appliance in a “deny all” mode until you expressly allow the specified traffic.

In the NSP, you have the same three access methods  as you do with the Access 3000 Series. The NSP handles thin-client access differently, however. Instead of  passing traffic through to the application server, you start the apps from the portal page. Using the built-in Tarantella server, they’re then launched against your server.

For network-level access, Netilla again goes a different route from Neoteris. An applet downloads to an end-user’s PC and installs itself as an additional virtual adapter. This creates a PPP tunnel to the NSP, providing you with an IP address assigned from a pool on the NSP. For each tunnel you can assign users, specify the IP range and subnet mask, and a default session time-out value. There are no protocol restrictions on the tunnel and you can list additional networks that your SSL tunnel users may access.

There currently isn’t any end-to-end validation and security checking in the Netilla platform, but support for client integrity is on the way.

The NSP proved quite capable of providing secure access to all of our tested applications, and when the new features are included, it will be right on par with the Neoteris. If you do not need LDAP support or client-side certificates or validation, you won’t be missing any core functionality in the NSP.