Traditionally, providing road warriors and business partners with access to back-end servers and resources has meant deploying
an IPSec VPN. For site-to-site communication, IPSec remains the only game in town, but for client-to-enterprise links it
is falling out of favor precipitously. The administrative overhead of deploying and maintaining IPSec client software has become
overwhelming given the ever-increasing number of clients to support. There is also a security cost: an IPSec client gets a routed
layer 3 tunnel, so an untrusted or compromised device can punch a hole through the firewall -- and land directly in the heart of the network.
These basic problems with IPSec are why SSL VPNs are showing up on more and more IT radar screens. For browser-based access, an SSL VPN
requires no client software to install, let alone maintain; the end-point agents and layer 3 tunnel clients discussed below are
optional add-ons, not prerequisites. Not only does this cut down on IT labor, but it also means remote
users aren't limited to specified locations. Public Internet kiosks, partner sites, a borrowed laptop -- they all work.
More importantly, with an SSL VPN there is no open tunnel to the enterprise. SSL VPNs enforce security policy on each connection,
allowing access only to specific resources based on user, location, and/or device. As with any good security control, everything
is off-limits unless expressly allowed by the administrator.
I explored the mechanics of SSL VPNs and explained how these appliances differ from their IPSec cousins in a similar roundup a year ago. This time around, I put six different SSL VPN appliances to the test to find out whether they’ve matured enough
to replace enterprise-class IPSec deployments -- and to determine which ones, if any, stand out from the rest.
Packed with features
The SSL VPN playing field gets more level with each product release cycle. Many of the appliances in this roundup are in their
third generation and are technologically mature. The main features differentiating the products from one another are the way
in which they implement security policies, how they handle remote end points, and how transparent the overall experience is
to the end-user.
The granularity of their access policies is where SSL VPN appliances really shine. All the solutions reviewed here allow administrators
to implement policies that change based not only on who is logging in but also on where they are logging in from.
In addition, every SSL appliance in this roundup supports some kind of end-point security software, although some do a better
job than others. End-point software analyzes a client device, determines the level of confidence in its security, and applies
access rights based on predefined "trust zones." For instance, the software might determine that a user's laptop has anti-virus
software and a personal firewall running on it, but because the laptop is attempting to connect via Wi-Fi from Starbucks,
the appliance will only grant it proxied access, rather than full network access over an IPSec-style layer 3 tunnel. Bear in mind
that the posture check runs on the very device it is judging, so it raises the bar for a careless user rather than stopping a
deliberately hostile one. Currently no industrywide standard for end-point security control exists, but companies such as Cisco
and Microsoft are working to change that.
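To make the policy model concrete, here is an added example, not code from any appliance in this roundup, of a default-deny access decision that combines the user's group, the source network, and an end-point posture report mapped to trust zones. The group names, network ranges, zone labels and session addresses are all assumptions constructed for the illustration.

```python
"""Default-deny SSL VPN access policy: user group + source network + end-point
posture (mapped to a trust zone) decide how much of the network a session sees.
Added illustration, not code from any reviewed appliance; group names,
networks, zone labels and addresses are assumptions / constructed data."""
from dataclasses import dataclass
from enum import IntEnum
from ipaddress import ip_address, ip_network


class Access(IntEnum):
    DENY = 0         # default: nothing is reachable unless a rule grants it
    WEB_PROXY = 1    # reverse-proxied web applications only (works from a kiosk)
    THIN_CLIENT = 2  # proxied TCP for specific thin-client ports
    LAYER3 = 3       # full IPSec-style layer 3 tunnel


@dataclass(frozen=True)
class Posture:
    """What the end-point agent reports about the connecting device."""
    antivirus: bool = False
    firewall: bool = False
    managed: bool = False  # corporate-owned, e.g. a machine certificate is present


# Trust zones, ordered from least to most trusted (assumed labels).
ZONE_RANK = {"untrusted": 0, "protected": 1, "managed": 2}


def trust_zone(p: Posture) -> str:
    """Collapse the posture report into a named trust zone."""
    if p.managed and p.antivirus and p.firewall:
        return "managed"
    if p.antivirus and p.firewall:
        return "protected"
    return "untrusted"


@dataclass(frozen=True)
class Rule:
    groups: frozenset   # user must be in at least one of these
    networks: tuple     # source address must fall inside one of these CIDRs
    min_zone: str       # device must be in this zone or a more trusted one
    access: Access


# Constructed policy. A laptop with AV and a firewall gets only proxied access
# from a hotspot; the layer 3 tunnel needs a managed device AND a corporate
# source network. Anything not matched by a rule is denied.
POLICY = (
    Rule(frozenset({"employees"}), ("0.0.0.0/0",), "untrusted", Access.WEB_PROXY),
    Rule(frozenset({"employees"}), ("0.0.0.0/0",), "protected", Access.THIN_CLIENT),
    Rule(frozenset({"employees"}), ("10.0.0.0/8", "192.168.0.0/16"), "managed", Access.LAYER3),
    Rule(frozenset({"partners"}), ("203.0.113.0/24",), "protected", Access.THIN_CLIENT),
)


def decide(groups, source_ip, posture, policy=POLICY) -> Access:
    """Return the widest access any matching rule grants; no match means DENY."""
    addr = ip_address(source_ip)
    zone_rank = ZONE_RANK[trust_zone(posture)]
    granted = Access.DENY
    for rule in policy:
        if not rule.groups.intersection(groups):
            continue  # wrong user population
        if not any(addr in ip_network(net) for net in rule.networks):
            continue  # wrong location
        if zone_rank < ZONE_RANK[rule.min_zone]:
            continue  # device not trusted enough for this rule
        granted = max(granted, rule.access)
    return granted


if __name__ == "__main__":
    cases = [  # constructed sessions (198.51.100.7 stands in for a public hotspot)
        ("employees", "10.1.2.3", Posture(True, True, True)),      # office, corporate laptop
        ("employees", "198.51.100.7", Posture(True, True, True)),  # same laptop at a hotspot
        ("employees", "198.51.100.7", Posture()),                  # public kiosk
        ("partners", "203.0.113.9", Posture(True, True)),          # partner site
        ("partners", "198.51.100.7", Posture(True, True)),         # partner away from its site
    ]
    for group, ip, posture in cases:
        print(f"{group:10} {ip:14} {trust_zone(posture):10} -> {decide([group], ip, posture).name}")
```

The decision takes the widest access granted by any matching rule, so adding a rule can only widen access, never narrow it; the narrowing comes from the default of DENY and from each rule's location and minimum-zone conditions. That is the shape of the "off-limits unless expressly allowed" model the article describes.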
Beyond access controls, all the appliances reviewed offer additional security measures. All support "secure browsing" clients
such as Sygate Secure Desktop. These clients create a virtual sandbox in which the SSL session runs; when the user closes the secure
browser, its temporary files and session information go to a binary black hole. What's more, most SSL VPNs provide cache-cleaning
software that covers users' tracks by removing temporary files, cookies, and other session information from the browser. These
measures are very important for users connecting from publicly accessible PCs, but cache cleaning alone isn't nearly as effective
as a secure browser, because files that are merely deleted can often be recovered from disk.
Other features that will interest some customers include VLAN support and clustering. VLANs allow for segregated traffic on
the same physical network, a handy feature for service providers or large enterprises. Clustering allows SSL VPN appliances
to provide high availability through automatic fail-over and load balancing and can extend the number of concurrent users
an appliance supports into the thousands. Given the relatively equal performance of the products in this roundup, it may be
these and other niche features that ultimately tip the balance in favor of one particular product for any given customer.
AEP Networks Netilla Security Platform
When last I visited the NSP (Netilla Security Platform), it was missing some core features necessary for an SSL VPN appliance. Since then, Netilla merged
with AEP Systems to form AEP Networks and released Version 5 of its Netilla Dynatrust operating system. The new offering builds
on the strengths of the previous release by adding previously missing features such as LDAP support and end-point security
checking.

Scorecard: AEP Networks Netilla Security Platform
AEP Networks, netilla.com
Overall: Very Good, 8.0

Criteria            Score   Weight
Security              9      35%
Interoperability      7      25%
Scalability           8      20%
Setup                 8      10%
Value                 7      10%

Cost: 100 users, $34,300
Bottom Line: AEP has polished its NSP with this release, improving authentication support and adding end-point host checking via Sygate
On-Demand. The NSP handles TCP-based thin-client applications in a unique way, using a method based on server proxy software
from Tarantella. Although the NSP is a solid performer overall, its policy granularity could be improved.

About our Reviews and Scoring Methodology

Array Networks SPX3000
Array Networks, arraynetworks.net
Overall: Very Good, 8.5

Criteria            Score   Weight
Security              9      35%
Interoperability      8      25%
Scalability           9      20%
Setup                 7      10%
Value                 8      10%

Cost: 100 users, $25,000
Bottom Line: Array has added full layer 3 tunneling and Sygate-based end-point security checking with this release, making it competitive
with other appliances. The SPX3000's Web proxy is the only one in the roundup to support complex content, including Flash.
VLAN support is available, and the appliance itself can be partitioned into virtual sites. Its UI, however, is a little rough
around the edges.

Aventail EX-1500
Aventail, aventail.com
Overall: Very Good, 8.4

Criteria            Score   Weight
Security              8      35%
Interoperability      9      25%
Scalability           8      20%
Speed                 9      10%
Value                 8      10%

Cost: 100 users, $28,095
Bottom Line: The EX-1500 is a good all-around performer for secure remote access, but it only supports unidirectional TCP and UDP connections,
rather than true IPSec-style layer 3 tunneling. On the plus side, its administration UI is easy to navigate, and Aventail's
end-point security management, when coupled with client software from WholeSecurity or Zone Labs, was the best of the bunch.

F5 Networks FirePass 4100
F5 Networks, f5.com
Overall: Excellent, 8.8

Criteria            Score   Weight
Security              9      35%
Interoperability      9      25%
Scalability           9      20%
Setup                 7      10%
Value                 9      10%

Cost: 100 users, $24,990
Bottom Line: The FirePass 4100 is one of the strongest platforms for Web, thin-client application, and layer 3 connectivity. It supports
IPSec termination and includes a built-in browser-based remote desktop access application -- features not normally found in
an SSL VPN appliance. Unfortunately, F5 misses the mark with its homegrown end-point security software.