As in its previous releases, the NSP uses “realms” to organize users, authentication schemes, and resource access policies
into manageable groups and includes built-in support for Microsoft SMB (Server Message Block), Active Directory, SecurID,
Kerberos, RADIUS, and local user authentication. The NSP also continues its tradition of using “authentication scopes” to
pass user credentials to an application, enabling SSO (single sign-on). This method works but can lead to unnecessary administrative
overhead when creating and managing links to Web resources.
As do all the appliances in this roundup, the NSP offers clients access to both Web-based and server-based applications. The
NSP also offers layer 3 tunneling for direct IPSec-style network access, allowing TCP and UDP (User Datagram Protocol) traffic
to pass through, and as do most appliances, it supports full or split tunneling. Full tunneling sends all traffic, local
and nonlocal, across the tunnel to the enterprise, which routes it from there; the enterprise can inspect and filter everything
the remote client does, at the cost of carrying its Internet traffic. Split tunneling routes only enterprise traffic over
the tunnel while other traffic -- such as Internet traffic -- goes out through the remote user's default gateway, so the client
is attached to the enterprise and to an uncontrolled network at the same time. The method you choose will depend on the
strictness of your security policies.
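To make the difference between the two tunneling modes concrete, the following is an added illustration (not code from the review or from any of the vendors). It models the route table a layer 3 VPN client installs on the remote PC in each mode and resolves, by longest-prefix match, where a given destination is sent. The enterprise prefixes, interface names and sample addresses are constructed for the example.

```python
"""Full vs. split tunneling as a client-side routing decision.

Added example (not from the review or any vendor's software). Models the route
table an SSL VPN layer 3 client installs in each mode and resolves where a given
destination is sent using longest-prefix match. All network numbers and names
below are constructed for illustration.
"""
import ipaddress

TUNNEL = "vpn-tunnel"       # assumed: virtual adapter created by the VPN client
LOCAL = "local-gateway"     # assumed: the remote user's own default gateway

# Constructed example: enterprise prefixes the gateway pushes to the client.
ENTERPRISE_PREFIXES = ["10.0.0.0/8", "192.168.100.0/24"]


def build_routes(mode, enterprise_prefixes=ENTERPRISE_PREFIXES):
    """Return a list of (network, interface) routes for the chosen mode."""
    routes = [(ipaddress.ip_network(p), TUNNEL) for p in enterprise_prefixes]
    if mode == "full":
        # Full tunneling: the default route itself points into the tunnel, so
        # every destination without a more specific match still crosses to the
        # enterprise and is routed (and can be inspected) from there.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), TUNNEL))
    elif mode == "split":
        # Split tunneling: only enterprise prefixes use the tunnel; everything
        # else keeps the remote user's own default gateway.
        routes.append((ipaddress.ip_network("0.0.0.0/0"), LOCAL))
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return routes


def resolve(routes, destination):
    """Longest-prefix match: the most specific route containing the address wins."""
    addr = ipaddress.ip_address(destination)
    best = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1]


def leaks_outside_tunnel(routes, destinations):
    """Destinations that bypass the tunnel, i.e. what a strict policy would forbid."""
    return [d for d in destinations if resolve(routes, d) != TUNNEL]


if __name__ == "__main__":
    sample = ["10.1.2.3", "192.168.100.7", "203.0.113.10"]   # constructed destinations
    for mode in ("full", "split"):
        rt = build_routes(mode)
        print(mode, {d: resolve(rt, d) for d in sample},
              "bypassing tunnel:", leaks_outside_tunnel(rt, sample))
```

Under the full-tunnel table every destination resolves to the tunnel; under the split-tunnel table the public address falls through to the local gateway, which is exactly the traffic a strict policy cannot see.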
The NSP’s layer 3 tunnel is deployed as an ActiveX control, so layer 3 support is available only for Windows clients. This
shortcoming is mitigated somewhat by the fact that the NSP handles thin-client access such as to terminal servers or “green-screen”
legacy hosts in a way that’s different from that of any other appliance in this roundup. It uses Java client software and
a proprietary protocol to connect the remote user to built-in proxy server software from Tarantella. The Tarantella server
then makes the connection to the protected resource. This extra layer between client and server proxies all inbound traffic,
regardless of its method of transport.
Also new to this release is support for Sygate’s On-Demand end-point policy enforcement software, which AEP Networks offers
at additional cost. Client integrity scans can take place before and after authentication, and each realm can have its own
specific host policy. The more advanced Sygate features are available only to clients on the Windows platform, but its cache-cleaning
component will erase temporary files, cookies, and other session information for any Java-compatible browser.
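How realm-specific host policy and the before/after-authentication scans fit together is easier to see in code. The following is an added example, not AEP's or Sygate's software: a small evaluator that gates the login page on a pre-authentication scan, then applies the realm's own policy once the user has authenticated, and falls back to reduced access rather than a hard deny where the realm allows it. The realm names, check names, platform handling and scan results are all constructed assumptions.

```python
"""Realm-scoped end-point checks before and after authentication.

Added example, not AEP's or Sygate's code. Realm names, check names, the
platform split (full checks only on Windows, cache cleaner everywhere) and
the scan results are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class HostPolicy:
    pre_auth_required: frozenset    # must pass before the login form is even shown
    post_auth_required: frozenset   # must pass to receive full access
    fallback_access: str            # what a client gets when post-auth checks fail


@dataclass
class Realm:
    name: str
    auth_backends: list              # e.g. ["Active Directory", "Kerberos"]
    host_policy: HostPolicy


@dataclass
class ScanResult:
    platform: str
    passed: frozenset                # checks the agent was able to verify


# Assumed: only the Windows agent can verify these; other platforms get only
# the cache cleaner, mirroring the platform split described in the review.
ADVANCED_CHECKS = frozenset({"os_patched", "antivirus_running", "personal_firewall"})


def scan_host(platform, facts):
    """Model the agent: report only what it can actually verify on this platform.
    `facts` is the constructed ground truth about the host."""
    passed = {"cache_cleaner"} if facts.get("cache_cleaner") else set()
    if platform == "windows":
        passed |= {c for c in ADVANCED_CHECKS if facts.get(c)}
    return ScanResult(platform, frozenset(passed))


def evaluate(realm, scan, authenticated):
    """Return (access, reason) where access is 'deny', 'login', 'full' or the
    realm's fallback level."""
    missing_pre = realm.host_policy.pre_auth_required - scan.passed
    if missing_pre:
        # Fail before revealing the login form: an untrusted host gets nothing.
        return "deny", f"pre-auth checks failed: {sorted(missing_pre)}"
    if not authenticated:
        return "login", "pre-auth checks passed; present login form"
    missing_post = realm.host_policy.post_auth_required - scan.passed
    if missing_post:
        return realm.host_policy.fallback_access, f"post-auth checks failed: {sorted(missing_post)}"
    return "full", "all checks passed"


# Constructed realms: employees may degrade to Web-only access, contractors may not.
EMPLOYEES = Realm("employees", ["Active Directory", "Kerberos"], HostPolicy(
    pre_auth_required=frozenset({"os_patched"}),
    post_auth_required=frozenset({"antivirus_running", "cache_cleaner"}),
    fallback_access="web-only"))
CONTRACTORS = Realm("contractors", ["RADIUS"], HostPolicy(
    pre_auth_required=frozenset({"cache_cleaner"}),
    post_auth_required=frozenset({"cache_cleaner", "antivirus_running", "personal_firewall"}),
    fallback_access="deny"))


if __name__ == "__main__":
    healthy = {"os_patched": True, "antivirus_running": True, "cache_cleaner": True}
    for platform in ("windows", "macos"):
        scan = scan_host(platform, healthy)
        for realm in (EMPLOYEES, CONTRACTORS):
            print(platform, realm.name, evaluate(realm, scan, authenticated=True))
```

The point the example makes is that a non-Windows client with an otherwise healthy host still cannot satisfy any check the agent cannot perform there, so the realm's fallback level, not the host's real state, decides what it gets.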
When compared with those of other appliances, the NSP’s user interface is plain but easy to navigate. It still forces you
to do some UI “link hopping” to create your realms, user authentication, and application definitions, but it could be worse.
When I became comfortable with the UI’s organization, I had little trouble modifying or adding new applications and realms,
although the NSP’s policy granularity is not as fine as that of some other products.
The NSP also has good internal logging and reporting capabilities, but it isn’t the best of the bunch in this regard. As do
all the products in this roundup, the NSP supports both SNMP and Syslog logging. In addition, the NSP offers internally generated
HTML graphs of basic system statistics.
Two-node clustering is part of the base NSP package, rounding out this solid offering. Clustering requires no additional hardware,
although only a Hot-Standby configuration is supported.
Array Networks SPX3000
When I first reviewed Array Networks’ SSL VPN, I thought it needed to improve a bit to be a real player. In the past year, Array has enhanced its product through the inclusion
of a layer 3 tunnel, site virtualization, and client-side host checking.
The SPX3000 provides all the modes of access that administrators have come to expect from an SSL VPN gateway. Policy enforcement
is strong but not quite as granular as that found in the F5 FirePass 4100 or the Juniper NetScreen-SA 5000. As is the case
with the other appliances in this roundup, Array's Web Resource Mapping service rewrites content as it passes through the
appliance, so that links point back to the gateway and internal resource URLs stay hidden from the client. Unlike the other
offerings, however, the SPX3000 rewrites not only HTML but also JavaScript, Cascading Style Sheets, cookies, and even Macromedia Flash.
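What such a rewriting proxy has to do, and why JavaScript is the hard case, is shown by the following added example. It is not Array's code: it takes a response from an internal Web server and rewrites HTML attributes, CSS url() references, absolute URLs in JavaScript string literals and Set-Cookie headers so the browser keeps talking to the appliance rather than to an internal hostname. The gateway name, internal hosts, the /proxy/<host>/ URL scheme and the sample content are all constructed assumptions.

```python
"""Gateway-side content rewriting, the idea behind a Web Resource Mapping service.

Added example, not Array's code. The gateway name, internal hosts, the
/proxy/<host>/ URL scheme and all sample content are constructed.
"""
import re
from urllib.parse import urlsplit

GATEWAY = "https://vpn.example.com"                          # assumed appliance address
INTERNAL_HOSTS = {"intranet.corp.local", "wiki.corp.local"}  # assumed back-end servers


def map_url(url, current_host):
    """Map one URL into its gateway form; external and relative links are untouched."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "" and url.startswith("/"):
        # Root-relative link: in the browser it would resolve against the gateway's
        # own root, so it must be re-rooted under the back end it came from.
        return f"{GATEWAY}/proxy/{current_host}{url}"
    if parts.hostname in INTERNAL_HOSTS:
        path = parts.path or "/"
        query = f"?{parts.query}" if parts.query else ""
        frag = f"#{parts.fragment}" if parts.fragment else ""
        return f"{GATEWAY}/proxy/{parts.hostname}{path}{query}{frag}"
    return url  # external site, document-relative link, mailto:, etc.


_HTML_ATTR = re.compile(r'\b(href|src|action)=(["\'])(.*?)\2', re.IGNORECASE)
_CSS_URL = re.compile(r'url\((["\']?)(.*?)\1\)', re.IGNORECASE)
_JS_STRING = re.compile(r'(["\'])(https?://[^"\']*)\1')


def rewrite_html(body, current_host):
    """Rewrite href/src/action attributes in markup."""
    return _HTML_ATTR.sub(
        lambda m: f"{m.group(1)}={m.group(2)}{map_url(m.group(3), current_host)}{m.group(2)}", body)


def rewrite_css(body, current_host):
    """Rewrite url(...) references in style sheets and inline style blocks."""
    return _CSS_URL.sub(
        lambda m: f"url({m.group(1)}{map_url(m.group(2), current_host)}{m.group(1)})", body)


def rewrite_js(body, current_host):
    """Rewrite absolute URLs held in JavaScript string literals. URLs assembled at
    run time from fragments are invisible to static rewriting, which is why full
    JavaScript support is the hard part of any rewriting proxy."""
    return _JS_STRING.sub(
        lambda m: f"{m.group(1)}{map_url(m.group(2), current_host)}{m.group(1)}", body)


def rewrite_set_cookie(header, current_host):
    """Re-scope a back-end cookie: drop Domain (it would not match the gateway) and
    confine Path to this back end's prefix so cookies from two internal sites cannot
    collide or leak to each other through the shared gateway origin."""
    attrs = [a.strip() for a in header.split(";") if a.strip()]
    kept = [a for a in attrs if not a.lower().startswith(("domain=", "path="))]
    kept.append(f"Path=/proxy/{current_host}/")
    return "; ".join(kept)


if __name__ == "__main__":
    host = "intranet.corp.local"
    page = ('<link rel="stylesheet" href="/css/site.css">'
            '<a href="http://wiki.corp.local/Home?v=2">wiki</a>'
            '<a href="https://www.example.org/">outside</a>')          # constructed
    print(rewrite_html(page, host))
    print(rewrite_css("body{background:url(/img/bg.png)}", host))
    print(rewrite_js('var api = "http://intranet.corp.local/api"; '
                     'var h = "http://" + location.host;', host))      # second URL is built at run time
    print(rewrite_set_cookie("JSESSIONID=abc; Domain=.corp.local; Path=/; HttpOnly", host))
```

The run-time-assembled URL in the JavaScript sample is left alone, which is the general limitation: static rewriting catches what it can pattern-match, and anything the page builds dynamically (or embeds in a binary format such as Flash) needs format-specific handling or a client-side hook.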
Array allows for easy access to file shares located on either Windows or NFS (Network File System) servers via its Web-based
gateway. For client/server resources, the SPX3000 provides access in two ways. Application Manager is a Java applet that connects
TCP-based applications to back-end services such as terminal servers. Windows Redirector, on the other hand, is a stand-alone
application available only for Windows PCs running Internet Explorer, but it allows even finer control over access to
specific resources.

AEP Networks Netilla Security Platform
AEP Networks, netilla.com
Overall: Very Good 8.0

Criteria            Score   Weight
Security            9       35%
Interoperability    7       25%
Scalability         8       20%
Setup               8       10%
Value               7       10%

Cost: 100 users, $34,300
Bottom Line: AEP has polished its NSP with this release, improving authentication support and adding end-point host checking via Sygate
On-Demand. The NSP handles TCP-based thin-client applications in a unique way, using a method based on server proxy software
from Tarantella. Although the NSP is a solid performer overall, its policy granularity could be improved.
About our Reviews and Scoring Methodology

Array Networks SPX3000
Array Networks, arraynetworks.net
Overall: Very Good 8.5

Criteria            Score   Weight
Security            9       35%
Interoperability    8       25%
Scalability         9       20%
Setup               7       10%
Value               8       10%

Cost: 100 users, $25,000
Bottom Line: Array has added full layer 3 tunneling and Sygate-based end-point security checking with this release, making it competitive
with other appliances. The SPX3000's Web proxy is the only one in the roundup to support complex content, including Flash.
VLAN support is available, and the appliance itself can be partitioned into virtual sites. Its UI, however, is a little rough
around the edges.

Aventail EX-1500
Aventail, aventail.com
Overall: Very Good 8.4

Criteria            Score   Weight
Security            8       35%
Interoperability    9       25%
Scalability         8       20%
Speed               9       10%
Value               8       10%

Cost: 100 users, $28,095
Bottom Line: The EX-1500 is a good all-around performer for secure remote access, but it supports only unidirectional TCP and UDP connections,
rather than true IPSec-style layer 3 tunneling. On the plus side, its administration UI is easy to navigate, and Aventail's
end-point security management, when coupled with client software from WholeSecurity or Zone Labs, was the best of the bunch.

F5 Networks FirePass 4100
F5 Networks, f5.com
Overall: Excellent 8.8

Criteria            Score   Weight
Security            9       35%
Interoperability    9       25%
Scalability         9       20%
Setup               7       10%
Value               9       10%

Cost: 100 users, $24,990
Bottom Line: The FirePass 4100 is one of the strongest platforms for Web, thin-client application, and layer 3 connectivity. It supports
IPSec termination and includes a built-in browser-based remote desktop access application -- features not normally found in
an SSL VPN appliance. Unfortunately, F5 misses the mark with its homegrown end-point security software.