New to this release is full, bidirectional layer 3 tunnel support. Administrators can define multiple tunnel definitions per
virtual site, each with its own unique settings. For instance, one definition might include full tunneling, whereas another
might specify split tunneling; and each can hand out IP addresses from a completely different DHCP pool.
Lack of cross-platform support is the price you pay for many of the more advanced features of SSL VPNs. Currently, the SPX3000’s
layer 3 tunnel is available only to clients running Windows, but Array says that Mac and Linux versions are in development.
Array’s end-point security, including host checking and cache cleanup, is handled via Sygate On-Demand and Sygate Secure Desktop.
Although the end-point security component is tightly integrated in the SPX3000, it must be purchased separately. Host checking
takes place only before authentication; the client’s state is not rechecked during the session.
For large enterprises or service providers, the SPX3000 offers VLAN support, as well as “virtual sites.” These allow admins
to provision a single appliance into minisites, each with its own authentication and authorization settings. In addition,
the appliance supports Active-Active and Active-Standby clustering configurations for as many as 32 nodes.
The administration UI of the SPX3000 isn’t all that different from that of Array’s previous releases. It’s still a little
bumpy, but it has improved. Similar items are grouped together to minimize UI fatigue, and each virtual site is self-contained.
Delegated administration is well-supported; the appliance administrator assigns an individual user to administer a single
virtual site, and only that virtual site. In all, I found that Array has successfully rounded out the SPX3000’s feature set
to make it competitive with any other appliance on the market.
Aventail EX-1500
The EX-1500 is a good all-around performer for secure remote access. Aventail’s Unified Policy engine makes life much easier
for VPN administrators. Resources and users are tightly coupled, making policy definitions similar to a set of firewall rules.
Instead of hopping all over the admin UI, everything is neatly nested together, and a handy Quick Start menu helps get you
going. In fact, I was able to create a new access rule, complete with new resources and users, from a single screen -- a small
thing, perhaps, but one that busy IT managers will appreciate.
Each authentication realm also includes access method and security zone definitions. Compatible authentication sources include LDAP, RADIUS,
Active Directory, SecurID, and a local user database. Two-node clustering is available in an Active-Active configuration.
Built-in load balancing and automatic fail-over require no additional hardware.
Endpoint Control 2.0, probably the best end-point security mechanism of any appliance reviewed here, has been added since
I last reviewed Aventail’s platform. When users connect to the appliance, Endpoint Control places them in specific security “zones” based on their device profiles.
A zone is a grouping that defines policy details such as whether to use a cache cleaner on the client’s browser or to allow
remote access (deny/allow all). This system makes it easy for administrators to create and maintain security policies that
change as the user changes locations.
Endpoint Control relies on client-side software from WholeSecurity or Zone Labs to perform preauthentication host scans; either
product must be purchased separately. Without these add-ons, Endpoint Control can still determine where a client is connecting
from but cannot determine details about running processes and so on. For even more protection, the EX-1500 also works with Aventail’s
cache cleaner and either Aventail Secure Desktop or Sygate On-Demand (also purchased separately).
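The following is an added example, not Aventail’s code, that sketches the two-stage policy model described in the Unified Policy and Endpoint Control passages above: a device profile is first mapped to a security zone (ordered rules, first match wins, an unscanned client lands in a location-only zone, and a scanned but non-compliant client falls through to a closed default), and an access decision is then made from the user’s groups, the resource, and that zone, in the same first-match, default-deny style as a firewall rule set. The zone names, posture attributes, group names, resources, and the 10.0.0.0/8 corporate range are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

# Device posture as the gateway sees it. The source address is always known
# from the connection; the scan fields are None when no host-scan agent ran,
# which is the "location only, no process details" case described above.
@dataclass(frozen=True)
class Posture:
    source_ip: str
    av_running: Optional[bool] = None
    firewall_on: Optional[bool] = None

    @property
    def scanned(self) -> bool:
        return self.av_running is not None and self.firewall_on is not None

# Constructed sample of "inside" address space; anything else is remote.
CORP_NETS = [ipaddress.ip_network("10.0.0.0/8")]

def from_corp_net(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_NETS)

# Zone classification: evaluated in order, first match wins. A scanned
# client that fails the compliance checks matches nothing and gets the
# closed default zone rather than a permissive one.
ZONE_RULES: List[Tuple[str, Callable[[Posture], bool]]] = [
    ("trusted", lambda p: p.scanned and p.av_running and p.firewall_on
                          and from_corp_net(p.source_ip)),
    ("managed", lambda p: p.scanned and p.av_running and p.firewall_on),
    ("kiosk",   lambda p: not p.scanned),   # no agent: location is all we know
]
DEFAULT_ZONE = "quarantine"

# Per-zone browser handling: whether to run the cache cleaner at logout.
ZONE_CACHE_CLEANER = {"trusted": False, "managed": False,
                      "kiosk": True, "quarantine": True}

def classify_zone(p: Posture) -> str:
    for name, matches in ZONE_RULES:
        if matches(p):
            return name
    return DEFAULT_ZONE

# Access rules couple users (by group) to a resource and the zones in which
# the grant applies. Anything not explicitly allowed is denied.
@dataclass(frozen=True)
class Rule:
    groups: frozenset
    resource: str
    zones: frozenset

ACCESS_RULES = [
    Rule(frozenset({"finance"}), "erp", frozenset({"trusted"})),
    Rule(frozenset({"staff"}), "owa", frozenset({"trusted", "managed", "kiosk"})),
]

@dataclass(frozen=True)
class Decision:
    zone: str
    allowed: bool
    cache_cleaner: bool

def decide(groups: Set[str], resource: str, posture: Posture) -> Decision:
    zone = classify_zone(posture)
    allowed = any(r.resource == resource and zone in r.zones and bool(r.groups & groups)
                  for r in ACCESS_RULES)
    return Decision(zone, allowed, ZONE_CACHE_CLEANER[zone])

if __name__ == "__main__":
    # Constructed sample sessions: same user, same resource, different posture.
    for posture in (Posture("10.1.2.3", True, True),
                    Posture("203.0.113.5", True, True),
                    Posture("203.0.113.5"),
                    Posture("203.0.113.5", False, True)):
        print(posture.source_ip, decide({"staff", "finance"}, "erp", posture))
```

The point of the ordering is that the same finance user is allowed to reach the ERP resource only from a scanned, compliant machine on the internal network; from a compliant machine elsewhere the zone changes and the ERP rule no longer applies, while an unscanned client is confined to the browser-only zone with the cache cleaner turned on.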
The EX-1500 comes with excellent Web application support. It rewrites HTML on the fly and comes with some default Web application
profiles to handle special applications such as Outlook Web Access -- although none of the appliances in this roundup had
trouble with either of the Test Center’s Outlook Web Access 2000 or 2003 servers.
Thin-client support is Aventail OnDemand’s job. Not to be confused with Sygate On-Demand, Aventail OnDemand is a Java application
that downloads on request to your browser and provides TCP application support.

AEP Networks Netilla Security Platform
AEP Networks, netilla.com
Overall score: Very Good (8.0)

Criteria           Score   Weight
Security           9       35%
Interoperability   7       25%
Scalability        8       20%
Setup              8       10%
Value              7       10%

Cost: 100 users, $34,300
Bottom Line: AEP has polished its NSP with this release, improving authentication support and adding end-point host checking via Sygate
On-Demand. The NSP handles TCP-based thin-client applications in a unique way, using a method based on server proxy software
from Tarantella. Although the NSP is a solid performer overall, its policy granularity could be improved.
About our Reviews and Scoring Methodology

Array Networks SPX3000
Array Networks, arraynetworks.net
Overall score: Very Good (8.5)

Criteria           Score   Weight
Security           9       35%
Interoperability   8       25%
Scalability        9       20%
Setup              7       10%
Value              8       10%

Cost: 100 users, $25,000
Bottom Line: Array has added full layer 3 tunneling and Sygate-based end-point security checking with this release, making it competitive
with other appliances. The SPX3000’s Web proxy is the only one in the roundup to support complex content, including Flash.
VLAN support is available, and the appliance itself can be partitioned into virtual sites. Its UI, however, is a little rough
around the edges.

Aventail EX-1500
Aventail, aventail.com
Overall score: Very Good (8.4)

Criteria           Score   Weight
Security           8       35%
Interoperability   9       25%
Scalability        8       20%
Speed              9       10%
Value              8       10%

Cost: 100 users, $28,095
Bottom Line: The EX-1500 is a good all-around performer for secure remote access, but it only supports unidirectional TCP and UDP connections,
rather than true IPSec-style layer 3 tunneling. On the plus side, its administration UI is easy to navigate and Aventail’s
end-point security management, when coupled with client software from WholeSecurity or Zone Labs, was the best of the bunch.

F5 Networks FirePass 4100
F5 Networks, f5.com
Overall score: Excellent (8.8)

Criteria           Score   Weight
Security           9       35%
Interoperability   9       25%
Scalability        9       20%
Setup              7       10%
Value              9       10%

Cost: 100 users, $24,990
Bottom Line: The FirePass 4100 is one of the strongest platforms for Web, thin-client application, and layer 3 connectivity. It supports
IPSec termination and includes a built-in browser-based remote desktop access application -- features not normally found in
an SSL VPN appliance. Unfortunately, F5 misses the mark with its homegrown end-point security software.