Remote users can authenticate against Active Directory, LDAP, RADIUS, Netegrity, digital certificates, or a local database,
and each authentication realm can use multiple authentication servers. User roles map authenticated users into specific groups.
These groups define what forms of remote access have been granted to a user, as well as any session-specific details such
as inactivity time-out or session persistence. For example, an admin can create one role that includes Web access, Windows
file shares, and Terminal Services and another that allows only Web access.
The NetScreen-SA 5000 provides all the standard remote-access methods, including Web, TCP-based, and layer 3. For Web applications,
the granularity with which an administrator can define access policies is amazing, with settings to control all sorts of features,
ranging from caching policies to HTML rewriting to compression. Despite all this perceived complexity, defining a Web policy
turned out to be relatively simple. Web-based Windows, Unix file browsing, and Telnet support are also included.
TCP-based applications get routed through SAM (Security Access Manager), software that is available in Windows and Java versions.
SAM can be configured to automatically launch based on a user’s role.
Layer 3 tunneling is handled by Network Connect, Windows-only software that installs a virtual PPP adapter on a remote PC.
Administrators can assign IP addresses to Network Connect clients from a private DHCP pool. Full and split tunneling are available,
as are custom DNS settings. Admins aren’t given as fine-grained access controls on the tunnel as for other services, but what
they get is definitely superior to what is available with IPSec. Juniper says Network Connect will be available for Mac OS
X and Linux in the next major release.
The SA-500’s end-point security mechanism, JEDI (Juniper Endpoint Defense Initiative), works with InfoExpress, McAfee, Sygate,
and Zone Labs client software. The only downside is that JEDI works only on Windows.
At first glance, the administration UI looks awkward and confusing. Because of the sheer number of options and features available,
GUI fatigue is inevitable. In practice, context-sensitive links quickly take you to related functions. Logging and reporting
are first-rate, including real-time usage graphs.
Other than F5’s FirePass 4100, the NetScreen-SA 5000 is the only appliance in our roundup that is available in a FIPS 140-compliant
model. In addition, the NetScreen-SA 5000 handles high availability in an Active-Passive mode and can scale to eight nodes
in a single cluster. VLAN support is not currently available, although Juniper says it is in development.
Nokia Secure Access System 3.0
The NSAS (Nokia Secure Access System) provides everything you need for secure remote access without overwhelming you with
its administration UI. It supports Web portal, file share, TCP application support, and layer 3 tunneling. Web application
access is first rate and is very easy to define and maintain. A Web resource can be added to the NSAS portal in a matter of
a few clicks, which is not possible with some of the other appliances in this roundup.
Another difference is that the NSAS defines authentication schemes on a global scale and doesn’t allow for multiple virtual
sites, although the appliance does support multiple authentication schemes. Options include LDAP, Active Directory, NTLM (NT
LAN Manager), RADIUS, PKI certificates, and use of local user databases. For high availability, NSAS can cluster two nodes
with no additional hardware.
E-mail
Printer Friendly
Reprints
(InfoWorld) - In the litigious world we live in, deploying a unified communications platform in your enterprise could...
