NSAS supports TCP-based applications through a Java helper program, but the overall UI needs a major face-lift. The user must
query the portal to learn which local loopback address to connect to for each specific client program. All the other boxes
we reviewed do a much better job hiding this process from the end-user.
Secure Connector, Nokia’s IPSec replacement technology, is built into NSAS and supports full and split tunneling. Secure Connector
allows admins to create a private IP address pool for remote users, as is possible with the Juniper NetScreen-SA 5000. NSAS
uses firewall-style allow/deny rulesets to define access controls within the tunnel. Administrators can specify address ranges,
ports, and protocols for access to specific resources and can even deny access to clients that don’t meet anti-virus requirements.
The Secure Connector client is available only for Windows PCs running Internet Explorer.
Secure Workspace is Nokia’s virtual sandbox, and it, too, is available only to Windows and Internet Explorer users. Like
Sygate’s Secure Desktop, Secure Workspace deletes all temporary files, removes browsing history, and erases any session information.
A floating toolbar allows you to switch between your local desktop and the secure desktop.
Nokia’s Client Integrity Scan checks the remote PC to assess its status either before or after authentication. Administrators
configure the scan using a custom scripting language. This has the benefit of allowing admins to build scripts specific to
their needs, but it is likely to be time-consuming.
The administration UI in the NSAS is fairly easy to navigate. The amount of logging and monitoring information is almost overwhelming,
as it is with the FirePass 4100, but the use of filters helps keep it manageable.
Unfortunately, the NSAS offers no support for third-party host checkers such as those offered by Sygate or WholeSecurity.
Third-party support must be added to the NSAS to allow for easier integration into existing client security infrastructures
and to provide additional client-side management if it is to hold its own against the other appliances on the market.
Ready to switch?
To be fair, it doesn’t make sense to tear out all your existing IPSec gear and immediately replace it with SSL. It does make
sense, however, to start deploying SSL and migrating users to it. IPSec and SSL can coexist and complement each other, allowing
for a gradual move from one platform to the other.
Even for an enterprise that has an extensive investment in IPSec, migration to SSL is justifiable. The support cost per client
is so much greater with IPSec than with SSL that the labor cost savings will offset the expense of the new hardware. Long-term
administration is also much easier to manage on an SSL VPN because everything is centrally located. Any policy updates or
changes to client-side applets are automatically pushed out on the next connect.
What’s more, SSL VPNs simply offer better security than IPSec appliances do. All SSL VPN connections -- even IPSec-style layer
3 connections -- have access control policies associated with them. This allows administrators to grant access to specific
resources, rather than opening up the entire network as you would with IPSec.
Each of the SSL VPN appliances reviewed here provides an admirable range of features that make them worthy competitors against
any IPSec equivalent. After the smoke cleared and all the results had been tallied, the Juniper NetScreen-SA 5000 came out
on top. Although not perfect, the NetScreen-SA 5000 passed every test thrown at it, and it never failed to meet challenges.
Still, none of the competitors in this roundup is a bad choice. As this market continues to mature, you’ll have more and more
reasons to expect your next VPN to be an SSL one.

AEP Networks Netilla Security Platform
AEP Networks, netilla.com
Very Good 8.0

| Criteria | Score | Weight |
| --- | --- | --- |
| Security | 9 | 35% |
| Interoperability | 7 | 25% |
| Scalability | 8 | 20% |
| Setup | 8 | 10% |
| Value | 7 | 10% |

Cost: 100 users, $34,300
Bottom Line: AEP has polished its NSP with this release, improving authentication support and adding end-point host checking via Sygate
On-Demand. The NSP handles TCP-based thin-client applications in a unique way, using a method based on server proxy software
from Tarantella. Although the NSP is a solid performer overall, its policy granularity could be improved.
About our Reviews and Scoring Methodology

Array Networks SPX3000
Array Networks, arraynetworks.net
Very Good 8.5

| Criteria | Score | Weight |
| --- | --- | --- |
| Security | 9 | 35% |
| Interoperability | 8 | 25% |
| Scalability | 9 | 20% |
| Setup | 7 | 10% |
| Value | 8 | 10% |

Cost: 100 users, $25,000
Bottom Line: Array has added full layer 3 tunneling and Sygate-based end-point security checking with this release, making it competitive
with other appliances. The SPX3000’s Web proxy is the only one in the roundup to support complex content, including Flash.
VLAN support is available, and the appliance itself can be partitioned into virtual sites. Its UI, however, is a little rough
around the edges.

Aventail EX-1500
Aventail, aventail.com
Very Good 8.4

| Criteria | Score | Weight |
| --- | --- | --- |
| Security | 8 | 35% |
| Interoperability | 9 | 25% |
| Scalability | 8 | 20% |
| Speed | 9 | 10% |
| Value | 8 | 10% |

Cost: 100 users, $28,095
Bottom Line: The EX-1500 is a good all-around performer for secure remote access, but it only supports unidirectional TCP and UDP connections,
rather than true IPSec-style layer 3 tunneling. On the plus side, its administration UI is easy to navigate and Aventail’s
end-point security management, when coupled with client software from WholeSecurity or Zone Labs, was the best of the bunch.

F5 Networks FirePass 4100
F5 Networks, f5.com
Excellent 8.8

| Criteria | Score | Weight |
| --- | --- | --- |
| Security | 9 | 35% |
| Interoperability | 9 | 25% |
| Scalability | 9 | 20% |
| Setup | 7 | 10% |
| Value | 9 | 10% |

Cost: 100 users, $24,990
Bottom Line: The FirePass 4100 is one of the strongest platforms for Web, thin-client application, and layer 3 connectivity. It supports
IPSec termination and includes a built-in browser-based remote desktop access application -- features not normally found in
an SSL VPN appliance. Unfortunately, F5 misses the mark with its homegrown end-point security software.