A whole lot more than a firewall

In a landscape already cluttered by secure, managed remote-access solutions, Caymas Systems’ Caymas 525 Identity-Driven Access Gateway further blurs the lines between application firewall, end-point access control, and remote-application portal.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft Caymas 525 Identity-Driven Access Gateway Caymas Systems, caymas.com Excellent  8.7 criteria score weight Security 9 35% Interoperability 8 25% Scalability 9 20% Setup 8 10% Value 9 10% Cost: 2,500 concurrent users and all available services, $44,995 (flat-rate pricing model) Platforms: Client: any Java-compatible Web browser; some client features require ActiveX and run only on Windows PCs Bottom Line: Caymas has put together a powerful, flexible secure-remote-access appliance by bundling SSL VPN with both site-to-site and client-to-site IPSec VPN features. An application-layer firewall and IDS based on the open source Snort signatures are tightly integrated. End-point management and security are good, but they miss non-Windows platforms. About our Reviews and Scoring Methodology

The Caymas 525 provides supergranular control of protected resources and a comprehensive app-layer firewall that goes beyond simple HTTP analysis. End-point policy management is among the best out there, featuring an easy-to-use policy tool and support for Sygate On-Demand, but unfortunately, it’s available only for remote Windows users.

I was really impressed with the capabilities built into the Caymas 525. I installed the 2U appliance in my lab and tested it against the same authentication servers and resources I used in my Feb. 7 roundup of six SSL VPNs. I set up the Caymas 525 without any major hassles; within an hour, I had published various resources on the 525’s portal page and had set up authentication using my local Active Directory server.

The administration UI is a pure Java application, and it allows for delegated administration. As do many Java-based applications, the Caymas Management System took a little time to load up, but when running, it performed flawlessly. Caymas’ engineers did a great job on the layout and functionality of the UI.

All resources, all the time

Caymas has built a near-perfect security gateway. Regardless of whether a user is inside or outside the network boundary, the Caymas 525 provides finely metered, manageable access control. Its use of ASICs and FPGAs (field-programmable gate arrays) offload many tasks normally handled by software and CPU, yielding higher throughput and greater capacity. Two ASICs handle the cryptographic functions and two FPGAs manage packet-flow processing and policy enforcement.

Included support for various Web and TCP/IP applications is first-rate. Caymas’ access-control policies are based on various network services, and the appliance comes with one of the most extensive lists of predefined services I’ve ever seen. From CIFS to POP3 to VNC (Virtual Network Computing), nearly every popular network service is built-in, and if one is missing, it’s easy enough to create a new service definition.

Every aspect of the connection -- SSO (single sign-on), cookie, and URL signing, for instance -- can be defined to meet the security and access needs for the enterprise. As do other gateways, the Caymas 525 supports browser-based file access and WebDAV access.

One thing I did find odd is that, for some Web applications, including OWA (Outlook Web Access), I had to create two Web application definitions, one of them being “hidden.” The hidden definition was necessary to provide access to Microsoft Exchange Web folders not necessarily located in the default Exchange location. Other SSL appliances don’t require this extra step, handling OWA cleanly with a single definition.

Caymas comes with an SSL-protected layer 3 tunnel named Secure Connect and support for client-to-server IPSec and site-to-site IPSec VPNs. Secure Connect handles DHCP for remote clients, and it will force the client to request a new key based on either time or amount of data transferred. It does not, however, allow for multiple network or DHCP definitions.

Host checking and cache cleaning are available only for Windows 2000 and Windows XP users, but administrators can specify which users they should apply to. I found creating the host-checking policy intuitive and straightforward. Administrators can choose OS, file, port, process, and Registry settings as items to look for, and they can create complex policies using AND and OR logic. Caymas will also work with Sygate On-Demand to enforce client-side security policies.

Snort for security

The ability to apply application-layer protection on a resource-by-resource basis sets Caymas apart. Caymas uses the Snort IDS signatures, organizing them into categories that make choosing the proper protection easier. Specific protections cover everything from IIS to ColdFusion.

Application protection extends to other areas such as HTTP methods allowed and threat patterns. Although I don’t believe the Caymas box is a direct replacement for a dedicated application firewall, the built-in application protection goes a long way toward providing strong, flexible security at all levels. The 525 also allows administrators to set some basic thresholds in order to help defend against DoS attacks. Administrators set the maximum inbound pings per second, TCP SYNs per second, and new HTTP or HTTPS sessions per second.

Achilles’ directory

The past few SSL VPN appliances I’ve reviewed all share an irritating trait: They all make AD (Active Directory) server definition harder than it needs to be. Although Caymas’ AD setup was not nearly as difficult as that of Nortel’s VPN Gateway 3050, I still had to dig out a fully qualified user name and edit the mappings between Caymas and AD user names. F5 Networks and Juniper have streamlined this process; Caymas and other vendors should follow suit.

There is a method to the user-name-mapping madness: It leads to greater flexibility. By creating multiple AD definitions with different user group mappings, you can break out users based on their AD group affiliation. You can then use different authentication policies bound to different user groups to specify group-specific settings such as password length and expiration, as well as other restrictions. Additional authentication methods include local database, LDAP, RADIUS, and RSA SecureID.

It’s hard to classify the Caymas 525 as just an SSL VPN appliance. Not only is it a first-rate SSL VPN, but it’s also a well-rounded application firewall with some DoS protection and a full complement of IPSec thrown in for good measure. Its use of specialized hardware offloads CPU-intensive tasks, and its end-point security allows for a wide range of customization. AD setup could be easier, and the end-point control, although good, is limited to late-model Windows clients. But overall, the Caymas 525 will make a big splash in an already big pond.