Secure remote access to small and branch offices

SonicWall made its name in the small office market, and although the company is expanding rapidly into the enterprise, products such as the SSL-VPN 200 show that it hasn’t lost the value touch. SonicWall has positioned this VPN appliance to combine the ease-of-use advantage associated with SSL VPNs with a smaller form factor and an attractive price tag: less than $600 for roughly 10 concurrent SSL VPN tunnels. A bigger sibling, the SSL-VPN 2000, is available for larger networks at about $2,300.

Free IT resource Virtualization Insights from Top Experts - Learn how virtualization gets real! Sponsored by Dell Free IT resource TechNet: More ways to know it, share it, and keep it running. Sponsored by Microsoft SonicWall SSL-VPN 220 SonicWall, sonicwall.com Very Good  8.2 criteria score weight Security 9 25% Interoperability 8 25% Management 7 20% Setup 8 20% Value 9 10% Cost: $595 including unrestricted user license. Recommended for maximum of 10 concurrent users Platforms: Supports Windows, Linux, and Mac OS X users; NetExtender thin client for Windows only Bottom Line: The SonicWall SSL-VPN 200 aims to easily connect a handful of remote users to a small office network, and it does this job well, providing easy, portal-based access to Web applications and files in addition to good support for VoIP, e-mail, and other TCP/IP apps through an ActiveX on-demand client. The addition of configuration wizards would ease administration. About our Reviews and Scoring Methodology

What makes SSL VPNs an easier option for IT administrators than traditional IPSec VPNs? Short answer: No client configuration. Establishing an SSL session is something Microsoft Internet Explorer and other browsers can handle out of the box, making a private, encrypted connection a simple matter of authentication. No need to install quirky VPN clients on every company laptop. SSL is also less likely to give telecommuters using cable modems any trouble.

Some cable modem providers, including Comcast, have a reputation for blocking IPSec traffic in certain markets in an effort to force users to pay for business-grade accounts rather than lower-cost home connections. That’s doable with IPSec VPNs because the traffic can be identified at the packet level. An SSL connection is used for almost every secure Web session, including consumer uses such as online shopping and bill paying, so ISPs can’t block that traffic without also jeopardizing activities that their home customers are paying for.

Configuring the SonicWall SSL-VPN 200 is straightforward, but not for beginners. Administrators can specify an internal address range to be made available to VPN users and then assign an internal certificate or import an outside cert from the CA of their choice. That’s all you really need, but SonicWall has added a few more niceties such as the capability to import your own Web page to serve as users’ default log-in or portal.

Admins choose between a Windows GUI and a command line accessible from Mac or Linux. The user’s guide contains step-by-step setup procedures for the most common deployment scenarios. Although the docs provide more details for connecting to SonicWall’s own firewalls, the SSL-VPN 200 will work with other vendors’ firewalls and perimeter gateways. Currently, that setup process is manual, but SonicWall promised us a setup wizard sometime in the second half of 2006.

SSL VPNs enable secure access to Web applications, file servers, Telnet, and such via the basic browser portal, meaning without the need for additional client software. For more advanced network applications, SonicWall provides an ActiveX on-demand client called NetExtender, which includes MCCP compression with enough oomph that remote VPN users may not even notice much of a performance hit.

From outside our test network, we were able to use NetExtender to access the VoIP PBX in the lab and establish a remote voice tunnel. The neat extra is that NetExtender also improves VoIP performance. H.323 and SIP are handled through one-to-one NAT and dynamic port forwarding.

As for security, NetExtender goes beyond ordinary SSL to provide a full TLS (Transport Layer Security) VPN. The cool thing about TLS is that you can explicitly advertise routes to either hosts or networks so that whenever a remote computer tries to access a protected resource, the traffic will be forced to travel through the VPN tunnel and not out into the wild. NetExtender is also smart enough to automatically do things such as log itself out and clean the browser cache when ending the session -- handy for Internet cafés, for example.

Overall, we think the SSL-VPN 200 appliance hits the bull’s-eye. It combines exceptional ease of use with rich application support at a price that shouldn’t make you jittery.