Rainbow's SSL VPN is a good start

iGate has the basics but lacks some enterprise-level functions of its competition

SSL VPN appliances continue are gaining momentum in the minds of IT administrators, as evidenced by the growing number of vendors catering to the market. Secure Sockets Layer encryption, the same technology used to keep personal and financial information safe across the Internet, is quickly making SSL VPNs the preferred way to provide remote users with secure access to back-end Web services.

Unlike IPSec VPN tunnels, SSL VPNs do not need a special client on the remote user device, making them easier to deploy and requiring less administrative maintenance. (See our special report on VPNs.)

The NetSwift iGate Pro from Rainbow Technologies provides the core SSL VPN functions -- TCP-based IP traffic and a wide range of authentication options. It does not, however, have all of the enterprise-level features found in other competitor’s products, such as the Neoteris Access 3000 Series or the Netilla Security Platform (NSP) Release 4.0. Among its shortcomings, iGate lacks an IPSec tunnel, cache cleaning, and host-checking technologies. Software releases due over the next few months will address many of these issues.

Based on Rainbow’s CryptoSwift 200 SSL encryption cards, the iGate Pro can handle up to 1,000 concurrent users while securing Web-based applications and any TCP-based service, as long as you specify the proper ports. For my tests, I used Windows 2000 Server as the host application server, running Active Directory, IIS 5.0, Exchange 2000, Outlook Web Access, and a custom, home-grown ASPX application. For file-level access to the server, I used SMB/CIFS (Server Message Block/Common Internet File System). The iGate can also handle native secure access to an Exchange server from a client running Microsoft Outlook.

To assist with setup, the iGate incorporates two simple wizards to help you get things going right out of the box. The Net Wizard guides you through the initial network configuration and the Site Wizard shows you how to create a new protected site. Although effective, the wizards only cover the basics, leaving you to finish configuration using the advanced portion of the user interface.

The iGate has a clean and easy-to-navigate Web-based user interface to help you manage the appliance. It also has the Windows-based Access Control Manager for user management and resource association. Although there are arguments for separating user functions from resource policy management, I found jumping between the two applications burdesome, with each UI requiring you to apply your changes before they would take effect.

In order to create the SSL sessions between client and server, the iGate maps the address for the published resources to different localhost addresses in your PC’s hosts file. A Java applet rewrites the hosts file on your PC to match the resources’ addresses. Despite the advantages of this procedure, I ran into some trouble with it during my tests. It seems that each SSL-protected resource must have a FQDN (fully qualified domain name) that resolves to a unique address in your hosts file. Because I was running multiple services (Exchange, Terminal Services, and Outlook Web Access) on the same server with the same FQDN, I, with the help of Rainbow support, had to play tricks with domain names and DNS in order to make everything work. If all of your resources are on different machines, you should have no trouble.

Like most other SSL appliances, the iGate uses application proxies to secure both inbound and outbound HTTP traffic and to intermediate the data stream, rewriting the HTML on the fly to help obscure internal host names. You can use SSL to secure traffic not only between client and iGate, but also between iGate and server resources. HTTP compression is also available to help increase performance.

Missing from this release of the iGate is an IPSec-style tunnel. You do not have the ability to open a tunnel directly into your network. For power users or those who need UDP (User Datagram Protocol) support, this level of access is critical. Also missing is a browser cache cleanup utility and a client application verification control. The cache cleaner purges temporary files left in your browser’s cache when you log off, and the application checker looks to see what processes are running on your client to determine if your PC is a security risk or not. The cache cleaner should be available by the time this publishes, and the other features should be available in a software update due out in July.

Resources are defined in the iGate using the concept of sites and connectors. A site is made up of a group of Web apps and their associated SSL tunnel connections, called a VPX. You do have a lot of control over each site definition, such as the type of authentication required, the SSL cipher to use, whether or not to enable compression (on the HTML stream) and the level of logging to use. Site definition is the strongest part of the iGate system.

For user authentication, the iGate can use RADIUS, Active Directory, LDAP, an internal database, Rainbow USB tokens, and SecureID, with support for client certificates coming in mid-April. There is also support for connecting to any ODBC-compliant database for custom user lists.

The Rainbow NetSwift iGate is a well-rounded performer that will improve as new features are added, which should happen this month. I would love to see the user and device management incorporated into a single user interface to reduce jumping between platforms.

When the IPSec-style tunnel, cache cleaning and host checking technologies are all available, the iGate will gain on the SSL VPN front-runners.

InfoWorld Scorecard
Security (30.0%)
Interoperability (25.0%)
Ease of use (15.0%)
Setup (20.0%)
Value (10.0%)
Overall Score (100%)
Rainbow NetSwift iGate SSL VPN Appliance 6.0 6.0 7.0 8.0 7.0 6.7