SSL VPNs come of age

We see how six leading appliances measure up to one another and to IPSec

Endpoint Control relies on client-side software from WholeSecurity or Zone Labs to perform preauthentication host scans; either product must be purchased separately. Without these add-ons, Endpoint Control can still determine where a client is connecting from but cannot determine details about running processes and so on. For even more protection, the EX-1500 also works with Aventail’s cache cleaner and either Aventail Secure Desktop or Sygate On-Demand (also purchased separately).

The EX-1500 comes with excellent Web application support. It rewrites HTML on the fly and comes with some default Web application profiles to handle special applications such as Outlook Web Access -- although none of the appliances in this roundup had trouble with either of the Test Center’s Outlook Web Access 2000 and 2003 servers.

Thin-client support is Aventail OnDemand’s job. Not to be confused with Sygate On-Demand, Aventail OnDemand is a Java application that downloads on request to your browser and provides TCP application support.

Although good, Aventail’s logging features aren’t as comprehensive as those of the F5 FirePass 4100 or the Juniper NetScreen-SA 5000. The EX-1500 comes with support for Syslog, SNMP, and internal text logging but offers no built-in graphical reports.

One big drawback is that, as opposed to the other appliances reviewed here, the EX-1500 lacks any facility for true layer 3 tunneling. The included Aventail Connect utility almost makes up for this shortcoming, however. Aventail Connect is a Windows application installed on the remote PC that provides “network-level” access to back-end resources. It is not a true layer 3 tunnel -- remote users can ping in but not out -- but it does provide full TCP and UDP inbound support. Aventail promises to deliver full bidirectional tunnel capabilities in a future release.

F5 Networks FirePass 4100

Many features found in F5’s FirePass 1000 -- which InfoWorld reviewed in October -- carry over to the FirePass 4100 but in an updated, more powerful way. The 4100 also includes some less common features among SSL VPNs, such as content filtering and anti-virus scanning, both of which are implemented using open source software. The FirePass can even terminate site-to-site IPSec tunnels, although it isn’t designed to handle client-to-site IPSec.

The FirePass offers the standard portal-based access for Web applications, application access via TCP-only AppTunnels, and a layer 3 connector called Network Access. It also allows thin-client access to native host applications such as Citrix MetaFrame, Microsoft Terminal Services, X Windows, and “green-screen” legacy applications via special connector software. I tested the Terminal Services support against one of our Windows 2000 Servers and was surprised at how quick and smooth it was. The FirePass 4100’s layer 3 tunnel allows for both split and full tunneling and includes built-in VLAN support.

One notable feature of the FirePass 4100 is Desktop Access. Similar to the Beam application found in the enKoo-3000, Desktop Access is remote access software for Windows that runs in a browser via a Java applet or an ActiveX control, either of which can be pushed to the remote client on demand.

The FirePass offers almost too many logging options. Every conceivable thing that can be logged, is, and support for SNMP and Syslog is included. Graphical reporting tools are also built in, making at-a-glance monitoring easy.

Authentication services in the FirePass 4100 include LDAP, RADIUS, Active Directory, Vasco DigiPass, basic HTTP authentication, client certificates, and local database. Each authentication scheme is assigned to a specific resource group. SSO for Windows resources is enabled by default and worked in every case I tested.

Clustering support is particularly strong in the FirePass 4100. Linking 10 nodes allows it to support as many as 10,000 concurrent users, and both Active-Active and Active-Standby clustering come standard.

The FirePass administrator UI suffers from a bit of “hyperlink overload,” but after spending some time hunting through the myriad options, I became familiar with the layout, which proved fairly easy to navigate. There are also some nice features. For example, to avoid keystroke loggers on client PCs, F5 offers a graphical virtual keyboard for both user name and password.

The FirePass should be especially attractive to government users because F5 offers a version that complies with FIPS (Federal Information Processing Standard) 140, the U.S. National Institute of Standards and Technology specification that outlines security requirements for cryptographic modules. Most of the vendors represented here expect to have FIPS 140 compliance ready in 2005, but only F5 and Juniper offer compliant products today.

The one area where the FirePass could use some work is in end-point security management. Unlike other appliances, the FirePass relies on its own host checking software rather than partnering with a third party. Although F5’s offering does provide cache-cleaning options and a virtual desktop called Protected Workspace, it isn’t as powerful as the Sygate On-Demand engine. It will, however, check for running processes, Registry entries, OS and Internet Explorer service pack levels, and the presence of McAfee VirusScan. If a client fails any host check, its access falls back to a quarantine network. Unfortunately, the host check doesn’t take place until after the user has authenticated. F5 tells us that preauthentication support is in development and is slated for the next software release.

Juniper Networks NetScreen-SA 5000

InfoWorld reviewed the Neoteris Access Series SSL appliance in October 2003. Now owned by Juniper, the heart of the old product beats on in new and improved hardware and with a more mature security engine. The current software release, Version 4.2, still suffers from GUI fatigue and needs better organization, but overall, the product proved flexible and secure.

Remote users can authenticate against Active Directory, LDAP, RADIUS, Netegrity, digital certificates, or a local database, and each authentication realm can use multiple authentication servers. User roles map authenticated users into specific groups. These groups define what forms of remote access have been granted to a user, as well as any session-specific details such as inactivity time-out or session persistence. For example, an admin can create one role that includes Web access, Windows file shares, and Terminal Services and another that allows only Web access.

The NetScreen-SA 5000 provides all the standard remote-access methods, including Web, TCP-based, and layer 3. For Web applications, the granularity with which an administrator can define access policies is amazing, with settings to control all sorts of features, ranging from caching policies to HTML rewriting to compression. Despite all this perceived complexity, defining a Web policy turned out to be relatively simple. Web-based Windows and Unix file browsing and Telnet support are also included.

TCP-based applications get routed through SAM (Security Access Manager), software that is available in Windows and Java versions. SAM can be configured to automatically launch based on a user’s role.

Layer 3 tunneling is handled by Network Connect, Windows-only software that installs a virtual PPP adapter on a remote PC. Administrators can assign IP addresses to Network Connect clients from a private DHCP pool. Full and split tunneling are available, as are custom DNS settings. Admins aren’t given as fine-grained access controls on the tunnel as for other services, but what they get is definitely superior to what is available with IPSec. Juniper says Network Connect will be available for Mac OS X and Linux in the next major release.

The NetScreen-SA 5000’s end-point security mechanism, JEDI (Juniper Endpoint Defense Initiative), works with InfoExpress, McAfee, Sygate, and Zone Labs client software. The only downside is that JEDI works only on Windows.

At first glance, the administration UI looks awkward and confusing. Because of the sheer number of options and features available, GUI fatigue is inevitable. In practice, context-sensitive links quickly take you to related functions. Logging and reporting are first-rate, including real-time usage graphs.

Other than F5’s FirePass 4100, the NetScreen-SA 5000 is the only appliance in our roundup that is available in a FIPS 140-compliant model. In addition, the NetScreen-SA 5000 handles high availability in an Active-Passive mode and can scale to eight nodes in a single cluster. VLAN support is not currently available, although Juniper says it is in development.

Nokia Secure Access System 3.0

The NSAS (Nokia Secure Access System) provides everything you need for secure remote access without overwhelming you with its administration UI. It supports Web portal access, file shares, TCP applications, and layer 3 tunneling. Web application access is first-rate and is very easy to define and maintain. A Web resource can be added to the NSAS portal in a matter of a few clicks, which is not possible with some of the other appliances in this roundup.

Another difference is that the NSAS defines authentication schemes on a global scale and doesn’t allow for multiple virtual sites, although the appliance does support multiple authentication schemes. Options include LDAP, Active Directory, NTLM (NT LAN Manager), RADIUS, PKI certificates, and use of local user databases. For high availability, NSAS can cluster two nodes with no additional hardware.

NSAS supports TCP-based applications through a Java helper program, but the overall UI needs a major face-lift. The user must query the portal to learn which local loopback address to connect to for each specific client program. All the other boxes we reviewed do a much better job hiding this process from the end-user.

Secure Connector, Nokia’s IPSec replacement technology, is built into NSAS and supports full and split tunneling. Secure Connector allows admins to create a private IP address pool for remote users, as is possible with the Juniper NetScreen-SA 5000. NSAS uses firewall-style allow/deny rulesets to define access controls within the tunnel. Administrators can specify address ranges, ports, and protocols for access to specific resources and can even deny access to clients that don’t meet anti-virus requirements. The Secure Connector client is available only for Windows PCs running Internet Explorer.

Secure Workspace is Nokia’s virtual sandbox, and it, too, is available only to Windows and Internet Explorer users. As does Sygate’s Secure Desktop, Secure Workspace deletes all temporary files, removes browsing history, and erases any session information. A floating toolbar allows you to switch between your local desktop and the secure desktop.

Nokia’s Client Integrity Scan checks the remote PC to assess its status either before or after authentication. Administrators configure the scan using a custom scripting language. This has the benefit of allowing admins to build scripts specific to their needs, but it is likely to be time-consuming.

The administration UI in the NSAS is fairly easy to navigate. The amount of logging and monitoring information is almost overwhelming, as it is with the FirePass 4100, but the use of filters helps keep it manageable.

Unfortunately, the NSAS offers no support for third-party host checkers such as those offered by Sygate or WholeSecurity. Third-party support must be added to the NSAS to allow for easier integration into existing client security infrastructures and to provide additional client-side management if it is to hold its own against the other appliances on the market.

Ready to switch?

To be fair, it doesn’t make sense to tear out all your existing IPSec gear and immediately replace it with SSL. It does make sense, however, to start deploying SSL and migrating users to it. IPSec and SSL can coexist and complement each other, allowing for a gradual move from one platform to the other.

Even for an enterprise that has an extensive investment in IPSec, migration to SSL is justifiable. The support cost per client is so much greater with IPSec than with SSL that the labor cost savings will offset the expense of the new hardware. Long-term administration is also much easier to manage on an SSL VPN because everything is centrally located. Any policy updates or changes to client-side applets are automatically pushed out on the next connect.

What’s more, SSL VPNs simply offer better security than IPSec appliances do. All SSL VPN connections -- even IPSec-style layer 3 connections -- have access control policies associated with them. This allows administrators to grant access to specific resources, rather than opening up the entire network as you would with IPSec.
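As an added illustration (not code from the article or from any of the vendors reviewed), the following Python models the firewall-style allow/deny rulesets described for Nokia’s Secure Connector tunnel, including the anti-virus requirement, and contrasts a per-resource policy with the open-network access attributed to IPSec above. The addresses, ports, and rule layout are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One allow/deny entry: address range, port range, protocol, and an optional posture check."""
    action: str                 # "allow" or "deny"
    network: str                # CIDR, e.g. "10.1.2.0/24" (constructed value)
    ports: tuple                # inclusive (low, high) port range
    proto: str = "any"          # "tcp", "udp" or "any"
    require_av: bool = False    # matches only clients that passed the anti-virus check


@dataclass(frozen=True)
class Request:
    dst: str                    # destination address the tunnelled client is trying to reach
    port: int
    proto: str
    av_ok: bool                 # outcome of the client integrity / host scan


def rule_matches(rule: Rule, req: Request) -> bool:
    if ipaddress.ip_address(req.dst) not in ipaddress.ip_network(rule.network):
        return False
    low, high = rule.ports
    if not low <= req.port <= high:
        return False
    if rule.proto != "any" and rule.proto != req.proto:
        return False
    if rule.require_av and not req.av_ok:
        return False
    return True


def evaluate(rules: list, req: Request) -> str:
    """First matching rule wins; a request that matches nothing is denied."""
    for rule in rules:
        if rule_matches(rule, req):
            return rule.action
    return "deny"


# A whole-network tunnel with no per-resource policy, as the article describes for IPSec.
OPEN_NETWORK = [Rule("allow", "0.0.0.0/0", (1, 65535))]
# A least-privilege tunnel: one Web server, one file server (anti-virus required), nothing else.
WEB_AND_FILES = [
    Rule("allow", "10.1.2.10/32", (443, 443), "tcp"),
    Rule("allow", "10.1.2.20/32", (445, 445), "tcp", require_av=True),
    Rule("deny", "10.1.2.0/24", (1, 65535)),
]
```

Evaluating the same Terminal Services request (port 3389 to a host not listed in the policy) returns "allow" against OPEN_NETWORK and "deny" against WEB_AND_FILES, which is the difference in exposure the paragraph above is describing.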

Each of the SSL VPN appliances reviewed here provides an admirable range of features that make them worthy competitors against any IPSec equivalent. After the smoke cleared and all the results had been tallied, the Juniper NetScreen-SA 5000 came out on top. Although not perfect, the NetScreen-SA 5000 passed every test thrown at it, and it never failed to meet challenges. Still, none of the competitors in this roundup is a bad choice. As this market continues to mature, you’ll have more and more reasons to expect your next VPN to be an SSL one.

InfoWorld Scorecard

Product                                  Scalability  Value    Interoperability  Setup    Security  Overall Score
                                         (20.0%)      (10.0%)  (25.0%)           (10.0%)  (35.0%)   (100%)
AEP Networks Netilla Security Platform   8.0          7.0      7.0               8.0      9.0       8.0
Array Networks SPX3000                   9.0          8.0      8.0               7.0      9.0       8.5
Aventail EX-1500                         9.0          8.0      8.0               9.0      8.0       8.4
F5 Networks FirePass 4100                9.0          9.0      9.0               7.0      9.0       8.8
Juniper Networks NetScreen-SA 5000       9.0          9.0      9.0               8.0      9.0       8.9
Nokia Secure Access System 3.0           8.0          8.0      8.0               7.0      8.0       7.9