SSL VPNs best IPSec rivals

Neoteris and Netilla prove SSL isn’t just for browsers anymore

Among their many challenges, IT staffs must provide secure remote access to data and applications from outside the confines of the enterprise. IPSec VPNs are no longer up to the task, however: they require VPN client software installed and maintained on every remote machine, and they are too inflexible and too limited in device support to work in many situations.

VPN appliances based on tried-and-true SSL are gaining popularity. You get the essential capabilities of an IPSec VPN without its restrictions. All you need is a browser to reach Web resources, no matter what the client OS platform, and the richer access modes fetch their small client components from the appliance on demand rather than depending on preinstalled software.

These appliances mediate access to back-end servers and resources through a single port open to the Internet. All traffic, no matter what the destination, arrives over port 443, so network administrators can close the firewall to every other inbound port yet retain full remote access connectivity. The trade-off is that the firewall no longer sees what is inside that traffic: the appliance itself becomes the perimeter, and its authentication, its policy engine, and its own patch level are what stand between the Internet and the servers behind it.

We rounded up two SSL VPN appliances to see just how well these devices stack up. The Access Series 3000 from Neoteris and the Netilla Security Platform (NSP) Release 4.0 both provide secure access to data stored behind the firewall. You get reverse Web proxies, application proxies, and network-level access to resources. Both come in rack-friendly 1U chassis with dual 10/100Mbps network interfaces, are Web manageable, and are built around a powerful policy engine.

Although both solutions fared well in our tests, the Neoteris Access Series 3000 boasted the best mix of features, functionality, and security, easily providing granular access control and policy management.

Neoteris Access Series 3000

The Access Series 3000 proved more than capable of handling not only Web-based traffic but also thin-client, thick-client, and pure network-level access. Its Web-based administration was not as easy to navigate as Netilla’s, and the sheer number of available options when defining group policies slowed me down at the outset, but once I became more familiar with the system, policy management was not such a chore.

Configuration begins with the creation of one or more authentication servers. The Access Series 3000 will authenticate users against Active Directory or Windows domains, LDAP, RADIUS, RSA ACE/Server, or NIS servers, and it also has a local user database. You can mix and match the servers to meet your specific needs. Authentication servers feed into authentication groups, where you manage items such as browser and address restrictions, client certificate requirements, and session-specific settings.

User policies are further defined within the context of the type of resource to which you need to grant or deny access. For example, you can create a list of allowed or disallowed Web resources for the authentication group as well as permanent bookmarks. The solution would benefit from wizard-based policy deployment.

Instead of taking the “deny all unless explicitly allowed” approach like most security devices, Neoteris leaves Web and file resources accessible by default. In practice that means an authenticated user can reach any internal Web or file resource the appliance can route to until an administrator writes rules that say otherwise, so a catch-all deny should be the first rule added after installation. To be truly secure, I believe all access should be denied unless allowed by an administrator.

Web resources on your network may be the primary type of traffic accessed through the appliance, but there are two other types of access that are just as important. The Secure Application Manager (SAM) is a very small download-on-demand application that lets you create a client/server connection to a specific resource over TCP without opening up the entire network. SAM takes it a step further by verifying the integrity of the downloaded application against an MD5 checksum; MD5’s collision resistance has since been broken, so a SHA-2 digest is the better choice for that job.

The third type of access, the closest to an IPSec VPN, is called NC Access (Network Connect Access). This option downloads automatically as a small applet and carries TCP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and any other IP traffic over an SSL tunnel. The client receives an IP address assigned by the Access Series 3000, and you can specify the destination addresses and ports users can connect to. I tested all three types of access and had no trouble connecting to resources both behind and outside of the Neoteris appliance. The native Windows file browsing worked like a charm.

The Access Series 3000 also keeps your system secure by employing the Neoteris Host Checker API and Cache Cleaner. Host Checker periodically issues an “are you there” call to each authenticated client to confirm that the predefined client security software required for access is still present and running; a client that fails the check loses its access. Cache Cleaner purges your users’ browser cache on a preset schedule to remove traces of confidential material left behind on the client machine.
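The two client-side checks just described, and the SAM checksum from the previous section, amount to a small amount of server-side bookkeeping. The following is an added example written for this page, not Neoteris code: it verifies a downloaded client component against a published digest and runs an “are you there” host check that drops any session whose client stops answering or stops reporting the required software. The component bytes, the required-software names, the 60-second interval and the session identifiers are all constructed for illustration.

```python
"""Client-integrity checks of the kind the Access Series 3000 layers on top
of authentication: verifying a downloaded client component against a
published digest (the SAM checksum) and a periodic "are you there" host
check that ends a session whose client stops answering or stops reporting
the required security software.

Added example, not Neoteris code. The component bytes, required-software
names, digest values and timings are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Set

# Constructed sample download and the digests the appliance would publish for it.
# The review mentions MD5; since the 2004 collision results a new deployment
# should publish a SHA-2 digest instead, so both algorithms are accepted here.
SAMPLE_COMPONENT = b"constructed stand-in for a SAM client download, v1.0"
PUBLISHED_DIGESTS = {
    "md5": hashlib.md5(SAMPLE_COMPONENT).hexdigest(),
    "sha256": hashlib.sha256(SAMPLE_COMPONENT).hexdigest(),
}


def component_is_genuine(blob: bytes, expected_hex: str, algo: str = "sha256") -> bool:
    """True if blob hashes to the published digest (constant-time comparison)."""
    actual = hashlib.new(algo, blob).hexdigest()
    return hmac.compare_digest(actual, expected_hex)


@dataclass
class Session:
    user: str
    last_check_ok: float   # time of the last host check the client passed


class HostChecker:
    """Tracks sessions whose client must keep answering host checks.

    `required` is the set of security software a client must report as
    running; `interval` is the longest gap allowed between successful checks.
    """

    def __init__(self, required: Set[str], interval: float) -> None:
        self.required = set(required)
        self.interval = interval
        self.sessions: Dict[str, Session] = {}

    def open_session(self, sid: str, user: str, now: float, reported: Set[str]) -> bool:
        """Login-time check: no session at all unless the required software is present."""
        if not self.required <= set(reported):
            return False
        self.sessions[sid] = Session(user, now)
        return True

    def report(self, sid: str, now: float, reported: Set[str]) -> bool:
        """Client answers an 'are you there' call; returns whether the session survives."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        if not self.required <= set(reported):   # e.g. the firewall was switched off
            del self.sessions[sid]
            return False
        session.last_check_ok = now
        return True

    def is_active(self, sid: str, now: float) -> bool:
        """Gate every request: a client that went silent loses its session."""
        session = self.sessions.get(sid)
        if session is None:
            return False
        if now - session.last_check_ok > self.interval:
            del self.sessions[sid]
            return False
        return True


if __name__ == "__main__":
    required = {"antivirus", "personal-firewall"}   # assumed policy, not Neoteris's
    checker = HostChecker(required, interval=60.0)
    print(component_is_genuine(SAMPLE_COMPONENT, PUBLISHED_DIGESTS["sha256"]))
    print(checker.open_session("s1", "alice", 0.0, required))
    print(checker.is_active("s1", 30.0), checker.is_active("s1", 120.0))
```

Two design points matter here. The host check is enforced at every request through `is_active`, not only when the client happens to answer, so a client that simply goes quiet (a laptop closed with the tunnel up, or a tampered client that stops responding) is cut off after one missed interval. And the digest comparison uses a constant-time compare, which costs nothing and removes one class of timing leak from the download-verification step.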

Overall, the Access Series 3000 provides all of the necessary pieces to solve the secure remote access puzzle. I really like the level of detail you can provide for each policy definition, and the appliance worked well no matter what type of traffic or application I threw at it. But I would like the default setting for file and Web resource access to be “deny all” out of the box.

Netilla Security Platform Release 4.0

The NSP is deceptively simple in the way it lets trusted users securely access network resources. Like the Access Series 3000, the NSP gives you Web, thin-client, and thick-client access.

The Web-based administration console is clean and easier to navigate than that of the Neoteris appliance. Though similar to the Neoteris in functionality, the NSP doesn’t have the same far-reaching security options as the Access Series 3000. It does come with a stateful inspection firewall for an additional layer of protection and built-in fail-over support (with a second unit) for redundancy and maximum uptime.

When setting up the NSP, you first create a security realm (a way of grouping users, policies, and authentication servers) and associate an authentication server with it. You can authenticate against Active Directory or Windows domains, RADIUS, RSA ACE/Server, and Kerberos servers, and also make use of a local user database. The NSP can have multiple realms to fit your user access requirements. Missing is LDAP, but that support is due in early 2004. You can define browser, address, and URL restrictions as well, but there is no support for client-side certificates.

Creating policy definitions is a little more cumbersome in the NSP, but it’s not too difficult to master. It, too, could stand to implement wizard-based policy deployment. An administrator associates applications with an authentication scheme and can set application properties such as cookie support, forwarding of browser variables, or Web server version information. Enabling the policy entails creating a rule that either allows or denies traffic to the specific resource. I like that these multiple layers of policy definition, though a bit repetitious, leave the appliance in a “deny all” mode until you expressly allow the specified traffic.

In the NSP, you have the same three access methods as you do with the Access Series 3000. The NSP handles thin-client access differently, however. Instead of passing thin-client traffic through to the application server, the NSP launches the applications from its portal page through a built-in Tarantella server, which in turn connects to your application server.

For network-level access, Netilla again goes a different route from Neoteris. An applet downloads to an end-user’s PC and installs itself as an additional virtual adapter. This creates a PPP tunnel to the NSP, which assigns the client an IP address from a pool on the NSP. For each tunnel you can assign users, specify the IP range and subnet mask, and set a default session time-out value. There are no protocol restrictions on the tunnel; what a tunnel user can reach is governed only by the list of additional networks you attach to it, so keep that list narrow.
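Both appliances come down to the same policy question: a request from an authenticated group member arrives for a Web resource or for a tunnelled destination, and either a matching rule or the group’s default posture decides. The following is an added example written for this page, not code from Neoteris or Netilla. It models the Neoteris-style “accessible unless denied” default and the Netilla-style “deny all unless allowed” default with identical rule lists, the NC Access style of restricting tunnel traffic by destination address, protocol and port, and the NSP style of restricting a tunnel by network list alone. It also shows the catch-all deny an administrator would append to a default-allow appliance. The rule syntax, the group names, the example.com hosts, the 10.1.2.0/24 network and every sample request are constructed for illustration.

```python
"""Group policy evaluation for an SSL VPN appliance.

Added example, not code from Neoteris or Netilla. It models the two postures
the review contrasts: Neoteris-style "accessible unless denied" and
Netilla-style "deny all unless allowed". The rule syntax, group names,
resources and sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass
class WebRule:
    """Allow or deny URLs matching a glob (e.g. 'https://intranet.example.com/*')."""
    pattern: str
    allow: bool


@dataclass
class NetRule:
    """Allow or deny tunnelled traffic to a network, optionally by protocol and port.

    With proto='any' and the full port range this is the NSP's network-list
    style; with a protocol and a port range it is the NC Access style.
    """
    network: str                            # CIDR, e.g. '10.1.2.0/24'
    proto: str = "any"                      # 'tcp', 'udp', 'icmp' or 'any'
    ports: Tuple[int, int] = (0, 65535)     # inclusive range; ignored for icmp
    allow: bool = True

    def matches(self, dst: str, proto: str, port: int) -> bool:
        if ip_address(dst) not in ip_network(self.network):
            return False
        if self.proto not in ("any", proto):
            return False
        return proto == "icmp" or self.ports[0] <= port <= self.ports[1]


@dataclass
class GroupPolicy:
    name: str
    default_allow: bool        # True: Neoteris out-of-box posture; False: Netilla's
    web_rules: List[WebRule] = field(default_factory=list)
    net_rules: List[NetRule] = field(default_factory=list)

    def web_allowed(self, url: str) -> bool:
        """First matching rule wins; with no match, the group's default decides."""
        for rule in self.web_rules:
            if fnmatchcase(url, rule.pattern):
                return rule.allow
        return self.default_allow

    def net_allowed(self, dst: str, proto: str, port: int = 0) -> bool:
        """Same evaluation for NC Access / PPP-tunnel traffic by destination."""
        for rule in self.net_rules:
            if rule.matches(dst, proto, port):
                return rule.allow
        return self.default_allow


def build_policy(name: str, default_allow: bool) -> GroupPolicy:
    """Identical rule lists; only the default posture differs between the two groups."""
    return GroupPolicy(
        name,
        default_allow,
        web_rules=[
            WebRule("https://intranet.example.com/admin/*", allow=False),  # deny before allow
            WebRule("https://intranet.example.com/*", allow=True),
        ],
        net_rules=[
            NetRule("10.1.2.250/32", allow=False),                # a host nobody tunnels to
            NetRule("10.1.2.0/24", "tcp", (3389, 3389)),          # RDP to the terminal servers
            NetRule("10.1.2.0/24", "icmp"),                       # ping for troubleshooting
        ],
    )


def harden(policy: GroupPolicy) -> GroupPolicy:
    """First post-install step on a default-allow appliance: append catch-all denies.

    Because the first match wins, a trailing 'deny everything' rule is
    equivalent to switching the group to default-deny without touching the
    rules an administrator already wrote.
    """
    return GroupPolicy(
        policy.name,
        policy.default_allow,
        web_rules=policy.web_rules + [WebRule("*", allow=False)],
        net_rules=policy.net_rules + [NetRule("0.0.0.0/0", allow=False)],
    )


if __name__ == "__main__":
    open_group = build_policy("staff-default-allow", default_allow=True)
    strict_group = build_policy("staff-default-deny", default_allow=False)
    for url in ("https://intranet.example.com/wiki/Home", "https://hr.example.com/payroll"):
        print(url, open_group.web_allowed(url), strict_group.web_allowed(url))
    print("udp/53 to 10.1.2.10:", open_group.net_allowed("10.1.2.10", "udp", 53),
          harden(open_group).net_allowed("10.1.2.10", "udp", 53))
```

The point the two groups make is that every rule an administrator writes behaves the same under either posture; the difference shows up only on the requests nobody wrote a rule for, such as the payroll site or a DNS query into the subnet, and those are exactly the requests a reviewer never thinks to test. Note also that `harden` leaves `default_allow` untouched on purpose: it proves that a trailing deny rule gets the same result, which is the only option on an appliance whose default cannot be changed.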

The Netilla platform currently offers no client integrity or validation checking of the kind Host Checker provides, but support for client integrity is on the way.

The NSP proved quite capable of providing secure access to all of our tested applications, and when the new features are included, it will be right on par with the Neoteris. If you do not need LDAP support, client-side certificates, or client integrity checking, you won’t be missing any core functionality in the NSP.

InfoWorld Scorecard

Product                                 Interoperability (25%)   Value (10%)   Security (30%)   Setup (20%)   Ease of use (15%)   Overall (100%)
Neoteris Access Series 3000             9.0                      8.0           8.0              7.0           7.0                 7.9
Netilla Security Platform Release 4.0   8.0                      8.0           7.0              7.0           7.0                 7.4

The overall score is the weighted average of the category scores, rounded to one decimal place.