During the past few years, SSL VPNs have matured from devices offering very basic application support to enterprise-ready security jacks-of-all-trades, capable of handling thousands of users and a wide range of connectivity options. Security features are evolving, with extensive host checking taking place prior to user log-on and adaptive, dynamic security policies being applied accordingly.
SSL VPNs are continuing to win over new converts for several reasons: They don't need a "fat client" on a device to function; they require less administrative management; and they can reduce help-desk support calls dramatically. No longer relegated to designer solutions, SSL VPNs are more commonly being added to routers and core network concentrators through a software upgrade or licensing option. Additional refinement of existing features notwithstanding, more noticeable is the absence of any landmark changes to the overall technology in the past 12 months.
I recently looked at the latest releases from two of the SSL VPN market leaders. Both the Aventail EX-2500 and the F5 Networks FirePass 4100 continue to mature and provide excellent platforms from which to build a secure remote access solution. Each appliance comes with updated hardware for greater scalability, as well as software improvements that take existing capabilities to new heights.
Same technology, new uses
Few would have thought that SSL VPNs, as a secure remote access technology, would help provide a solution for internal network access control. Yet some companies are forcing their local network users to log in to the SSL appliance's Web portal before gaining access to corporate resources.
This serves a couple of purposes. First, it allows administrators to perform a preflight check on the client device before permitting access to the network. For example, both the Aventail and F5 boxes can perform end-point security audits to determine the level of trust to apply to the host and deny entry if it fails any test.
This type of policy enforcement intrudes on local policy platforms such as the ConSentry Secure LAN Controller and Elemental Compliance System, although the latter provides a much more granular and flexible system for classifying clients on the network. Aventail and F5 are heading in the right direction, but they have a ways to go to catch up to these two products.
Second, by having users log in to an SSL VPN portal, admins have additional control over the applications and resources those users will be accessing. It allows very granular access control rules to be deployed so that resources can only be accessed a specific way, reducing their exposure to unauthorized guests and allowing admins to perform resource control management from one UI, not many.
As an additional benefit, admins can encrypt all traffic to the resources using SSL for better internal security. With all the encrypted traffic flying around, however, network monitoring and management tools won't be capable of correctly identifying and classifying the data flows. Monitoring tools that peer into TCP traffic will be blinded by the SSL packets, and routers and switches will have trouble identifying traffic to apply QoS policy. Use encryption wisely; it may not be suitable for everything.
Aventail EX-2500
| Test Center Scorecard | ||||||
|---|---|---|---|---|---|---|
 |  |  |  |  |  | |
| 35% | 25% | 20% | 10% | 10% | ||
| Aventail EX-2500 | 9 | 9 | 8 | 9 | 8 |
8.7
Very Good
|
| 35% | 25% | 20% | 10% | 10% | ||
| F5 FirePass 4100 | 9 | 9 | 10 | 8 | 9 |
9.1
Excellent
|
Get the independent advice and expertise you need to support a virtual workforce.
The increase in Linux popularity has increased the frequency and sophistication of malware attacks. Read this 2 page white paper now to learn how you can protect your Linux environment with real-time protection that is certified by all major Linux vendors.
Download now »
Ensuring acceptable application delivery will become even more difficult over the next few years. As a result, IT organizations need to ensure that the approach that they take to resolving the current application delivery challenges can scale to support the emerging challenges. This handbook elaborates on the key tasks associated with planning, optimization, management and control and provides decision criteria to help IT organizations choose appropriate solutions.
Download now »
A common misconception is that mid-range storage requirements are dramatically different than that of a larger enterprise. Mid-range storage users may require less capacity, but they have similar functionality and management requirements. This ESG paper examines mid-range storage needs and reviews a new solution that adjusts size while retaining value, performance and functionality.
Download now »
This white paper provides guidance on how to develop a strategic approach to managing and monitoring logs, a key function required for compliance with many regulatory mandates and a critical defense against security threats.
Download now! »
Learn about the processes and technologies that support security information management (SIM) operations, as well as the business case for SIM. The series examines different options for implementing SIM and gives you evaluation criteria for selecting the best option for your organization.
Download now! »
Learn the strategies, actions, and capabilities that Best-in-Class organizations employ and technologies they choose to obtain superior performance against various security performance metrics. This report provides guidelines for identifying which security solutions to consume as a MSS and defines best practices for choosing and managing MSSPs.
Download now! »
Recommend This
