Aventail and F5 extend their security reach to network access control

During the past few years, SSL VPNs have matured from devices offering very basic application support to enterprise-ready security jacks-of-all-trades, capable of handling thousands of users and a wide range of connectivity options. Security features are evolving, with extensive host checking taking place prior to user log-on and adaptive, dynamic security policies being applied accordingly.

SSL VPNs are continuing to win over new converts for several reasons: They don't need a "fat client" on a device to function; they require less administrative management; and they can reduce help-desk support calls dramatically. No longer relegated to designer solutions, SSL VPNs are more commonly being added to routers and core network concentrators through a software upgrade or licensing option. Additional refinement of existing features notwithstanding, more noticeable is the absence of any landmark changes to the overall technology in the past 12 months.

I recently looked at the latest releases from two of the SSL VPN market leaders. Both the Aventail EX-2500 and the F5 Networks FirePass 4100 continue to mature and provide excellent platforms from which to build a secure remote access solution. Each appliance comes with updated hardware for greater scalability, as well as software improvements that take existing capabilities to new heights.

Same technology, new uses

Few would have thought that SSL VPNs, as a secure remote access technology, would help provide a solution for internal network access control. Yet some companies are forcing their local network users to log in to the SSL appliance's Web portal before gaining access to corporate resources.

This serves a couple of purposes. First, it allows administrators to perform a preflight check on the client device before permitting access to the network. For example, both the Aventail and F5 boxes can perform end-point security audits to determine the level of trust to apply to the host and deny entry if it fails any test.

This type of policy enforcement intrudes on local policy platforms such as the ConSentry Secure LAN Controller and Elemental Compliance System, although the latter provides a much more granular and flexible system for classifying clients on the network. Aventail and F5 are heading in the right direction, but they have a ways to go to catch up to these two products.

Second, by having users log in to an SSL VPN portal, admins have additional control over the applications and resources those users will be accessing. It allows very granular access control rules to be deployed so that resources can only be accessed a specific way, reducing their exposure to unauthorized guests and allowing admins to perform resource control management from one UI, not many.

As an additional benefit, admins can encrypt all traffic to the resources using SSL for better internal security. With all the encrypted traffic flying around, however, network monitoring and management tools won't be capable of correctly identifying and classifying the data flows. Monitoring tools that peer into TCP traffic will be blinded by the SSL packets, and routers and switches will have trouble identifying traffic to apply QoS policy. Use encryption wisely; it may not be suitable for everything.

Aventail EX-2500