Check Point and Nortel VPNs prove enterprise-worthy
Security strengths far outweigh shortcomings such as heavy IE reliance
For many companies, rolling out an IPSec client to road warriors and trusted business partners was once the only way to provide the secure access they needed. Now SSL VPNs are quickly gaining steam, poised to replace cumbersome IPSec implementations.
SSL VPNs provide easy, clientless access to corporate resources without requiring a fat client on each remote PC. Remote users connect using their Web browser and have secure, managed access to Web applications, file shares, and the like.
I reviewed two SSL VPN gateways from longtime security vendors: Check Point Software Technologies' Connectra 2.0 and Nortel's VPN Gateway 3050. Both systems are quite capable of handling an enterprise's remote-access needs, but each has its little, not-so-charming quirks, too.
Check Point Connectra 2.0
The Check Point Connectra Web security gateway should easily fit into your existing network infrastructure, especially if you already have Check Point products in place. It provides access to both Web and TCP/IP applications, adds an application firewall and malicious-code-detection engine, and offers improved integration with Check Point's SmartCenter management platform. It lacks a TCP/UDP (User Datagram Protocol) port-forwarding service, present in other SSL VPN gateways, but it circumvents that with its layer 3 tunnel.
I installed the Connectra 2.0 without any problems. The underlying OS detected my hardware and installed itself in less than an hour. I logged in to the Connectra using Internet Explorer 6 (IE is the only supported browser for administration) and defined authentication servers and protected resources.
The Connectra's list of authentication sources is not as extensive as it is for other vendors' SSL VPNs, but for most situations LDAP, Active Directory via LDAP, RADIUS, local database, and digital certificates will suffice. I created a connection to Active Directory for my users, but not without a little effort. Make sure you know your complete LDAP log-in information. This part could use a little wizardry to make the process more straightforward.
By using Network Extender, Check Point's layer 3 service, I defined links to Web and file resources and to TCP/IP application access. Network Extender allows granular control over bidirectional TCP and UDP layer 3 tunneled traffic. Disappointingly, it is only available for IE users.
Specifying Web resources and SMB file shares proved straightforward. However, accessing file shares requires Microsoft WebDAV. This delivers a Windows Explorer look and feel, but, again, it limits you to IE.
A unique feature in Connectra allows admins to create mail services for remote users. As Nortel does with its VPN Gateway 3050, Check Point includes templates for OWA (Outlook Web Access) and standard SMTP, POP3, and IMAP to make defining the resources quick and easy. I had no trouble creating links to my OWA servers.
Connectra focuses heavily on network and endpoint security, putting in place services that protect the enterprise at the network and application levels. The product advances application-level security by checking traffic for known worms, plus it inspects all HTTP traffic through its Web Intelligence service. Additionally, Connectra allows administrators to enforce some validation on the HTTP traffic, such as denying unsafe HTTP methods, but the list of available choices is vague and doesn't allow for any tweaking of the rules.