Check Point and Nortel VPNs prove enterprise-worthy
Security strengths far outweigh shortcomings such as heavy IE reliance
I was, however, impressed with the Connectra's built-in application protection. Although it's basic, admins can choose to prevent cross-site scripting, SQL and command injection, and directory traversal. This protection is no match for an application firewall such as Imperva's SecureSphere, but it's a step in the right direction.
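To make concrete what "basic" application protection of this kind does for the directory-traversal case, here is an added example (not Check Point's or Imperva's code): a request-path check that percent-decodes the path before looking for segments that climb above the web root, so that an encoded `..%2f` is caught as well as a literal `../`. The paths and the verdict record are constructed for the example.

```python
"""Added example, not Check Point's or Imperva's code: a minimal directory-
traversal check of the kind a gateway's basic application protection applies
before a request reaches the back-end server. Path values are constructed."""
from urllib.parse import unquote


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded), so that
    '%2e%2e' and the double-encoded '%252e%252e' both become '..'."""
    value = raw
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # treat backslashes as separators, as Windows back ends do
    return value.replace("\\", "/")


def escapes_web_root(raw: str) -> bool:
    """True when the decoded path has more '..' steps than directory depth,
    i.e. it would resolve to something above the web root."""
    depth = 0
    path_only = decode_fully(raw).split("?", 1)[0]   # ignore the query string
    for segment in path_only.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def inspect_request(method: str, raw_path: str) -> dict:
    """Verdict record a gateway could log for the request (constructed format)."""
    traversal = escapes_web_root(raw_path)
    return {
        "method": method,
        "path": raw_path,
        "action": "block" if traversal else "allow",
        "reason": "directory traversal" if traversal else "",
    }


if __name__ == "__main__":
    for p in ["/docs/a/../b.html",
              "/images/..%2f..%2fetc/passwd",
              "/cgi/%252e%252e/%252e%252e/boot.ini"]:
        print(inspect_request("GET", p))
```

The check only covers one of the four categories the text lists; the same decode-then-inspect ordering is what keeps the other signature checks (script tags, quote characters, shell metacharacters) from being bypassed by encoding.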
Overall, end-point security is well done and manages host checks, browser cache policies, and personal firewall status. Through Check Point's Integrity Clientless Scan, Connectra will check the remote PC for potential risks such as malware, but this feature is -- you guessed it -- limited to IE users. This scan also looks for Check Point Integrity Firewall, but no other vendors' firewalls. Also, as with VPN Gateway 3050, there is no way to define specific processes or Registry entries to scan for.
Connectra 2.0 warrants consideration, especially when compared with other enterprise remote-access solutions. It has all of the core features, plus solid end-point security. I don't like its heavy reliance on IE, and I would like to have more control over some security features, but it's still a stable and capable system.
Nortel VPN Gateway 3050
Nortel's VPN Gateway 3050 appliance scales well and has highly configurable SSL parameters. It comes with all of the SSL VPN services I've come to expect in a gateway and does most other SSL VPN vendors one better by including IPSec VPN client support. TunnelGuard provides the end-point security and management piece via a download-on-demand Java applet, but it takes some time to get up and running. Also, integration with Active Directory is a bit sketchy.
I tested the 3050 by installing it in my test LAN, which was recently vacated by six other SSL VPN appliances. After setting IP addressing for my LAN through a local serial connection, I logged in with Firefox and finished the configuration using the administration UI. I found the UI nicely organized, but locating specific menu options was not as intuitive as it is with the Connectra.
I created a couple of test user accounts in the local user database and added Active Directory as my source for user authentication. The 3050 comes with support for RADIUS, NTLM (NT LAN Manager), SiteMinder, LDAP, and Active Directory via LDAP, but creating a connection to Active Directory nearly stumped me. Similar to my experience with the Connectra, I had to ferret out LDAP syntax and enter it manually, but unique to Nortel is the requirement to also list the Active Directory group and user-attribute mappings.
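The LDAP syntax and the Active Directory group and user-attribute mappings the paragraph refers to look like this in practice. The following is an added example, not Nortel's or Check Point's code: it builds the user search filter a gateway sends to AD, escapes the login name so a remote user cannot rewrite the filter, and maps the group DNs on the returned entry to plain group names. The domain, DNs and logins are constructed; `AdMapping`, `user_search_filter` and `group_names` are hypothetical helper names.

```python
"""Added example, not Nortel's or Check Point's code: the user search filter and
the group/user-attribute mapping an SSL VPN gateway needs to authenticate
against Active Directory over LDAP. Domain, DNs and logins are constructed."""
from dataclasses import dataclass

# RFC 4515 escaping: the login name comes from the remote user, so it must
# not be able to rewrite the filter (LDAP injection).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class AdMapping:
    """The attribute mapping an admin enters for an AD-over-LDAP source."""
    base_dn: str                         # where the user search starts
    user_attr: str = "sAMAccountName"    # AD login-name attribute
    group_attr: str = "memberOf"         # multi-valued list of group DNs
    user_class: str = "user"


def user_search_filter(mapping: AdMapping, login: str) -> str:
    """Filter the gateway sends (with base_dn) to locate the user's entry."""
    return (f"(&(objectClass={mapping.user_class})"
            f"({mapping.user_attr}={escape_filter_value(login)}))")


def group_names(mapping: AdMapping, entry: dict) -> list:
    """Map the group DNs on a user entry to plain group names (the CN RDN)."""
    names = []
    for dn in entry.get(mapping.group_attr, []):
        rdn = dn.split(",", 1)[0]
        if rdn.lower().startswith("cn="):
            names.append(rdn[3:])
    return names


if __name__ == "__main__":
    mapping = AdMapping(base_dn="DC=example,DC=test")
    print(user_search_filter(mapping, "alice"))
    print(user_search_filter(mapping, "*)(objectClass=*"))   # neutralised by escaping
    # constructed entry, shaped like what a directory search returns
    entry = {"sAMAccountName": ["alice"],
             "memberOf": ["CN=VPN Users,OU=Groups,DC=example,DC=test",
                          "CN=Domain Users,CN=Users,DC=example,DC=test"]}
    print(group_names(mapping, entry))
```

`group_names` splits each DN at the first comma, which is enough for ordinary group names; a group whose CN itself contains an escaped comma would need a full RFC 4514 DN parser instead.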
Once in place, the LDAP/Active Directory authentication worked superbly and even allowed for the passing of expired Active Directory user accounts for password remediation. As with other SSL VPN gateways, administrators can stack different authentication services with a predetermined precedence to allow for flexible user authentication. For example, a user might first be checked against the local user database and, when no match is found, checked against the next authentication service -- RADIUS, for example.
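The stacking described above, as an added example that is not Nortel's code: a chain of authentication services tried in a fixed precedence order, with a local user database first and a stand-in for RADIUS second. The example assumes that only "user not known to this service" falls through to the next service, while a wrong password or an expired account stops the chain, so each service's own lockout rules still apply and a wrong guess is not replayed against every backend. The users, passwords and the `RadiusStub` class are constructed; no network traffic is involved.

```python
"""Added example, not Nortel's code: stacking authentication services with a
fixed precedence, as the text describes (local database first, then RADIUS).
Users, passwords and the RADIUS stand-in are constructed."""
import hashlib
import hmac
import os
from enum import Enum


class Result(Enum):
    OK = "ok"
    NO_MATCH = "no_match"   # service has no such user: try the next service
    DENIED = "denied"       # user found, credential wrong: stop here
    EXPIRED = "expired"     # credential correct but password expired


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalUserDb:
    """The gateway's own user database; stores salted PBKDF2 hashes."""

    def __init__(self):
        self._users = {}

    def add(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt))

    def authenticate(self, name: str, password: str) -> Result:
        rec = self._users.get(name)
        if rec is None:
            return Result.NO_MATCH
        salt, stored = rec
        ok = hmac.compare_digest(stored, _hash(password, salt))
        return Result.OK if ok else Result.DENIED


class RadiusStub:
    """Stand-in for a RADIUS server (constructed); answers from a dict."""

    def __init__(self, accounts: dict):
        self._accounts = accounts   # name -> (password, expired)

    def authenticate(self, name: str, password: str) -> Result:
        acct = self._accounts.get(name)
        if acct is None:
            return Result.NO_MATCH
        stored_pw, expired = acct
        if not hmac.compare_digest(stored_pw.encode(), password.encode()):
            return Result.DENIED
        return Result.EXPIRED if expired else Result.OK


def authenticate(chain: list, name: str, password: str) -> tuple:
    """Try services in precedence order; only NO_MATCH falls through.
    Returns (result, label of the service that decided)."""
    for label, service in chain:
        result = service.authenticate(name, password)
        if result is not Result.NO_MATCH:
            return result, label
    return Result.DENIED, None   # unknown everywhere: fail closed


if __name__ == "__main__":
    local = LocalUserDb()
    local.add("alice", "correct horse")
    radius = RadiusStub({"bob": ("battery", False), "carol": ("staple", True)})
    chain = [("local", local), ("radius", radius)]
    for user, pw in [("alice", "correct horse"), ("bob", "battery"),
                     ("carol", "staple"), ("alice", "wrong"), ("dave", "x")]:
        print(user, authenticate(chain, user, pw))
```

An `EXPIRED` result is what lets the gateway route the user to password remediation rather than simply refusing the login, which is the behaviour the paragraph credits the 3050 with.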
The 3050 offers great flexibility in how it provides remote access. Service providers can virtually slice up the 3050 into many distinct sites, each with its own authentication schemes and resource definitions. Like F5's Firepass, the 3050 comes with VLAN support and, when clustered, scales very well.