Microsoft lands a winning SSL VPN in Whale
Internet Access Gateway 2007 allows secure access with plenty of app support
SSL VPNs provide access to all the enterprise applications that fat client methods do, including Web- and TCP-based apps; they also provide network-level access such as that found in IPSec VPN clients. SSL VPNs don't require a permanently installed client program to allow users to connect. Instead users connect to the corporate network via their Web browser and if a special "helper" program is necessary for access, it is downloaded on-demand to the remote user and destroyed on disconnect.
Not one to be left out of an emerging technology space, Microsoft is now shipping IAG (Internet Application Gateway) 2007, an SSL VPN solution based on technology acquired from Whale Communications in 2006. IAG allows admins to explicitly define the who, what, and when of remote access: who can access what particular resource, and when the resource is available. Not only that, but IAG uses application-specific rule sets to monitor an application's behavior to make sure the users' level of access meets the current security policy. End point inspection is built in, and the client allows does a good job of determining the trust level of a specific remote device.
A Whale of a VPN
Only available as part of an appliance bundle, IAG sits on top of Microsoft ISA (Internet Security and Acceleration) Server, adding a full-featured firewall and threat management platform into the mix. My test unit was provided to me by Celestix. The WSA (Whale Security Appliance) 4000 comes with six Gigabit Ethernet ports and is recommended for as many as 2,500 concurrent users.
Click for larger view.
Like other high-end SSL VPN appliances, IAG supports authentication server stacking, supporting nine popular methods, including ACE, Active Directory, Netscape LDAP, and Novell Directory. Admins can even define custom authentication schemes to meet a specific need, and support for single sign-on is built in.
When it comes to end point policies, the sky is the limit with IAG. The software comes with an extensive list of predefined policies, and admins can edit existing ones or create their own policies as necessary. The end point compliance engine uses ActiveX to do a deep inspection of the remote device to determine its security posture and into which policy bucket it falls. IAG can check for the presence of anti-virus (upward of 30 types), personal firewalls, version, and signature levels, as well as NetBIOS name, the existence of toolbars, files, and Registry entries.