October 24, 2003

SSL VPNs best IPSec rivals

Neoteris and Netilla prove SSL isn’t just for browsers anymore

As one of their many challenges, IT staffs must provide secure remote access to data and applications from outside the confines of the enterprise. IPSec-style VPNs are no longer up to the task, however. IPSec is just too inflexible and limited in device support to really work in many situations.

VPN appliances based on tried-and-true SSL are gaining popularity. You get all of the features of an IPSec VPN without the restrictions. All you need is a browser to connect to your resources, no matter what the client OS platform.

These appliances allow metered access to back-end servers and resources through a single open port to the Internet. All traffic, no matter what the destination, comes in via port 443, allowing network administrators to close up the firewall to all other ports yet retain full remote access connectivity.

We rounded up two SSL VPN appliances to see just how well these devices stack up. The Access 3000 Series from Neoteris and the Netilla Security Platform (NSP) Release 4.0 both provide secure access to data stored behind the firewall. You get reverse Web proxies, application proxies, and network-level access to resources. Both come in rack-friendly 1U chassis with dual 10/100Mbps network interfaces, are Web manageable, and are built around a powerful policy engine.

Although both solutions fared well in our tests, the Neoteris Access Series 3000 boasted the best mix of features, functionality, and security, easily providing granular access control and policy management.

Neoteris Access Series 3000

The Access Series 3000 proved more than capable of handling not only Web-based traffic but also thin-client, thick-client, and pure network-level access. Its Web-based administration was not as easy to navigate as Netilla’s, and the sheer number of available options when defining group policies slowed us down at the outset, but once I became more familiar with the system, policy management was not such a chore.

Configuration begins with the creation of one or more authentication servers. The Access Series 3000 will authenticate users against Active Directory or Windows domains, LDAP, Radius, ACE, or NIS servers; and it also has a local user database. You can mix and match the servers to meet your specific needs. The authentication servers feed to authentication groups. Here, you manage items such as browser and address restrictions, client certificate requirements, and session-specific settings.

User policies are further defined within the context of the type of resource to which you need to grant or deny access. For example, you can create a list of allowed or disallowed Web resources for the authorization group as well as permanent bookmarks. The solution would benefit from wizard-based policy deployment.

Instead of taking the “deny all unless explicitly allowed” approach like most security devices, Neoteris leaves Web and file resources accessible by default. To be truly secure, I believe all access should be denied unless allowed by an administrator.
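To make the difference between the two defaults concrete, the following added example (not part of the original review and not the appliance's own policy format) evaluates the same first-match rule list under a default of "allow" and a default of "deny" and lists the resources that are reachable only because no rule mentions them. The rule model, host names, and inventory are hypothetical and constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Hypothetical rule model (not the appliance's policy syntax):
# (action, host glob, path glob), evaluated top to bottom, first match wins.
RULES = [
    ("deny",  "hr.corp.example",       "/payroll/*"),
    ("allow", "intranet.corp.example", "/*"),
    ("allow", "hr.corp.example",       "/*"),
]

# Constructed inventory of internal Web resources behind the gateway.
INVENTORY = [
    "https://intranet.corp.example/news",
    "https://hr.corp.example/benefits",
    "https://hr.corp.example/payroll/2003",
    "https://build.corp.example/builds",  # never reviewed by an administrator
    "https://10.0.0.5/admin",             # management UI, never reviewed
]

def decide(url, rules, default):
    """Return 'allow' or 'deny'; `default` applies when no rule matches."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path or "/"
    for action, host_glob, path_glob in rules:
        if fnmatchcase(host, host_glob) and fnmatchcase(path, path_glob):
            return action
    return default

def exposure(urls, rules, default):
    """URLs a user in this group can reach under the given default action."""
    return [u for u in urls if decide(u, rules, default) == "allow"]

def unreviewed(urls, rules):
    """URLs reachable only because the default is 'allow' (no rule covers them)."""
    open_default = set(exposure(urls, rules, "allow"))
    closed_default = set(exposure(urls, rules, "deny"))
    return sorted(open_default - closed_default)

if __name__ == "__main__":
    for url in unreviewed(INVENTORY, RULES):
        print("reachable only via default-allow:", url)
```

Under default-allow, the administrator has to enumerate everything that must be blocked; under default-deny, anything the rules do not mention stays unreachable.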

Web resources on your network may be the primary type of traffic accessed through the appliance, but there are two other types of access that are just as important. The Secure Application Manager (SAM) is a very small download-on-demand application that allows you to create a client/server connection to a specific resource over TCP without opening up the entire network. SAM takes it a step further by certifying the validity of the application with an MD5 checksum.

Test Center Scorecard

Category weights: 30% / 25% / 20% / 15% / 10%
Neoteris Access Series 3000: 8 / 9 / 7 / 7 / 8, overall 7.9 (Good)
Netilla Security Platform Release 4.0: 7 / 8 / 7 / 7 / 8, overall 7.4 (Good)

©1994-2009 Infoworld, Inc.