SSL VPNs come of age

Traditionally, providing road warriors and business partners with access to back-end servers and resources has meant deploying an IPSec VPN. For site-to-site communication, IPSec remains the only game in town, but for client-to-enterprise links, it is falling out of favor precipitously. The administrative overhead associated with deploying IPSec client software has become overwhelming given the ever increasing number of clients to support. There is also the potential that IPSec tunneling will allow an untrusted device to punch a hole through the firewall -- and directly into the heart of the network.

These kinds of basic problems with IPSec are why SSL VPNs are showing up on more and more IT radar screens. With an SSL VPN, there is no client software to install, let alone maintain. Not only does this cut down on IT labor, but it also means remote users aren’t limited to specified locations. Public Internet kiosks, partner sites, a borrowed laptop -- they all work.

More importantly, with an SSL VPN there is no open tunnel to the enterprise. SSL VPNs enforce security policies on each connection, allowing access only to specific

resources based on user, location, and/or device. As with any good security control, everything is off-limits unless expressly allowed by the administrator.

I explored the mechanics of SSL VPNs and explained how these appliances differ from their IPSec cousins in a similar roundup a year ago. This time around, I put six different SSL VPN appliances to the test to find out whether they’ve matured enough to replace enterprise-class IPSec deployments -- and to determine which ones, if any, stand out from the rest.

Packed with features

The SSL VPN playing field gets more level with each product release cycle. Many of the appliances in this roundup are in their third generation and are technologically mature. The main features differentiating the products from one another are the way in which they implement security policies, how they handle remote end points, and how transparent the overall experience is to the end-user.

The granularity of their access policies is where SSL VPN appliances really shine. All the solutions reviewed here allow administrators to implement policies that change based not only on who is logging in but also on where they are logging in from.

In addition, every SSL appliance in this roundup supports some kind of end-point security software, although some do a better job than others. End-point software analyzes a client device, determines the level of confidence in its security, and applies access rights based on predefined “trust zones.” For instance, the software might determine that a user’s laptop has anti-virus software and a personal firewall running on it, but because the laptop is attempting to connect via Wi-Fi from Starbucks, the appliance will only grant it proxied access, rather than full network access over an IPSec-style layer 3 tunnel. Currently no industrywide standard for end-point security control exists, but companies such as Cisco and Microsoft are working to change that.