SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
Other features that will interest some customers include VLAN support and clustering. VLANs allow for segregated traffic on the same physical network, a handy feature for service providers or large enterprises. Clustering allows SSL VPN appliances to provide high availability through automatic fail-over and load balancing and can extend the number of concurrent users an appliance supports into the thousands. Given the relatively equal performance of the products in this roundup, it may be these and other niche features that ultimately tip the balance in favor of one particular product for any given customer.
AEP Networks Netilla Security Platform
When last I visited the NSP (Netilla Security Platform), it was missing some core features necessary for an SSL VPN appliance. Since then, Netilla merged with AEP Systems to form AEP Networks and released Version 5 of its Netilla Dynatrust operating system. The new offering builds on the strengths of the previous release by adding previously missing features such as LDAP support and end-point security checking.
As in its previous releases, the NSP uses “realms” to organize users, authentication schemes, and resource access policies into manageable groups and includes built-in support for Microsoft SMB (Server Message Block), Active Directory, SecurID, Kerberos, RADIUS, and local user authentication. The NSP also continues its tradition of using “authentication scopes” to pass user credentials to an application, enabling SSO (single sign-on). This method works but can lead to unnecessary administrative overhead when creating and managing links to Web resources.
As do all the appliances in this roundup, the NSP offers clients access to both Web-based and server-based applications. The NSP also offers layer 3 tunneling for direct IPSec-style network access, allowing TCP and UDP (User Datagram Protocol) traffic to pass through, and as do most appliances, it supports full or split tunneling. Full tunneling means that all traffic, local and nonlocal, goes across the tunnel to the enterprise and is routed from there. Split tunneling routes enterprise traffic over the tunnel while other traffic -- such as Internet traffic -- goes out through the remote user’s default gateway. The method you choose will depend on the strictness of your security policies.
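To make the full-versus-split distinction concrete, here is a small route-selection model, added as an example (it is not code from the article or from AEP Networks). It assumes two constructed enterprise prefixes (10.0.0.0/8 and 192.168.100.0/24), a tunnel interface named "tun0", and a default gateway interface named "eth0"; the next-hop lookup uses ordinary longest-prefix matching, which is how a client's routing table resolves each destination once the appliance has pushed its routes.

```python
"""Route-selection model for full vs. split tunneling.

Added example; the enterprise prefixes, interface names and sample
destinations below are constructed for illustration only.
"""
from ipaddress import ip_address, ip_network

# Constructed: networks reachable only through the SSL VPN tunnel.
ENTERPRISE_PREFIXES = [ip_network("10.0.0.0/8"), ip_network("192.168.100.0/24")]
DEFAULT_ROUTE = ip_network("0.0.0.0/0")
TUNNEL, LOCAL_GW = "tun0", "eth0"   # assumed interface names


def build_routes(mode):
    """Return (prefix, interface) routes the client would hold in each mode."""
    if mode == "full":
        # Full tunnel: every destination, local or not, goes across the tunnel
        # and is routed from the enterprise side.
        return [(DEFAULT_ROUTE, TUNNEL)]
    if mode == "split":
        # Split tunnel: only enterprise prefixes use the tunnel; all other
        # traffic (e.g. Internet) leaves via the user's default gateway.
        return [(p, TUNNEL) for p in ENTERPRISE_PREFIXES] + [(DEFAULT_ROUTE, LOCAL_GW)]
    raise ValueError(f"unknown tunnel mode: {mode}")


def next_hop(routes, dest):
    """Longest-prefix match: the most specific route containing dest wins."""
    addr = ip_address(dest)
    matches = [(p, iface) for p, iface in routes if addr in p]
    _, iface = max(matches, key=lambda r: r[0].prefixlen)
    return iface


def classify(mode, destinations):
    """Map each destination to the interface it would exit on in this mode."""
    routes = build_routes(mode)
    return {d: next_hop(routes, d) for d in destinations}


def bypassing_tunnel(mode, destinations):
    """Destinations that never traverse the tunnel: the set a policy review
    cares about, since these flows are invisible to enterprise controls."""
    return sorted(d for d, iface in classify(mode, destinations).items() if iface != TUNNEL)


if __name__ == "__main__":
    # Constructed sample destinations: two enterprise hosts, one public host,
    # one host on the remote user's home LAN.
    sample = ["10.1.2.3", "192.168.100.7", "93.184.216.34", "192.168.1.5"]
    for mode in ("full", "split"):
        print(mode, classify(mode, sample), "bypass:", bypassing_tunnel(mode, sample))
```

The `bypassing_tunnel` output is the practical reason the article ties the choice to policy strictness: in split mode the public and home-LAN destinations leave through `eth0` while the host simultaneously holds a tunnel into the enterprise, so those flows are outside the enterprise's inspection and filtering; in full mode the list is empty because the default route itself points at the tunnel.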