SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
Array allows for easy access to file shares located on either Windows or NFS (Network File System) servers via its Web-based gateway. For client/server resources, the SPX3000 provides access in two ways. Application Manager is a Java applet that connects TCP-based applications to back-end services such as terminal servers. Windows Redirector, on the other hand, is a stand-alone application that is available only for Windows PCs running Internet Explorer, but it allows for even greater control over access to specific resources.
New to this release is full, bidirectional layer 3 tunnel support. Administrators can create multiple tunnel definitions per virtual site, each with its own settings. For instance, one definition might include full tunneling, whereas another might specify split tunneling, and each can hand out IP addresses from a completely different DHCP pool.
Lack of cross-platform support is the price you pay for many of the more advanced features of SSL VPNs. Currently, the SPX3000’s layer 3 tunnel is available only to clients running Windows, but Array says that Mac and Linux versions are in development.
Array’s end-point security, including host checking and cache cleanup, is handled via Sygate On-Demand and Sygate Secure Desktop. Although the end-point security component is tightly integrated in the SPX3000, it must be purchased separately. Host checking takes place only prior to authentication.
For large enterprises or service providers, the SPX3000 offers VLAN support, as well as “virtual sites.” These allow admins to provision a single appliance into minisites, each with its own authentication and authorization settings. In addition, the appliance supports Active-Active and Active-Standby clustering configurations for as many as 32 nodes.
The administration UI of the SPX3000 isn’t all that different from that of Array’s previous releases. It’s still a little bumpy, but it has improved. Similar items are grouped together to minimize UI fatigue, and each virtual site is self-contained. Delegated administration is well-supported; the appliance administrator assigns an individual user to administer a single virtual site, and only that virtual site. In all, I found that Array has successfully rounded out the SPX3000’s feature set to make it competitive with any other appliance on the market.
The EX-1500 is a good all-around performer for secure remote access. Aventail’s Unified Policy engine makes life much easier for VPN administrators. Resources and users are tightly coupled, making policy definitions similar to a set of firewall rules. Instead of hopping all over the admin UI, everything is neatly nested together, and a handy Quick Start menu helps get you going. In fact, I was able to create a new access rule, complete with new resources and users, from a single screen -- a small thing, perhaps, but one that busy IT managers will appreciate.
Each realm also includes access method and security zone definitions. Compatible authentication sources include LDAP, RADIUS, Active Directory, SecurID, and a local user database. Two-node clustering is available in an Active-Active configuration. Built-in load balancing and automatic fail-over require no additional hardware.