SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
Endpoint Control 2.0, probably the best endpoint security mechanism of any appliance reviewed here, has been added since I last reviewed Aventail’s platform. When users connect to the appliance, Endpoint Control places them in specific security “zones” based on their device profiles. A zone is a named grouping that defines policy details such as whether to run a cache cleaner in the client’s browser or whether to allow remote access at all (deny all/allow all). This system makes it easy for administrators to create and maintain security policies that change as the user changes locations.
Endpoint Control relies on client-side software from WholeSecurity or Zone Labs to perform preauthentication host scans; either product must be purchased separately. Without these add-ons, Endpoint Control can still determine where a client is connecting from but cannot inspect the host itself (running processes and the like). For even more protection, the EX-1500 also works with Aventail’s cache cleaner and with either Aventail Secure Desktop or Sygate On-Demand (also purchased separately).
The EX-1500 comes with excellent Web application support. It rewrites HTML on the fly and comes with some default Web application profiles to handle special applications such as Outlook Web Access -- although none of the appliances in this roundup had trouble with either of the Test Center’s Outlook Web Access 2000 and 2003 servers.
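What “rewrites HTML on the fly” means in practice is worth seeing in code. The following is an added illustrative example, not Aventail’s or any other vendor’s implementation: a portal fetches a page from an internal server and, before handing it to the remote browser, rewrites every URL the browser would follow so that the request comes back to the portal (which proxies it) rather than going straight to an internal host the browser cannot reach. The portal origin `vpn.example.com`, the `/proxy/<scheme>/<host>/<path>` layout and the internal host names are assumptions made for the example; the sample page is constructed.

```python
"""Clientless SSL VPN style HTML rewriting: an added, illustrative example,
not code from Aventail or any appliance reviewed here.

The portal fetches a page from an internal server and rewrites the URLs in
href/src/action attributes so that the remote browser sends them back through
the portal instead of trying to reach the internal host directly.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hypothetical portal origin and URL layout (assumptions for this example).
PORTAL = "https://vpn.example.com"
# Internal hosts the portal is permitted to proxy. Without this allow-list a
# rewriter turns the appliance into an open proxy to anything it can reach.
ALLOWED_HOSTS = {"owa.corp.example", "intranet.corp.example"}
# Attributes whose values the browser fetches or submits to.
URL_ATTRS = {"href", "src", "action"}


def portalize(url: str, base: str) -> str:
    """Map url (resolved against the page's base URL) to its portal form,
    PORTAL/proxy/<scheme>/<host><path>, or return it unchanged when it is not
    an http(s) URL on an allowed internal host (external links, javascript:,
    mailto: and so on are left for the browser to handle directly)."""
    absolute = urljoin(base, url)
    parts = urlsplit(absolute)
    try:
        port = parts.port
    except ValueError:          # malformed port: refuse to proxy it
        return url
    if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
        return url
    host = parts.hostname if port is None else f"{parts.hostname}:{port}"
    out = f"{PORTAL}/proxy/{parts.scheme}/{host}{parts.path or '/'}"
    if parts.query:
        out += "?" + parts.query
    if parts.fragment:
        out += "#" + parts.fragment
    return out


class PortalRewriter(HTMLParser):
    """Streams HTML through unchanged except for URL-bearing attributes."""

    def __init__(self, base: str):
        super().__init__(convert_charrefs=False)
        self.base = base
        self.out = []

    def _render_attrs(self, attrs):
        pieces = []
        for name, value in attrs:
            if value is None:               # boolean attribute, e.g. <input disabled>
                pieces.append(f" {name}")
                continue
            if name in URL_ATTRS:
                value = portalize(value, self.base)
            # HTMLParser unescaped the value for us; re-escape it on output.
            pieces.append(f' {name}="{escape(value, quote=True)}"')
        return "".join(pieces)

    def handle_starttag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}>")

    def handle_startendtag(self, tag, attrs):
        self.out.append(f"<{tag}{self._render_attrs(attrs)}/>")

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    # Everything else (text, script bodies, entities, comments) is copied verbatim.
    def handle_data(self, data):
        self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_page(html: str, base: str) -> str:
    """Rewrite one internal page, fetched from base, for delivery via the portal."""
    parser = PortalRewriter(base)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


# Constructed sample page, standing in for a response from an internal OWA host.
SAMPLE_BASE = "https://owa.corp.example/owa/"
SAMPLE_HTML = (
    "<html><body>"
    '<a href="/owa/inbox.aspx?id=1">Inbox</a>'
    '<img src="http://owa.corp.example/img/logo.gif">'
    '<form action="logon.aspx"><input disabled></form>'
    '<a href="https://www.example.org/">external</a>'
    '<a href="javascript:void(0)">script link</a>'
    "</body></html>"
)

if __name__ == "__main__":
    print(rewrite_page(SAMPLE_HTML, SAMPLE_BASE))
```

Two things the example makes visible. First, the allow-list check in `portalize` is the security-relevant line: a rewriter that proxies whatever host appears in a link gives remote users a path to every server the appliance can reach. Second, only URLs that sit in markup attributes get rewritten; a URL assembled in JavaScript at run time (common in Outlook Web Access) passes through untouched, which is exactly why appliances ship per-application profiles for such cases.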
Thin-client support is Aventail OnDemand’s job. Not to be confused with Sygate On-Demand, Aventail OnDemand is a Java application that downloads on request to your browser and provides TCP application support.
Although good, Aventail’s logging features aren’t as comprehensive as those of the F5 FirePass 4100 or the Juniper NetScreen-SA 5000. The EX-1500 comes with support for Syslog, SNMP, and internal text logging but offers no built-in graphical reports.
One big drawback is that, unlike the other appliances reviewed here, the EX-1500 lacks any facility for true layer 3 tunneling. The included Aventail Connect utility almost makes up for this shortcoming, however. Aventail Connect is a Windows application installed on the remote PC that provides “network-level” access to back-end resources. It is not a true layer 3 tunnel: connections must originate from the remote client (remote users can ping in but not be pinged from the inside), but within that limit it provides full TCP and UDP support. Aventail promises to deliver full bidirectional tunnel capabilities in a future release.
F5 Networks FirePass 4100
Many features found in F5’s FirePass 1000 -- which InfoWorld reviewed in October -- carry over to the FirePass 4100 but in an updated, more powerful way. The 4100 also includes some less common features among SSL VPNs, such as content filtering and anti-virus scanning, both of which are implemented using open source software. The FirePass can even terminate site-to-site IPSec tunnels, although it isn’t designed to handle client-to-site IPSec.
The FirePass offers the standard portal-based access for Web applications, application access via TCP-only AppTunnels, and a layer 3 connector called Network Access. It also allows thin-client access to native host applications such as Citrix MetaFrame, Microsoft Terminal Services, X Windows, and “green-screen” legacy applications via special connector software. I tested the Terminal Services support against one of our Windows 2000 Servers and was surprised at how quick and smooth it was. The FirePass 4100’s layer 3 tunnel allows for both split and full tunneling and includes built-in VLAN support.