SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
Remote users can authenticate against Active Directory, LDAP, RADIUS, Netegrity, digital certificates, or a local database, and each authentication realm can use multiple authentication servers. User roles map authenticated users into specific groups. These groups define what forms of remote access have been granted to a user, as well as any session-specific details such as inactivity time-out or session persistence. For example, an admin can create one role that includes Web access, Windows file shares, and Terminal Services and another that allows only Web access.
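The realm-to-role chain described above (an ordered set of authentication backends per realm, a role chosen from the user's group membership, and that role gating both services and session policy) is easy to see in a small model. The following is an added example written for this page, not Juniper's configuration format or code; the backends, group names, roles and timeouts are constructed for illustration.

```python
"""Toy model of realm -> role -> access policy for an SSL VPN gateway.

Hypothetical model, not the NetScreen-SA's own API or config:
- a realm holds an ordered list of authentication backends, tried in turn;
- a role lists the services it grants plus an inactivity timeout (seconds);
- roles are assigned by directory-group membership, first rule wins;
- a user who authenticates but matches no role is denied (fail closed).
"""
import hmac
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed sample directories: username -> (password, groups)
AD_USERS = {"alice": ("alice-pw", {"eng"}), "dave": ("dave-pw", {"guests"})}
RADIUS_USERS = {"bob": ("bob-pw", {"contractors"})}

Backend = Callable[[str, str], Optional[set]]


def _lookup(directory: dict, user: str, pw: str) -> Optional[set]:
    """Return the user's groups on success, None on any failure."""
    entry = directory.get(user)
    if entry is None:
        return None
    stored_pw, groups = entry
    if not hmac.compare_digest(stored_pw.encode(), pw.encode()):
        return None
    return set(groups)


def ad_backend(user: str, pw: str) -> Optional[set]:
    return _lookup(AD_USERS, user, pw)


def radius_backend(user: str, pw: str) -> Optional[set]:
    return _lookup(RADIUS_USERS, user, pw)


@dataclass(frozen=True)
class Role:
    name: str
    services: frozenset   # e.g. {"web", "smb", "rdp"}
    idle_timeout: int     # seconds of inactivity before the session dies


ROLES = {
    "full": Role("full", frozenset({"web", "smb", "rdp"}), 1800),
    "web-only": Role("web-only", frozenset({"web"}), 600),
}

# group -> role mapping rules, evaluated in order, first match wins
ROLE_MAP = [("eng", "full"), ("contractors", "web-only")]


@dataclass
class Realm:
    name: str
    backends: list  # ordered list of Backend callables


@dataclass
class Session:
    user: str
    role: Role
    last_activity: float


CORP_REALM = Realm("corp", [ad_backend, radius_backend])


def authenticate(realm: Realm, user: str, pw: str) -> Optional[set]:
    """Try each backend in the realm in order; first success wins."""
    for backend in realm.backends:
        groups = backend(user, pw)
        if groups is not None:
            return groups
    return None


def map_role(groups: set) -> Optional[Role]:
    for group, role_name in ROLE_MAP:
        if group in groups:
            return ROLES[role_name]
    return None


def login(realm: Realm, user: str, pw: str, now: float) -> Optional[Session]:
    groups = authenticate(realm, user, pw)
    if groups is None:
        return None
    role = map_role(groups)
    if role is None:          # authenticated but unmapped: no access at all
        return None
    return Session(user, role, now)


def authorize(session: Session, service: str, now: float) -> bool:
    """True if the session may use `service` at time `now`; refreshes the idle timer."""
    if now - session.last_activity > session.role.idle_timeout:
        return False          # idle timeout expired; caller tears the session down
    if service not in session.role.services:
        return False
    session.last_activity = now
    return True
```

The point worth checking in any such product is the fail-closed path: a user the directory knows but no role claims should get nothing, and an expired idle timer should refuse every service rather than silently extend the session.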
The NetScreen-SA 5000 provides all the standard remote-access methods, including Web, TCP-based, and layer 3. For Web applications, the granularity with which an administrator can define access policies is remarkable, with settings that control everything from caching policy to HTML rewriting to compression. Despite the apparent complexity, defining a Web policy turned out to be relatively simple. Web-based Windows and Unix file browsing and Telnet are also supported.
TCP-based applications get routed through SAM (Security Access Manager), software that is available in Windows and Java versions. SAM can be configured to automatically launch based on a user’s role.
Layer 3 tunneling is handled by Network Connect, Windows-only software that installs a virtual PPP adapter on a remote PC. Administrators can assign IP addresses to Network Connect clients from a private DHCP pool. Full and split tunneling are available, as are custom DNS settings. Admins aren’t given as fine-grained access controls on the tunnel as for other services, but what they get is definitely superior to what is available with IPSec. Juniper says Network Connect will be available for Mac OS X and Linux in the next major release.
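The difference between full and split tunneling, and the custom DNS settings that go with them, comes down to which routes and resolver the client installs at connect time. The following is an added example written for this page, not Network Connect's code; the virtual adapter name, the internal prefixes, the DNS server addresses and the internal domain are all constructed for illustration.

```python
"""Route and resolver selection for a layer-3 VPN client in full- vs split-tunnel mode.

Hypothetical model of what the client installs after connecting; names and
addresses are constructed, and "vpn0" stands in for the virtual PPP adapter.
"""
import ipaddress

# Constructed policy pushed by the gateway.
SPLIT_ROUTES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12")]
INTERNAL_DOMAINS = ("corp.example",)   # names that must resolve via the VPN DNS
VPN_DNS = "10.0.0.53"                  # custom DNS server handed out by the gateway
LAN_DNS = "192.168.1.1"                # the client's normal resolver

DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def client_routes(mode, split_routes=SPLIT_ROUTES, vpn_if="vpn0"):
    """Return the (prefix, interface) pairs the client installs at connect time."""
    if mode == "full":
        # Everything leaves via the tunnel; the gateway sees all client traffic.
        return [(DEFAULT_ROUTE, vpn_if)]
    if mode == "split":
        # Only the pushed internal prefixes go through the tunnel; the rest of
        # the client's traffic keeps using its local default route.
        return [(net, vpn_if) for net in split_routes]
    raise ValueError(f"unknown tunnel mode {mode!r}")


def egress_interface(dst, mode, split_routes=SPLIT_ROUTES, vpn_if="vpn0", lan_if="eth0"):
    """Longest-prefix match: which interface a packet to `dst` leaves on."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, iface in client_routes(mode, split_routes, vpn_if):
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else lan_if


def resolver_for(hostname, mode, internal_domains=INTERNAL_DOMAINS):
    """Which DNS server a lookup for `hostname` is sent to."""
    name = hostname.rstrip(".").lower()
    if mode == "full":
        return VPN_DNS
    if mode == "split":
        for domain in internal_domains:
            if name == domain or name.endswith("." + domain):
                return VPN_DNS
        return LAN_DNS
    raise ValueError(f"unknown tunnel mode {mode!r}")
```

The security trade-off is visible in `egress_interface`: in split mode a packet to a public address never touches the tunnel, so the client is on the Internet and the corporate network at the same time, which is exactly why the end-point checks discussed next matter more for split tunnels than for full ones.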
The NetScreen-SA 5000's end-point security mechanism, JEDI (Juniper Endpoint Defense Initiative), works with InfoExpress, McAfee, Sygate, and Zone Labs client software. The only downside is that JEDI works only on Windows.
At first glance, the administration UI looks awkward and confusing. Because of the sheer number of options and features available, GUI fatigue is inevitable. In practice, context-sensitive links quickly take you to related functions. Logging and reporting are first-rate, including real-time usage graphs.
The NetScreen-SA 5000 and F5's FirePass 4100 are the only appliances in our roundup available in a FIPS 140-compliant model. In addition, the NetScreen-SA 5000 handles high availability in an active-passive mode and can scale to eight nodes in a single cluster. VLAN support is not currently available, although Juniper says it is in development.
Nokia Secure Access System 3.0
The NSAS (Nokia Secure Access System) provides everything you need for secure remote access without overwhelming you with its administration UI. It supports a Web portal, file shares, TCP applications, and layer 3 tunneling. Web application access is first-rate and is very easy to define and maintain. A Web resource can be added to the NSAS portal in a matter of a few clicks, which is not possible with some of the other appliances in this roundup.
Another difference is that the NSAS defines authentication schemes globally and does not allow multiple virtual sites, although it does support multiple authentication schemes. Options include LDAP, Active Directory, NTLM (NT LAN Manager), RADIUS, PKI certificates, and local user databases. For high availability, the NSAS can cluster two nodes with no additional hardware.