SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
NSAS supports TCP-based applications through a Java helper program, but the overall UI needs a major face-lift. The user must query the portal to learn which local loopback address to connect to for each specific client program. All the other boxes we reviewed do a much better job hiding this process from the end-user.
Secure Connector, Nokia’s IPSec replacement technology, is built into NSAS and supports full and split tunneling. Secure Connector allows admins to create a private IP address pool for remote users, as is possible with the Juniper NetScreen-SA 5000. NSAS uses firewall-style allow/deny rulesets to define access controls within the tunnel. Administrators can specify address ranges, ports, and protocols for access to specific resources and can even deny access to clients that don’t meet anti-virus requirements. The Secure Connector client is available only for Windows PCs running Internet Explorer.
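To make the tunnel access-control model described above concrete, here is an added example (not Nokia's code, and not NSAS's actual rule syntax) that models a firewall-style allow/deny ruleset for a tunnel: rules match on destination address range, port range and protocol, a rule can be conditioned on whether the client passed its anti-virus check, and anything unmatched is denied. The rule names, addresses and the sample policy are constructed for illustration. A single "whole network" rule is included to contrast the per-resource approach with a flat tunnel that opens everything.

```python
"""Toy first-match allow/deny ruleset for a VPN tunnel (hypothetical example).

Rule fields and the sample policy below are constructed; they are not
Nokia's Secure Connector configuration format.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)  # inclusive port range meaning "any port"


@dataclass(frozen=True)
class Rule:
    name: str                              # label reported in the access log
    action: str                            # "allow" or "deny"
    dst: ipaddress.IPv4Network             # destination address range
    ports: Tuple[int, int] = ANY_PORT      # inclusive destination port range
    protocol: str = "any"                  # "tcp", "udp" or "any"
    av_compliant: Optional[bool] = None    # None: any client; True/False: only that posture

    def matches(self, dst_ip: ipaddress.IPv4Address, port: int,
                proto: str, client_av_ok: bool) -> bool:
        # Posture condition first: lets a rule target only non-compliant clients
        if self.av_compliant is not None and self.av_compliant != client_av_ok:
            return False
        if dst_ip not in self.dst:
            return False
        if not (self.ports[0] <= port <= self.ports[1]):
            return False
        if self.protocol != "any" and self.protocol != proto:
            return False
        return True


def evaluate(policy: List[Rule], dst: str, port: int, proto: str,
             client_av_ok: bool) -> Tuple[str, str]:
    """First-match evaluation. Returns (action, rule name); unmatched
    traffic falls through to an implicit default deny."""
    dst_ip = ipaddress.IPv4Address(dst)
    for rule in policy:
        if rule.matches(dst_ip, port, proto.lower(), client_av_ok):
            return rule.action, rule.name
    return "deny", "default-deny"


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


# Constructed sample policy for a split-tunnel remote-access profile.
TUNNEL_POLICY = [
    # Clients that fail the anti-virus check get nothing, whatever they ask for.
    Rule("quarantine-no-av", "deny", net("0.0.0.0/0"), av_compliant=False),
    Rule("intranet-web", "allow", net("10.0.1.0/24"), (443, 443), "tcp"),
    Rule("erp-db", "allow", net("10.0.2.10/32"), (1433, 1433), "tcp"),
    Rule("dns", "allow", net("10.0.0.53/32"), (53, 53), "udp"),
]

# What a flat tunnel amounts to: one rule that opens the whole address space.
FLAT_POLICY = [Rule("whole-network", "allow", net("10.0.0.0/8"))]


if __name__ == "__main__":
    requests = [
        ("10.0.1.20", 443, "tcp", True),    # intranet web, compliant client
        ("10.0.1.20", 22, "tcp", True),     # SSH to same host: not in policy
        ("10.0.2.10", 1433, "tcp", False),  # DB, but client failed AV check
        ("10.0.9.9", 22, "tcp", True),      # host not listed at all
    ]
    for dst, port, proto, av in requests:
        print(f"{dst}:{port}/{proto} av_ok={av}",
              "per-resource ->", evaluate(TUNNEL_POLICY, dst, port, proto, av),
              "| flat ->", evaluate(FLAT_POLICY, dst, port, proto, av))
```

Returning the matched rule name alongside the verdict is deliberate: it is what makes the access log useful when a user reports being blocked, and it lets you spot a rule that is shadowed by an earlier, broader one.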
Secure Workspace is Nokia’s virtual sandbox, and it, too, is available only to Windows and Internet Explorer users. Like Sygate’s Secure Desktop, Secure Workspace deletes all temporary files, removes browsing history, and erases any session information. A floating toolbar allows you to switch between your local desktop and the secure desktop.
Nokia’s Client Integrity Scan checks the remote PC to assess its status either before or after authentication. Administrators configure the scan using a custom scripting language. This has the benefit of allowing admins to build scripts specific to their needs, but it is likely to be time-consuming.
The administration UI in the NSAS is fairly easy to navigate. The amount of logging and monitoring information is almost overwhelming, as it is with the FirePass 4100, but the use of filters helps keep it manageable.
Unfortunately, the NSAS offers no support for third-party host checkers such as those offered by Sygate or WholeSecurity. If the NSAS is to hold its own against the other appliances on the market, third-party support must be added to allow easier integration into existing client security infrastructures and to provide additional client-side management.
Ready to switch?
To be fair, it doesn’t make sense to tear out all your existing IPSec gear and immediately replace it with SSL. It does make sense, however, to start deploying SSL and migrating users to it. IPSec and SSL can coexist and complement each other, allowing for a gradual move from one platform to the other.
Even for an enterprise that has an extensive investment in IPSec, migration to SSL is justifiable. The support cost per client is so much greater with IPSec than with SSL that the labor cost savings will offset the expense of the new hardware. Long-term administration is also much easier to manage on an SSL VPN because everything is centrally located. Any policy updates or changes to client-side applets are automatically pushed out on the next connect.
What’s more, SSL VPNs simply offer better security than IPSec appliances do. All SSL VPN connections -- even IPSec-style layer 3 connections -- have access control policies associated with them. This allows administrators to grant access to specific resources, rather than opening up the entire network as you would with IPSec.
Each of the SSL VPN appliances reviewed here provides an admirable range of features that make them worthy competitors against any IPSec equivalent. After the smoke cleared and all the results had been tallied, the Juniper NetScreen-SA 5000 came out on top. Although not perfect, the NetScreen-SA 5000 passed every test thrown at it, and it never failed to meet challenges. Still, none of the competitors in this roundup is a bad choice. As this market continues to mature, you’ll have more and more reasons to expect your next VPN to be an SSL one.