Microsoft lands a winning SSL VPN in Whale

SSL VPNs provide access to all the enterprise applications that fat client methods do, including Web- and TCP-based apps; they also provide network-level access such as that found in IPSec VPN clients. SSL VPNs don't require a permanently installed client program to allow users to connect. Instead users connect to the corporate network via their Web browser and if a special "helper" program is necessary for access, it is downloaded on-demand to the remote user and destroyed on disconnect.

Not one to be left out of an emerging technology space, Microsoft is now shipping IAG (Internet Application Gateway) 2007, an SSL VPN solution based on technology acquired from Whale Communications  in 2006. IAG allows admins to explicitly define the who, what, and when of remote access: who can access what particular resource, and when the resource is available. Not only that, but IAG uses application-specific rule sets to monitor an application's behavior to make sure the users' level of access meets the current security policy. End point inspection is built in, and the client allows does a good job of determining the trust level of a specific remote device.

A Whale of a VPN
Only available as part of an appliance bundle, IAG sits on top of Microsoft ISA (Internet Security and Acceleration) Server, adding a full-featured firewall and threat management platform into the mix. My test unit was provided to me by Celestix. The WSA (Whale Security Appliance) 4000 comes with six Gigabit Ethernet ports and is recommended for as many as 2,500 concurrent users.

The initial configuration of the IAG is helped along through the liberal use of wizards, and begins with the definition of a trunk, Whale-speak for a grouping of applications. Three types of trunks are available: basic trunk, portal trunk, and Webmail trunk. The Webmail trunk provides access to a single Webmail application and a basic trunk only allows access to a single application. The most flexible method is to use a portal trunk. This type allows a single Web portal to provide access to multiple applications. This is the trunk I used in my tests.

Like other high-end SSL VPN appliances, IAG supports authentication server stacking, supporting nine popular methods, including ACE, Active Directory, Netscape LDAP, and Novell Directory. Admins can even define custom authentication schemes to meet a specific need, and support for single sign-on is built in.

When it comes to end point policies, the sky is the limit with IAG. The software comes with an extensive list of predefined policies, and admins can edit existing ones or create their own policies as necessary. The end point compliance engine uses ActiveX to do a deep inspection of the remote device to determine its security posture and into which policy bucket it falls. IAG can check for the presence of anti-virus (upward of 30 types), personal firewalls, version, and signature levels, as well as NetBIOS name, the existence of toolbars, files, and Registry entries.

IAG's end point control engine is one of the most capable I've reviewed, but it does come at a price. Because of its dependence on Internet Explorer and ActiveX, non-Windows platforms will not be able to participate in the deep inspection available in IAG. For non-Windows clients, end point detection will be limited to only what IAG can detect via the browser.

Positive thinking
The heart and soul of IAG is the access control policy engine. IAG uses a "positive logic rule set" to define each exposed application, and every aspect of the exposure is carefully detailed and managed. IAG comes with a large list (more than 60) of known applications admins can choose from to build their access policy on, such as Web applications, legacy applications, and file access. These exposed applications are wrapped in end point access control policies, upload/download polices, and URL scrubbing to ensure only valid paths are available to the end-user.

IAG's policy engine really does more than simply allow/deny access to applications: It acts more like an application firewall by inspecting each session and only allowing specific transactions to pass. For example if a remote user logs into the corporate mail portal from a laptop in Starbucks, the user's policy may not allow him or her to download attachments from the mail system.

But more than that, IAG can block specific transactions within an application based on end point security posture. As in our Starbucks example, IAG can block specific portions of the Web application, such as company contact lists, simply based on where the client is located.

Power trip
For power users who need network layer access, most methods of connecting require IE and ActiveX. IAG does include one method that uses either ActiveX or Java but it is basically an SSL wrapper. It creates a one-to-one mapping of application to local port, but this isn't true network-level access.

IAG's Network Connector requires ActiveX but provides a more traditional network-level access with routable IP addresses assigned to the virtual adapter. Users have access to any resource on the network (as allowed by policy) just as if they were logged on to the local network.

Reporting and logging in IAG covers the basics: system usage, user access, and session information. The Java-based Web Monitor provides a graphical view into user, application, and system activity, with easy-to-read, customizable graphs. Also included in Web Monitor is an event query tool to help admins dig out a specific error or status message. During my tests, I found the Web Monitor a handy tool for seeing the status of each connected client.

Microsoft made a good move in acquiring the Whale technology and merging it with ISA Server. The total package makes for one flexible yet secure solution for remote access to the enterprise. The end point control is one of the best going, but full functionality is limited to Windows and Internet Explorer clients. Same thing for network-level remote access -- it’s available for non-Windows platforms, but to get the total package it requires IE and ActiveX. I like the appliance form factor, and my test unit from Celestix is first rate. Along with Juniper and F5, admins should give Microsoft IAG a look when SSL VPNs come knockin' at their door.