SSL VPNs come of age

We see how six leading appliances measure up to one another and to IPSec

Traditionally, providing road warriors and business partners with access to back-end servers and resources has meant deploying an IPSec VPN. For site-to-site communication, IPSec remains the only game in town, but for client-to-enterprise links, it is falling out of favor precipitously. The administrative overhead associated with deploying IPSec client software has become overwhelming given the ever-increasing number of clients to support. There is also the potential that IPSec tunneling will allow an untrusted device to punch a hole through the firewall -- and directly into the heart of the network.

These kinds of basic problems with IPSec are why SSL VPNs are showing up on more and more IT radar screens. With an SSL VPN, there is no client software to install, let alone maintain. Not only does this cut down on IT labor, but it also means remote users aren’t limited to specified locations. Public Internet kiosks, partner sites, a borrowed laptop -- they all work.

More importantly, with an SSL VPN there is no open tunnel to the enterprise. SSL VPNs enforce security policies on each connection, allowing access only to specific resources based on user, location, and/or device. As with any good security control, everything is off-limits unless expressly allowed by the administrator.

I explored the mechanics of SSL VPNs and explained how these appliances differ from their IPSec cousins in a similar roundup a year ago. This time around, I put six different SSL VPN appliances to the test to find out whether they’ve matured enough to replace enterprise-class IPSec deployments -- and to determine which ones, if any, stand out from the rest.

Packed with features

The SSL VPN playing field gets more level with each product release cycle. Many of the appliances in this roundup are in their third generation and are technologically mature. The main features differentiating the products from one another are the way in which they implement security policies, how they handle remote end points, and how transparent the overall experience is to the end-user.

The granularity of their access policies is where SSL VPN appliances really shine. All the solutions reviewed here allow administrators to implement policies that change based not only on who is logging in but also on where they are logging in from.

In addition, every SSL appliance in this roundup supports some kind of end-point security software, although some do a better job than others. End-point software analyzes a client device, determines the level of confidence in its security, and applies access rights based on predefined “trust zones.” For instance, the software might determine that a user’s laptop has anti-virus software and a personal firewall running on it, but because the laptop is attempting to connect via Wi-Fi from Starbucks, the appliance will only grant it proxied access, rather than full network access over an IPSec-style layer 3 tunnel. Currently no industrywide standard for end-point security control exists, but companies such as Cisco and Microsoft are working to change that.

Beyond access controls, all the appliances reviewed offer additional security measures. All support “secure browsing” clients such as Sygate Secure Desktop. These clients create virtual sandboxes in which SSL sessions run. When a user closes the secure browser, its temporary files and session information go to a binary black hole. What’s more, most SSL VPNs provide cache-cleaning software that covers users’ tracks by removing temporary files, cookies, and other session information from the browser. These measures are very important for users connecting from publicly accessible PCs, but they aren’t nearly as effective as using a secure browser because deleted files can often be recovered.


Other features that will interest some customers include VLAN support and clustering. VLANs allow for segregated traffic on the same physical network, a handy feature for service providers or large enterprises. Clustering allows SSL VPN appliances to provide high availability through automatic fail-over and load balancing and can extend the number of concurrent users an appliance supports into the thousands. Given the relatively equal performance of the products in this roundup, it may be these and other niche features that ultimately tip the balance in favor of one particular product for any given customer.

AEP Networks Netilla Security Platform

When last I visited the NSP (Netilla Security Platform), it was missing some core features necessary for an SSL VPN appliance. Since then, Netilla merged with AEP Systems to form AEP Networks and released Version 5 of its Netilla Dynatrust operating system. The new offering builds on the strengths of the previous release by adding previously missing features such as LDAP support and end-point security checking.

As in its previous releases, the NSP uses “realms” to organize users, authentication schemes, and resource access policies into manageable groups and includes built-in support for Microsoft SMB (Server Message Block), Active Directory, SecurID, Kerberos, RADIUS, and local user authentication. The NSP also continues its tradition of using “authentication scopes” to pass user credentials to an application, enabling SSO (single sign-on). This method works but can lead to unnecessary administrative overhead when creating and managing links to Web resources.

As do all the appliances in this roundup, the NSP offers clients access to both Web-based and server-based applications. The NSP also offers layer 3 tunneling for direct IPSec-style network access, allowing TCP and UDP (User Datagram Protocol) traffic to pass through, and as do most appliances, it supports full or split tunneling. Full tunneling means that all traffic, local and nonlocal, goes across the tunnel to the enterprise and is routed from there. Split tunneling routes enterprise traffic over the tunnel while other traffic -- such as Internet traffic -- goes out through the remote user’s default gateway. The method you choose will depend on the strictness of your security policies.
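The full-versus-split distinction comes down to one routing decision the layer 3 client makes for every destination. The following is an added example (not code from the article or from any of the vendors reviewed) that makes that decision explicit and reports which destinations a host still reaches outside the tunnel; the appliance address and enterprise prefixes are constructed for the demo.

```python
"""Added example, not code from the article or from any vendor reviewed:
the routing decision a layer 3 VPN client makes for each destination under
full versus split tunneling. Addresses and prefixes are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class TunnelConfig:
    mode: str                    # "full" or "split", pushed by the appliance at login
    gateway_ip: str              # public address of the SSL VPN appliance (constructed)
    enterprise_prefixes: tuple   # networks reachable only through the tunnel (constructed)


def route_for(destination: str, cfg: TunnelConfig) -> str:
    """Return "tunnel" or "default-gateway" for one destination address."""
    dst = ipaddress.ip_address(destination)
    # The encrypted tunnel itself rides on the user's local link, so the
    # appliance's own address stays on the default gateway even in full
    # mode; otherwise the tunnel would try to carry its own packets.
    if dst == ipaddress.ip_address(cfg.gateway_ip):
        return "default-gateway"
    if cfg.mode == "full":
        return "tunnel"                      # everything else goes to the enterprise
    if cfg.mode == "split":
        if any(dst in ipaddress.ip_network(p) for p in cfg.enterprise_prefixes):
            return "tunnel"                  # enterprise traffic only
        return "default-gateway"             # Internet traffic leaves locally
    raise ValueError(f"unknown tunnel mode: {cfg.mode!r}")


def route_plan(destinations, cfg: TunnelConfig) -> dict:
    """Map each destination to the path it takes; useful for auditing a client config."""
    return {d: route_for(d, cfg) for d in destinations}


def direct_internet_reach(destinations, cfg: TunnelConfig) -> list:
    """Destinations the host talks to outside the tunnel while it is up (the
    appliance's own address excluded). Empty under full tunneling; under split
    tunneling this is the side channel the security policy has to accept."""
    gw = ipaddress.ip_address(cfg.gateway_ip)
    return [d for d, path in route_plan(destinations, cfg).items()
            if path == "default-gateway" and ipaddress.ip_address(d) != gw]


if __name__ == "__main__":
    # Constructed sample: two RFC 1918 enterprise prefixes, one public Web host.
    ent = ("10.0.0.0/8", "172.16.0.0/12")
    targets = ["10.4.5.6", "172.20.1.1", "93.184.216.34", "198.51.100.10"]
    for mode in ("full", "split"):
        cfg = TunnelConfig(mode, "198.51.100.10", ent)
        print(mode, route_plan(targets, cfg), "direct:", direct_internet_reach(targets, cfg))
```

The list returned by `direct_internet_reach` is the concrete thing a strict policy objects to in split mode: while the tunnel is up, the same host has a foot on the open Internet and a foot inside the enterprise.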

The NSP’s layer 3 tunnel is deployed as an ActiveX control, so layer 3 support is available only for Windows clients. This shortcoming is mitigated somewhat by the fact that the NSP handles thin-client access, such as to terminal servers or “green-screen” legacy hosts, in a way that differs from every other appliance in this roundup. It uses Java client software and a proprietary protocol to connect the remote user to built-in proxy server software from Tarantella. The Tarantella server then makes the connection to the protected resource. This extra layer between client and server proxies all inbound traffic, regardless of its method of transport.

Also new to this release is support for Sygate’s On-Demand end-point policy enforcement software, which AEP Networks offers at additional cost. Client integrity scans can take place before and after authentication, and each realm can have its own specific host policy. The more advanced Sygate features are available only to clients on the Windows platform, but its cache-cleaning component will erase temporary files, cookies, and other session information for any Java-compatible browser.

When compared with those of other appliances, the NSP’s user interface is plain but easy to navigate. It still forces you to do some UI “link hopping” to create your realms, user authentication, and application definitions, but it could be worse. Once I became comfortable with the UI’s organization, I had little trouble modifying or adding new applications and realms, although the NSP’s policy granularity is not as fine as that of some other products.

The NSP also has good internal logging and reporting capabilities, but it isn’t the best of the bunch in this regard. As do all the products in this roundup, the NSP supports both SNMP and Syslog logging. In addition, the NSP offers internally generated HTML graphs of basic system statistics.

Two-node clustering is part of the base NSP package, rounding out this solid offering. Clustering requires no additional hardware, although only a Hot-Standby configuration is supported.


Array Networks SPX3000

When I first reviewed Array Networks’ SSL VPN, I thought it needed to improve a bit to be a real player. In the past year, Array has enhanced its product through the inclusion of a layer 3 tunnel, site virtualization, and client-side host checking.

The SPX3000 provides all the modes of access that administrators have come to expect from an SSL VPN gateway. Policy enforcement is strong but not quite as granular as that found in the F5 FirePass 4100 or the Juniper NetScreen-SA 5000. As is the case with the other appliances in this roundup, Array’s Web Resource Mapping service rewrites content as it passes through the appliance to obscure resource URLs. Unlike the other offerings, however, the SPX3000 rewrites not only HTML but also JavaScript, Cascading Style Sheets, cookies, and even Macromedia Flash.
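To show what the resource-rewriting step actually does to proxied content, here is an added example that is not Array's code or any part of Web Resource Mapping: a minimal rewriter for HTML attributes, CSS `url()` references and back-end `Set-Cookie` headers. Internal hostnames are replaced with opaque HMAC-derived tokens that only the gateway can map back, so they never appear in what the browser receives. The gateway URL, internal host names and key are constructed; JavaScript and Flash rewriting, which the article credits to the SPX3000, are far harder and are not attempted here.

```python
"""Added example, not code from the article or from Array Networks: a minimal
content rewriter of the kind an SSL VPN gateway applies to proxied HTML, CSS
and cookies. Gateway URL, internal hosts and key are constructed for the demo."""
import hashlib
import hmac
import re
from urllib.parse import urljoin, urlsplit

GATEWAY = "https://vpn.example.com"                          # assumed public gateway URL
TOKEN_KEY = b"constructed-demo-key"                          # per-deployment secret (constructed)
INTERNAL_HOSTS = {"intranet.corp.local", "hr.corp.local"}   # constructed back-end hosts


def host_token(host: str) -> str:
    """Stable opaque id for an internal host; the hostname itself never reaches the client."""
    return hmac.new(TOKEN_KEY, host.lower().encode(), hashlib.sha256).hexdigest()[:16]


# Reverse map the gateway consults when a request for /res/<token>/... arrives.
TOKEN_TO_HOST = {host_token(h): h for h in INTERNAL_HOSTS}


def rewrite_url(url: str, base_host: str) -> str:
    """Rewrite one URL if it points at an internal host; leave everything else alone."""
    if url.startswith(("javascript:", "mailto:", "data:", "#")):
        return url
    absolute = urljoin(f"http://{base_host}/", url)   # resolve relative references
    parts = urlsplit(absolute)
    host = (parts.hostname or "").lower()
    if host not in INTERNAL_HOSTS:
        return url                                    # external links pass through untouched
    new = f"{GATEWAY}/res/{host_token(host)}{parts.path or '/'}"
    if parts.query:
        new += "?" + parts.query
    if parts.fragment:
        new += "#" + parts.fragment
    return new


_HTML_ATTR = re.compile(r"""(\b(?:href|src|action)\s*=\s*)(["'])(.*?)\2""", re.I)
_CSS_URL = re.compile(r"""url\(\s*(["']?)(.*?)\1\s*\)""", re.I)


def rewrite_html(html: str, base_host: str) -> str:
    """Rewrite href/src/action attributes and inline CSS url() references."""
    html = _HTML_ATTR.sub(
        lambda m: f"{m.group(1)}{m.group(2)}{rewrite_url(m.group(3), base_host)}{m.group(2)}",
        html)
    return _CSS_URL.sub(
        lambda m: f"url({m.group(1)}{rewrite_url(m.group(2), base_host)}{m.group(1)})",
        html)


def rewrite_set_cookie(header_value: str, base_host: str) -> str:
    """Re-scope a back-end Set-Cookie so the browser stores it for the gateway,
    prefixing the name so cookies from different internal hosts cannot collide."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    kept = [f"{host_token(base_host)}_{name}={value}"]
    for attr in parts[1:]:
        if attr.lower().startswith("domain="):
            continue   # drop the back-end domain; the cookie now belongs to the gateway host
        kept.append(attr)
    if not any(a.lower() == "secure" for a in kept):
        kept.append("Secure")   # every proxied session leaves the gateway over TLS
    return "; ".join(kept)


if __name__ == "__main__":
    # Constructed sample page served by intranet.corp.local.
    page = ('<a href="/hr/">HR</a> <img src="https://hr.corp.local/logo.png">'
            '<a href="https://www.example.org/">outside</a>'
            "<style>body{background:url('/img/bg.png')}</style>")
    print(rewrite_html(page, "intranet.corp.local"))
    print(rewrite_set_cookie("session=abc; Domain=.corp.local; Path=/; HttpOnly", "hr.corp.local"))
```

Two design points matter for the security property. The token is keyed, so a client cannot enumerate internal hosts by guessing; and the rewriter only touches URLs whose host is on the allow-list, so an external link stays external rather than being pulled through the appliance.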

Array allows for easy access to file shares located on either Windows or NFS (Network File System) servers via its Web-based gateway. For client/server resources, the SPX3000 provides access in two ways. Application Manager is a Java applet that connects TCP-based applications to back-end services such as terminal servers. Windows Redirector, on the other hand, is a stand-alone application that is available only for Windows PCs running Internet Explorer but which allows for even greater control over access to specific resources.

New to this release is full, bidirectional layer 3 tunnel support. Administrators can define multiple tunnels per virtual site, each with its own unique settings. For instance, one definition might include full tunneling, whereas another might specify split tunneling; and each can hand out IP addresses from a completely different DHCP pool.

Lack of cross-platform support is the price you pay for many of the more advanced features of SSL VPNs. Currently, the SPX3000’s layer 3 tunnel is available only to clients running Windows, but Array says that Mac and Linux versions are in development.

Array’s end-point security, including host checking and cache cleanup, is handled via Sygate On-Demand and Sygate Secure Desktop. Although the end-point security component is tightly integrated in the SPX3000, it must be purchased separately. Host checking takes place only prior to authentication.

For large enterprises or service providers, the SPX3000 offers VLAN support, as well as “virtual sites.” These allow admins to provision a single appliance into minisites, each with its own authentication and authorization settings. In addition, the appliance supports Active-Active and Active-Standby clustering configurations for as many as 32 nodes.

The administration UI of the SPX3000 isn’t all that different from that of Array’s previous releases. It’s still a little bumpy, but it has improved. Similar items are grouped together to minimize UI fatigue, and each virtual site is self-contained. Delegated administration is well-supported; the appliance administrator assigns an individual user to administer a single virtual site, and only that virtual site. In all, I found that Array has successfully rounded out the SPX3000’s feature set to make it competitive with any other appliance on the market.


Aventail EX-1500

The EX-1500 is a good all-around performer for secure remote access. Aventail’s Unified Policy engine makes life much easier for VPN administrators. Resources and users are tightly coupled, making policy definitions similar to a set of firewall rules. Instead of hopping all over the admin UI, everything is neatly nested together, and a handy Quick Start menu helps get you going. In fact, I was able to create a new access rule, complete with new resources and users, from a single screen -- a small thing, perhaps, but one that busy IT managers will appreciate.

Each realm also includes access method and security zone definitions. Compatible authentication sources include LDAP, RADIUS, Active Directory, SecurID, and a local user database. Two-node clustering is available in an Active-Active configuration. Built-in load balancing and automatic fail-over require no additional hardware.

Endpoint Control 2.0, probably the best end-point security mechanism of any appliance reviewed here, has been added since I last reviewed Aventail’s platform. When users connect to the appliance, Endpoint Control places them in specific security “zones” based on their device profiles. A zone is a grouping that defines policy details such as whether to use a cache cleaner on the client’s browser or to allow remote access (deny/allow all). This system makes it easy for administrators to create and maintain security policies that change as the user changes locations.

Endpoint Control relies on client-side software from WholeSecurity or Zone Labs to perform preauthentication host scans; either product must be purchased separately. Without these add-ons, Endpoint Control can still determine where a client is connecting from but cannot determine details about running processes and so on. For even more protection, the EX-1500 also works with Aventail’s cache cleaner and either Aventail Secure Desktop or Sygate On-Demand (also purchased separately).
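The trust-zone idea introduced in the overview (a healthy laptop on a cafe Wi-Fi link gets proxied access rather than a layer 3 tunnel) and Aventail's Endpoint Control zones described above are the same mechanism: posture plus location picks a zone, and the zone decides what the gateway offers. The following is an added example, not code from the article, AEP Networks or Aventail, that evaluates such a policy with default deny on both the realm and the zone. Realms, address ranges, resource names and the zone rules are all constructed.

```python
"""Added example, not code from the article, AEP Networks or Aventail: a small
policy evaluator mapping a session's realm, source network and host-scan
results to a trust zone, and the zone to the access modes the gateway offers.
Anything not expressly allowed is denied. All names and ranges are constructed."""
from dataclasses import dataclass
from enum import Enum
import ipaddress


class Access(Enum):
    WEB = "proxied Web and file access"
    THIN = "proxied client/server applications"
    LAYER3 = "full layer 3 tunnel"


@dataclass(frozen=True)
class Posture:
    antivirus_running: bool
    firewall_running: bool
    scan_performed: bool = True   # False when the host-check agent could not run


@dataclass(frozen=True)
class Session:
    user: str
    realm: str
    source_ip: str
    posture: Posture


# Constructed address ranges; TEST-NET-3 stands in for a partner's network.
CORPORATE_NETS = ("10.0.0.0/8", "192.168.0.0/16")
PARTNER_NETS = ("203.0.113.0/24",)


def location(source_ip: str) -> str:
    addr = ipaddress.ip_address(source_ip)
    if any(addr in ipaddress.ip_network(n) for n in CORPORATE_NETS):
        return "corporate"
    if any(addr in ipaddress.ip_network(n) for n in PARTNER_NETS):
        return "partner"
    return "public"


def trust_zone(session: Session) -> str:
    """Combine device posture with where the device connects from."""
    p = session.posture
    if not p.scan_performed:
        return "unknown"          # no scan result: treat like a public kiosk
    if not (p.antivirus_running and p.firewall_running):
        return "untrusted"
    # Healthy laptop, but a hotspot or partner site still only earns proxied access.
    return "trusted" if location(session.source_ip) == "corporate" else "semi-trusted"


# Zone -> access modes the gateway will offer. A zone missing here gets nothing.
ZONE_POLICY = {
    "trusted": {Access.WEB, Access.THIN, Access.LAYER3},
    "semi-trusted": {Access.WEB, Access.THIN},
    "untrusted": {Access.WEB},
    "unknown": {Access.WEB},
}

# Realm -> published resources and the access mode each needs. Unknown realm: nothing.
REALM_RESOURCES = {
    "employees": {"intranet-web": Access.WEB,
                  "terminal-server": Access.THIN,
                  "erp-database": Access.LAYER3},
    "partners": {"partner-portal": Access.WEB},
}


def cache_cleaner_required(zone: str) -> bool:
    """Anything short of a fully trusted zone gets its browser traces wiped at logout."""
    return zone != "trusted"


def allowed_resources(session: Session) -> dict:
    """Resources this session may reach: the intersection of what the realm
    publishes and what the trust zone permits. Default deny on both axes."""
    zone = trust_zone(session)
    modes = ZONE_POLICY.get(zone, set())
    published = REALM_RESOURCES.get(session.realm, {})
    return {name: mode for name, mode in published.items() if mode in modes}


if __name__ == "__main__":
    healthy = Posture(antivirus_running=True, firewall_running=True)
    for s in (Session("alice", "employees", "10.20.30.40", healthy),     # office LAN
              Session("alice", "employees", "198.51.100.7", healthy),    # cafe hotspot
              Session("bob", "partners", "203.0.113.9", healthy)):       # partner site
        zone = trust_zone(s)
        print(s.user, s.source_ip, zone, sorted(allowed_resources(s)),
              "cache cleaner" if cache_cleaner_required(zone) else "")
```

The point worth noticing is that the same user with the same healthy laptop loses the `erp-database` entry simply by moving from the office network to a public address: the realm still publishes it, but the semi-trusted zone no longer permits the layer 3 mode it requires.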
