
VPNs (2003)
Safe remote access to company systems is the reason for virtual private networks. But how easy and how secure are these appliances? By Rene Millman
The virtual private network (VPN) has come a long way from the clunking efforts of years ago. And in this month's Group Test we will be focusing mainly on VPN appliances that use the secure sockets layer protocol to untie themselves from the VPN client.
The SSL VPN can give users working away from the confines of the enterprise network infrastructure access to internal web servers and web-enabled applications, while all traffic between server and secured browser remains encrypted. It differs from VPNs that use IPsec. These normally require client software, and this needs to be managed, configured and regularly updated, thus pushing up the cost.
Secure connections
SSL VPN differs by having a standard 'client' that is present on virtually everyone's computer, the humble web browser. Thus, a remote user points a browser to their organization's VPN gateway appliance and a secure tunnel is set up over an SSL connection to the VPN. After some form of authentication, this traffic enables them to access internal resources.
We tested how easy it was to set up an appliance to act as a gateway between a remote user and internal resources. Some took no time at all and were quite impressive in the way they handled the process of setting up users, policies and access to resources.
Top honors for this went chiefly to Aventail, whose years in the business of SSL VPN managed services have paid off handsomely in a finely crafted piece of kit. An honorable mention must go to the Neoteris product for its comfortable handling of installation tasks. It was one of the easiest to manage and deploy across an enterprise.
We also looked at how much load each appliance could take. Sometimes appliances can be difficult to upgrade due to their proprietary nature. We found that Aventail and AppGate gained top honors for managing to cope with heavy loads without even breaking a sweat. Part of the job of the appliances in this test is to take the load of SSL encryption off the servers so that these can deal with their own tasks.
The right data to the right people
Access to internal web servers and web-enabled applications is one thing; accessing a file system, we found, is another. Some products did not take too well to the task of taking data from a file server and putting it into a format that can be read and manipulated by an end user, and with most of the products we were left wanting an easier ride.
Others, like Neoteris, managed to do this straight out of the box with sophisticated enough protocol translators between the client's HTTP over SSL and whatever protocol was inside. This left us to figure out the best way of making sure that the right data went only to those in an organization who were allowed access to it.
Security was another aspect we looked into in the test. There are schools of thought that claim that the security model of SSL VPNs is inherently weaker than that of IPsec VPNs, and thus that there is greater opportunity for outside attack because the cryptography and authentication are less stout. We found that all the boxes in the test were capable of keeping out unwanted visitors with ample security without (most of) the pain of setting up a full IPsec remote access gateway.
This is not to say that SSL VPN manufacturers have abandoned IPsec or the access client. The Aventail client gave us the option of clientless, semi-clientless and full client access to the same box. Semi-clientless meant that a small Java applet could be downloaded to act as a client from the VPN's home page.
AppGate also more or less had a small client that could be downloaded from the VPN portal to access the network, with a full client included on disk. This hardly makes for ubiquitous access but at least the road warrior could get onto the network without too much fuss by clicking on a link and following a couple of simple instructions.
Finding the right product
The RouteFinder went down the more traditional IPsec road and could act as both IPsec server and client. It had a greater range of features that would appeal to the small or medium-sized enterprise, such as firewall capabilities and a broadband router. The A-Gate from AEP also boasted a range of functions diverging from the pack.
Overall this is another mixed bag of results, but with a couple of clear winners. It does seem that you have to go with the appliance that does one job very well, and some of these products do match up to that specification.
As more and more products come online with an ever-burgeoning set of features, other products in this Group Test may need to sharpen up their respective acts if they are to survive an increasingly crowded market. It will be an area that is worth watching closely in the months and years ahead.



