AppGate has based its VPN products not on IPsec or SSL, but on SSH v2 instead. This offers huge advantages that will become immediately apparent to anyone who has struggled to get a traditional IPsec VPN working from a remote network using network address translation (NAT).
The AppGate solution works without difficulty in that scenario. Because of the underlying SSH technology, client-to-server traffic can traverse firewalls, NAT schemes and other network components.
Protected traffic can even sit on top of standard IPsec VPN traffic. The only requirement is that the remote user be able to connect via SSH. If the user is behind a firewall that enforces egress filtering and blocks port 22, the server can be configured to listen on other ports (such as 443), and SSH traffic can be routed through an HTTP proxy in the firewall.
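The port-443 and HTTP-proxy arrangement described above, shown from the egress side as an added example (not AppGate's own code): it builds the HTTP CONNECT request a client sends, parses the proxy's reply, and classifies the first bytes of the tunnelled stream so a filtering proxy can tell an SSH v2 identification string from a TLS handshake on port 443. The hostname and server banner are constructed values.

```python
import re

# RFC 4253 identification string: "SSH-protoversion-softwareversion [SP comments] CR LF"
SSH_ID_RE = re.compile(rb"^SSH-(?P<proto>\d\.\d+)-(?P<sw>[^\s\r\n]+)(?: [^\r\n]*)?\r?\n")


def build_connect_request(host: str, port: int) -> bytes:
    """Client side: the CONNECT request used to open a raw tunnel through an HTTP proxy."""
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n\r\n").encode()


def parse_connect_response(data: bytes) -> int:
    """Proxy side: return the HTTP status code of the CONNECT reply (200 means tunnel open)."""
    head, sep, _ = data.partition(b"\r\n")
    if not sep:
        raise ValueError("incomplete status line")
    parts = head.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError("not an HTTP status line")
    return int(parts[1])


def classify_tunneled_payload(first_bytes: bytes) -> str:
    """Look at the first bytes the server sends after the tunnel opens.
    SSH announces itself in cleartext with its identification string;
    TLS starts with a handshake record (type 0x16, version major 0x03)."""
    m = SSH_ID_RE.match(first_bytes)
    if m:
        return "ssh-" + m.group("proto").decode()
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return "tls"
    return "unknown"


def inspect_tunnel(client_request: bytes, proxy_reply: bytes, server_first: bytes) -> dict:
    """Egress-proxy view of one CONNECT exchange: destination port plus what actually
    flowed through the tunnel, so SSH on a port reserved for HTTPS can be logged."""
    target = client_request.split(b" ", 2)[1].decode()
    port = int(target.rsplit(":", 1)[1])
    status = parse_connect_response(proxy_reply)
    proto = classify_tunneled_payload(server_first) if status == 200 else "none"
    return {"port": port, "status": status, "protocol": proto,
            "ssh_on_https_port": port == 443 and proto.startswith("ssh")}
```

A filtering proxy that inspects only the CONNECT line cannot distinguish the two cases; the classification has to happen on the first bytes of the tunnelled stream.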
It supports a plethora of authentication methods. As well as traditional password authentication, users can utilize certificates, public keys and two-factor tokens like SecurID and smartcards.
The connection between client and server can be encrypted using a variety of algorithms, including Triple-DES, AES, Blowfish and RC4. Taking advantage of the compression features of SSH also improves access over slower networks where bandwidth is at a premium.
The AppGate Security Server is supplied as an appliance product running on a Sun Fire V100 family box that is 1U in size. Initial configuration can be done from the serial console and, after that, the administration console supplied on the disk can be installed.
The console window is split into two panes, with the left one showing an Explorer-like tree of options to configure and monitor. There is also a series of wizards to assist in initial configuration.
It is a simple matter to define roles for users and set rules governing access to internal services. A high level of granularity is achievable in setting user access rights, restricting access to particular services or applications by time and location, for example.
Users can be simply assigned roles or moved between defined roles at the click of a mouse. Users can also be assigned to a number of roles, and each role can have different access rights and conditions. When users connect, they can then select the appropriate role for that particular session.
Administration can be scripted so that large numbers of users can be readily assigned to existing roles. When using the administration console it is a simple matter to select a user and then drill down to see the role they are assigned to, and then down to the individual services assigned to that role.
Alternatively, one can select a service and click through to find which particular roles are granted access to that service, and then drill down further to find out which users have access to the service and under what conditions.
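The role model described above (users holding several roles, one role selected per session, access to each service conditioned on time and location, and the drill-down from a service back to the users who can reach it), as an added illustration that is not AppGate's own code or data; the roles, users and services are constructed.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Condition:
    """When and from where a role may reach a service (constructed policy model)."""
    hours: tuple = (0, 24)               # allowed window [start, end) in local hours
    locations: frozenset = frozenset()   # empty means any location

    def permits(self, hour: int, location: str) -> bool:
        start, end = self.hours
        return start <= hour < end and (not self.locations or location in self.locations)


@dataclass
class Role:
    name: str
    services: dict = field(default_factory=dict)   # service name -> Condition


class AccessModel:
    def __init__(self) -> None:
        self.roles: dict = {}        # role name -> Role
        self.user_roles: dict = {}   # user -> set of role names

    def add_role(self, role: Role) -> None:
        self.roles[role.name] = role

    def assign(self, user: str, role: str) -> None:
        if role not in self.roles:
            raise KeyError(f"unknown role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def access_allowed(self, user: str, session_role: str, service: str,
                       hour: int, location: str) -> bool:
        """A session runs under the one role the user selected at connect time."""
        if session_role not in self.user_roles.get(user, set()):
            return False
        cond = self.roles[session_role].services.get(service)
        return cond is not None and cond.permits(hour, location)

    def who_can_access(self, service: str) -> dict:
        """Reverse drill-down: service -> granting roles -> users, with each condition."""
        out: dict = {}
        for rname, role in self.roles.items():
            if service in role.services:
                for user, roles in self.user_roles.items():
                    if rname in roles:
                        out.setdefault(user, []).append((rname, role.services[service]))
        return out


def build_sample_model() -> AccessModel:
    """Constructed sample: finance reaches the ERP only in office hours from known sites."""
    m = AccessModel()
    m.add_role(Role("finance", {"erp": Condition((8, 18), frozenset({"office", "home"}))}))
    m.add_role(Role("support", {"ticketing": Condition()}))
    m.assign("alice", "finance"); m.assign("alice", "support"); m.assign("bob", "support")
    return m
```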
At times, the console can seem a little confusing, but a back button enables administrators to step back through their configuration panes to reach their starting point.
The deeper one looks into the administration console, the clearer it becomes that the AppGate is designed, above all else, for ease of administration. For example, the administrator has complete control over both user authentication and access, and the administrator can even customize the user's experience of using the VPN client. In addition, there are options to start applications on authentication and options to hide applications from users altogether.
On the client side, unlike the more traditional IPsec VPN solutions, we found that there was no need for installation of any client software.
There are different clients to choose from with different user interfaces, each suited to different needs. The clients are written in Java and are therefore compatible with any Java-enabled platform, including telephones and PDAs.
The Applet client makes it possible to download the client software from a web server if needed – for example, when using computers that do not have the full client software installed. The user simply points their web browser at the appliance and is then presented with a home page that offers an option either to download the client or to connect to the server using a Java applet.
This means that it is a simple matter to sit down at any internet-connected PC (or Mac, Unix box, PDA or phone – in fact any device that supports Java) and create a secure, encrypted link back to the office network just by connecting to the appliance via a browser, authenticating and downloading the applet.
There is a full client available, downloadable from the server home page that enables users to connect to multiple AppGate servers at the same time. This offers a simple interface with icons for the applications that are available through remote connections.
Clicking on the icon you want opens the application – the SSH connection runs transparently in the background.
When you remember that the administrator is able to configure exactly what appears in this console and what applications will run on authentication, you will appreciate the power of the AppGate solution.
The AppGate Security Server is ideally suited for those administrators who need to provide secure authenticated access for a large number of users and who wish to retain complete control over their remote clients.
Because no configuration is required on the client side and no software needs to be installed, calls to the helpdesk should be minimal, which is a clear advantage.
AppGate was recently tested under the Checkmark scheme and is the only solution available that carries Checkmark VPN and Personal Firewall certifications.