Although most remote access traffic is protected one way or another, many companies prefer the extra reassurance provided by a virtual private network (VPN). However, these can be tricky to deploy, particularly if you go down the internet protocol security (IPSec) route. This is why SSL VPNs, those based on the web's secure sockets layer encryption technology, have proved popular of late.
Less expensive, and easier to deploy, SSL VPN technology provides remote access to web applications such as email and corporate intranets. And, because access is browser-based, users can log on securely using almost any device. Other advantages include ease of deployment and use, elimination of network interoperability issues, easy maintenance and fewer changes to firewalls.
SSL solutions operate at the application layer and terminate at an appliance inside the firewall. Network administrators use a device, such as Billion BiGuard S10, to control user access to applications in conjunction with network authentication and authorisation services. The new S10 is aimed at small businesses with between ten and 50 employees, while a larger version, the S20, offers failover thanks to dual-WAN ports and can handle up to 200 users. However, the model number indicates the maximum number of concurrent VPN connections, so the BiGuard range only really addresses the smaller user end of the remote access market.
The BiGuard S10 itself is a perfectly straightforward, not to say rather unremarkable, piece of network hardware that looks like a common router.
A row of status LEDs graces the front panel, while four fast ethernet ports at the rear provide connectivity to your network and a single ethernet WAN port connects you to the outside world. In between the front and the back panels is a one-stop network security device, comprising an SSL VPN server with integrated router and SPI firewall, a unique combination according to Billion. This 1U device ships complete with mounting brackets and so can be rack-mounted.
Setting up the BiGuard does call for some technical expertise and as a result it's more than likely, given its target audience, that setup and management costs will exceed the purchase price of the hardware.
Although SSL VPNs are billed as "clientless", this isn't strictly true; some application support requires that the browser automatically (and transparently) download and run either an ActiveX or Java applet - this is true of the BiGuard, with its transport and network extenders.
The BiGuard's WAN connectivity supports both point-to-point protocol over ethernet connections to your ISP and a static IP address. As is the norm, the BiGuard uses a web user interface, which is well laid out and easy to follow. Incidentally, only a thin printed quick-start guide is provided; more meaningful text is tucked away in a PDF on the accompanying CD-ROM. On the VPN front, it's easy to set up your own web page for the login interface. Users can be authenticated either using internal data or by external authentication servers, such as Radius.
Is there any benefit to having the VPN gateway and router/firewall in the same box? There are certainly cost and management advantages to this arrangement, but no substantial performance benefits. The BiGuard's firewall is par for the course, comprising SPI firewall with intrusion detection and denial-of-service prevention. It's nothing special, but it's good enough for most needs. You can also apply content and URL filtering, if required, and block ActiveX and Java applets.
SSL solves almost all remote access issues except one: providing access to client/server or other applications not accessible from a browser. Unlike IPSec VPNs, SSL VPN appliances don't typically allow direct access to network file shares. The BiGuard gets around this limitation with a pair of ActiveX controls that users can download once connected:
Network Extender technology allows you to access your normal network folder shares, something you can't normally do with SSL VPNs. Secondly, Transport Extender technology enables specific remote users or groups to access additional network services, as defined by the network administrator. For example, you can use your Outlook email client remotely to transparently access Exchange Server via the SSL VPN, which is both a neat trick and a useful bonus.
One nice feature of the BiGuard is its support for quality-of-service traffic shaping. The ability to regulate network traffic is almost essential to prevent the SSL gateway being brought to its knees by errant applications. You can define rules for specific types of application, such as voice over IP, determining precisely when traffic shaping activates in order to avoid the connection grinding to a halt. Incidentally, the BiGuard firmware is updated regularly; I downloaded firmware v1.6a and installed it without a glitch.
The BiGuard S10 is an attractive piece of kit. Its individual elements don't stand out, but together they make a lot of sense. It offers a unique combination of security and VPN gateway at a low price. Once set up, it works as described. The BiGuard S10 is a very capable tool