Product Group Tests

SSL VPN

Group Summary

There is one important thing to remember about SSL. SSL does not authenticate the user. It only authenticates the session.

Scroll To Full Group Summary Below

Click for a side by side comparison of products
Click for a side by side comparison of products

Full Group Summary

We started out looking at this month's crop of SSL VPN products with a yawn. Ho-hum...just another bunch of SSL gateways. But then we looked a bit closer. Whoa, Hoss...things have started to get quite creative in this product space. I guess the users and developers are beginning to look at what can be crammed into a simple SSL gateway.

One thing we really liked was the move from one vendor to evolve a former open source product. Like us, many of you have used SSL Explorer, especially back in its open source days. The product then became a commercial success and now it has been subsumed into our Best Buy. Great decision in our view. This product has one of the most desirable characteristics an SSL VPN can have: ease of use for the end-users who need to connect to it. More on that in a moment.

How do you select an SSL VPN product?

SSL VPNs have one overriding characteristic that seems to drive their architectures: they need to be accessible easily and reliably from end-user computers. These products are, more often than not, gateways into a system. So, one's first step is to assess how you plan to use the gateway. One of the typical limitations is that there needs to be an agent on the end-user's computer. The agent communicates with the gateway and sets up the tunnel.

The agent isn't necessary for everything, though. For example, if all one needs to do is connect to a website, the user probably can do that without an agent. However, if you are extending the tunnel to some device such as a server, you may need the agent. That can pose a logistical problem if you have a large user group. It is much more difficult if you don't have a stable community of users. This takes us to my earlier comment about SSL Explorer.

One of the things we liked about that product - even the open source version - was the dissolvable agent technology it used. That technology has persisted into its current incarnation. The agent deploys only if you need it. After you are finished with it the agent dissolves. This is the optimum approach - usually agentless, but with a dissolvable agent when necessary.

Another important function is the way the gateway integrates with such services as Active Directory. If it is necessary to create a unique database, it may be impractical to deploy in many environments. Some products are considered unified access gateways instead of simple SSL VPN gateways. In these cases, the functionality should match your environment, or your planned environment. Beyond these obvious features, some products add in other functionality, such as scanning and network access control.

How we tested
This was a straightforward set of tests. In some cases, the vendor provided the complete environment and we constructed a network that could be accessed from our test bed. In other cases, we set up a test bed that emulated a typical enterprise with an SSL gateway - the product under test - and examined such things as ease of use, functionality and performance.

What we found
In general, we found that this year's crop of SSL VPN products was a pleasant surprise. We expected a rather dull review. After all, what can one do with a simple SSL VPN? It turns out that one can readjust one's thinking from a simple gateway to the potential functionality of an access control system for remote users of all types.

There is one important thing to remember about SSL, though. SSL does not authenticate the user. It only authenticates the session. While I'm sure that we all know that, sometimes we forget that we need to have some additional authentication mechanism for the users.

Most of these products offer ID and password and some can be used with stronger authentication. I recommend that if you are planning to use this to access your network from the internet, you consider some form of strong authentication. When used internally - on an intranet - this may be less important. The problem, of course, is that deploying strong authentication to a large user community can be both expensive and difficult to do. Some form of PKI might be a solution but, as always, examine your requirements and develop your architecture to support them.

That said, this month's product group, while a bit smaller than usual, is a real pick of the litter. Look through these and I am sure that you'll find what you need if you are thinking about deploying an SSL VPN or a gateway that uses SSL VPN. These products all are very competent.

All Products In This Group Test