BAKE-OFF: SSL VPNs

Reviews: Call Us The Enforcers

SSL VPNs are serious about remote access. Which one really rocks?

By Fahmida Y. Rashid, ChannelWeb

12:00 AM EST Mon. Nov. 19, 2007
From the November 19, 2007 issue of CRN Tech
Page 1 of 4
With the rise in the number of business users who are telecommuting or regularly working from the road, a secure VPN solution is critical to a company's day-to-day operations. With a VPN, the IT department can enforce security and compliance policies as well as allow access to internal applications. Traditionally, VPN solutions used IPsec protocols, but SSL VPNs have gained in popularity as the products matured to support thousands of users and various types of connectivity. SSL VPNs also bring a bevy of security features, including extensive host checking and the application of dynamic security policies.

A VPN typically establishes the remote client as a node on the protected network; an SSL VPN extends secure access to protected resources for remote users. While IPsec VPNs require client software to be installed on each computer connecting back to the network, SSL VPN products use a standard Web browser and do not require any specialized software to connect to the network. This means remote users can use any networked device, such as Internet kiosks or a borrowed laptop, to access the network. Since SSL over Port 443 is generally allowed everywhere, remote users likely would be able to access the corporate network.

SSL VPNs follow the first rule of security control: everything is off-limits unless expressly allowed by the administrator. SSL VPNs make it easy to access data and applications while still enforcing authentication rules to ensure that only trusted users are given access.

CRN Test Center engineers put several SSL VPN appliances through their paces on their test network. Engineers originally researched and compiled a list of 16 VPN offerings with similar feature sets that can be deployed in small or medium businesses. From that list, five companies with comparable products were invited to participate: Array Networks, Cisco Systems, NeoAccel, SonicWall and Stonesoft. Cisco and Stonesoft declined, saying they could not accommodate the testing time frame. That left three products: Array Networks' SPX2000 Universal Access Controller, NeoAccel's SSL VPN-Plus SGX-1200 Gateway and SonicWall's Aventail EX-1600.

As third-generation products, all three SSL VPN appliances reviewed here would fit in small corporate offices or companies with simple network configurations. While some models from these vendors can support as many as several hundred to several thousand concurrent users, these particular boxes could support customers needing as few as 10 concurrent users.

They all support up-to-date, modern browsers and provide secure access to both Web and non-Web applications over SSL. Along with robust management interfaces and reporting capabilities, they all have a way for non-HTTP applications to tunnel over to an SSL VPN.

Unlike IPsec, SSL-based VPNs don't create an open tunnel. It was essential that these appliances grant access to non-Web applications. The products all supported some form of authentication, such as LDAP and Microsoft's Active Directory. Finally, each of these boxes offers some form of dynamic access control based on the user's group membership.

The products differed from each other in the way remote end points are managed and the level of granularity available for access control. The solutions reviewed here have basic end-point control interrogation capabilities. The appliances perform end-point security audits to determine how trustworthy the remote machine requesting access is. If the remote machine fails any test, the appliance denies entry or offers limited entry, depending on policy.

Next: Methodology

 