Reviews: Call Us The Enforcers


A VPN typically establishes the remote client as a node on the protected network; an SSL VPN extends secure access to protected resources for remote users. While IPsec VPNs require client software to be installed on each computer connecting back to the network, SSL VPN products use a standard Web browser and do not require any specialized software to connect to the network. This means remote users can use any networked device, such as Internet kiosks or a borrowed laptop, to access the network. Since SSL over Port 443 is generally allowed everywhere, remote users likely would be able to access the corporate network.

SSL VPNs follow the first rule of security control: everything is off-limits unless expressly allowed by the administrator. SSL VPNs make it easy to access data and applications while still enforcing authentication rules to ensure that only trusted users are given access.

CRN Test Center engineers put several SSL VPN appliances through their paces on the Test Center's test network. Engineers originally researched and compiled a list of 16 VPN offerings with similar feature sets that can be deployed in small or medium businesses. From that list, five companies with comparable products were invited to participate: Array Networks, Cisco Systems, NeoAccel, SonicWall and Stonesoft. Cisco and Stonesoft declined, saying they could not accommodate the testing time frame. That left three products: Array Networks' SPX2000 Universal Access Controller, NeoAccel's SSL VPN-Plus SGX-1200 Gateway and SonicWall's Aventail EX-1600.


As third-generation products, all three SSL VPN appliances reviewed here would fit in small corporate offices or companies with simple network configurations. While some models from these vendors can support as many as several hundred to several thousand concurrent users, these particular boxes could support customers needing as few as 10 concurrent users.

They all support up-to-date, modern browsers and provide secure access to both Web and non-Web applications over SSL. Along with robust management interfaces and reporting capabilities, they all have a way for non-HTTP applications to tunnel over the SSL VPN.

Unlike IPsec, SSL-based VPNs don't create an open tunnel, so it was essential that these appliances grant access to non-Web applications. The products all supported some form of authentication, such as LDAP and Microsoft's Active Directory. Finally, each of these boxes offers some form of dynamic access control based on the user's group membership.

The products differed from each other in the way remote end points are managed and the level of granularity available for access control. The solutions reviewed here have basic end-point control interrogation capabilities. The appliances perform end-point security audits to determine how trustworthy the remote machine requesting access is. If the remote machine fails any test, the appliance denies entry or offers limited entry, depending on policy.
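The deny-or-limited-entry decision described above, combined with the default-deny rule and group-based access control, sketched as an added example (not code from any of the reviewed appliances). The check names, groups and resource labels are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical end-point audit tests; a real appliance defines its own set.
REQUIRED_CHECKS = ("antivirus_current", "firewall_on", "no_keylogger")

# Constructed policy: group -> resources expressly allowed. Anything absent is denied.
GROUP_RESOURCES = {
    "finance": {"web:erp", "share:finance", "tcp:sql"},
    "staff": {"web:intranet", "share:public"},
}
# Resources still offered to a machine that fails the audit ("limited entry").
LIMITED_RESOURCES = {"web:intranet", "web:erp"}


@dataclass
class Session:
    user: str
    groups: set
    posture: dict  # check name -> bool, as reported by the end-point audit


def failed_checks(session):
    """Return the required checks the remote machine did not pass.

    A check with no reported result counts as failed, so an endpoint
    that cannot be interrogated (a kiosk, say) is never treated as trusted.
    """
    return [c for c in REQUIRED_CHECKS if not session.posture.get(c, False)]


def decide(session, resource, on_fail="limited"):
    """Return (verdict, reason) for one access request."""
    allowed = set()
    for group in session.groups:
        allowed |= GROUP_RESOURCES.get(group, set())
    # Default deny: group membership must expressly grant the resource.
    if resource not in allowed:
        return ("deny", "not expressly allowed for the user's groups")
    failed = failed_checks(session)
    if not failed:
        return ("allow", "group policy matched, endpoint passed audit")
    # Audit failed: policy chooses between limited entry and refusal.
    if on_fail == "limited" and resource in LIMITED_RESOURCES:
        return ("allow-limited", "failed: " + ", ".join(failed))
    return ("deny", "failed: " + ", ".join(failed))
```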

Methodology
Test Center engineers configured and installed SSL VPN appliances from Array, NeoAccel and SonicWall. Engineers created an internal network within the Test Center lab and put each VPN appliance between the internal network and the rest of the Test Center network. The VPN connected engineers on Test Center machines to the internal network to access the servers plugged into the internal network. The machines used to make the VPN connection ran a mix of operating systems and browsers. After installing the appliances, engineers tested three common usage scenarios: browsing a Web application, accessing a network drive and running a non-Web application. The applications resided locally on the server, and the network share was a standard Windows share.

When examining the products, engineers also considered the types of access control available, the existence of any virtualization features and the ability to support multiple browsers and platforms. Finally, engineers looked at the information collected by the boxes and the reporting tools available to detail the logged data.

While the three vendors provided a wide array of possible configurations to highlight what the boxes are capable of, engineers placed greater value in their scoring on ease of deployment and ease of management. In order to properly rank the solutions, engineers also considered each company's channel partner program to identify revenue opportunities available to solution providers.

SonicWall Aventail EX-1600
SonicWall's Aventail EX-1600 received the first-place crown for its comprehensive management interface, simple installation and its intuitive method to create and implement access control policies.

Before SonicWall acquired Aventail this summer, Aventail had already established its SSL VPN appliances as a solid product line. SonicWall says it plans to keep both the Aventail SSL VPN and its own legacy SSL VPN product lines since they target different markets.

Engineers deployed the EX-1600 over a Windows network to take advantage of Active Directory, but also tried username/password authentication over a Linux-based network. For unusual network configurations or unsupported browsers, the appliance uses Native Access Modules for Microsoft Terminal Services and Citrix Systems deployments to offer remote access. The box also has three built-in ways of connecting users: the WorkPlace Portal, WorkPlace Mobile for mobile phone browsers and Connect Tunnel to access TCP-based applications.

The EX-1600 can support 25 to 250 concurrent users. Endpoint security features, such as antivirus, personal firewall and antispyware, are available as add-on features. Pricing varies by number of users and starts at $5,995 for five concurrent users.

The appliance's management application was strangely the feature engineers liked most and least. The interface was powerful, offering all kinds of tools in one screen—including configuration, management and system checks. Access control was granular, supporting policies based on user and groups, source IP address, service and port, destination URL, host name and IP address, IP range, subnet and domain. A handy checklist at the right helped keep track of which tasks remained to complete configuration of the system, such as getting the public certificate, configuring IP addresses and setting access controls.

However, its sheer power was also very confusing and distracting. With everything jammed in, there was a sense, as a user, of overlooking something. There's just too much available at the fingertips.

Solution providers must achieve certification to sell and service the Aventail EX-1600. While Web-based training is available for free, there are some costs associated with the classroom courses. Advanced support and certain discounts come with certification.

SonicWall partners can expect average margins between 15 percent and 38 percent, depending on their level within the vendor's channel program. However, there are other possible revenue streams, such as renewable subscriptions. There's also an MSP program for partners offering managed services based on the vendor's technology.

In addition, solution providers can offer related consulting services that can begin with pre-deployment and continue after deployment to handle application integration and security updates. Pre-deployment, solution providers can look at the existing network infrastructure and ensure that all essential components, such as the firewall, gateways and other security features, are in place.

Deployment includes training and some maintenance. Post-deployment services include license management, enabling access to parts that were originally closed off and tweaking access control lists. Support for business applications, such as mobile devices, can be added after deployment as well. SonicWall says there is an even 50/50 split between hardware and software profits vs. associated services.

SonicWall's Medallion Partner Program has five groupings: DMR (Direct Market Resellers), VAM (Value Added Merchant), Gold, Silver and Approved.

At minimum, solution providers must register as partners on the SonicWall Web site. At higher levels, they need to have two CSSA and one certified GMS expert on staff, complete at least $100,000 in annual sales, handle pipeline forecasting, hold two local marketing events per quarter and submit quarterly business reviews.

NeoAccel SSL VPN-Plus SGX-1200 Gateway
Engineers ranked NeoAccel's SSL VPN-Plus SGX Gateway in second place. Its clean interface made administration and deployment a breeze. The SSL VPN-Plus also offers a thin client and a full client (Java applets and ActiveX controls) to mimic the IPsec functionality for non-Web applications. The gateway product supports both remote access and site-to-site SSL VPN.

The SSL VPN-Plus SGX series can range from 10 to 10,000 concurrent users. The model Test Center engineers examined, the SGX-1200, supports 50 concurrent users. The VPN-Plus can be deployed in a dual-arm or single-arm configuration, and also parallel to a DMZ or firewall.

All features can be enabled or disabled and easily extended through the NeoAccel Management Console. The interface is well organized and has options to manage, monitor and modify gateway configurations. Users' privileges, access control policies/rules and user administration are also possible through the interface. The management options, while thorough, were not as feature-rich and packed as the SonicWall offering.

Unlike SonicWall's Aventail solution, the end-point security features (antivirus, antispyware) are built into the product. This VPN solution also proactively prevents attacks by checking each client machine to ensure the definitions and patches are up to date and that there are no spyware or keylogger applications installed.

NeoAccel's partner program has three levels with annual sales volume goals: Gold at $100,000, Silver at $50,000 and Bronze at $25,000. Authorized resellers have to sign an agreement, but they are not restricted to a goal. Partners at higher levels are also required to have NeoAccel-trained salespeople and systems engineers on staff. NeoAccel shares all leads generated from trade shows and Web forms with channel partners based on geography and vertical market expertise.

Partners can expect average margins between 20 percent and 30 percent. They also can count on yearly maintenance contracts for additional revenue. Solution providers are invited to participate in beta test programs and can request features, which are granted high priority. Solution providers can get discounts of up to 60 percent on new units for demonstration purposes, as long as they agree to not resell the demo unit.

About half of NeoAccel's products are sold through the channel. NeoAccel also sells its products through OEMs.

Array Networks SPX2000 Universal Access Controller
Array Networks' SPX2000 Universal Access Controller placed third. It offered a comparable ease of deployment and similar access control features, but its management interface was not as impressive as those of its peers.

With support for up to 500 simultaneous users, the appliance is a scaled-down version of the vendor's enterprise-ready product, which supports up to 64,000 users. Array Networks says multiple SPX boxes can be tied together to get more capacity. Test Center engineers did not try this since the scope of the test was only 500 users.

The SPX2000 is flexible, as it can be configured with up to 128 portals for groups with varying levels of access restrictions and authentication requirements. Having multiple portals makes it easier to implement some group-level security policies.

The virtualization feature was the most attractive on this appliance. The remote machines connect through a secure desktop that is set up for the duration of the session. Once the session is closed, the desktop is wiped out so that the remote machine doesn't cache or have a record of the sessions or of any files accessed. This is particularly attractive if many of the connections will be made from public machines.

Ingram Micro is the exclusive distributor for Array Networks in North America and will remain so for the foreseeable future to avoid price pressure and maintain margins, the company says. Solution providers interested in partnering with Array need to demonstrate core competency in network and network security. Solution providers can expect margins between 25 percent and 30 percent on hardware and software and 11 percent on support contracts. Like SonicWall partners, Array partners can offer managed services and consulting services to customers from pre-deployment to maintenance. Higher margin levels are available through annual sales volume of $250,000 and certifications.

Bottom Line
While deployment and the ability to implement varied access control profiles were more or less the same experience across all three appliances, the management experience was very different.

The sheer volume of options in the management of SonicWall's Aventail EX-1600 seemed overwhelming, but it was by far the most comprehensive, which helped it garner the top spot over its peers.

NeoAccel's SSL VPN-Plus SGX-1200 Gateway offered a more organized look than those of its rivals, but it didn't offer as much detail as SonicWall.

The interface on Array Networks' SPX2000 Universal Access Controller, while usable, suffered in comparison in both look-and-feel and organization. While engineers were impressed with SPX2000's virtualization capabilities, the product felt more like it would be deployed in an enterprise's remote location, as opposed to a small to medium business, which hurt its rankings.

While all three SSL VPN appliances reviewed here would fit in small corporate offices or companies with simple network configurations, SonicWall has a leg up.

Shopping The Ingredients

VENDOR: Array Networks, Milpitas, Calif., (866) MY-ARRAY, www.arraynetworks.net
• PRODUCT: SPX2000 Universal Access Controller
• LIST PRICE: Starts at $7,995
• PARTNER INCENTIVES: MDF, training and certification, margins from 11% to 30%
• PROGRAM PARTNERS: More than 60 in North America
• PROGRAM COSTS: None
• DISTRIBUTORS: Ingram Micro

VENDOR: NeoAccel, San Jose, Calif., (408) 274-8000, www.neoaccel.com
• PRODUCT: SSL VPN-Plus SGX-1200 Gateway
• LIST PRICE: Starts at $1,995 for 10 concurrent users
• PARTNER INCENTIVES: Spifs, MDF, training, margins from 20% to 30%
• PROGRAM PARTNERS: More than 50 U.S. partners
• PROGRAM COSTS: None
• DISTRIBUTORS: None, works directly with channel partners

VENDOR: SonicWall, Sunnyvale, Calif., (888) 557-6642, www.sonicwall.com
• PRODUCT: Aventail EX-1600
• LIST PRICE: Starts at $5,995 for five concurrent users.
• PARTNER INCENTIVES: Margins from 15% to 38%
• PROGRAM PARTNERS: 10,000 worldwide
• PROGRAM COSTS: None
• DISTRIBUTORS: AltTech, Ingram Micro, SecureMatics, Tech Data