Review: Juniper Tries to Put Network Disruption On ICE

Being able to conduct "business as usual" remotely in times of emergency or natural disaster can make or break a company or government entity. Giving employees access to corporate networks when they cannot physically be on-site is a core component of a well-developed business continuity strategy.

Virtual Private Networks provide a way to give access to network resources remotely, but not all VPNs are created equal. Sifting through what type of VPN to implement can be daunting: IPSec, PPTP or SSL? Hardware or software-based? The type of VPN to choose depends on a lot of factors: an organization's size, security needs, budget, and number of remote users are just a few.

The Secure Access line of SSL VPN appliances from Sunnyvale, Calif.-based Juniper Networks provides the ability to add connections "In Case of Emergencies" (a feature to which Juniper gives the apropos name ICE). Juniper recently announced the release of the company's next-generation Secure Access products. Test Center reviewers took the enterprise-level Secure Access 6500 for a test run.

The SA 6500 is an IVE (Instant Virtual Extranet) SSL VPN appliance and supports from 2,500 to 10,000 users. This is a machine built for fault tolerance, with dual hot-swappable SATA drives set up in RAID 1 and dual hot-swappable fans and power supplies. Additional hardware includes 4 GB SDRAM, 4 Ethernet ports and a hardware-based SSL acceleration module.

Setup was no more rigorous than connecting the device via a serial connection, defining internal network addressing information and setting up an administrator account.

The device can then be accessed through the Web-based management interface. The Central Manager's left-pane tabs are arranged hierarchically, indicating the order of configuration steps needed to get the IVE fully up and running. For example, the top-most tab is "System." This is the area in which internal and external interfaces are input. Underneath is "Authentication." A variety of authentication servers are supported: LDAP, NIS, ACE, AD and others. For testing, reviewers used local authentication.

User settings are configured through "user realms," resource profiles and policies. Through the management interface, it was easy to set up a default user realm to specify authentication method and role mapping. Resource profiles allow an administrator to specify which Web applications, file shares, and services (like Telnet or Terminal services) to give a user upon connection. More detailed policy control is done through resource policy. Under Web resource policy, for example, caching options for user connections to Web-based applications are defined. ACL and Compression are among the options that are configurable for both Windows and Unix/NFS files in the File Access Policies window.

The IVE also supports multiple Instant Virtual Systems (IVS). One IVE can support up to 240 virtual systems, each capable of being administered separately and with no evidence or visibility of any other IVS that may reside on the device. Setting up an IVS entails a few mouse clicks in the "Virtual Systems" section of the management interface.

With ICE, emergency licenses are activated easily through the management interface. An ICE license must be purchased (still more cost-effective than adding user licenses), and clicking "Enable" on the ICE entry in the licensing list enables emergency licenses for up to 8 weeks or until disabled. The SA 6500's management interface offers a level of detail that is comprehensive and straightforward. The interface does not get bogged down in layers of windows. Changes made to user settings were instantaneous and took effect on the user side by simply restarting the user's connections.

A trivial detail, one may think; however, a surprising number of appliances (from UTMs to VPNs) often need a restart for changes to go into effect, adding overhead to the time it takes to carry out administrative duties on them.

Metrics done on the SA 6500 were on par with the interface. 180 GB of data was uploaded to a connected client from the remote LAN and vice versa. Each operation took less than two minutes. Data can be compressed, and the minimum amount of data that can be pushed through at one time is 500 MB.

The SA 6500 is a powerhouse of a VPN. Scalability, management and performance are touted by Juniper with its newly revamped Secure Access products. These products deliver. Priced at a starting list of $43,995 (100 concurrent users), the SA 6500 may be overkill for smaller businesses, as it is designed for enterprises, managed service providers and large data centers. SMBs can opt for the SA 2500, with a starting list price of $4,995 (10 concurrent users), or the SA 4500, with a starting list price of $16,895 (50 concurrent users).