Review: SSL VPNs

The number of mobile and remote workers will grow to more than 150 million worldwide by 2006, according to IDC. That's good news for cube dwellers yearning to be liberated, not so good for IT managers who must scramble to provide secure remote access tailored to a variety of user groups while meeting regulatory requirements. No matter where an employee connects from, critical resources must be protected. The days of providing a point solution for each access requirement are long gone.

Coincidentally (or not), the SSL VPN market has exploded in the past three years, with Frost & Sullivan forecasting continued growth at an annual rate of 49 percent through 2010 with sales exceeding $2.46 billion. Why an SSL VPN? Because permitting users to connect over the Internet through TCP Port 443 using any Web browser, rather than requiring installed client software as with IPsec, will make your life easier with no reduction in network security. SSL VPNs can traverse firewalls and handle NAT (network address translation). IPsec

VPNs can handle NAT as an optional component of IKE (Internet Key Exchange) version 2, but not without added complexity. In addition, with SSL VPNs access occurs at the application layer, enabling granular access control, and they're highly scalable to boot.

Now, we don't expect companies with large investments in IPsec VPNs to do forklift changes to SSL. In fact, IPsec and SSL each have their place in the enterprise and can co-exist nicely. IPsec VPNs are the ideal solution for long-term, static connections between remote sites and are a manageable way to grant small user populations secure remote access. But make no mistake: An SSL VPN is our top choice for providing access to large numbers of mobile employees and for extranet environments.

We invited 20 vendors to participate in our tests of SSL VPNs. To be eligible, products had to:

• Support 1,000 users; for our testing we scaled to 500 concurrent users with varying access and application needs.

• Work with up-to-date browsers, specifically Netscape Communicator, Internet Explorer and Apple's Safari browser; and support T3 services.

• Support non-HTTP applications; SMB/CIFS file sharing; and the following authentication methods: local user ID/password, LDAP, AD, RADIUS, Windows NT Domain and RSA SecurID.

• Provide granular access control and authorization: user- and group-based memberships, role-based access, LDAP/AD attributes, and source and destination addresses/ports.

• Support SSL tunneling and limited caching on remote devices (for example, user credentials) and block session cookies.

• Perform client-side integrity checks to determine access level.

• Support passive or active high availability.

Array Networks, Aventail, Caymas Systems, Check Point Software Technologies, F5 Networks, Juniper Networks, Nortel Networks, Permeo Technologies and Whale Communications agreed to participate. Cisco and Citrix declined. NetContinuum told us that though its products offer SSL VPN capabilities, its focus is on providing application-level and Web services security. PortWise's offering is strictly software-based and the company didn't consider it a fit. Nokia's and Symantec's release cycles didn't mesh with our time frame for testing and publication. Menlo Logic agreed to participate, but it pulled out; at press time representatives said the company was in the early stages of being acquired. We never heard back from AEP Networks, NetSilica and WRQ.

Check Point's Connectra SSL VPN is available as an appliance or software for open servers, while Permeo's Base5 is software installed on a box running a hardened operating system called PISA (Permeo Instant Secure Appliance). All other products are straight appliances.

Security Workhorses

As you might have guessed by our requirements, the SSL VPNs we tested provide a lot more than just Webified e-mail--remote access to applications, file shares and network services all are available. Most share common feature sets, with each providing a unique combination of capabilities

(Click here for our detailed features chart). Don't rule anyone out--a small player may have the exact mix of features on your checklist.

Before going shopping, understand how an SSL VPN can meet your secure remote-access needs. First, develop a detailed list of applications that must be accessed, and by whom. Don't forget in-house-developed apps and legacy systems. Once you've narrowed the choices to the top three or four, ask if you can keep the products for a month or so to pilot test integration into your network and functionality with all your applications. This is a competitive market, so buyers have some leverage. In-house testing will also help you evaluate what's included in base cost and quality of technical support.

The average per-user list price, for 500 concurrent users, of the SSL VPNs tested range from $50 to $120, with Aventail and Juniper charging extra for their non-HTTP clients and Nortel adding charges for its tiered licensing. Also, though each product offers some level of host integrity checking, it's often limited. Advanced features require the purchase of an endpoint security product, such as Sygate's OnDemand or WholeSecurity's Confidence Online Enterprise Edition. Check with each SSL VPN vendor for a list of partnerships. And don't be jolted by sticker shock: Increased mobility and productivity plus decreased helpdesk support and IT maintenance costs make the SSL VPN products we tested worth consideration.

What Users Want

Remote users need access to many applications that are not Web-enabled, including those using common mail protocols like SMTP, POP3 and MAPI, and remote shell programs like telnet and VNC. This access causes remote desktop support and networking problems. Typical VPNs, both IPsec and SSL, let admins deny external access to those applications or use encryption technology to protect the traffic passing over untrusted networks.

The statement that SSL is clientless is only partially true. Providing access to non-Web applications requires a client program or that you download to the remote user's computer an ActiveX control or Java applet that redirects network traffic from its intended destination to the SSL VPN gateway. Thus, ActiveX or Java support is required, along with elevated privileges to run them. Expect problems when users try to access the Internet from noncompany computers.

We expected the products to support our existing Active Directory and RSA ACE/Server for authentication, but there were a few surprises. Authentication against AD was accomplished through Microsoft's NTLM (NT LanMan) or through LDAP. Authentication against ACE/Server using SecurID tokens was through a native ACE client or RADIUS. Surprisingly, the systems from Caymas and Check Point don't support NTLM, and Permeo's Base5 supports it by using an embedded RADIUS/AD configuration. All the other products could pull in group membership when authenticating against our domain using NTLM. Permeo's product also doesn't support X.509 digital certificates for client authentication.

Once a user attains a secure connection, he or she should be bound by access restrictions. All the products we tested provided basic functionality using authentication and group memberships. But access control is all about granularity--giving admins more choices for controlling entree to network resources based on predefined variables, like source or destination IP address, URL, user name or group membership, time of day and other items relating to a session. The products from Juniper, F5, Nortel and Whale really stood out here. Conversely, the systems from Array and Check Point don't provide time-of-day access options, and Check Point's Connectra 6000 doesn't support source or destination IP address. In fact, it seems that Check Point is still ramping up its SSL VPN offering. Its latest release, which was not available during our testing window but should be out when you read this, offers many improvements.

Host integrity scanning, where the system searches for files and/or processes on a user system prior to authentication, is winning lots of attention lately, so SSL VPN vendors have been adding these features to their products or forming partnerships with established players. Say a user doesn't have a virus scanner installed; with granular control he or she may not be allowed to upload files to a file server--that adds an additional layer of protection to internal resources. Unfortunately, our tests showed that access-control policies can become quite complex, and it's all too easy to accidentally deny or, worse yet, grant access. Permeo's Pilot Mode helped considerably by letting us decide whether to actively enforce a security profile. If we turned Pilot Mode on, profile violations were logged but not enforced. We could review logs to see the impact of a change before rolling anything out. Juniper also let us choose between "evaluate policies" and "require and enforce," which will enforce the policy at log in.

For those who must support PDAs, the systems from Array, F5, Juniper, Nortel and Whale support client-server applications on PocketPC devices, and Nortel even offers a built-in PDA portal page. Permeo offers this capability via its Secure Reverse Proxy, and Aventail's Java agent offers client-server support for Windows Mobile PDAs. F5 is especially advanced here. Its FirePass 4100 provides e-mail, file and intranet access from mini-browsers on PalmOS and PocketPC PDAs, BlackBerrys and iMode phones. And, for those who do business globally, F5 and Juniper provide the best multilanguage support. Tres bien.

Tag, You're It

Only Array, F5, Juniper and Nortel support VLAN tags. Whale says its e-Gap Remote Access Appliance does VLAN support, but you're limited to the capabilities in Windows Server 2000.

We awarded Juniper's Secure Access 5000 appliance with its IVE 5.0 platform our Tester's Choice award. Juniper led the pack with its fine-grained access-control capabilities, superb authentication services, wealth of configuration options and solid application support. But the competition is improving--all these products can grab customers away from Juniper. The products from Caymas and Permeo, for example, deserve attention for their aggressive pricing. Both vendors also seem committed to expanding their feature sets, which makes them appealing for those enterprises with tight budgets.

For pricing comparisons, we asked for as-tested list price based on 100, 500 and 1,000 concurrent users. See chart for this info.

The SA-5000 appliance runs on Juniper's Instant Virtual Extranet platform. This product has a well-thought-out design and offers abundant configuration options, from network installation to pre-authentication checks to portal design. IVE's extensive user and group definitions went far beyond those offered by the other products we tested. In fact, there are so many enhancements in version 5.0 that it's impossible to cover them all.

Juniper takes full advantage of existing systems for authentication and group membership data--the 5000 should integrate with just about any authentication methodology you'll find in a data center. Enhancements to Juniper's End Point Defense Initiative (yes, that roughly spells JEDI), coupled with its ability to create granular access policy-enforcement rules, put a lot power into our hands. One of the biggest highlights in this release is Network Connect, a downloadable agent with a dual-mode feature that can switch between IPsec and SSL transport modes automatically.

Only the products from Juniper and Array required part of the initial setup to be done using the console port. In both cases that involved connecting to the serial port for initial configuration of the internal port. Once that was done, we configured everything else with the Web interface. All the other products we tested have a built-in management port with a defined IP address, or initial connectivity is done through the eth0 port using a device on the same network as the appliance.

To connect to our AD server, we clicked on the "Authorization Servers" tab, selected "Active Directory," chose "New Server" and entered a name, the server's IP address and an NT domain. It was that easy. Array also has a simple method for connecting to AD.

Next, we created two roles: telecommuter, for those signing on from known IP addresses, and kiosk, for everyone else. We elected to limit telecommuter access to Web and Windows file shares and e-mail. After our roles were defined, we set restrictions based on source IP, digital certificate attributes, a host-checking policy, browser type, OS, day/time of week and internal/external interface. A host-checking policy let us perform scans on remote systems before authentication is attempted--for example, we could define that a PC must be running antivirus, determine if specific ports are open, and check for a specific file or running process.

Configuring host-checking policies on the SA-5000 was easy, but check-box options were limited to Sygate Universal Enforcement API, Sygate Security Agent, Zone Labs ZoneAlarm Pro and Zone Labs Integrity, McAfee Desktop Firewall 8.0 and InfoExpress CyberGatekeeper Agent. However, we could configure rules that grant or deny access based on whether a specific process is running, open ports or the presence of files. For example, we set up a rule for our kiosk users that denies access if Port 80 is open.

Next, we mapped our telecommuter and kiosk roles using rules like user name, user attribute and custom expression. Custom expressions let us assign users to different roles based on the location attribute within AD. For example, we created a mapping rule that assigned the kiosk user role to those using Internet Explorer and the telecommuter role to all others.

Realms define which URL a user accesses during sign-on. For example, to allow OWA (Outlook Web Access) connections, we configured a new sign-on URL /exchange/*. Admins also can add a bookmark or URL link to the portal page for specific users. Windows and NFS file sharing is defined in a similar fashion.

The IVE portal has been enhanced as well. For example, we could control how the new panel bookmarks are organized, in a single or double column format, and we could hide preferences on the framed home-page toolbar.

For those enterprises struggling with offering any remote combination of Web, file shares and telnet services to Apple Macintosh OS 10.4 and/or Sun Solaris 8 or 9 users, your prayers have been answered. With the SA-5000 these employees will be able to securely access Web applications, file shares and telnet/SSH sessions. They'll also be able to run client-server applications through the appliance without installing a VPN client using JSAM (Juniper Secure Application Manager)--but this requires a license. We created a "Mac" role for those signing on from a known IP address--in this case, our Macintosh device. After creating the role, we assigned it access rights to just telnet to our Extreme switch. Then, we mapped this role to a rule to authenticate to our AD server. It worked like a charm. One note: You must set up a basic policy for your Macintosh and Solaris users because the default is "access deny."

The administrator UI has a feature to roll back to the factory default setting--let's hope you never need to use it. To better guard against DoS (denial of service) or password-guessing attacks, Juniper has enhanced its lockout algorithm for failed logins. Now, admins can configure for a certain number of failed attempts, the trigger for failed attempts and the lockout period to suit their network environments.

One quibble with the SA-5000: Even though the administrative console is well-conceived, it offers almost too many options and can be overwhelming for an administrator to handle. Think through how you want to set up your security policies before jumping into configuration on the IVE. A larger problem is that, Juniper charges separately for JSAM and Network Connect features, so determine if you'll need these in your environment and budget accordingly.

Secure Access 5000 with IVE 5.0. Juniper Networks, (888) JUNIPER, (408) 745-2000. www.juniper.net

F5's FirePass 4100 controller appliance gave Juniper a run for its money in our tests--and we expect it will compete for market share.

During our initial phone briefing, the company stressed that it would take even nontechnical users no more than half an hour to install the product. The initial box sent to our lab was DOA, but F5 provided another box the next day. And yes, it was up and running in half an hour.

The FirePass consists of four physical ports to support segmentation based on trust zones. Additional logical segmentation can be done based on VLAN tags as well as IP subnet configuration. One of the first things we noticed about the FirePass was that whenever we made network configuration changes, like configure/modify/delete new VLANs, configure new routing tables or new routes in routing tables, change DNS entries or add/delete/modify the IP address of an existing interface or VLAN, we had to take the "Finalize" option. This rebooted the controller, which would take a few minutes to come back online. F5 said a hot fix will be incorporated into the next release.

The FirePass supports access to terminal servers, client-server and Web applications, legacy hosts, mobile devices and Windows desktops without our having to pre-install client software. For example, many vendors will tell you they support legacy applications, but in reality, they support only TCP/IP connectivity to those systems. Terminal emulation software, like IBM Client Access for a 5250, must be loaded on the computer. F5 and Juniper can deliver emulation using applets.

For endpoint security, the FirePass uses what it calls endpoint inspectors, programs that gather information about a user's system. A pre-login sequence determines which inspectors to activate; they then scan the system trying to connect and determine whether to allow the logon to continue.

A neat cache cleanup feature provides an ActiveX control that clears the browser's cache of all temporary files at the end of every session. From the Post-Logon Actions screen, we simply checked "inject ActiveX/Plug-in" to clean up our client browser Web cache. If the browser was not enabled for ActiveX, we could still block e-mail, Web application access and file downloads by checking the respective boxes. In addition, we could create custom string policy checks combining any of the following: antivirus, system registry entries, OS, personal firewall and last signature update.

F5 provides a handy feature called the Fallback Secondary Settings that let us apply a second set of policies to those users who failed the first set. This second policy set can grant a user access to a restricted subset of the network. The FirePass performs a scan even before login credentials are entered to prevent malware from capturing credentials, and the systems also are periodically scanned after authentication.

Although F5 supports Macintosh and Linux as remote clients, it doesn't support policy checks on these platforms.

The FirePass has the simplest and most useful reporting and logging features we've seen. It tracks user account and session information on the server, and we could generate reports or export them to an Excel spreadsheet for further analysis. In addition, alerts on security incidents can be sent to a syslog server and/or e-mailed to an administrator, and they're all recorded in the FirePass logs. Audit tools include full-session audit trails, drill-down queries and customizable reports and queries. FirePass also excels at displaying real-time information. We especially liked the attack notification and prevention options to guard against repeated logon failures as a possible attack. For example, we defined an attack as 20 consecutive failures in five minutes and could deactivate the account and set a maximum time-out on failed logons.

FirePass 4100. F5 Networks, (888) 882-4447, (206) 272-5555. www.f5.com

Whale swims in a different direction with the design of its SSL VPN appliance. While other vendors use some form of a hardened Unix variant, e-Gap Remote Access contains two separate Windows 2000 servers that use a SCSI RAM disk to transmit data through the e-Gap appliance.

For testing, we needed to configure both an internal and external server, but it was a simple process. After adding our e-Gap Windows 2000 internal server to our domain, we immediately received full access to all users and groups defined in AD without the need for LDAP. This was, by far, the easiest connection to our Active Directory server. Note that connectivity to AD is polled: Whale doesn't pull in the directory and store a copy, so changes to AD are noticed immediately. Whale also provides strong authentication and single-sign-on features and an excellent application support model.

Whale says its appliance separates the internal network from the outside world. The e-Gap takes data packets into its server, strips off the TCP headers and passes the TCP payload onto the SCSI RAM disk. The other side reassembles a new TCP packet after reading the data and determining where it should go.

From e-Gap Services, we could configure both HTTP and HTTPS connections. We elected to create a new HTTPS connection to OWA 2000 SP3 for those users who only need to check e-mail. After doing basic setup, we were prompted to select servers for session authentication, and we could select multiple authentication servers. Also on the same display, we could define granular access methods. For example, we stated that users must provide credentials for each selected server and could choose whether to let users select from a list of servers and whether to show server names.

Our internal Web site info was pulled in to the system automatically, and we could have applications automatically reply to application-specific authentication requests, such as 401 Request or HTML Form. We also set endpoint policies to control access to the trunk.

Whale earned a perfect score for its host-integrity checking. We created a custom Secure Enterprise policy and were impressed with the variety of compliance variables, including e-Gap components, antivirus, personal firewall, VPN client, OS (supports Win95 on up), user type and software components, using Boolean expressions AND, OR and NOT.

Happily, our timing was such that we could take a look at Whale's newly announced SP3. This service pack adds numerous features and updates. A few high points: If an endpoint does not comply with an application's access policy, we could determine if the link on the portal page should be grayed out or invisible. And Whale's built-in portal now supports folders, so that administrators can distribute the home page by breaking it into logical folders, with each folder containing an unlimited number of applications--similar to the Caymas product. Policy compliance features can now detect the presence of spyware and eyeball search engines and browser types. A new "relaxed policy" option let us elect not to enforce a security policy on a computer where the e-Gap Endpoint Detection component cannot run. Finally, a Java-based client-side SSL Wrapper enables access to non-Web applications on client computers where the ActiveX component cannot run--handy for Macintosh and Linux users.

Whale e-Gap does offer a lot of flexibility and customizability, but much of it is realized by editing files. If you don't have a VB programmer on staff, plan to rely on Whale's services group.

The e-Gap's weak spot was logging and reporting, accomplished using syslog on the server. To move beyond the typical information that Windows provides, you must tie into an SNMP system such as Tivoli. Those without advanced monitoring systems will be stuck with basic Windows logging and troubleshooting and will find auditing difficult.

e-Gap Remote Access Appliance 3.1.3. Whale Communications, (877) 659-4253), (201) 947-9177. www.whale communications.com

Simply put, Aventail's EX-1500 provides very good unified policy management and Web application access. Aventail has added a setup wizard for initial installation and configuration of the appliance--smart move. The wizard is particularly helpful when defining initial access control rules and resources.

After making and saving our changes, we selected the "Pending Changes" option and elected to apply our changes. Sadly, we didn't see a list of the changes waiting to be applied from the management console, though Aventail says this feature is on a list of planned enhancements. For now, an audit trail of all management console changes is available in the policy_audit.log file, found in /var/log/aventail.

The Aventail management UI was a bit cumbersome to navigate at first, but it got easier as testing progressed. Aventail provides handy quick-start menus throughout.

The EX-1500 provides three access methods. Using a standard SSL Web browser, admins can secure access to Web applications and file shares. Aventail OnDemand uses a Java agent, which is integrated into the Aventail WorkPlace portal to provide secure access via an SSL-encrypted connection through the EX-1500 to thin client and client-server applications. The OnDemand agent runs on Windows, Macintosh and Linux without requiring admin privileges; however, dynamically redirecting connections using the OnDemand agent works only on the Windows platform with admin-level rights. Aventail Connect delivers a Windows client to provide complete network access to applications with additional network and desktop protection, such as split-tunneling control and personal firewall detection. This requires admin privileges the first time it's run and will work with Internet Explorer or Firefox with Sun JVM or ActiveX.

A key new feature in version 8.5 is Smart Tunneling, which takes advantage of Layer 3 connectivity with full application access combined with Layer 4 through Layer 7 policy control. Aventail uses Smart Tunneling to provide back-connect access to applications like a remote helpdesk and voice over IP, and provides site-to-site functionality similar to an IPsec VPN, without the issues of NAT or firewall traversal. And Smart Tunneling can start automatically when a user connects, using the OnDemand or Connect Tunnel to add a link to the WorkPlace user portal for client download.

Managing user authentication required that we define one or more external authentication servers in the management console. These servers are then referenced by realms (user populations that map to defined external authentication servers) for users to log in to the appliance. We easily created multiple authentication realms that reference separate user populations in a single repository. Setting up connectivity to our AD server was a snap, and Aventail provides a test-connectivity button for troubleshooting. The EX-1500 had no problem pulling in our defined users and groups for management within access rules.

During our tests, we created a new group and user in our AD server but could not see them on the Aventail Management Console. Aventail explained that within the console, there is an LDAP browser that lets admins see new groups and users. Once a group is defined, every time a user authenticates, membership is dynamically pulled in.

From the Access Control tab, we could edit the access control rules we set up during testing, a functionality often lacking in SSL VPN products. For example, we easily configured a new access rule and network resource and assigned them to users. This tab and its contents--unique to the Aventail product--saved us from having to click through various screens to determine what a user/group has access to.

By default, endpoint control is not turned on, but by checking "Enable Endpoint Control" we could configure endpoint control agents for client integrity data protection, create a device profile, define an endpoint control zone, reference the zone in a realm and then optionally reference the zone in an ACL. Thankfully, Aventail offers a quick start that highlights each step of this process. The downside is that endpoint control agents require you to point to the URL where either the Whole Security Confidence Online or Zone Labs Integrity Clientless Security agents are hosted. Both are a separate--and potentially pricey--purchase.

Aventail does provide built-in, configurable device and zone profiles--this is the true strength of its endpoint control product. We defined access rules based on the trust level for an endpoint and created multiple zone profiles, such as trusted, semitrusted and untrusted. This makes it easy to update security policies as users move about various business locations and roles within an organization. Although the system is designed to make endpoint control easy to modify, the built-in endpoint controls support only Norton and McAfee antivirus. And, though we could select multiple values, only one was accepted--a device profile can contain only one AV attribute.

Aventail EX-1500 Smart SSL VPN 8.5. Aventail Corp., (877) AVENTAIL, (206) 215-1111. www.aventail.com

Caymas' approach to SSL VPN technology is to control access and security decisions via user credentials; resources such as Web apps, file servers, user directories, applications and Citrix; and access devices for both internal and external users. The IDAG provides four varieties of universal access on a per-resource basis. Secure Proxy uses URL rewrite functionality for in-browser access for HTTP, HTTPS and file shares--no client software required. Secure Tunnel is an ActiveX control or Java applet that tunnels TCP or UDP (User Datagram Protocol) for access to client/server applications such as Citrix and telnet. Secure Connect is a network driver that provides network-level connectivity over SSL. Finally, Caymas' proprietary Web Relay supports complex Web applications by creating a secure connection between authorized users and applications.

The Java-based management system provided the most maneuverable UI of all the products reviewed, and Caymas IDAG offers many support options for Web- and TCP-based applications in addition to a lengthy list of supported network services. If you can't find what you need, it's easy enough to add a resource. For example, we added a network service simply by right-clicking on "Network Services" and selecting "New Network Services." Give the service a name, set the protocol and transport mode to be used, set an inactivity time-out value, and be sure to allow client- and server-initiated connections. Click "Apply" and you're set.

IDAG was the only product we tested that required a two-step process to configure OWA. It was easy enough to define the OWA application on the Web/File Resource tab with the IP address of the Exchange server followed by /exchange/*, but we also had to go back to the Web/File Resource tab, create a hidden OWA application and uncheck "Show in Launchpad." According to Caymas, this is necessary to provide access to Web folders not located in the default Exchange location.

In addition to serving as a stateful firewall that is enabled and active by default on each encrypted tunnel, the Caymas gateway provides an intrusion-prevention configuration security option that we could apply at the application layer on a resource-by-resource basis. Although Caymas uses its own hardware enforcement engine, it uses the SNORT database and naming convention for signatures.

We were pleased that Caymas extended security with its application state signing, which placed a digital signature on HTTP data to detect allowed and suspicious behavior in application logic. We could set basic thresholds, such as TCP SYNs per second, to help defend against DoS attacks. Still, don't mistake this built-in application protection as a replacement for a dedicated application firewall; consider it another layer of safety.

Caymas' integrated host-integrity tools helped validate the state of our endpoint machines. From the Host Checker tab, we could create powerful, complex host-checker policies using AND/OR logic. For testing, we created a policy that checks for Windows XP Service Pack 1 and a personal firewall, but we could have selected port, file, process and registry checks. Unfortunately, IDAG does not scan after authentication.

Another nicely integrated endpoint feature is the cache cleaner's ability to monitor resource access and clean any data associated with a Web application off the computer. We could choose to make cache cleaner mandatory for endpoints in all networks, or leave it optional for some IP addresses and subnet masks. Host checking and cache cleaning are available only for Windows 2000 or XP machines, which hurt it in our scoring.

IDAG provides excellent logging and auditing of all user activity and requested resources on a per-user and per-resource basis. We especially liked the User Summary Report, which displayed successful and failed logins and authorizations, IDS security events, maximum session length and peak hour of usage for all users.

Caymas Identity-Driven Access Gateway 525 2.5. Caymas Systems, (707) 283-5000. www.caymas.com

The Nortel 3070 is an enterprise-class SSL VPN appliance that delivers both IPsec and SSL VPN support in one box. Nortel's existing customer base will like the smooth migration path from IPsec to SSL VPN technology.

Nortel offers three secure access options: clientless, enhanced clientless and Net Direct. Clientless mode uses a browser to access Web applications and files. Enhanced clientless mode requires Java-port-forwarding for access to non-Web TCP applications. At logoff, the Java agent is uninstalled from the client machine. Net Direct downloads an ActiveX agent that is delivered to the user's device to provide full network access. This agent is removed from the client PC at logoff and is limited to the Windows platform; however, it provides for full bidirectional TCP traffic and supports both full and split tunneling.

The main interface, whose design is similar to Windows Explorer, gave us three tabs to work from: Setup, Normal and Expert. Of course, we jumped directly to the Expert tab. To ensure the integrity of our SSL VPN setup, we locked the GUI when making changes, then unlocked it when finished--the VPN lock is owned by the user profile. Surprisingly, this feature is lacking in most SSL VPN products we tested; Juniper's and Caymas' offered levels of admin access, like read-only. Configuring connectivity to our AD server required a user profile that was part of the Schema Admin group. Nortel does provide an option to authenticate in order: From Expert/VPN Gateways/Auth Order, we could see our available authentication methods and then select the order for credential match-up.

Users are mapped to one or more access groups, and the access rules associated with the group define the user's access rights on the intranet. One of three user types determines which portal tab will be displayed: Novice displays the Home tab; Medium adds the Files and Access tab if enabled; Advanced displays all tabs. When defining a portal link set, the user will see only the link text, not its URL. We strongly recommend you use descriptive link text that clearly indicates the provided resource.

Nortel's endpoint security for both SSL and IPsec VPNs is based on a Nortel application called Tunnel Guard. We weren't totally won over. When we clicked on the option to create security rules, we were presented with a system configuration of the device we selected that option from. Nortel let us provide granular AND/OR expressions by selecting from components like DLLs and executables that are either active or running on a remote computer. For example, for a test laptop running Symantec Corporate Edition 9, we could base our endpoint policy on those antivirus files. We also could grab file information from another machine on the network to add to our endpoint policy. However, we prefer built-in lists combined with the ability for admins to add their own host-integrity checks without having to pull information from another machine.

Nortel's remediation offerings include denying or allowing access to a restricted site, and its cache cleaner will remove proxy downloads and temporary files associated with a user session upon termination.

Nortel VPN Gateway 3070 5.0. Nortel Networks, (800) 4Nortel. www.nortel.com

Base5 works at the session layer--an applet is downloaded to remote computers when they connect and removed at the end of each session. Permeo was spun off from NEC, and its PISA (Permeo Instant Secure Appliance) hardened OS hosts the Base5 Gateway, the Base5 Connector and the Base5 Manager.

The Base5 Gateway provides the SSL, secure SOCKS proxy and HTTP reverse proxy functions--the pipes through which the Base5 processes information, authentication and user access requests. It's also the warehouse for login and Connector rules, host-integrity checks and Connector software.

The Base5 Manager is a streamlined Web management console that enables easy definition and security-policy enforcement. We could be choosy about what network resources users are allowed to access--if a resource is not defined on a user's list, the packets will never get beyond the Base5 Gateway.

Base5 Connector is an on-demand agent that's provisioned every time a user connects from the Gateway. The agent inserts itself at Layer 5 and lets users access any application on the network, not just Web apps; system calls are captured for network resources and redirected to Base5. The Connector is the piece of the pie that provides connectivity and endpoint security during the VPN session. But to take advantage of it, users need Windows 2000 SP3 or Windows XP SP1 or better and Internet Explorer 6 or later. Macintosh and Linux users require Permeo's secure reverse proxy for file sharing and intranet browsing; however, secure reverse proxy users are not subject to endpoint security checks. We found that the Connector leaves behind no client-side software after a user logs off.

Users can access only authenticated applications from one of two rule types--login and connector. Login rules can match any combination of URLs used to access the gateway, user group membership and/or network sources from which users connect. Secure reverse proxy users can access only the resource links and file shares we defined--no endpoint security will be enforced. For testing, we created a secure reverse proxy access login rule, called Partners, containing links to file shares that only our business partners needed to access, then created a Base5 Connector login rule, called Corporate, for access by our internal employees, so that we could define information controls and host-integrity checks to further grant or deny access.

Login rules also let us enforce information controls on clients, including removing the ability to save, copy, paste and print information during the VPN session. Various limiting actions also can be set for Internet Explorer, Citrix sessions and systemwide requests, and we could define specific Web site access limits for each login rule match. Although this approach provides granular security, it will require extra administrative work because address and domain changes must be updated as they happen.

Permeo has incorporated a wealth of endpoint security features into Base5. Built-in host-integrity checks can be defined to scan any required combination of minimum OS service packs and antivirus and personal firewall products, as well as admin-defined options like files or settings.

Host-integrity checking is granular as well. For example, we could provide more network access for users with real-time virus checking enabled. For users without real-time checking, we could create a lower access level instead of denying them entry altogether. Creating custom security definitions requires the Host Integrity Check Utility, which we found on the Base5 installation CD.

Although the Permeo product was easy to navigate, many operations must be executed in a specific order, and this stipulation isn't always clearly explained. We typically don't ding vendors on documentation, but for Permeo we're making an exception. The company must beef up its reference material. Until then, we recommend you keep a record of your processes--they'll come in handy if you must make a change and it's been months since you've touched Base5. Other nits: We could not find an option in the management UI for high availability, or to kill individual or all active sessions, though the company says that shortcoming should be remedied by the time you read this.

Base5. Permeo Technologies, (512) 334-3600. www.permeo.com

The SPX5000 is a whopper of a 3U device. Once we got a hand racking it, we dug into the Array Pilot interface. Although it was a little rough around the edges, we found Pilot easy to maneuver around in. We liked the Flight Deck graphical display of system usage, active sessions and session statistics (SNMP must be turned on to use the graphs). However, while Array has made great strides in the past couple of years--beefing up the SPX5000 with a Layer 3 tunnel, site virtualization and client-side host checking to make it more competitive in the SSL VPN market--the SPX5000 doesn't support access control for time and date access or as a result of host-integrity checks. In fact, many of the features we were looking for were AWOL or sub-par. Array's policy enforcement is decent, offering two-stage security, but it's not quite as granular as rivals, and no post-authentication scan is conducted (this is on the road map, according to Array). We could set client access levels to low, medium or high and then edit the privileges for Web resources, file shares, TCP applications, thin client support and VPN access. But host checking and cache cleanup are handled using Sygate's OnDemand and Secure Desktop products, an additional cost to customers. Array does OEM the Sygate product, providing for one-stop shopping.

On the bright side, service providers will like Array's VLAN and "virtual site" support, which can be created from the VPN page. The Service Management tab let us set site administrator accounts, each with its own access level and authorization settings, and assign them to specific virtual sites. In addition, each virtual portal can be set up to do full or split tunneling to enable IPsec tunneling. We could assign IP addresses dynamically or use DHCP.

Array allowed us easy access to file shares located on Windows or NFS (Network File System) servers through its Web gateway. Access to client-server resources can be handled in two ways: The Application Manager Java applet connects TCP applications to back-end services, such as terminal servers, while the Windows Redirector is a standalone application available only for Windows PCs running Internet Explorer but offers greater control over access to specific resources.

When working from an Array portal page, we found that our links were opened within the same page--there is no admin or user option to open in a different page.

SPX5000. Array Networks, (866) MYARRAY, (408) 240-8700. www.arraynetworks.net

heck Point must leverage its position as a security industry heavyweight if it hopes to wrest market share from rival SSL VPN vendors. Although version 2.0 of Connectra adds what are fast becoming standard product features, like cache cleaning, session data encryption and endpoint host-integrity checking, the product did not stand out in any of our scoring categories. Connectra doesn't have granular access control, and Check Point doesn't support authentication via ActivCard Pack or Windows Domain Login (NTLM).

The administrative interface isn't loaded with options, but we got around easily. Connectra offers two modes of remote access--native access to Web applications, file shares and e-mail, or TCP, UDP or ICMP services through Check Point's SSL Network Extender Active-X-based VPN client. A check-box option let us decide whether to have SSL Network Extender launch automatically.

By default, the option to use the Integrity Secure Browser, which encrypts session traces on the remote endpoint and deletes everything on logoff, is off. Even after we enabled it, users were given the option to use this secure browser. The Integrity Secure Browser needs at least power-user rights to load; otherwise you'll receive the message: "Integrity Secure Browser Warning: Installation path is invalid! Please enter valid path and try again." Oops.

We tested with different browsers and found that Web applications like OWA work great with Internet Explorer, Mozilla Firefox and Apple's Safari; however, file sharing and services using the SSL Network Extender require up-to-date Internet Explorer on the remote client. We couldn't get an older version of IE (5.0) to work.

Connectra boasts built-in defenses against DoS attacks, firewall capabilities to grant or deny data connections to defined services' ports, and native application-layer intelligence to protect Microsoft file and print shares against worm patterns like Nimda and opaserv. There's also protection for DNS (UDP Protocol Enforcement).

Endpoint security features use Check Point's Zone Labs technology. We found it granular and configurable. We could select antivirus rules and malware behavior, and scan for the Integrity firewall client--but only this firewall client. Admins can provide remediation attempts by adding custom text or forwarding to a specific URL.

When testing, we elected to activate Integrity Clientless Security scan for all applications from the Scan Settings tab, scan for all malware types from the Malware Protection page and require Symantec Norton AV to be running. We defined remediation text for a user to follow. Working with a desktop that we knew had malware on it, we were denied access, as expected. However, we then activated the option to disable found malware. Upon reconnecting, we found that the malware wasn't all disabled. A third-party tool, like Lavasoft's Ad-Aware, is needed to rid the device of malware.

Using the same definition defined above, the Integrity Clientless Security for Connectra could not support the browser version on our Macintosh using the Safari 2.0 browser. Same deal for a Linux client running Mozilla's Firefox 1.0.3. In essence, the devices could not be scanned for harmful software, and we were locked out.

One notable mention about Connectra's endpoint security is that we could not find a way to add any custom security checks ... so you must depend on what Check Point provides or tie into an existing endpoint security product. For host-integrity checks, Check Point uses only ZoneLabs' Integrity, which it owns. However, we tested the ZoneLabs product, and Check Point is not using all the bells and whistles, plus this version doesn't have a Java agent. The real-time security updates service did work as advertised.

Other beefs: AD integration was far from effortless, and we found little in terms of troubleshooting logs and help text to resolve these AD integration problems. And Check Point doesn't support Lotus iNotes. We also were disappointed with Connectra's logging and reporting capabilities--they're basic, with no graphical dashboard. We were especially troubled by the lack of information in logs to help troubleshoot connectivity problems to our Active Directory server. We had to e-mail the vendor asking for instructions--we hate when that happens. SmartCenter server customers can take advantage of central logging and upload their logs to the SmartCenter.

As we went to press, Check Point unveiled its NGX product, which has many new features such as native support for Citrix and Lotus iNotes. The SSL Extender will support TCP applications, additional language and real-time statistics.

Connectra Web Security Gateway. Check Point Software Technologies, (800) 429-4391, (650) 628-2000. www.checkpoint.com

Joanne VanAuken is a technology editor for Secure Enterprise. She has 14 years' experience in computer operations and systems administration. Write to her at [email protected].

To help their organizations stay ahead of the competition, security pros must provide anytime, anywhere secure remote access to various user types (employees, contractors, business partners, even customers) from multiple locations (home PCs, customer networks, hotels and airport kiosks) on a cornucopia of devices (laptops, PDAs and smartphones). To accomplish this, many enterprises are turning to SSL VPNs.

Product Category: SSL VPNs differ from IPsec VPNs in that they do not require client software to enable full LAN access for site-to-site connections. SSL is application-independent, included in all standard browsers, and enables flexible remote access to Web applications and client-server and file-sharing resources.

Must-haves: Insist that your SSL VPN vendor provide superior endpoint security, two-factor authentication and powerful policy-management capabilities with an easy-to-use administrative user interface and a simple portal experience for end users. Make sure initial access is granted to only those hosts passing integrity checks. Your VPN should then provide another level of authentication so internal resources are accessed only by those with the appropriate rights.

Products Tested: We tested SSL VPNs from Array Networks, Aventail Corp., Caymas Systems, Check Point Software Technologies, F5 Networks, Juniper Networks, Nortel Networks, Permeo Technologies and Whale Communications.

Who Won and Why: Juniper's Secure Access 5000 appliance with its IVE 5.0 platform took our Tester's Choice award. It met all our requirements and is loaded with fine-grained configuration options. We especially liked its broad support for Apple Macintosh and Sun Solaris users. But rivals are closing in, and that's good news for enterprise customers.

We installed each SSL VPN appliance in a reverse-proxy configuration where the external interface was on the 128.xxx.xx.0/24 network and the internal interface was on the 192.168.2.0/24 network. All our intranet resources were on the internal network.

We configured a Windows 2000 Active Directory and populated it with user profiles. We also created several custom groups, which were used to assign access rights. For our internal servers, we used Microsoft Exchange 2000 Service Pack 3 for both Outlook/Exchange e-mail and Outlook Web Access. Citrix MetaFrame Presentation Server 3.0 was used to test integration. We also supported straight HTTP pages and terminal services.

We authenticated all users against our Active Directory, and all our back-end servers were in the domain. We also tested two-factor authentication support using an RSA SecurID Server running RSA Authentication Manager 6.0 software and SecurID tokens. Testing used native ACE/Server authentication if supported, or RADIUS.

Our client configurations consisted of Windows XP Pro SP2 with Internet Explorer 6.1 and Mozilla Firefox 1.0.3, as well as Windows XP Pro with SP1 and with SP0, both running Internet Explorer 6.1. These two not-fully-patched XP Pro devices were used as part of our host integrity testing. We also tested a Macintosh running the Tiger operating system and the Safari 2.0 browser, and a system configured with Red Hat Linux 9 running the Mozilla Firefox 1.0.3 browser.

Testing involved pointing clients at the destination pages and verifying that the pages rendered properly and that port forwarders worked. We tested the level of integration with existing back-end servers, including support for non-HTTP protocols, like Citrix and terminal services, and single sign-on capabilities. Ideally, the SSL VPN portal provides single single-sign-on capabilities so that users must authenticate only once to the portal. Logging into servers once to cache credentials on the appliance for use between session logins was considered acceptable.

High on our list of testing criteria were the flavors of host integrity checking each product offered. We were particularly interested in whether any built-in endpoint security was offered and, if so, the extent of its granularity. Partnerships with endpoint security vendors like Sygate and WholeSecurity represent an additional cost to customers. We also wanted to know which remediation options are available to admins.

All Secure Enterprise product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Secure Enterprise schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

R E V I E W

SSL VPNs

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

Once launched, enter your own product feature weights and click the Recalc button. The Interactive Report Card ® will re-sort (and re-grade!) the products based on the new category weights you entered.

Click here for more information about our Interactive Report Card ®.