By eweek  |  Posted 2006-08-21 Print this article Print

Juniper Networks Secure Access 4000 SSL VPN appliance provides robust remote access for users and neat management tools for IT administrators.

The SA4000 Secure Sockets Layer VPN is part of a family of security products that Juniper acquired when it bought NetScreen Technologies in 2004. The high-end SA4000 appliance also comes in a FIPS (Federal Information Processing Standard) 140-compliant model that meets the standards for cryptographic systems that handle sensitive but not classified data. New for the SA4000 software is Secure Access ICE, or In Case of Emergency, licensing.

The SA4000 configured for 1,000 users costs $59,995, a price that is nearly identical to that of competing SSL VPN appliances. An $18,000 ICE license allows a temporary increase in the number of remote access users who can come in over the SA4000, for a period of up to eight weeks.

In eWEEK Labs tests, the SA4000 matched competitors such as F5s FirePass 4100 and Aventails EX-2500 in ease and breadth of configuration. Meanwhile, the SA4000s level of remote access granularity was the best weve seen this year. (For eWeek Labs reviews of the FirePass and Aventail SSL VPNs, go to "FirePass 4100" and "Aventail EX-2500," respectively, at eweek.com.)

The Juniper SA4000 fits easily in spaces where more traditional IP Security solutions would be a tough sell: Unlike its more complex IPSec cousins, the SA4000 offers the kind of ease of use that is necessary for client systems that are not under the direct control of IT, such as systems used at business partners or suppliers. The SA4000 also will work well for IT managers who want to be able to provide granular access to road warriors using centralized policies. (For the Labs analysis of SSL VPNs increasing role in the enterprise, go to "SSL VPNs offer more control to IT managers" at eweek.com.)

Click here to read a review of FirePass 4100.

We began our testing of the Juniper SSL VPN by installing the 1U (1.75-inch), rack-mountable SA4000 in our wiring cabinet in "one-arm" mode. We assigned an IP address from our internal network to the SA4000 and used our firewall to port-forward SSL connections to the device.

The SA4000 offers a wide variety of user authentication and authorization choices. We integrated the VPN with our Microsoft Windows AD (Active Directory) running on a Windows Server 2003 Standard server. (While the AD server was running on a physical server, most of the other servers in our testbed were running on virtual machines courtesy of VMware.)

We had no problems connecting outside clients with our internal systems. The outside clients were all laptops running Windows XP and a variety of browsers (including Microsofts Internet Explorer 6.0 and the Mozilla Foundations Firefox

But this isnt to say that there werent some hiccups along the way.

For one thing, while SSL VPN appliance vendors make much of their products "clientless" nature, it turns out that sophisticated, secure access to applications, network file shares and other network resources requires that some client software be downloaded to the Web browser. The SA4000 is no exception.

The other bump in the road appeared during the proc-ess of creating policies for enabling user access to network resources.

During eWeek Labs tests of the SA4000, we created user groups that matched the organizations we already had set up in AD. For example, we set up editorial, sales, operations and facilities groups.

We made Web-enabled applications, such as our Microsoft Exchange Server system, available by creating resource profiles. The resource profiles specify the exact resource—such as a network file share or Web application—as well as the allowed users of that resource. We found that creating the resource profiles was the easy part of the process; it was the user management that was a little tough.

Click here to read a review of Aventail EX-2500.

As with other SSL VPN systems that weve recently tested, IT managers should devote a significant amount of time to setting up user access profiles, called "user roles" in the SA4000. This is especially true if the new ICE licensing is going to be used to accommodate large numbers of users in emergency conditions, when time will likely be in short supply to review user access rights. The nice thing about SSL VPNs in general and the SA4000 in particular is that resources are excluded unless specifically added by the administrator. In addition, the time devoted to creating these policies will pay off in reduced support costs.

In addition to defining end-user roles, we were able to set up restricted administrators of the SA4000 system. However, the SA4000 is more limited in this area than competitors, allowing administrators only to be either fully entitled or read-only. This paints administrators with far too broad a brush, and administrative access will thus need to be limited to a few trusted, well-trained operators. We would prefer to see more options so that the burden of granting and revoking user access can be spread more evenly.

Next page: Evaluation Shortlist: Related Products.


Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel