Caymas Systems Inc.'s Identity-Driven Access Gateways provide fine-grained access controls and hardware-accelerated encryption and packet inspection that allow IT administrators not only to simplify remote access to critical data resources but also to add identity-based access controls within the corporate network.

At their heart, the Caymas 525 and Caymas 220 IDAGs are SSL (Secure Sockets Layer) VPNs on steroids. Integrated hardware-based encryption and inspection accelerators boost the number of possible concurrent connections and improve secure throughput performance enough to warrant internal deployment.

eWEEK Labs tested the Caymas 525 and Caymas 220, each running Software Release 3.0, which shipped in July. Release 3.0 introduces the Security Zones feature, which lets administrators create differing access policy restrictions depending on where a user connects from.

We placed the Caymas 525, designed to accommodate 2,500 concurrent users, in front of our data center resources. We installed the Caymas 220, designed for 100 concurrent users, at the network perimeter. Using Security Zones, we configured a single access policy for both appliances that dictated much more stringent authentication and validation steps for remote users.

Unlike other SSL VPN vendors, such as Juniper Networks Inc. and Aventail Corp., Caymas does not muck up its pricing by layering additional licensing costs for more users or features. Instead, each appliance comes with a flat price: The Caymas 525 costs $44,995, while the Caymas 220 costs $14,995.

The IDAG appliances provide several access methods: Secure Proxy is the standard reverse proxy for Web-based applications and file shares, while Secure Tunnel provides access to other TCP or UDP (User Datagram Protocol) network resources via either Java or ActiveX-based host redirector applets. Secure Connect is a driver-level control that provides full network access for Windows-based clients. The IDAGs also offer a Web Relay feature for redirecting more complex unencrypted Web applications.

Security Zones allowed us to provide SSL VPN-based access to data center resources for internal users as well. We required internal users to provide log-in credentials to access resources in the data center, but we did not require endpoint assurance scans or encryption. This let us easily track each user's access to resources without taxing the gateway's resources for largely trusted users.

We could also deploy the Caymas appliances to isolate a public LAN segment. The Caymas gateways provide a captive portal, endpoint assurance checks and limited access rights for guest users. Software Release 3.0's new follow-me IP capability let us assign guests a static IP address via DHCP (Dynamic Host Configuration Protocol) relay. The endpoint assurance tests are powerful, but they require a lot of manual customization.
Stateful and deep-packet inspection engines control access to network services and examine allowed traffic for suspicious payloads. Used together with the integrated endpoint assurance tools, the IDAGs sanitize both network traffic and connecting hosts.