SSL VPNs Start Making Sense

By Andrew Garcia  |  Posted 2004-05-10 Print this article Print

SSL-based VPNs have flexibility and control, but they may not be ready to supplant IPSec for remote access.

eWEEK Labs tests of four SSL-based VPNs showed the technology is a sensible alternative to IPSec for securing remote access to enterprise resources and data. With Secure Sockets Layer-based VPNs, remote workers can easily and securely access critical enterprise applications, often using only a Java- or Active X-enabled Web browser. IP Security VPNs, in contrast, force administrators to install and maintain client software on every remote users machine, incurring significant ongoing maintenance costs.

SSL VPNs also provide administrators with better and more granular controls, as well as comprehensive insight into usage patterns. Because SSL VPNs terminate encryption before proxying the connections to back-end services, the devices can perform packet inspection functions that allow administrators to control access to resources based on identity, destination and application type.

Pharmaceutical company Alexza Molecular Delivery Corp. replaced its IPSec VPN with an SSL-based VPN. Click here to read the full story. However, SSL VPNs will not fully supplant IPSec-based VPNs for remote access—at least not in the short term. IPSec VPNs may be a better fit for applications that utilize multiple dynamic ports or that require an IP address on the local subnet. (SSL VPN vendors are working feverishly to add support for these capabilities in their products.)

There was a brief consolidation in the SSL VPN marketplace last year, but the number of available products —from both well-established and little-known vendors—has multiplied in the last few months.

Stepping up to provide oversight and compliance testing of these products is ICSA Labs, an independent division of TruSecure Corp. that is known for its certification of anti-virus, firewall and IPSec VPN devices. ICSA Labs announced late last month the results of its first round of SSL VPN certification tests.

Two of the products we review here, Juniper Networks Inc.s NetScreen-SA3000 and NetScaler Inc.s 9400 Secure Application Switch, have been granted ICSA certification. We also reviewed Symantec Corp.s Clientless VPN Gateway 4420 and AEP Systems SureWare A-Gate AG-600.

Click here to find out how we tested the appliances. To reflect an enterprise customers high-availability needs, each vendor sent us a clustered pair of devices. We were pleased to see that all the vendors provided this clustered option, but we found significant differences in the amount of labor needed to keep the clusters updated and intact.

Each product capably integrated with RADIUS (Remote Authentication Dial-In User Service) and Active Directory (via LDAP) authentication servers, and each was able to leverage existing group information as the basis for access policies to specific resources. We found subtle differences in the granularity of control over these access policies, with the Juniper and NetScaler products providing leading-edge capabilities.

There was wide variation in the ways each vendor supported our test applications, and we found that administrative access on the remote machine was often still necessary. This automatically shuts out access from untrusted computers or kiosks but adds an administrative burden for trusted machines.

There also was a wide variation in support for client operating systems and browser environments.

  • Review: SureWare A-Gate AG-600
  • Review: NetScreen-SA3000
  • Review: 9400 Secure Application Switch
  • Review: Clientless VPN Gateway 4420 Technical Analyst Andrew Garcia can be reached at andrew_

    Check out eWEEK.coms Security Center at for security news, views and analysis.
    Be sure to add our security news feed to your RSS newsreader or My Yahoo page:  
    Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at

    Submit a Comment

    Loading Comments...
    Manage your Newsletters: Login   Register My Newsletters

    Rocket Fuel