SSL VPNs Start Making Sense

SSL-based VPNs have flexibility and control, but they may not be ready to supplant IPSec for remote access.

eWEEK Labs tests of four SSL-based VPNs showed the technology is a sensible alternative to IPSec for securing remote access to enterprise resources and data.

With Secure Sockets Layer-based VPNs, remote workers can easily and securely access critical enterprise applications, often using only a Java- or Active X-enabled Web browser. IP Security VPNs, in contrast, force administrators to install and maintain client software on every remote users machine, incurring significant ongoing maintenance costs.

SSL VPNs also provide administrators with better and more granular controls, as well as comprehensive insight into usage patterns. Because SSL VPNs terminate encryption before proxying the connections to back-end services, the devices can perform packet inspection functions that allow administrators to control access to resources based on identity, destination and application type.

/zimages/3/28571.gifPharmaceutical company Alexza Molecular Delivery Corp. replaced its IPSec VPN with an SSL-based VPN. Click here to read the full story.

However, SSL VPNs will not fully supplant IPSec-based VPNs for remote access—at least not in the short term. IPSec VPNs may be a better fit for applications that utilize multiple dynamic ports or that require an IP address on the local subnet. (SSL VPN vendors are working feverishly to add support for these capabilities in their products.)

There was a brief consolidation in the SSL VPN marketplace last year, but the number of available products —from both well-established and little-known vendors—has multiplied in the last few months.

Stepping up to provide oversight and compliance testing of these products is ICSA Labs, an independent division of TruSecure Corp. that is known for its certification of anti-virus, firewall and IPSec VPN devices. ICSA Labs announced late last month the results of its first round of SSL VPN certification tests.

Two of the products we review here, Juniper Networks Inc.s NetScreen-SA3000 and NetScaler Inc.s 9400 Secure Application Switch, have been granted ICSA certification. We also reviewed Symantec Corp.s Clientless VPN Gateway 4420 and AEP Systems SureWare A-Gate AG-600.

/zimages/3/28571.gifClick here to find out how we tested the appliances.

To reflect an enterprise customers high-availability needs, each vendor sent us a clustered pair of devices. We were pleased to see that all the vendors provided this clustered option, but we found significant differences in the amount of labor needed to keep the clusters updated and intact.

Each product capably integrated with RADIUS (Remote Authentication Dial-In User Service) and Active Directory (via LDAP) authentication servers, and each was able to leverage existing group information as the basis for access policies to specific resources. We found subtle differences in the granularity of control over these access policies, with the Juniper and NetScaler products providing leading-edge capabilities.

There was wide variation in the ways each vendor supported our test applications, and we found that administrative access on the remote machine was often still necessary. This automatically shuts out access from untrusted computers or kiosks but adds an administrative burden for trusted machines.

There also was a wide variation in support for client operating systems and browser environments.

Technical Analyst Andrew Garcia can be reached at andrew_

/zimages/3/28571.gifCheck out eWEEK.coms Security Center at for security news, views and analysis.
Be sure to add our security news feed to your RSS newsreader or My Yahoo page: