February 18, 2005
$9,495 US / $10,445 US in EMEA for 25 users
- Ease of Use:
- Value for Money:
- Overall Rating:
Easy installation and configuration, good hardware specification, powerful security measures, client scanning capabilities.
More costly to implement than IPsec VPNs.
A very powerful SSL VPN solution offering an impressive range of network access controls and minimal client configuration.
The battle for secure remote access to the corporate network is dominated by two contenders – in one corner are IPsec VPNs and in the other SSL VPNs. IPsec VPNs are frequently included with general-purpose security appliances and so are relatively cheap to implement. But they can be complex to operate and this is where SSL VPNs win out; a key feature is the minimal client configuration – users simply connect via a standard web browser.
Aventail moved into the SSL VPN market two years ago and now offers a pair of appliances. The EX-1500 on review is aimed firmly at enterprises and supports up to 1,000 concurrent connections.
In hardware terms, the EX-1500 does not disappoint. It is built around a good-quality Intel rack server package comprising an SR-1300 chassis and SE7501WV2 server motherboard. Processing is handled by a single 2.4GHz Xeon module, partnered by 1GB of PC2100 memory. You also get a fast Ultra320 SCSI storage sub-system and a triplet of Intel Gigabit Ethernet ports.
Aventail's well-designed administrative browser interface is simple enough to use and provides easy access to functions including configuring commercial or self-signed certificates, encryption methods and network parameters.
The EX-1500 determines how users are authenticated and the type of access they are allowed via realms. Each realm requires an authentication server; during testing, we used a Windows Server 2003 domain controller, which worked fine with the appliance. Adding users simply required us to use the search facility from the web interface, select our Active Directory users and groups and import them into our realm.
You can use multiple realms, in which case users will be asked to select one from the client interface before logging on. Administrators can also hide realms so that only users with prior knowledge of the realm names can log on to them.
All resources that are to be made available to clients must be first declared to the appliance as network objects. These can be anything from a web URL, IP address range or domain. You need to provide a full UNC path if you want to offer shared files or folders on a server. The EX-1500 requires specific application profiles when you declare resources, but it can pass a user's details directly to an application via a single sign-on feature.
Alternatively, administrators can use static credentials that pass on the same details to an application for all users. The EX-1500 also requires access control rules to be set up for each user or group – the appliance defaults to denying access to all declared resources.
The EX-1500 runs Aventail's latest ASAP 8.0 operating system, a key feature of which is Smart Access. This determines the most secure access method for the user by scanning the user's system and checking for specific software components or applications. If the user is within a secure environment, Smart Access will permit basic web browser access. If a user is logging on via a Pocket PC, for example, then Smart Access will prompt the download of Aventail's lightweight OnDemand Java agent to use instead. In even less secure environments, the Aventail Secure Desktop can be used.
The Aventail VPN uses End Point Controls to check security requirements are being met before it will allow access. System administrators can create device profiles containing attributes such as personal anti-virus or firewall software, specific applications, a directory or file or even a registry key. When it has authenticated a user, the appliance scans the user's system to determine whether the user is allowed simple web browser access or requires an agent to be deployed.
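The default-deny access rules and the device-profile check described above can be modelled in a few lines. This is an added sketch, not Aventail's code or configuration format: the profile names, scan attribute strings, network objects and address ranges are constructed, and letting a rule restrict which access methods it accepts is an assumption of the sketch.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class DeviceProfile:
    name: str
    required: frozenset      # attributes the endpoint scan must report
    access_method: str       # method granted when the profile matches

# Constructed profiles, most trusted first (hypothetical attribute names).
PROFILES = [
    DeviceProfile("managed-pc",
                  frozenset({"antivirus", "personal_firewall", "regkey:corp_asset"}),
                  "browser"),
    DeviceProfile("handheld", frozenset({"os:pocketpc"}), "ondemand_agent"),
]
FALLBACK_METHOD = "secure_desktop"   # least trusted environment

def select_access_method(scan):
    """Return the access method of the first profile the scan satisfies."""
    for profile in PROFILES:
        if profile.required <= scan:
            return profile.access_method
    return FALLBACK_METHOD

@dataclass(frozen=True)
class Rule:
    group: str
    resource: str            # name of a declared network object
    methods: frozenset       # access methods this rule accepts (assumption)

# Declared network objects and access rules (constructed sample data).
RESOURCES = {"intranet": ip_network("10.1.0.0/24"),
             "finance": ip_network("10.2.0.16/28")}
ALL_METHODS = frozenset({"browser", "ondemand_agent", "secure_desktop"})
RULES = [Rule("staff", "intranet", ALL_METHODS),
         Rule("finance", "finance", frozenset({"browser"}))]

def is_allowed(groups, scan, dest):
    """Permit only when an explicit rule matches; everything else is denied."""
    method = select_access_method(scan)
    addr = ip_address(dest)
    for rule in RULES:
        if (rule.group in groups and addr in RESOURCES[rule.resource]
                and method in rule.methods):
            return True
    return False             # default deny, including undeclared destinations
```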
For standard browser access, users will find Aventail's ASAP Workplace simple to use and administrators can provide shortcuts to all permitted resources. If required, the OnDemand component can be fired up from within Workplace, while closing it will automatically log you out of any active applications.
Using the Connect utility requires a little more work because this must be installed on a user's system before a connection is made. However, we found this simple enough because Aventail provides plenty of assistance.
Another handy feature is Cache Control, with its time-out function that closes inactive connections after a certain time. It can also clean out locally-stored temporary files, history, cookies and passwords.
While it's true that the initial outlay for SSL VPNs is higher, we have always found them a lot easier to set up and manage than most IPsec VPN solutions. Aventail's EX-1500 is a fine example of SSL technology and it brings into play an impressive range of new security features that make SSL VPNs even more versatile and desirable in the enterprise.