Billion BiGuard S6000
Strengths: Very good value, Gigabit ports, WAN failover and load balancing, plenty of options for securing remote access to specific resources
Weaknesses: The OTP option will probably need a dedicated system
Verdict: The S6000 offers an impressive range of SSL VPN features at a price the competition will have trouble matching
Billion is one of the few security appliance vendors that offers affordable SSL VPN for SMBs, but it now wants a piece of the enterprise action. It is making its move with two fresh BiGuard appliances. The S6000 targets medium-sized firms with 500-1,000 employees and a large remote workforce. The S3000 targets SMBs with 150-500 employees.
The S6000 looks good value, as the base price includes support for up to 50 simultaneous SSL VPN tunnels. Billion offers upgrade packs; an extra 50 tunnels costs £2,479. Performance gets a boost over smaller BiGuard appliances; the S6000 has a multi-core MIPS processor and 1GB of system memory, while all LAN and WAN ports are of the Gigabit variety.
Both the S3000 and S6000 offer a pair of Gigabit WAN ports which support load balancing and link failover. Billion offers an optional two-factor authentication solution which includes a Radius server and tokens to generate one-time passwords (OTPs).
The S6000's web interface is an improvement on the smaller models; the documentation is also more helpful. There are wizards for setting up the WAN links; they support static and dynamic addresses plus PPPoE. You get an SSL VPN wizard, but some work will need to be done first, as it only takes existing configurations and lets you add new users to them.
The S6000 uses the concept of domains, each of which has a single authentication method. There are many choices: it has an internal user database, or you can use AD, LDAP, NT domain and Radius servers. A user can be a member of only one domain, ensuring they use the appropriate authentication.
The S6000 offers three access modes for clients. Network Extender uses an ActiveX plug-in to create an encrypted tunnel to all IP-based resources. If you don't want users to have full access, use the Transport Extender to define specific protocols and ports.
The Network Place loads a basic Windows Explorer-style interface which lists systems in the same domain or workgroup. It allows network shares to be browsed, files and folders to be downloaded to the client and, if permitted, files to be uploaded to systems on the LAN. Resources are gathered together in groups, making it easier to dish out the appropriate access. You can also define specific resources using application proxies. The appliance provides a good range of these, which includes RDP, VNC, FTP, HTTP, HTTPS, CIFS and Citrix.
Access permissions can be granted at the group or user level, where you decide whether the Extender services and Network Place will be made available and which application proxies will appear in the login portal. Web cache cleanup is essential if people are using public internet services. A utility can launch at the end of a session to tidy the system up.
For testing, we gave the primary WAN port a fixed IP address and placed the appliance between our LAN and test clients. On the local network, we had a variety of Windows Server 2003 R2 systems providing web, FTP and file sharing services and we had no problems creating different application proxies for each one. We could use the Network Extender to give some people full access to all resources or use the Transport Extender to limit access.
The price for the S6000 includes a five-user OTP pack and it comes with the Authenex ASAS Radius server software preconfigured for the tokens in the box. You can add more tokens; a 10-user pack is a reasonable £281. The ASAS server is picky about its Windows host and for best results this should be dedicated.
SSL VPNs score highly over IPsec VPNs for providing mobile and remote workers with secure LAN access, as they are easy to configure and require minimal training. BiGuard S6000 is a prime example. It provides an impressive range of easily deployed security features but it costs a lot less than many enterprise-level solutions.