Product Group Tests
SSL VPN (2008)
Our Best Buy goes to SSL-Explorer: Enterprise Edition for its ease of use, extremely low price and its simple migration path from the free open-source version to a full-featured commercial version.
For its solid performance, ease of use and good feature set, we rate the SonicWall SSL-VPN 2000 Recommended.
Full Group Summary
An expanding feature set combined with ease and speed of installation makes this kind of VPN an attractive proposition for large enterprises supporting remote workers. Peter Stephenson reports.
As a market grows and matures it looks for ways to secure its place in the overall market space it occupies. That certainly is true for SSL VPNs. As this category grows to find its identity in the overall network access management environment we see developers adding lots of functionality and converging with other product types while seeking the best deployment options. For example, we had one product that is at least as much firewall as it is VPN.
VPNs and firewalls as combined gateways into the network are nothing new. However, IPSec is usually the preferred choice for this type of implementation. There is a lot of discussion suggesting that IPSec is less desirable than SSL, although that is not entirely the case.
SSL VPNs have a special strength: low-cost (or no-cost) client-side implementations that use a standard protocol to communicate with web portals. In this case, the capability on the server side is almost always there by default, usually on port 443. The use of one-time, or "dissolvable", client-side agents is practical on SSL VPNs, and one of the best implementations of that technique is present in one of this month's products. IPSec client-side agents generally require more space, resources and effort to install, limiting their attractiveness for large-scale deployments.
On the other hand, IPSec VPNs make great point-to-point tunnels, often between two firewalls. These are implementations that are fewer in number but, arguably, need to be more robust since they are online 24/7 and carry far larger traffic volumes than smaller end-user deployments. They also tend to be mission-critical connections, which ad hoc end-user deployments usually are not.
So, what does that mean for our products this month? Virtually all of them terminate in some sort of portal. That portal is, to a greater or lesser degree, configurable as a convenient web entry point into the network. Access management capabilities range from internal to integration with Active Directory, Radius or similar. The trend here is a complete system on the edge of the network that can manage entry by authorised users and can be updated very rapidly and easily.
What to look for
The two key indicators that an SSL VPN might be a good option for your application are a large number (and/or volatility) of client computers and short periods of use (minutes or hours instead of days or months). If you have a lot of users such as road warriors, home office workers or customers who need to connect for session-based secure communications, you're probably a good candidate.
There is a difference between simply connecting on port 443 (HTTPS) and using an SSL VPN. SSL is its own secure protocol, quite distinct from HTTPS. As such, it is easy with today's products to tie access to an access management system such as Active Directory. This allows you to manage user access in the same way as if your users were on the network.
One area where this is becoming increasingly popular is wireless implementations. If the only way into the network over a wireless system is through an SSL VPN, you have increased security while maintaining simplicity for the end user. You are also keeping things simple for administrators, and that is the next criterion. Along with ease of deployment on the client side, good access control and ease of building a portal with policy-based access control, look for ease of management.
Especially where management of a wireless network is involved, keeping the portal simple is a huge benefit, merging the security of the VPN with various security functions on wireless LANs.
How we tested
This was a case of gauging ease of use, deployment, level of performance and how feature-rich the product was. If it was easy to deploy, easy to use, easy on the client and easy to manage, it got our attention.
We set up a test bed that represented a typical enterprise with Active Directory and some applications. We then set up the VPN portal, paying close attention to how hard it was to configure the portal and integrate it into our access management system. In some cases the portal used its own access management system. Occasionally it did both.
We were concerned about how easy it was to add and remove users as well. This is one of the great potential strengths of SSL VPNs: while not quite pervasive computing yet, they allow a rough approximation by making adding and deleting users via group rights simple and fast.
- For details on how we test and score products, visit http://www.scmagazineus.com/How-We-Test/section/114/