This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
But reality is quite different. In fact, many corporate IT departments that start down the SSL VPN path because of its minimal client requirements discover that the requirements aren't so minimal, especially when a heterogeneous network of client operating systems and browsers must be supported. SSL VPN products still require a great deal of administration, configuration and support, as was evident in Information Security's extensive tests of five leading products.
We tested four hardware solutions: Aventail's ST EX-2500, Cisco Systems' ASA 5540, F5 Networks' FirePass 4100 and Juniper Networks' Secure Access (SA) 6000 SP; and one software product, Check Point Software Technologies' Connectra NGX R61 (Check Point also sells its product as an appliance).
About this review
Information Security invited 17 SSL VPN vendors to apply for consideration for testing, and selected the five best responses based on a combination of pre-eminence in the security market and our judgment about features and the ability to support a large, complex network such as Stanford University's network. Nokia declined to apply without giving a reason, Symantec did not submit a product because it is focusing on the UTM market, and SonicWALL passed because of its SMB focus.
We set up a test lab on the Stanford campus, using the university's production network and tapping into resources on its enterprise backbone. Stanford has an older IPSec VPN configuration and was interested in an SSL VPN gateway.
All of the VPN gateways were placed on a separate server network, along with a Windows Server 2003, a Linux server, and an RSA SecurID ACE appliance that was used for two-factor authentication with its key fobs. We also set up an Avocent DSR 1031 KVM switch that allowed us to control all of these servers via a Web browser, and was used to test the ability of each VPN to support complex Web applications.
All of these servers were placed behind a firewall that blocked all access except for client traffic arriving through one of the VPN gateways. A separate network contained four client PCs running Windows XP with SP2, Windows 2000, Windows 98 SR2 and Mac OS X v10.4, each with the latest patches and updates applied.
Each Windows client ran both IE v6.0 and Firefox v1.5 browsers. The Mac ran IE v5.2, Firefox v1.5, and Safari v2.0.3. The test lab also connected to a production Microsoft Active Directory server that was also running RADIUS and LDAP services, and an Exchange 2003 server that was configured for IMAP, POP and Outlook Web Access.
This was first published in September 2006