This article can also be found in the Premium Editorial Download "Information Security magazine: The power of SIMs for visibility and compliance."
The products were tested in a purpose-built lab on the Stanford University campus in California (See "About This Review," above), with the help of the backbone networking group that runs the main university data center and operates the major network infrastructure on campus. We analyzed and graded their capabilities (See "Making the Grade," at right) for enterprise management and control, client support, applications support, and authentication and access control.
Enterprise Management and Control
Anyone who deploys an SSL VPN will spend a lot of time in its administrative interface. Because these products touch so many different places in the network, different people will be assigned different roles in administering them, and the interface has to accommodate that division of labor. Juniper and F5 seemed to understand this situation best.
These are complex products. There are so many knobs to turn, especially with so many admins doing the turning, that it's easy to make a serious mistake. In every case, checking the wrong item on a single screen could render a working system useless. With a few misplaced mouse clicks we could destroy the work of setting up the entire endpoint security subsystem, or break our authentication connections. (One instance: Juniper's interface doesn't save changes automatically, so you must save before navigating to another menu or your changes are lost.)
All the products except Cisco's use a Web server to set up and control configuration parameters; Cisco requires its ASDM client for this purpose, which seems outdated. We examined how multiple boxes can be administered, whether administrators can see who is logged in at any given moment and kill that particular user's session, and what auditing, reporting and debugging features were available.
Cisco's administrative tools were the worst, and F5's were the best.
The biggest differentiator among the five products was the ability for multiple users with different administrative roles to manage the box concurrently. This is critical in large-scale deployments, where multiple people will be adding users, changing access policies and setting up individual portal pages.
We especially liked the ability of F5 to specify the particular menu choices each admin can use. Its Administrative Realms page offers complete granularity when it comes to assigning particular admin rights to different subsets of the overall functionality. In contrast, Check Point allows only a single administrator to log in at any given moment. Cisco also lacks the ability to assign different roles to multiple administrators.
Aventail isn't much of an improvement; it comes with three administrative templates that offer some granularity to allow multiple people to manage its software.
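To make the criterion behind these grades concrete, here is a small model of role-scoped administration. It is an added illustration written for this article, not code from Juniper, F5, Check Point, Cisco or Aventail, and the role names, configuration areas and accounts in it are hypothetical. It shows the properties the review is grading: several admins logged in concurrently with different roles, deny-by-default access to each configuration area, the ability to see who is logged in and kill a session, and an audit trail that records denied attempts as well as allowed ones.

```python
"""Illustrative model of role-scoped SSL VPN administration.

Constructed example, not code from any reviewed product. Role and area
names are hypothetical; the point is the access-control shape, not a
vendor's configuration schema.
"""
from dataclasses import dataclass, field
from itertools import count

# Configuration areas an administrator might touch (hypothetical names).
AREAS = {"users", "access_policy", "portal", "endpoint_security",
         "auth_servers", "sessions"}

# Hypothetical admin roles: each lists the areas it may modify.
# Anything not listed is denied (deny by default).
ROLES = {
    "superadmin": set(AREAS),
    "helpdesk": {"users", "sessions"},          # reset users, kill sessions
    "policy_admin": {"access_policy", "portal"},  # policies and portal pages
    "auditor": set(),                            # may log in, may change nothing
}


@dataclass
class Session:
    sid: int
    principal: str
    role: str
    kind: str  # "admin" or "user"


@dataclass
class Gateway:
    sessions: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)
    _ids: count = field(default_factory=lambda: count(1))

    def login(self, principal, role="user", kind="user"):
        """Open a session; admin logins must name a known role."""
        if kind == "admin" and role not in ROLES:
            raise ValueError(f"unknown admin role {role!r}")
        s = Session(next(self._ids), principal, role, kind)
        self.sessions[s.sid] = s
        self.audit.append(("login", principal, role, s.sid))
        return s

    def can_modify(self, sid, area):
        """True only for a live admin session whose role lists the area."""
        s = self.sessions.get(sid)
        return s is not None and s.kind == "admin" and area in ROLES[s.role]

    def modify(self, sid, area, change):
        """Apply a change if the role allows it; audit allowed and denied alike."""
        s = self.sessions[sid]
        allowed = self.can_modify(sid, area)
        self.audit.append(("modify" if allowed else "denied", s.principal, area, change))
        return allowed

    def who_is_logged_in(self):
        """What an admin sees on a 'current sessions' screen."""
        return [(s.sid, s.principal, s.kind) for s in self.sessions.values()]

    def kill_session(self, admin_sid, target_sid):
        """Terminate another session; requires rights on the 'sessions' area."""
        actor = self.sessions.get(admin_sid)
        if (actor is None or not self.can_modify(admin_sid, "sessions")
                or target_sid not in self.sessions):
            who = actor.principal if actor else None
            self.audit.append(("denied", who, "kill", target_sid))
            return False
        victim = self.sessions.pop(target_sid)
        self.audit.append(("kill", actor.principal, victim.principal, target_sid))
        return True


def demo():
    """Three admins and one VPN user on the box at once (constructed accounts)."""
    gw = Gateway()
    gw.login("alice", "superadmin", "admin")
    hd = gw.login("bob", "helpdesk", "admin")
    pol = gw.login("carol", "policy_admin", "admin")
    user = gw.login("dave")  # ordinary VPN user, not an admin
    return {
        "helpdesk_edits_auth": gw.modify(hd.sid, "auth_servers", "ldap host"),
        "policy_admin_edits_policy": gw.modify(pol.sid, "access_policy", "allow finance"),
        "user_edits_portal": gw.modify(user.sid, "portal", "logo"),
        "policy_admin_kills_user": gw.kill_session(pol.sid, user.sid),
        "helpdesk_kills_user": gw.kill_session(hd.sid, user.sid),
        "concurrent_admins": sum(1 for s in gw.sessions.values() if s.kind == "admin"),
        "denied_events": sum(1 for e in gw.audit if e[0] == "denied"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The helpdesk role can kill the user's session but cannot touch the authentication servers; the policy admin can edit access policy but cannot kill sessions; and every refusal lands in the audit log next to the successes. A product that supports only one administrator at a time, or that gives every administrator every menu, cannot express any of this.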
Layouts of administrative menus are subjective, but we found ourselves coming back to Juniper's whenever we wanted to get something done quickly. They're set up very logically for VPN management and have clear-cut menus to control Linux, Mac and Windows clients, which we found easiest to work with. We were able to handle multiple administrators easily.
The various functions and menu layouts made F5's admin interface the best of the five. It is clean and well laid out. While some of the menu choices are a bit obscure, most are displayed in a manner that makes it easy to add policies and set up your applications.
Cisco's ASDM administrative interface is so poorly designed that it presented problems even for Cisco's own support engineers, who often couldn't quickly locate the appropriate screen. ASDM nests hierarchies of menus within menus, making it easy to get lost several screens down.
Each of these products could do a better job with debugging tools, especially when it comes to setting up authentication servers (discussed later). Nevertheless, we liked F5's feature that allows an admin to log in to the gateway as a user. If something isn't working, the admin can go directly into the configuration console to make changes without having to log in with a separate browser session. The other products were more cumbersome in switching between administrator and ordinary user.
Aventail has a nice initial installation routine that steps you through the process, but its administrative interface lacks the "breadcrumb" display to show the complete path you took through its sometimes convoluted menu trees, something we found useful among its competitors.
This was first published in September 2006