The most important part of any SSL VPN is how it supports users of the product. We tested Firefox and Internet Explorer browsers (and Safari on the Mac) on a variety of operating systems, as well as each product's endpoint security checking and remediation routines.
Each SSL VPN product supports Windows XP/2000 and recent versions of Internet Explorer for connecting to its gateway, and all except Aventail offered solid support for Firefox browsers.
All of the products have a network extension client for Windows and IE, but none of them have a network extension client that completely works with Windows 98 or completely supports the Mac OS. At the time of our tests in June, only Aventail had a Mac OS network extension client that worked on the newer Intel-based Macs. Aventail's Mac network extension client is a bit cumbersome in that users must authenticate twice--once in the browser, and then once in the client preferences.
Juniper had the best overall client support, including the best support for Windows 98 (provided it was running the latest version of Internet Explorer), although not every application worked completely there; the Java-based SSH client was one example.
All of the products required administrative access to the remote client machine for the initial install of their network extension client. This could be a problem for corporations that lock down their machines with restrictive logins and don't allow users to install their own software. Speaking of locking down machines, endpoint security is an increasingly critical part of client support. But this area is still very much a work in progress. Some SSL VPNs--such as Check Point--offer endpoint security as an extra-cost option, while others have partnered with a variety of suppliers to perform health assessments and remediation.
Support for antivirus products is the first, critical consideration. Both F5 and Juniper make use of the OPSWAT database of dozens of antivirus products. Cisco supports more than a dozen, while the others have more limited support.
The products offer varying degrees of control over which endpoint conditions they check, either prior to or just after login. Juniper and Check Point have the most granularity in terms of OS type and conditions, such as whether particular antivirus products, firewalls and other malware blockers are running. For example, Juniper's remediation measures include the ability to delete specific files, terminate particular processes, or run custom scripts.
Network administrators who are comfortable creating firewall rule sets will find the process of crafting endpoint security policy very similar. We particularly liked F5's nifty visual policy editor, which works like a flowchart, and adds features such as the ability to check for particular IE versions and the presence of a Google Desktop indexing engine. However, testing and deploying the right series of policies is still somewhat cumbersome because of all the choices available.
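As an added illustration (not code from the article or from any of the vendors reviewed), here is a small posture evaluator that walks endpoint checks in order, first match wins, the way the article likens these policies to firewall rule sets; the endpoint fields, thresholds, verdict names and the indexing-process name are constructed assumptions.

```python
# Added example: evaluate a constructed endpoint report against an ordered
# posture policy and return allow / sandbox / deny plus remediation steps.
from dataclasses import dataclass, field
from typing import List, Optional, Set

@dataclass
class Endpoint:
    os: str                        # "windows", "mac", ...
    av_running: bool
    av_signatures_age_days: int
    firewall_running: bool
    ie_version: Optional[int] = None
    processes: Set[str] = field(default_factory=set)

@dataclass
class Decision:
    verdict: str                   # "allow", "sandbox" or "deny"
    reason: str
    remediation: List[str] = field(default_factory=list)

# Hypothetical thresholds an administrator might choose.
MAX_SIGNATURE_AGE_DAYS = 7
MIN_IE_VERSION = 6
INDEXING_PROCESSES = {"GoogleDesktop.exe"}   # constructed name for illustration

def _check(ep: Endpoint) -> Decision:
    """Ordered rules; the first rule that matches decides, like a firewall."""
    if ep.os not in {"windows", "mac"}:
        return Decision("deny", "unsupported OS: " + ep.os)
    if not ep.av_running:
        return Decision("deny", "antivirus not running", ["start antivirus"])
    if ep.av_signatures_age_days > MAX_SIGNATURE_AGE_DAYS:
        return Decision("sandbox", "stale antivirus signatures", ["update signatures"])
    found = sorted(ep.processes & INDEXING_PROCESSES)
    if found:
        return Decision("sandbox", "desktop indexing engine present",
                        ["terminate " + p for p in found])
    if not ep.firewall_running:
        return Decision("sandbox", "host firewall off", ["enable firewall"])
    if ep.ie_version is not None and ep.ie_version < MIN_IE_VERSION:
        return Decision("deny", "IE %d below minimum %d" % (ep.ie_version, MIN_IE_VERSION))
    return Decision("allow", "all endpoint checks passed")

def evaluate(ep: Endpoint) -> Decision:
    """Apply the platform limit the article notes: sandbox mode is Windows-only."""
    d = _check(ep)
    if d.verdict == "sandbox" and ep.os != "windows":
        return Decision("deny", d.reason + " (sandbox unavailable on " + ep.os + ")",
                        d.remediation)
    return d
```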
Finally, all the vendors offer a desktop "sandbox" mode, in which a Windows user (no Mac or Linux support) can log in to a completely protected workspace that prevents users from saving files locally, and cleans up afterward, leaving behind no evidence of files or cookies. This is very useful in insecure environments, such as at an Internet café or other public computers.
Juniper has the most fine-grained control over what users can and can't do once they are inside this protected environment, such as permitting access to printers, allowing changes to the Windows Control Panel, or allowing only particular IE browsers with particular encryption key strengths.
This was first published in September 2006