Price: Starts at $9,995
Aventail's EX-1500 SSL VPN combines secure remote access to any network application or resource with the enterprise-class muscle of load balancing and high availability, supporting up to 1,000 concurrent connections.
Aventail boasts that the EX-1500 is all the VPN your organization will need, combining the strong suits from the IPSec and SSL worlds through its patented Smart Tunneling technology.
Smart Tunneling provides a network-layer connection for robust and secure transport, then moves up the stack to bring more granular policy and access control not only to HTTP and Web-based e-mail apps, but also to client/server TCP apps such as MS Exchange. It also supports videoconferencing, streaming media, VoIP, Active FTP, remote-control apps and others.
Smart Tunneling's virtual client IP addressing offers full bidirectional control, which alleviates the NAT traversal issues commonly encountered with IPSec clients behind firewalls.
The EX-1500 appliance has an intuitive Web-based console that supports both Internet Explorer and Firefox; the device can also be managed via SSH or serial connection. Enterprises will enjoy the flexibility of authentication and authorization, including server- or client-side digital certificates and passwords, and support for RSA SecurID, Active Directory, LDAP and RADIUS.
The tabbed management environment lets administrators easily set up and manage resources, which are defined as network objects and can include applications, URLs, IP address ranges, domains and drive mappings.
The only downside to the management console is that the controls are so granular that many of them are hidden under "Advanced" menus and can easily be missed by those unfamiliar with the extent of the available options.
There's a lot of substance behind that interface, with flexible groupings and policy settings, and well-planned security capabilities.
The EX-1500 defines levels of access to resources and methods for authentication in terms of realms, which are based on individual authentication servers--if you have multiple authentication servers, you will have multiple realms. For example, one realm may be a RADIUS server using token-based authentication, and another could be AD using username/password.
Within realms, user communities are defined to determine levels of authorization and to enforce access based on security policy, either through integration with third-party endpoint security providers, or through a clientless technique for those devices without agent-based security.
The clientless method supports multiple zones of trust based on the remote device's level of risk.
In our lab, we set up separate zones for trusted and untrusted devices. At logon, the EX-1500 attempts to match "fingerprints" (applications such as personal firewalls, AV software or registry keys) to those defined by policy. Our Palm device and public PC were denied access to critical Web apps and file shares because they didn't have the requisite security apps.
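The realm, community and zone model described above can be made concrete with a small policy evaluator. The following is an added illustration written for this page, not Aventail's software or its configuration syntax; the realm name, fingerprint names, resources, group names and device postures are all constructed for the demonstration. It shows the two checks a resource decision depends on (the user's community, derived from directory groups within a realm, and the device's zone, derived from matching endpoint fingerprints) and that a device matching no zone falls into the untrusted zone by default, which is what denies the Palm and the public PC access to the critical apps and file shares.

```python
"""Illustrative model of the realm -> community -> zone -> resource decision
the review describes. Added example, not Aventail's code or config syntax;
every realm, fingerprint, resource and device below is constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Fingerprint:
    """One endpoint check: a running application ("app") or a registry key."""
    kind: str
    name: str


@dataclass(frozen=True)
class Posture:
    """What the endpoint reports at logon (constructed input, not a real agent)."""
    running_apps: frozenset
    registry_keys: frozenset

    def has(self, fp: Fingerprint) -> bool:
        pool = {"app": self.running_apps, "registry": self.registry_keys}
        return fp.name in pool.get(fp.kind, frozenset())  # unknown kinds never match: fail closed


@dataclass(frozen=True)
class Zone:
    name: str
    required: frozenset  # every fingerprint must match to land in this zone


@dataclass
class Realm:
    """One authentication server per realm, as the review describes."""
    name: str
    auth_server: str
    communities: dict   # community name -> directory groups that map into it
    zones: tuple        # checked in order, most trusted first
    fallback_zone: str = "untrusted"


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_communities: frozenset
    allowed_zones: frozenset


def classify_zone(realm: Realm, posture: Posture) -> str:
    """First zone whose fingerprints all match wins; a device matching no zone
    (a PDA, a kiosk PC with no agent) falls to the fallback zone."""
    for zone in realm.zones:
        if all(posture.has(fp) for fp in zone.required):
            return zone.name
    return realm.fallback_zone


def communities_for(realm: Realm, user_groups: frozenset) -> frozenset:
    return frozenset(c for c, groups in realm.communities.items() if groups & user_groups)


def authorize(realm: Realm, user_groups: frozenset, posture: Posture, resource: Resource) -> bool:
    """Who you are (community) and what you connect from (zone) must BOTH be
    permitted; failing either check denies the resource."""
    zone = classify_zone(realm, posture)
    comms = communities_for(realm, user_groups)
    return bool(comms & resource.allowed_communities) and zone in resource.allowed_zones


# --- constructed sample policy (hypothetical names) -----------------------
FW = Fingerprint("app", "personal_firewall.exe")
AV = Fingerprint("app", "antivirus.exe")
AV_KEY = Fingerprint("registry", r"HKLM\SOFTWARE\ExampleAV\Installed")

CORP_AD = Realm(
    name="corp-ad", auth_server="active-directory",
    communities={"employees": frozenset({"Domain Users"}), "contractors": frozenset({"Vendors"})},
    zones=(Zone("trusted", frozenset({FW, AV, AV_KEY})),),
)
EXCHANGE = Resource("exchange", frozenset({"employees"}), frozenset({"trusted"}))
FILE_SHARES = Resource("file-shares", frozenset({"employees"}), frozenset({"trusted"}))
WEBMAIL = Resource("webmail", frozenset({"employees", "contractors"}), frozenset({"trusted", "untrusted"}))

MANAGED_LAPTOP = Posture(frozenset({"personal_firewall.exe", "antivirus.exe", "outlook.exe"}),
                         frozenset({r"HKLM\SOFTWARE\ExampleAV\Installed"}))
PUBLIC_PC = Posture(frozenset({"iexplore.exe"}), frozenset())
PALM = Posture(frozenset(), frozenset())  # no agent at all, reports nothing
EMPLOYEE = frozenset({"Domain Users"})
VENDOR = frozenset({"Vendors"})


def decisions() -> dict:
    """Access matrix for the constructed users, devices and resources."""
    return {
        ("employee", "laptop", "exchange"): authorize(CORP_AD, EMPLOYEE, MANAGED_LAPTOP, EXCHANGE),
        ("employee", "public-pc", "file-shares"): authorize(CORP_AD, EMPLOYEE, PUBLIC_PC, FILE_SHARES),
        ("employee", "public-pc", "webmail"): authorize(CORP_AD, EMPLOYEE, PUBLIC_PC, WEBMAIL),
        ("employee", "palm", "exchange"): authorize(CORP_AD, EMPLOYEE, PALM, EXCHANGE),
        ("vendor", "laptop", "exchange"): authorize(CORP_AD, VENDOR, MANAGED_LAPTOP, EXCHANGE),
        ("vendor", "laptop", "webmail"): authorize(CORP_AD, VENDOR, MANAGED_LAPTOP, WEBMAIL),
    }


if __name__ == "__main__":
    for key, allowed in decisions().items():
        print(*key, "ALLOW" if allowed else "DENY")
```

The design choice worth noting is the ordering: zone classification runs before any resource is considered, and a device that matches no zone is never left "unclassified" but is placed in the untrusted zone, so a resource only reachable from the trusted zone is denied without any per-resource special casing.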
The EX-1500 features robust monitoring, logging and reporting. Performance and event alarms can be monitored through the console and SNMP. Crystal Reports is supported, in addition to Aventail's packaged templates for auditing, technical and management reporting.
Despite a fairly steep price, the EX-1500 deserves serious consideration as a replacement to IPSec, and a space in the enterprise security appliance rack, thanks to its robust security features, application support and easy administration.
This product review originally appeared in the September 2005 issue of Information Security magazine.