Price: Starts at $40,000
Array Networks' Array SPX5000 SSL VPN packs enterprise-class security and performance into a beefy appliance that takes up three slots of real estate in the rack. It carries an enterprise price tag, but features numerous security functions and the horsepower to support 64,000 concurrent users and 100,000 SSL sessions.
Beyond the SSL VPN features commonly found in competitive products--such as access control, cache cleaning, endpoint security and layer 3 VPN support for IPSec traffic--SPX5000 (we reviewed software v7.3) offers firewall and filtering capabilities. Administrators can create permit/deny rules for TCP, UDP and ICMP packets, and leverage the appliance's passive and active URL filtering.
SPX5000 supports 250 VLANs and up to 128 separate secured or shared virtual portals, and is enabled with full or split tunneling to facilitate IPSec. Security managers can delegate administrative rights to individual VLANs and portals.
This is a rich but complex feature set. To take full advantage of all SPX5000 has to offer requires a broad and deep understanding of networking protocols, architectures and the enterprise resources the box will broker.
Integration of firewall and content filtering services, access control, integrated policy configuration and management, and virtualized services--combined with the intricacies of client/server and legacy applications and file services--requires in-depth technical knowledge.
Fortunately, management is a strong point. Both Web and command-line interfaces are well-designed and easy to use, and the detailed documentation is excellent. A quick-start wizard walked us through creating our first basic virtual portal. Other management options include SSH or serial command-line interface, SNMP, XML-RPC and third-party integration with Hewlett-Packard's OpenView and Microsoft Operations Manager.
We encountered no major issues creating multiple virtual sites mimicking a large enterprise environment, including portals dedicated to wireless access, mobile users and customers. Elements of virtual sites--including SSL settings, virtual portals, authentication, authorization and accounting, or auditing (referred to as AAA), file sharing, VPN and client security--were enabled through drop-down menus and check boxes.
Endpoint security, an essential part of SSL VPN-based application access, is provided via support for Sygate's (recently acquired by Symantec) On-Demand and Secure Desktop products.
were satisfied with the client/server applications' performance, using both Java and ActiveX clients; we also performed various file access functions from remote workstations.
The Web-based GUI provides real-time and historical reporting, including the number of active sessions and unsuccessful, successful and denied logins. In addition, SPX5000 supports syslog. HTTP-logging can be delivered via Squid, Common and Combined formats. Alerts can be sent via e-mail when predetermined strings appear in a log entry (e.g., DoS attacks, unauthorized users).
SPX5000 requires a significant investment in expertise and resources, but large, complex organizations will find the cost and effort pays off with robust, secure remote access control.
This product review originally appeared in the December 2005 issue of Information Security magazine.