Secure Sockets Layer (SSL) virtual private network (VPN) products, or SSL VPNs, provide encrypted tunnels that protect the network traffic passing through them, supporting the confidentiality and integrity of communications. They are most often used to enable secure remote access for end user devices, including desktops, laptops, smartphones and tablets. Secure remote access to selected organization resources can be a critical need for a wide variety of users, including the organization's employees (using either organization-issued devices or personally owned devices under a bring your own device (BYOD) policy), contractors, business partners and vendors.
There are several ways to procure SSL VPN products. An organization can purchase a standalone appliance that functions solely for SSL VPN, or a bundled device -- such as a next-generation firewall (NGFW) or unified threat management (UTM) product -- that performs many functions, with an SSL VPN capability being just one of them. Yet another option for some organizations is to purchase their SSL VPN as a virtual appliance. Regardless of the form the SSL VPN capability comes in, its functionality and other major characteristics are basically the same.
This article focuses on evaluating dedicated SSL VPN products: standalone appliances and virtual appliances. This is not meant to imply that these are superior to bundled products. Each product, regardless of its form, needs to be evaluated on its own merits. It would be foolish for an organization to simply ignore an existing bundled SSL VPN capability just for the sake of having a dedicated SSL VPN product, without sufficient justification for making this decision. That being said, the dedicated SSL VPN products are often the same ones found bundled with others, so the evaluations presented in this article may also be relevant to organizations seeking bundled products.
This article covers the following commercial SSL VPN products: Barracuda SSL VPN, Check Point Mobile Access Software Blade, Cisco IOS SSL VPN, Dell SonicWall Secure Remote Access (SRA), Juniper Networks SA Series (now Pulse Connect Secure), and OpenVPN Access Server.
Each of these has been evaluated against a set of four criteria: VPN client software options, operating system (OS) support, simultaneous user support and network access control. Organizations considering the acquisition of an SSL VPN product should use these criteria as one part of their overall product evaluation process. Each organization has unique characteristics that need to be taken into account, so the findings of this article should not be considered comprehensive or exhaustive; they are one piece of a larger puzzle.
Criterion #1: VPN client software options
As discussed in the previous SSL VPN article, there are four approaches to SSL VPN client software:
- Clientless (relies solely on the web browser, no software installation)
- Browser plug-in (Java applet or ActiveX control run within the browser)
- Standalone executable for desktop and laptop OSs
- Mobile app for smartphones and tablets
The table below shows the major differences between these four approaches in terms of relative client deployment effort, resource access, client device support and network access control support. There is no "best" client approach; each involves significant tradeoffs. For example, a clientless approach involves no deployment effort, but it also gives access to the fewest resources. The browser plug-in and standalone executable approaches won't work for mobile devices. And not all of the approaches offer network access control capabilities.
Table 1: Four approaches to SSL VPN client software

| | Clientless | Browser plug-in | Standalone executable | Mobile app |
|---|---|---|---|---|
| Client deployment effort | None | Minor | Major | Major |
| Resource access | Websites and web-based applications | Virtually all | Virtually all | Virtually all |
| Client device support | All | Most desktops and laptops (needs supported browser) | Major desktop and laptop OSs | Major mobile OSs |
| Network access control | No | Yes (may be limited) | Yes | Yes |
So in the end, what most organizations should be looking for is the approach or combination of approaches that meets their full set of requirements. All of the products support multiple approaches, as shown in the table below; however, it is unlikely that a single organization will require support for all four.
Table 2: The client approaches supported by the top SSL VPN products

| | Clientless | Browser plug-in | Standalone executable | Mobile app |
|---|---|---|---|---|
| Barracuda SSL VPN | Yes | Yes | No | No |
| Check Point Mobile Access Software Blade | Yes | Yes | No | Yes |
| Cisco IOS SSL VPN | No | Yes | Yes | No |
| Dell SonicWall Secure Remote Access (SRA) | Yes | Yes | Yes | Yes |
| Juniper Networks SA Series | Yes | Yes | No | No |
| OpenVPN Access Server | No | No | Yes | Yes |
Criterion #2: VPN client OS support
The third and fourth SSL VPN client approaches discussed above -- the standalone executable and the mobile app -- can be referred to as "heavy" because they require installation of full-fledged software (as opposed to a lightweight browser plug-in). This software is necessarily OS specific, so organizations need to carefully consider which OSs they need the SSL VPN clients to support. Remember that the clientless approach works regardless of OS, and the browser plug-in approach works on any OS that runs a supported browser. With the exception of OpenVPN Access Server, each product covered in this article supports the clientless or the browser plug-in approach.
So, when evaluating SSL VPN products, don't look only at which OSs a product's client software supports. There may be "light" options (clientless or browser plug-in) available that truly do support virtually any OS. However, these light options may also offer reduced access to resources -- particularly the clientless approach -- and some lack network access control, increasing the likelihood of misconfigured, compromised or otherwise undesirable devices being able to connect to the organization's resources.
Assuming that an organization wants to use a "heavy" client-based approach, the first and obvious step in evaluation is cataloging which desktop/laptop OSs and mobile OSs need to be supported. This may prove difficult, especially if the organization allows the use of BYOD or if the organization allows contractors, business partners, vendors and others outside the organization to use remote access.
The table below shows OS support provided by the heavy clients. Of the products supporting heavy clients, the Dell SonicWall SRA and OpenVPN Access Server products support the greatest variety of OSs. Ultimately, however, the heavy clients provided by any product are not going to be able to support every version of every OS that might be used. So carefully consider using a heavy client for the most common versions and a light client for less common OSs.
Table 3: OS support by the top SSL VPNs' "heavy" clients

| | Standalone executable | Mobile app |
|---|---|---|
| Barracuda SSL VPN | N/A | N/A |
| Check Point Mobile Access Software Blade | N/A | iOS, Android |
| Cisco IOS SSL VPN | Windows | N/A |
| Dell SonicWall Secure Remote Access (SRA) | Windows, Mac OS X, Linux | iOS, Android, Windows 8.1, Kindle Fire |
| Juniper Networks SA Series | N/A | N/A |
| OpenVPN Access Server | Windows, Mac OS X, Linux | iOS, Android |
Criterion #3: Support for simultaneous users
Licensing for commercial SSL VPN products is typically based on the number of simultaneous users of the VPN. There are exceptions to this, such as virtual appliances that may offer unlimited scalability, but generally it is true. Some commercial products only support a flat number of users, while others have the hardware capacity to support a larger number of users but allow organizations to purchase a smaller number of simultaneous user licenses.
Some vendors offer several models of SSL VPN appliances. For example, the Barracuda SSL VPN is available in six hardware appliance models supporting between 15 and 1000 simultaneous users, and four virtual appliance models supporting between 15 and 500 simultaneous users. Similarly, the Cisco IOS SSL VPN, which is geared toward small organizations, provides support for 10 to 200 simultaneous users on a variety of hardware platforms.
For midsize to large organizations, the Juniper Networks SA Series (which was spun off to Pulse Secure and renamed Pulse Connect Secure) offers three models of appliances handling up to 10,000 concurrent users, as well as a virtual appliance that can support an unlimited number. The Dell SonicWall SRA has three hardware appliance models that support between 25 and 20,000 concurrent users, and a virtual appliance that can support up to 5,000.
In addition to these licensing schemes, some products, such as the Juniper Networks SA Series, offer surge licensing, meaning that the number of simultaneous users can be increased temporarily under emergency conditions; for example, for a week during a natural disaster. Surge licenses can typically be purchased and provisioned immediately, which makes them a useful aid for disaster recovery and contingency planning -- assuming that the SSL VPN hardware is robust enough to support that many simultaneous users.
The OpenVPN Access Server follows a significantly different licensing model than the other products in this article. There is no hardware appliance available; all OpenVPN Access Server deployments are virtual. The server software can be downloaded for free, but organizations must pay an annual licensing fee for each simultaneous user, with a minimum purchase of 10 user licenses. As of this writing, it's possible to purchase a 10-user concurrent license for under $100 per year. On the other hand, there does not appear to be a maximum limit on concurrent users, although the hardware the server is deployed on will effectively limit simultaneous usage at some point.
In general, there is no right answer as to which of these licensing models is best for a specific organization. Smaller ones may be interested in nearly any of the offerings, while larger organizations would likely tend toward products that scale to very large user populations, such as Dell SonicWall SRA, the Juniper Networks SA Series and OpenVPN Access Server.
Criterion #4: Network access control
A final criterion for SSL VPN product evaluation is support for network access control. This refers to a wide variety of features that involve checking the characteristics of the client device to confirm compliance with the organization's security policies. Examples include verifying the presence of current antivirus software and authenticating a client-side digital certificate.
Most products -- even those with only light clients, such as Barracuda SSL VPN -- do provide at least some support for network access control. Vendors are generally reluctant to detail exactly how their network access control features work, and those features are likely to operate quite differently on different OSs. So it is recommended as part of any evaluation to first identify the relevant desktop/laptop and mobile OS versions, then consult with the vendor to see which network access control features -- system health checks -- the product supports on each platform.
An example of robust network access control support is the Dell SonicWall SRA product. It can verify whether mobile devices have been jailbroken or rooted, check whether various security controls have been installed and configured properly, and examine client certificates and device identifiers to ensure that the device itself is authorized for enterprise remote access. Other products that advertise network access control support include Cisco IOS SSL VPN and the Juniper Networks SA Series.
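As an added illustration of the kind of policy logic these system health checks feed into, the following Python script evaluates constructed posture reports against a simple server-side policy. It is example code written for this article, not any vendor's implementation. The report field names, the antivirus signature age threshold, the supported-OS table, the enrolled-device certificate fingerprints and the sample reports are all assumptions made for the example.

```python
"""Added example: a server-side posture policy of the kind an SSL VPN's
network access control feature applies. Written for this article; it is
not any vendor's implementation. Field names, thresholds, the supported-OS
table and the enrolled-device fingerprints are assumptions."""
from dataclasses import dataclass, field
from datetime import date

MAX_AV_SIGNATURE_AGE_DAYS = 7          # assumed policy threshold
SUPPORTED_OS = {                       # assumed supported versions
    "windows": {"10", "11"},
    "macos": {"13", "14"},
    "ios": {"17"},
    "android": {"14"},
}
# Enrolled devices keyed by the SHA-256 fingerprint of their client
# certificate. Constructed sample values, not real certificates.
LAPTOP_CERT = "b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2"
PHONE_CERT = "0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0"
ENROLLED_DEVICES = {LAPTOP_CERT: "laptop-0042", PHONE_CERT: "phone-0007"}


@dataclass
class Decision:
    access: str                       # "full", "web_only" or "deny"
    reasons: list = field(default_factory=list)


def evaluate_posture(report, today):
    """Decide what one session may reach.

    `report` is the attribute set a heavy client or browser plug-in sends
    after the user authenticates. None means a clientless (browser-only)
    session, which cannot be posture-checked at all.
    """
    if report is None:
        # No agent, no data: allow only what a clientless session can use.
        return Decision("web_only", ["clientless session: no posture data"])

    # Hard failures refuse the session outright. In a real product the
    # certificate fingerprint comes from the TLS handshake, not from the
    # client's own report.
    fingerprint = report.get("client_cert_sha256")
    if fingerprint not in ENROLLED_DEVICES:
        return Decision("deny", ["client certificate is not enrolled"])
    if report.get("rooted"):
        return Decision("deny", ["device is jailbroken or rooted"])

    # Soft failures downgrade the session to web-only access.
    reasons = []
    os_name, os_version = report.get("os"), str(report.get("os_version"))
    if os_version not in SUPPORTED_OS.get(os_name, set()):
        reasons.append(f"unsupported OS {os_name} {os_version}")
    if not report.get("antivirus_installed"):
        reasons.append("no antivirus installed")
    else:
        age = (today - date.fromisoformat(report["av_signatures_date"])).days
        if age > MAX_AV_SIGNATURE_AGE_DAYS:
            reasons.append(f"antivirus signatures {age} days old")
    if not report.get("disk_encrypted"):
        reasons.append("disk encryption off")

    if reasons:
        return Decision("web_only", reasons)
    return Decision("full", [f"device {ENROLLED_DEVICES[fingerprint]} compliant"])


# Constructed sample reports, as a posture agent might submit them.
TODAY = date(2024, 5, 20)
SAMPLE_REPORTS = {
    "compliant_laptop": {"client_cert_sha256": LAPTOP_CERT, "os": "windows",
                         "os_version": "11", "rooted": False,
                         "antivirus_installed": True,
                         "av_signatures_date": "2024-05-18", "disk_encrypted": True},
    "stale_av_laptop": {"client_cert_sha256": LAPTOP_CERT, "os": "macos",
                        "os_version": "14", "rooted": False,
                        "antivirus_installed": True,
                        "av_signatures_date": "2024-05-01", "disk_encrypted": True},
    "rooted_phone": {"client_cert_sha256": PHONE_CERT, "os": "android",
                     "os_version": "14", "rooted": True,
                     "antivirus_installed": True,
                     "av_signatures_date": "2024-05-19", "disk_encrypted": True},
    "unenrolled_device": {"client_cert_sha256": "deadbeef" * 8, "os": "windows",
                          "os_version": "11", "rooted": False,
                          "antivirus_installed": True,
                          "av_signatures_date": "2024-05-19", "disk_encrypted": True},
    "clientless": None,
}


def evaluate_samples():
    """Map each sample session to its access tier."""
    return {name: evaluate_posture(r, TODAY).access
            for name, r in SAMPLE_REPORTS.items()}


if __name__ == "__main__":
    for name, rep in SAMPLE_REPORTS.items():
        d = evaluate_posture(rep, TODAY)
        print(f"{name:18s} {d.access:9s} {'; '.join(d.reasons)}")
```

Two points of the design are worth noting. Everything in the report except the client certificate is self-reported by the endpoint: the certificate ties the session to an enrolled device, but a compromised device can still misreport its antivirus state, which is why the vendor's platform-specific agent, and how it behaves on each OS, matters in the evaluation described above. The clientless branch also makes the Table 1 tradeoff concrete: with no posture data at all, the safest policy is to restrict the session to the web resources a clientless session is limited to anyway.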
There is no clear frontrunner among the SSL VPNs covered in this article. So much is dependent on an individual entity's needs in terms of client software support and OS support, simultaneous user licensing, and network access control.
For example, an enterprise that allows BYOD may determine that it absolutely needs network access control to enforce a baseline of security among its remote access clients. In that case, it might favor products such as Dell SonicWall SRA and the Juniper Networks SA Series that offer particularly rigorous network access control. Meanwhile, an organization that does not allow BYOD may find network access control superfluous for its devices.
For smaller companies, all of these products offer some sort of acceptable solution. The Cisco IOS SSL VPN is best suited for organizations that already have another security product in place for their mobile devices; for example, a mobile device management system. The Check Point Mobile Access Software Blade is appropriate for those already having Check Point security products deployed. Other products are well suited for a wider variety of small and medium sized organizations because of the resource access they grant, the range of client devices they support and their ability to provide network access features.
For larger entities (thousands of concurrent users), definitely consider the Dell SonicWall SRA and the Juniper Networks SA Series, with the Check Point Mobile Access Software Blade and the OpenVPN Access Server following close behind.