Building the perfect SSL VPN
- 04 January, 2006 07:00
After looking up, down, and around 11 SSL VPNs for three months, we created a list of the top features within each product to build the uber-SSL VPN. Think of it as fantasy football for extremely narrow-minded geeks.
Case: You'd start with SonicWall's case, but stick F5's faceplate on it. Compared with monstrous behemoths such as Array, SonicWall has managed to build an SSL VPN in a trim, quiet and simple container. Of course, everyone wants a spare flashlight in their machine room, so you'd definitely call up F5's hardware engineers for their faceplate. Complete with two hinges, an array of ultra-bright LEDs, and an LCD panel you never look at, it's possible that the cost of F5's front panel is higher than SonicWall's entire chassis.
Underlying operating system: It's a toss-up between Check Point and Nokia on this front. With Check Point's Secure Platform technology, all you need is its CD, a license code and a spare server, and you've got an SSL VPN device. However, it's all built on top of a very accessible Linux core, and while Check Point discourages you from fiddling with the underpinnings, at least you have the option. Nokia's IPSO platform, which is BSD-based, has a ton of features that have nothing to do with SSL VPN, ranging from full dynamic routing to IPv6. If you're willing to edit a file or two, you can run both Nokia's SSL VPN (a really good one) and Check Point's firewall (a really good one) on the same box. If you are going for a midsize deployment, that might be attractive to you.
End-point security: Although no vendor hit a home run (or even a double, for that matter) in this part of our tests, we think that any SSL VPN vendor could learn from F5's end-point security policy-development GUI. F5 also had the distinction of never failing in such a way that it blocked logins. That said, F5 is all about detection and not much about protection. Check Point's Integrity client has the chops, with a desktop firewall, host intrusion prevention and more.
Gateway security: Most SSL VPN devices don't look at the data coming through them, but Check Point does. It's perhaps Connectra's most distinguishing feature. We didn't test the built-in intrusion-prevention system (IPS) features this go around, but we've seen the Check Point technology in action in other tests, and they have a solid low-configuration, low-maintenance approach to adding IPS technology to their SSL VPN. Everyone should do as good a job as Check Point does, especially because end-point security checking works so poorly.
Virtualization: If you aren't a service provider, you won't appreciate the great job Array did virtualizing everything about its system. Array may not know how to design a GUI, but it does understand how to make stacks of boxes behave together.
Management: No one box takes the cake in the management sweepstakes. However, we can take pieces from each one and make a pretty good whole. We'd start with AEP's resource definition style: astonishingly simple, but stronger in many ways than any other. Combine that with Nokia's fine-grained access control and the simplicity of Check Point's Web-based GUI to make a pretty solid management system. Of course, you'd want to have every single knob and adjustment that Juniper gives you in there. How you're going to pack those bells and whistles on Check Point's sparse interface, we don't know. But this is fantasy product design.
Portal: The user portal would definitely have to come from F5. These guys have portals down pat, with their Web-centered design and extensive customization capabilities. Of course, you'd want to add Aventail's user experience to the whole picture, magically and transparently upgrading users whenever possible to push out as many services as they're entitled to.
High availability: Great high availability would start with Aventail's built-in load balancer and clustering technology, but scalability and multi-site support would be taken from Nortel, and the actual software would come from Juniper because of its range of options and the way its stuff actually works: active/active or active/passive high availability, with invisible (to the user) failover, no matter what the application or access method.
Pricing: US$2,300. SonicWall sets the standard here.