Getting scalability, high availability from SSL VPN wares

Most vendors tested keep things up and running.

Review  By Joel Snyder, Network World, 12/19/05

Any network architect building a production SSL VPN service will want to make it as reliable and scalable as possible. We took a whirlwind pass through the high-availability and scalability capabilities of the 11 products in our test to get an idea of the spectrum of options.

F5 Networks was unable to participate in this portion of our test because of logistical problems, and because SonicWall and Check Point do not have built-in high availability, they also were not tested. However, we did evaluate the features of all three in this section.

We found several types of high-availability and scalability features in our testing. High availability included both active/passive (commonly called master/slave) and active/active support. To support scalability, a few products included internal load-balancing technology, but most required external load balancers. Products requiring load balancers generally supported scalability with some form of configuration sharing.

High availability is a simple idea: The service should survive loss of some component, typically the SSL VPN gateway itself. But high-availability measures present a few complications to SSL VPN deployments. It's not rocket science, but it's not easy to do right, either, as our testing showed. In high availability (and in scalability), one of the problems to be solved is configuration sharing, making sure that any change on one device is then propagated to all of the devices so that the configuration is completely consistent.

High availability is usually handled with a virtual IP address, one that represents the highly available service. The virtual IP address usually is shared across a pair of SSL VPN devices; one of the two is the active master responsible for all traffic to that address, and the other is the passive slave, in communication with the active device and ready to take over the virtual IP and traffic in case of failure of the master. In a single data center, high availability focuses on dealing with the failure of either a single device or connectivity to that device. You start by making sure that the virtual IP address is always available by building a capability to move the virtual IP from one system to another when there is a problem.

Chart: HA and scalability is not one size fits all

In the event of a failure, moving a virtual IP one node to another is pretty basic stuff, as is the configuration sharing between the master and slave needed to make it work reliably.

What's more difficult is making any failover seamless to the end user. As with any high-availability scenario, the problem lies in how to maintain the state of the end-user's session in the event of a device failure. With SSL VPN devices, there are two main types of sessions - Web-based SSL VPN and network extension/port forwarding SSL VPN - with different high-availability issues to consider.

Web-based applications tunneling through an SSL VPN have two types of state associated with them that are important to high availability. All SSL VPN devices generate a cryptographic cookie - usually called a session ID or session cookie - that is used to reauthenticate a user's browser every time it comes back for another Web page or image. Without that state information, the SSL VPN device would have no secure way to keep track of the user. This is why cross-site scripting attacks are so frightening to SSL VPN devices, if someone can steal your session cookie, he may be able to impersonate you until your session ends.

The second type of state information is the cookies (such as an Amazon.com shopping spree or, more commonly, an Outlook Web Access session) that are part of a user's session. Web sites doing any kind of session-oriented application (such as a Web-based e-mail session) use cookies to keep things in order. For example, when you use Outlook Web Access, a cookie called "sessionid" is stored in your browser, so that as you go from page to page, the Outlook Web Access server knows who you are and what you have been doing. Secure SSL VPN boxes don't actually pass those cookies directly to the end user's system, because they might then be left lying around for the next user to use or abuse. Instead, they are maintained on the SSL VPN device. Not all SSL VPN devices do that, but the most security-focused use this technique.

When a high-availability event occurs (such as an involuntary power cord attenuation), the user's cryptographic cookie needs to be in place on the backup SSL VPN device for everything to work smoothly. In our testing, Aventail, Caymas, Fortinet, Juniper and Nokia all handle this correctly. With AEP, Array and Nortel, the user must reauthenticate to the SSL VPN after a high-availability event occurs. (Nortel says it is solving this problem in its 5.5 release, due in January.)

IT Tools & How To's, Just Posted

Security convergence equals network security cost savings

IBM ISS X-Force Threat and Risk Report

Achieving Network Payment Card Industry Data Security Standard (PCI DSS) Compliance with Netcordia's NetMRI

Top 5 Network Performance Management Mistakes & How to Avoid Them

Guide to Open-Source Identity Management Software

Most Popular IT Tools & How To's

Backup and Recovery Options in a Multi-Platform Environment

Taking Virtualization Up a Notch

Webcast: Next-Gen Load Balancing: A Guide to Exploiting the Latest Technology

Getting to Know You: Managing Identity and Network Security

Forrester Research Total Economic Impact Study of WAN Optimization - Multi-Company Analysis: Forrester takes an in-depth look at cost and productivity benefits you will realize with WAN Optimization

About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW

Copyright, 1994-2008 Network World, Inc. All rights reserved.