Does a good SSL VPN provide good NAC?

A close look at F5’s FirePass shows that SSL VPNs can hit on most NAC points

When we developed our evaluation criteria for NAC, the similarities with the evaluation criteria for SSL VPN were very strong.

Is an SSL VPN by either definition or by circumstance a NAC device?

Both Caymas Systems and Juniper Networks would argue a resounding “yes”. The argument here would be that because the most recent iteration of SSL VPN products have been focused on authorizing users, controlling access and using end-point posture assessment, an SSL VPN is a natural fit into any NAC scheme. Just as the intrusion-detection system (IDS) vendors were ideally situated to start selling intrusion-prevention system (IPS) products, SSL VPN vendors are going to have a natural leg up in this market

Caymas, has repositioned itself into the NAC space using the same technology it originally sold as an SSL VPN device (see Caymas SSL VPN results). Juniper has also jumped heavily on the NAC bandwagon, repurposing the policy engine from its top-rated SSL VPN product into the Unified Access Controller (UAC) IC-4000 appliance we tested as part of the TCG/TNC framework.

For an objective answer to the questions of an SSL VPN’s role in NAC, we approached F5 Networks — which hasn’t yet entered the NAC marketing fray — and asked if we could assess its FirePass SSL VPN product as if it were in fact a NAC device.

Our first criterion for a good NAC device is a broad range of authentication methods and types. In the case of NAC, this process includes both the back-end authentication server — and the FirePass supports eight of these — and the way by which users convey their credentials to the device. For an SSL VPN in general, the latter process is limited when compared with a NAC-enabled environment. A good NAC framework can use various methods, such as an 802.1X process, a captive portal, or even sniffing some other authentication system while SSL VPNs tend to be limited to Web-based client authentication mechanisms.

The FirePass provides both Web-based username/password authentication (roughly equivalent to a captive portal) and a passwordless authentication based on digital certificates. The question then follows: Is there some way for an SSL VPN to do a more integrated authentication, such as with a client or by integrating directly with the Windows logon sequence akin to what is done in NAC? With FirePass (and other full-function SSL VPNs), that only happens when you use the product’s network extension tools, which link the SSL VPN user’s system at the IP layer to the central site’s network, similar to an IPsec VPN, rather than the Web-based parts of the product.

Our second criterion for a solid NAC framework is the ability to factor end point security assessment and environmental information into the access equation. With a very sophisticated end-point security assessment system in place within FirePass, the network manager can build a policy to check end-point security across a variety of platforms. At this point, FirePass is ahead of most NAC vendors, which rarely have cross-platform support, because it can detect and handle endpoints running Mac OS X differently than those running Windows.

End-point security assessment depends on the ability of the SSL VPN portal to push software down into the users’ browsers. In the case of the FirePass, this requires an ActiveX-compatible browser. Some NAC vendors, such as Juniper and Cisco, prefer a permanently installed client, rather than relying on the browser. FirePass doesn’t support the option of an installed client to do end-point security checking over its Web services portal.

One capability specifically missing from the FirePass is the ability to link to a vendor-supplied health check tool, such as the patch management and desktop security products we looked at in the CNAC and TCG/TNC frameworks. FirePass does let you integrate with Symantec’s WholeSecurity toolkit, but not more popular or generic tools. The other missing innovation is “continuous enforcement”, the idea that end-point security checking occurs continuously during the session, and not just at logon time.

The third criterion for a valid NAC product is access control enforcement. Here, FirePass provides access control and enforcement beyond what most NAC solutions offer. Because the SSL VPN generally allows or disallows access at the URL level, FirePass is able to control access more tightly than simple virtual LAN assignment, which is the most common form of access control within any NAC scheme. When operating in network extension mode, FirePass offers simple packet filters. In both CNAC and TCG/TNC, we saw high-end products from Cisco, Juniper and Vernier that apply full stateful firewall inspection along with in-line IDS and IPS measures. This aligns FirePass with the higher end of the NAC market.

Our fourth criterion for NAC is management capabilities. Here, the comparison between SSL VPNs and NAC is more difficult to draw. As an early innovator in SSL VPNs, F5 has garnered kudos for its management interface. If we were to draw a direct comparison with the products tested, FirePass would probably score higher than Cisco’s Secure ACS, and would be in the same ballpark as Juniper’s UAC.

Overall, the use cases for SSL VPN and LAN-based NAC don't overlap very much. SSL VPN is for remote access, while most people think of NAC for local, wireless and guest users.

The key to success with NAC is incorporating your SSL VPN remote access into your complete NAC strategy, so that compliance policies and access controls are as tightly integrated and consistent as possible. Right now, no vendor is combining its SSL VPN and NAC policy engines -- but that is likely to happen in a matter of time, and you want to be ready when it happens for an easy integration and transition.

Snyder is a senior partner at Opus One, a consulting firm in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

NW Lab Alliance

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.

< Return to main story: What can NAC do for you now? >

Learn more about this topic

Clear Choice Test: Largest public review of NAC products

Why Vista is missing from NAC landscape?

NAC all-in-one test on the horizon

Test methodology

NAC Buyer's Guide

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

SD-WAN buyers guide: Key questions to ask vendors (and yourself)