Nortel's Contivity picks up SSL

Your end users might like the new SSL VPN Module 1000 that slides into Nortel's Contivity IPSec VPN boxes because it provides easily navigable remote access to a wide group of LAN-based applications at decent speeds. But administrators won't like the lagging management interface and lack of detailed access control and endpoint security features.

The SSL VPN Module 1000 blade plugs into Contivity 1740, 2700 or 5000 Version 5.0 systems. Its foundation is a dedicated co-processor running Alteon's tried-and-true Secure Sockets Layer accelerator code, Version 4.2, paired with a poorly designed configuration and management system.

The blade performs pretty well (see "A decent SSL performer"), and Nortel's portal page is easy to use and navigate. And the SSL VPN code works well with a range of applications, including Exchange's Outlook Web Access; JavaScript programs; and HTML, FTP and Common Internet File System servers.

But when we tested the product with Java- and Flash-based applications, we ran into interoperability issues. Nortel's prescribed fix is a downloadable Java applet that runs on the workstation and serves as a proxy to tunnel traffic to the Contivity system. This fix gave us access to applications, but hampered our access to the rest of the Internet and required a complex, manual rewrite of the browser's proxy configuration file.
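The proxy-configuration rewrite mentioned above is the kind of thing an administrator ends up doing by hand. The following proxy auto-config (PAC) script is an added example, not Nortel's code or anything shipped with the Contivity: it routes only the hosts published through the SSL VPN to the local Java applet proxy and lets all other browsing go DIRECT, so the applet does not hamper access to the rest of the Internet. The host names, the internal domain suffix and the applet's listening address (127.0.0.1:8080) are assumptions for illustration.

```javascript
// Added example PAC script (not from the reviewed product). The browser calls
// FindProxyForURL(url, host) for every request; the return value tells it
// which proxy to use. Only hosts reachable through the SSL VPN applet are
// sent to the applet proxy; everything else goes DIRECT.

// Hypothetical internal application hosts published through the SSL VPN.
var VPN_HOSTS = ["owa.example.internal", "files.example.internal"];

// Hypothetical internal domain suffix; any host under it is sent via the applet.
var VPN_DOMAIN_SUFFIX = ".example.internal";

// Assumed address of the Java applet's local proxy listener.
var APPLET_PROXY = "PROXY 127.0.0.1:8080";

// True when host is an explicitly listed VPN host or lies under the internal
// suffix. The suffix match requires the leading dot so that a lookalike such
// as "example.internal.evil.com" is not treated as internal.
function isVpnHost(host) {
  host = String(host).toLowerCase();
  if (VPN_HOSTS.indexOf(host) !== -1) {
    return true;
  }
  return host.length > VPN_DOMAIN_SUFFIX.length &&
         host.slice(-VPN_DOMAIN_SUFFIX.length) === VPN_DOMAIN_SUFFIX;
}

// Standard PAC entry point. Internal hosts fail closed: if the applet is not
// running the request fails rather than leaking to the open Internet.
function FindProxyForURL(url, host) {
  if (isVpnHost(host)) {
    return APPLET_PROXY;
  }
  return "DIRECT";
}
```

In a browser this file is referenced from the automatic proxy configuration setting; the PAC built-ins (dnsDomainIs, shExpMatch) are deliberately not used so the script also runs unchanged under Node for testing.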

Nortel offers some rich application translation and proxy features. It detects and fills out form-based authentication processes on Web pages the way most browsers do. However, this single sign-on implementation works only if the username and password are the same for the SSL VPN device and for every Web site.

Nortel adds a unique dimension to its user profiles: you can create multiple user types within the same user group, and the type determines how the portal appears to those users.

Contivity users can choose from standard browser-based SSL VPN applications or a true network extension client, using IPSec or SSL transport, all nicely bundled together. But this bundling belies the lack of underlying coordination. Nortel describes its SSL VPN as "tightly integrated" with IPSec, but the only thing tight about the integration is that they share the same power cord.

Contivity 1740 with SSL VPN Module 1000
Overall rating:
Company: Nortel
Cost: Contivity 1740, $7,000; SSL VPN Module 1000, $8,000 (includes 50 user licenses).
Pros: User-friendly portal; decent performance; good application support; rich application translation and proxy features.
Cons: Weak management tools; lacks detailed access control; subpar endpoint security; no integration between IPSec and SSL VPN tools.

The breakdown (weight, score)
Application support/interoperability    30%    4
Access control                          30%    3.5
Performance                             25%    3.5
Authentication                          10%    4
Logging and reporting                    5%    3
Scoring key: 5, exceptional; 4, very good; 3, average; 2, below average; 1, consistently subpar.

The SSL VPN is managed by a different, decidedly unfriendly, GUI than its IPSec counterpart. Access control defined on one side must be replicated using the other GUI. If you want to support multiple groups with overlapping access control rules, the amount of information you have to manually reproduce is astounding. Some critical features, such as auditing information, are not accessible via the GUI.

More troubling is the lack of detailed access controls in the SSL VPN. While you can distinguish between source IP address and authentication method, you can't give users access based on time of day, browser or SSL security level.

Nortel's TunnelGuard, an endpoint security checking and verification tool, has been in the IPSec Contivity box for years, but is not included in the SSL VPN side. Nortel officials say it will be added later this year.

Newman is president of Network Test. Snyder is a senior partner at Opus One. They can be reached at and, respectively.

NW Lab Alliance

Newman and Snyder are also members of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to

Copyright © 2004 IDG Communications, Inc.