* A look at the new SSL VPN Module 1000 that slides into Nortel’s Contivity IPSec VPN boxes
Your end users may like the new SSL VPN Module 1000 that slides into Nortel’s Contivity IPSec VPN boxes because it provides easily navigable remote access to a wide group of LAN-based applications at decent speeds. However, be aware of both the lagging management interface and lack of fine-grained access control and end-point security features.
The SSL VPN Module 1000 blade – which started shipping last month – plugs into Contivity 1740, 2700 or 5000 v5.0 systems and comprises a dedicated co-processor running Alteon’s tried-and-true SSL accelerator code v4.2 and a configuration and management system.
On the plus side, the blade performs pretty well, Nortel’s portal page is easy to use and navigate, and the SSL VPN code works just fine with a range of applications including Exchange’s Outlook Web Access, Javascript programs, and HTML, FTP and CIFS servers.
Nortel’s SSL VPN implementation offers some rich application translation and proxy features. For example, this blade automatically detects and fills out form-based authentication processes on Web pages the way most browsers do. However, this single sign-on implementation only works if your username and password are the same for the SSL VPN device as for every other Web site. If you use any kind of one-time password mechanism for your SSL VPN, this feature won’t work.
The SSL VPN is managed with a different client than its IPSec counterpart. Access control defined on one side must be replicated using the other GUI. The SSL GUI is positively unfriendly. More troubling is the lack of fine-grained access controls in the SSL VPN. For example, while you can distinguish between things like source IP address and authentication method, you can’t give users different access based on filename, time-of-day, browser, or SSL security level.
Nortel’s own TunnelGuard, an end-point security checking and verification tool, has been in the IPSec Contivity box for years, but is not included in either the browser-based or client-based SSL VPN side. Nortel officials say it will be added later this year.
For the full report, go to https://www.nwfusion.com/reviews/2004/1011rev.html




