SSL VPN gateways


Our fourth set of tests looked at how these devices handled Microsoft, FTP and NFS file servers through application translation. Scoring this was tougher because not every device claimed to support all protocols. But we found products too smart for their own good. F5's snazzy tool for browsing file servers wouldn't work properly on our Safari browser; Netilla's tool wouldn't work properly on anything but Internet Explorer browser on Windows; and Whale couldn't handle older versions of Internet Explorer or Netscape.

We also managed to catch up both Nokia and Symantec with FTP server compatibility problems. When tested against a standard Unix FTP server, both worked perfectly. But when we aimed them at our OpenVMS server, neither could hack it.

Our last series of tests looked at the port forwarding and network-extension capabilities. We maintained a strict rule about technical support: None was allowed.

Macintosh users be warned: Even the products that claim to work with Macintosh systems (NetScreen and Nokia say they support Mac OS X for port forwarding) don't fully hit the mark. We got NetScreen to work with one of our three Macintosh browsers, Safari, but we never could get Nokia to start properly.

For Windows users, port forwarding - where supported - works pretty well. We had no problems getting F5, NetScreen, Nokia and Symantec to forward single-port and multi-port applications. Whale hiccuped, refusing to run in the Netscape browser and claiming that a user needs to be a "Power User" to start the port forwarder. That would be reasonable, except that we were logged in as Administrator.

We hit glitches on the network extension front, too. While NetScreen and Netilla ran flawlessly, AEP wouldn't support the User Datagram Protocol (UDP)-based application we tried. F5 worked sometimes but other times we got a blue-screen on Windows 2000. Symantec's VPN also had problems, largely because there's no documentation and no client.

Based on our interoperability testing, we conclude that these products fall short of the promise of an easy-to-use universal gateway to enterprise applications. Simple Web pages and basic JavaScript seem to work pretty well in the better products, but we were disappointed that Java, Flash, file services, port forwarding and network-extension support were haphazard, difficult to work with and not interoperable.

Access control counts

As security appliances, these products need to provide fine-grained control over who can reach which applications and what they can do there.

All products included the ability to enable and disable access to applications using groups. At the simplest end of the spectrum are AEP, F5 and Netilla. Netilla lets the network manager define a Web application as a series of URLs. Once the application is defined, users and groups are given or denied access to it. AEP has a similar level of control. F5 comes at the access control from the group level, but because of the way the interface is designed, you are actively discouraged from having more than a small number of groups, and users can be in only one group. In some environments, just saying "yes" or "no" at the application level is fine, but you can run out of options quickly.

With Symantec, rather than apply access controls to applications, you can apply access controls to groups and users. Thus, you say what a group has access to and easily manage many different groups and their access controls. In Symantec's hierarchical model, it's easy to say that engineers can read and write files from the file server, but QA testers only can read those same files. That sounds easy, but only Symantec and NetScreen let you think that way. Symantec's model is powerful. There are a lot of complexities to what you can do, but the product doesn't make it hard to get started as it has a good GUI front end.

Another dimension to access control is going further than just group or user. In this regard, Nokia is the undisputed champ, although NetScreen and Whale also have some pieces of the big picture. For Nokia, the fine variations lie in what resources you have access to and what you can do with those resources. If you want to use a coarse control, you can pick groups that are permitted or denied access to a resource. But amazing control is just a click away. For example, you can permit access to a particular file if someone has authenticated using a Lightweight Directory Access Protocol (LDAP) server and his virus scanner is up to date.

Whale throws a change-up when it comes to access control. While providing simple access controls, the strength of this product lies in its application-level firewall. Whale lets you dissect individual URLs and provide a high level of error checking and validation. For example, in a URL that submits data to a form, Whale can check each attribute that should be in the form for length, blocking malformed data. It sounds tedious, complicated and hard to use, and it is. Whale helps out the network manager by prepackaging some of the most popular applications with pre-built rules sets. Unfortunately, for the applications we tested (Outlook 2003 and iNotes), neither rule set was current or correct. The only way we got those applications to work was by disabling the firewalling the product offers. Whale offered to fix its rule sets, saying that it would do this for any customer and any application.
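The per-attribute form checking described above is easy to show in code. The following is an added example, not Whale's rule format or any product's code: a constructed rule set gives each expected attribute of one hypothetical login form a maximum length and a whitelist pattern, and the checker applies a default-deny policy to submissions for that path. The last case in the test shows the failure mode the review hit with stale rule sets: an attribute the application started sending after the rules were written is blocked until the rules are updated.

```python
import re
from urllib.parse import parse_qsl

# Constructed per-form rule set in the spirit of a URL-level application
# firewall: for each form the gateway fronts, every attribute the form is
# expected to submit gets a maximum decoded length and a whitelist pattern.
# The path and field names are hypothetical, not a real product's rule format.
FORM_RULES = {
    "/mail/login": {
        "username": {"max_len": 64, "pattern": re.compile(r"[\w.@-]+")},
        "password": {"max_len": 128, "pattern": re.compile(r"[^\r\n\x00]+")},
        "remember": {"max_len": 1, "pattern": re.compile(r"[01]")},
    },
}


def check_form(path, body, rules=FORM_RULES):
    """Validate a form submission (application/x-www-form-urlencoded body)
    against the rule set for its path.

    Returns (allowed, reason).  Paths with no rule set are passed through
    uninspected; for inspected paths the policy is default-deny: unknown
    attributes, repeated attributes, over-long values and values that do
    not match the whitelist pattern are all blocked.
    """
    form_rules = rules.get(path)
    if form_rules is None:
        return True, "no rules for path; not inspected"

    seen = set()
    for name, value in parse_qsl(body, keep_blank_values=True):
        if name in seen:
            return False, f"{name}: attribute repeated"
        seen.add(name)

        rule = form_rules.get(name)
        if rule is None:
            # This is also what a stale rule set looks like to the user: an
            # attribute the application added after the rules were written
            # is blocked until someone updates the rule set.
            return False, f"{name}: not in rule set"
        if len(value) > rule["max_len"]:
            return False, f"{name}: length {len(value)} exceeds {rule['max_len']}"
        if not rule["pattern"].fullmatch(value):
            return False, f"{name}: malformed value"
    return True, "ok"
```

Lengths are checked on the decoded value, so percent-encoding does not let an over-long or malformed value past the rule; `fullmatch` rather than `search` keeps a stray newline or control character in the middle of a value from slipping through.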

A major disappointment in access control is how SSL VPN gateways control access to file servers. Whale and Netilla had unacceptably poor control of access. With these products, once a user is let into a share on the Windows network, the SSL VPN gateway offered no additional control over where he could go or what he could do. In contrast, NetScreen, Nokia and Symantec let you define read and write access at the individual file level. F5 also impressed us by including a virus scanner, which lets you scan files for infections during upload.

Authentication integration

Identifying users and putting them into groups is a critical part of any SSL VPN deployment. We tried to consider large businesses and the infrastructure they would already have in testing these products. We focused on LDAP and RADIUS as the most likely candidates for authentication and turned up good and bad designs (see graphic, below).

Handling authentication

Most products cover the main bases, but there are subtle differences in the details. This chart only indicates claimed support, not the results of our interoperability testing. In our tests, LDAP is a particular problem because of the variation in databases, so check compatibility with your schema carefully.
Product    RADIUS           LDAP  Digital certificates  Local user database  Windows
AEP        Yes (user only)  Yes   No                    Yes                  Yes
F5         Yes (user only)  Yes   No (add-on)           Yes                  Yes
NetScreen  Yes (user only)  Yes   No (add-on)           Yes                  Yes
Netilla    Yes (user only)  Yes   No                    Yes                  Yes
Nokia      Yes (user only)  Yes   Yes                   Yes                  Yes
Symantec   Yes (user only)  Yes   No                    Yes                  Yes
Whale      Yes (user only)  Yes   No (add-on)           No                   Yes (may be local)

The (add-on) notation means that while you cannot use certificates for authentication, you can use them to supplement other authentication methods.

RADIUS was an easy choice because of the widespread availability of RADIUS servers and the common use of RADIUS to authenticate against Windows, Unix and token-based systems such as RSA Security's SecurID, but we found that some vendors haven't done their homework on RADIUS. We linked all the products to our RADIUS server without problems, but only NetScreen and Nokia were flexible enough to get group information out of the RADIUS server. In other products, RADIUS users had to be mapped to groups via some other method. In the worst case, Whale and AEP require you to manually map RADIUS users to the groups.
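What "getting group information out of the RADIUS server" means at the packet level is shown below in an added Python example that is not code from any of the reviewed products. It parses the attributes of a RADIUS Access-Accept (RFC 2865 framing), takes groups from Filter-Id or Class attributes under a constructed `OU=<group>` convention, and falls back to a static username-to-groups map when the server sends none, which is the manual mapping some products force on you. The Response Authenticator is verified before any attribute is trusted, so a spoofed or tampered reply cannot grant group membership; the shared secret and request authenticator are constructed sample values.

```python
import hashlib
import hmac
import struct

# Packet code and attribute types from RFC 2865.
ACCESS_ACCEPT = 2
ATTR_FILTER_ID = 11
ATTR_REPLY_MESSAGE = 18
ATTR_CLASS = 25
HEADER_LEN = 20

# Constructed convention for this example: the RADIUS server returns each
# group as a Filter-Id or Class attribute of the form "OU=<group>".  Real
# deployments pick their own attribute and encoding, so a gateway has to be
# configurable about both.
GROUP_PREFIX = "OU="


def _response_authenticator(header, request_auth, attrs, secret):
    # RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept; used here only to construct sample packets."""
    body = b"".join(bytes([atype, len(value) + 2]) + value for atype, value in attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, HEADER_LEN + len(body))
    return header + _response_authenticator(header, request_auth, body, secret) + body


def parse_attributes(packet):
    """Return (code, [(type, value), ...]); raise ValueError if malformed."""
    if len(packet) < HEADER_LEN:
        raise ValueError("shorter than RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with packet")
    attrs, pos = [], HEADER_LEN
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, attrs


def groups_from_accept(packet, request_auth, secret, username=None, static_map=None):
    """Derive a user's groups from an Access-Accept.

    The Response Authenticator is checked first so attributes from a spoofed
    or tampered reply are never turned into group membership.  Groups carried
    in the reply win; if the server sends none, fall back to a locally kept
    username -> groups map.  An unverifiable or non-Accept packet yields no
    groups at all.
    """
    code, attrs = parse_attributes(packet)
    length = struct.unpack("!H", packet[2:4])[0]
    expected = _response_authenticator(packet[:4], request_auth,
                                       packet[HEADER_LEN:length], secret)
    if not hmac.compare_digest(expected, packet[4:HEADER_LEN]):
        return set()
    if code != ACCESS_ACCEPT:
        return set()
    groups = set()
    for atype, value in attrs:
        if atype in (ATTR_FILTER_ID, ATTR_CLASS):
            text = value.decode("utf-8", "replace")
            if text.startswith(GROUP_PREFIX):
                groups.add(text[len(GROUP_PREFIX):])
    if not groups and static_map:
        groups = set(static_map.get(username, ()))
    return groups
```

The static map is deliberately consulted only when the reply carries no group attributes, so a user removed from every group on the RADIUS server does not silently keep a stale local mapping; a deployment that wants the opposite precedence should make that an explicit setting rather than a side effect.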

For many vendors, LDAP support is synonymous with Active Directory support. We had so many problems with AEP, Symantec and Whale that we had to replace our existing LDAP server with an Active Directory server to make them work. Even then, we continued to have problems with Symantec's LDAP implementation, including poor connectivity and obscure error messages.

If you are using LDAP in any other form, you'll want to go with F5, NetScreen or Nokia. We managed to trip up NetScreen and find an LDAP configuration it couldn't handle, but technical support had a fix for it. All three of those products had sufficiently generic LDAP implementations to work with a variety of environments and schemas.

Because SSL, in general, is based on certificates, we expected these products to be excellent in their support of public-key infrastructure (PKI). But we were disappointed because only Nokia supported certificates for authentication (and even then didn't include support for Certificate Revocation Lists, which are required for any good PKI implementation).

F5, NetScreen and Whale did make use of client-side certificates for additional authentication, but not as a primary authentication method. For example, Whale has the concept of a "trusted endpoint," a user who not only authenticates but also presents a certificate. In defining access control in Whale's configuration, you can differentiate between users who have a certificate and those who don't. The idea is that a user will log on from home, at his home PC, and have his certificate; because he is trusted, he can be given a higher level of access than when he logs on from someone else's PC or an Internet kiosk, where his certificate won't be present. F5, NetScreen and Nokia all offer a similar configuration option.
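The three access-control ideas in this review (coarse group-level permit rules, Nokia-style conditions such as "authenticated via LDAP and virus scanner up to date", the "trusted endpoint" that gets more rights only when a client certificate is present, and read-versus-write rights on individual files) all fit one small policy evaluator. The following is an added Python example, not any vendor's policy engine or configuration format: the session model, rule fields, share paths and group names are constructed for illustration. Every condition on a rule must hold for it to apply, rights are the union of all applicable rules, and with no applicable rule the answer is deny.

```python
from dataclasses import dataclass, field


@dataclass
class Session:
    """What the gateway knows about an authenticated user (constructed model)."""
    user: str
    groups: set
    auth_method: str           # e.g. "ldap", "radius", "local"
    has_client_cert: bool      # presented a client certificate: a "trusted endpoint"
    av_up_to_date: bool        # endpoint check result reported at logon


@dataclass
class Rule:
    """One allow rule.  Every condition set on the rule must hold for it to apply."""
    resource: str                                    # canonical path prefix the rule covers
    rights: set                                      # subset of {"read", "write"}
    groups: set = field(default_factory=set)         # empty = any group
    require_auth: set = field(default_factory=set)   # empty = any authentication method
    require_cert: bool = False                       # only from a trusted endpoint
    require_av: bool = False                         # only if the virus scanner is current


def rule_applies(rule, session, resource):
    # `resource` is assumed to be the canonical path after the gateway has
    # normalized it (no ".." segments), otherwise a prefix match is meaningless.
    if not resource.startswith(rule.resource):
        return False
    if rule.groups and session.groups.isdisjoint(rule.groups):
        return False
    if rule.require_auth and session.auth_method not in rule.require_auth:
        return False
    if rule.require_cert and not session.has_client_cert:
        return False
    if rule.require_av and not session.av_up_to_date:
        return False
    return True


def allowed_rights(session, resource, rules):
    """Union of rights from every rule that applies; default deny when none does."""
    rights = set()
    for rule in rules:
        if rule_applies(rule, session, resource):
            rights |= rule.rights
    return rights


def check(session, resource, operation, rules):
    return operation in allowed_rights(session, resource, rules)


# Constructed policy for the example.  Prefixes end in "/" so that
# "/shares/eng/" cannot accidentally cover "/shares/engineering-private".
POLICY = [
    # Coarse, group-level rule: engineers and QA may read the engineering share.
    Rule("/shares/eng/", {"read"}, groups={"engineering", "qa"}),
    # Write access to the same share only from a trusted endpoint (client
    # certificate present), so the same engineer at a kiosk gets read-only.
    Rule("/shares/eng/", {"write"}, groups={"engineering"}, require_cert=True),
    # A single sensitive file: HR only, authenticated via LDAP, AV current.
    Rule("/shares/hr/payroll.xls", {"read"}, groups={"hr"},
         require_auth={"ldap"}, require_av=True),
]
```

Keeping rules allow-only and taking the union makes the policy easy to audit: to learn why a user can write somewhere you list the rules that granted "write", and there is no deny-rule ordering to reason about. The cost is that revoking a right means removing or tightening a rule rather than adding an exception.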

Reporting and logging

As security appliances, we expected these SSL gateways to have strong auditing, logging and reporting features. We wanted to see audits of every change to the configuration. We wanted session data, showing when users logged on, logged out and how much resource they had consumed. And we wanted transaction data, every single Web page going through the system, if not for accounting then at least for debugging and usage analysis.

F5 exceeded our expectations. In addition to all the logging we wanted, the F5 gateway also was smart enough to automatically push its logs up to a server somewhere else, using FTP, SMTP or a secure copy. NetScreen, Nokia and Symantec all gave acceptable levels of logging with some associated bells and whistles. Nokia had more than a dozen subsystems that you could individually change logging on, or you could pick particular users and applications and increase the level of logging either for debugging purposes or just to keep a closer eye on parts of the system. This was a nice enterprise-level feature, where it might not be practical to turn up high logging on a production system just to help catch one problem.

Getting the log files off of the SSL VPN gateway is always going to be a bit tricky. We were disappointed that no one included RADIUS accounting, even though everyone used RADIUS for authentication. Some systems, such as NetScreen and Symantec, naturally wanted to push logs up using SYSLOG. Without careful planning, this would overwhelm a normal SYSLOG server, mixing error messages with accounting information. Symantec has a good answer: It lets you pick different SYSLOG hosts for different services. Network managers might prefer to simply pull accounting data off the appliances themselves using a script, which is how Nokia and Whale serve it up.

We were also interested in real-time information. Although F5 had an excellent showing in this area, Symantec also won our admiration for its graphics and reporting, not only showing who was logged on, but also how the system itself was performing. A dashboard showing multiple graphs would have been a nice addition, but knowing what the CPU, memory and I/O load are will be great for any network manager who has to worry about performance. Netilla had a similar graphing capability for performance data. Whale caused us some concern because its real-time information tools didn't seem to work correctly. Even during the light load our testing presented, we could see that some events were being lost out of the real-time displays.

Picking a product

It's difficult to pick an obvious favorite. While we were not overly excited by the AEP, Netilla or Whale offerings overall, each has its own strengths. Whale includes a sophisticated application layer firewall. Netilla has the most extensive set of application translation functions. However, these products looked more like they had been wedged into the SSL VPN gateway space and will be most appropriate when application requirements call for their specific strengths.


F5 holds our admiration for its easy-to-use interface and strong product. But it seems particularly weak in access control, something the product management team told us it is working on for future versions.

The NetScreen, Nokia and Symantec development teams all had done serious thinking about SSL VPNs from scratch, and their products are sprinkled with bits and pieces showing that they have spent a fair amount of time in the trenches getting this to work and understanding the tough issues.

Thanks to all the vendors that loaned us software and hardware to complete this review. Those include Apple, for loan of a Powerbook for client tests; Avocent, for loan of an AMX KVM switch; Macromedia, Altio, IBM, Microsoft, Ipswitch and Citrix for assisting with installation and configuration of their applications; and VMware (soon to be EMC) for use of GSX Server to run multiple applications.

Copyright © 2004 IDG Communications, Inc.
