• United States
by Joel Synder

Clear Choice Test: SSL VPNs dissected

Feb 23, 20064 mins
HDTVsNetwork SecurityNetworking

* Network World test evaluates 11 SSL VPN products

Editor’s Note: Tim Greene is traveling. In place of his regular newsletter, we bring you a Clear Choice Test article from NetworkWorld.

VoIP is often written off as an application that will not work well over an SSL VPN link. To test that argument, we examined 10 SSL VPN products in four network scenarios to see how well VoIP calls were handled by the products’ network extension clients.

The news is generally good. In high-bandwidth, low-latency environments, there is virtually no difference in quality between an unencrypted VoIP call and the same call made over an SSL VPN. Even better news is our discovery that a VoIP call made over SSL VPN on a typical broadband Internet connection is of higher quality than an unencrypted call. The only bad news comes with truly awful network connections: ones with high loss and limited bandwidth. In this environment, neither unencrypted VoIP calls nor SSL VPN-protected calls will be considered acceptable (for example, below a mean opinion score [MOS] of 3).

Except for Fortinet’s Fortigate appliance, the vendors included in this test are the same as those that were tested for our blow-out SSL VPN test conducted last December. AEP Networks’ Netilla Security Platform, Array Networks, SPX-5000, Aventail’s Smart SSL VPN, Caymas Systems’ Caymas 525, Check Point’s Connectra, F5’s FirePass 4100, Juniper Networks’ Secure Access 6000, Nokia’s Secure Access System 500, Nortel’s VPN Gateway 3070 and SonicWall’s SSL-VPN 2000.

While our results do show some differences between products, small variations in the MOS should not be considered significant. What is more important, our testing demonstrates that SSL VPN and VoIP work together well over broadband networks, even in the face of some network loss and congestion. We also found that datagram-based SSL VPN techniques, such as those used by Nortel and Juniper (both optionally), do not appear to offer any real advantage for VoIP traffic and may give poorer results than TCP-based SSL VPN from the same vendors.

To test VoIP over SSL VPN, we used a product from GL Communications that measured the quality of voice calls using standardized testing procedures. To see how VoIP would behave in the real world of broadband ISPs, we used a Shunra Virtual Enterprise to inject latency, loss and other impairments, based on our measurements of broadband IP service at wireless hot spots, hotels and other temporary locations around the world. (see “How we did it”). We used common “soft-phone” Session Initiation Protocol software on the SSL VPN client side, with a SIP “hard phone” inside the SSL VPN server.

We examined four scenarios, ranging from a perfect 100Mbps network with a few millisec of latency, all the way to a poor-quality 100Kbps network with 60 milliseconds of latency and other impairments. We called these four scenarios “unimpaired,” “good,” “bad” and “bad/slow.”

Our first tests set a reference to see how the SIP software and hardware would work without a VPN in the way. The GL Communications Voice Quality Tester gave us MOS ratings for our calls, with higher scores being better quality. Most people would consider a call with a score as low as 3.0 to be acceptable, although obviously degraded (see “Minding your Ps and Qs”). These no-VPN networks set the standard for SSL VPNs to meet: acceptable quality over unimpaired and good networks, with poor calls over the bad and bad/slow networks.

Our next set of tests measured how each SSL VPN device behaved carrying VoIP calls over an unimpaired network. The results were good. In general, the SSL VPN devices caused very little degradation in the quality of the VoIP calls. With a perfect MOS being 4.24, as set by our base test, the worst score we saw (with F5 being the exception) was 4.16. And, as we noted above, the difference between that and the perfect score is not likely to be noticeable. Even the low score registered by the F5 FirePass device, at 4.02, would still be considered a very good call. Granted, testing over an unimpaired network with zero latency doesn’t tell you much about how these devices would work in the real world.

To read this test in its entirety and much more, please click here.

Snyder is a senior partner at Opus One, a consulting firm, in Tucson, Ariz. He can be reached at