SSL VPNs dissected

Since we tested this class of products nearly two years ago, vendors have packed them with application support, security options and end-user presentation glitter. The upshot is that comparing SSL VPN devices side by side uncovers more differences than similarities.

If you don’t like IPSec VPNs, then you’ll love SSL VPNs. That’s the pitch from vendors pushing SSL VPNs as the alternative for secure remote access, as a platform for extranet deployment and even as an internal security tool for corporate LANs.

Since we tested this class of products nearly two years ago, vendors have packed them chock full of application support, security options and end-user presentation glitter. The upshot is that comparing SSL VPN devices side by side uncovers more differences than similarities.

The 11 products we tested in seven critical areas of operation were: AEP Networks’ Netilla Security Platform, Array Networks’ SPX-5000, Aventail’s EX-1500, Caymas Systems’ Caymas 525, Check Point’s Connectra, F5 Networks’ FirePass 4100, Fortinet’s Fortigate-3600, Juniper Networks’ Secure Access 6000, Nokia’s Secure Access System 500s, Nortel’s VPN Gateway 3070 and SonicWall’s SSL-VPN 2000.

The seven critical areas were (see How we did it):

• Application interoperability – we tested each product’s ability to run with 16 distinct applications in nine operating system and browser configurations.

• End-point security support – we tested the efficacy of wares designed to collect information about the machines trying to get on the network, and what you can do with that information.

• Fine-grained access control – we examined how much control you get – and don’t get – with each product.

• High availability – we tested the features of each product that let you build bigger and more reliable SSL VPN services.

• Manageability – we evaluated how easy it is to manage each device, and which management systems work best.

• Portal control and virtualization – we examined the virtualization features in each product, and looked at where and how you can customize the end user’s Web portal.

• Authentication – we tested six authentication systems, ranging from digital certificates to two-factor authentication, to see how compatible and flexible each product is.

As in our last test, Juniper steps to the front of the line with a massive set of enterprise features. In every category, including end-point security, detailed access control and interoperability testing, Juniper leads the pack.

Although Juniper did well across the board, we found that the competition is stiff in every category. We saw great results from Aventail in its manageability and high-availability efforts, from Check Point in the area of threat mitigation, from F5 in portal presentation and authentication interoperability, and from Nokia in interoperability and high availability measures.

We were pleasantly surprised by the high scores from AEP, especially in interoperability, and Caymas, in the area of fine-grained access control. These two vendors had not been riding high on our radar screens before this test.

Joel is a senior partner at Opus One, a consulting firm, in Tucson, Ariz. He can be reached at Joel.Snyder@opus1.com.

Snyder is also a member of the Network World Lab Alliance, a cooperative of the premier reviewers in the network industry, each bringing to bear years of practical experience on every review. For more Lab Alliance information, including what it takes to become a member, go to www.networkworld.com/alliance.