For many companies, rolling out an IPSec client to road warriors and trusted business partners was once the only way to provide the secure access they needed. Now SSL VPNs are quickly gaining steam, poised to replace cumbersome IPSec implementations.
SSL VPNs provide easy, clientless access to corporate resources without requiring a fat client on each remote PC. Remote users connect using their Web browser and have secure, managed access to Web applications, file shares, and the like.
I reviewed two SSL VPN gateways from longtime security vendors: Check Point Software Technologies’ Connectra 2.0 and Nortel’s VPN Gateway 3050. Both systems are quite capable of handling an enterprise’s remote-access needs, but each has its little, not-so-charming quirks, too.
Check Point Connectra 2.0
The Check Point Connectra Web security gateway should easily fit into your existing network infrastructure, especially if you already have Check Point products in place. It provides access to both Web and TCP/IP applications, adds an application firewall and a malicious-code-detection engine, and offers improved integration with Check Point’s SmartCenter management platform. It lacks the TCP/UDP port-forwarding service found in other SSL VPN gateways, but it compensates with its Layer 3 tunnel.
I installed the Connectra 2.0 without any problems. The underlying OS detected my hardware and installed itself in less than an hour. I logged in to the Connectra using Internet Explorer 6 (IE is the only supported browser for administration) and defined authentication servers and protected resources.
The Connectra’s list of authentication sources is not as extensive as those of other vendors’ SSL VPNs, but for most situations LDAP, Active Directory via LDAP, RADIUS, a local database, and digital certificates will suffice. I created a connection to Active Directory for my users, but not without a little effort. Make sure you have your complete LDAP connection details (the bind DN, its password, and the search base) at hand; this part could use a wizard to make the process more straightforward.
I defined links to Web and file resources and, through Network Extender, Check Point’s Layer 3 service, to TCP/IP applications. Network Extender allows granular control over bidirectional TCP and UDP traffic carried in its Layer 3 tunnel. Disappointingly, it is available only to IE users.
Specifying Web resources and SMB file shares proved straightforward. However, accessing file shares requires Microsoft WebDAV. This delivers a Windows Explorer look and feel, but, again, it limits you to IE.
A convenient feature in Connectra lets admins create mail services for remote users. As Nortel does with its VPN Gateway 3050, Check Point includes templates for OWA (Outlook Web Access) and for standard SMTP, POP3, and IMAP, so defining these resources is quick and easy. I had no trouble creating links to my OWA servers.
Connectra focuses heavily on network and end-point security, putting in place services that protect the enterprise at both the network and the application level. It advances application-level security by checking traffic for known worms and by inspecting all HTTP traffic through its Web Intelligence service. Connectra also lets administrators enforce some validation of HTTP traffic, such as denying unsafe HTTP methods, but the list of available choices is vague and the rules cannot be tweaked.
I was, however, impressed with the Connectra’s built-in application protection. Although basic, it lets admins block cross-site scripting, SQL and command injection, and directory traversal. This protection is no match for a dedicated application firewall such as Imperva’s SecureSphere, but it’s a step in the right direction.
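To make concrete what an inspection layer of this kind does (an HTTP method allow-list plus signature checks for traversal, cross-site scripting, SQL injection, and command injection), here is an added example in Python. It is not Check Point’s code and says nothing about how Web Intelligence is implemented; the method list, the signatures, and the sample requests are all assumptions constructed for the illustration. The one point it shows that the paragraph does not is why decoding matters: a filter that inspects the raw URL misses a double-encoded `%252e%252e`, so the example decodes until the value stops changing before it matches.

```python
"""Gateway-style HTTP request inspection (hypothetical example, not Check Point's code)."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Method allow-list: everything else (TRACE, CONNECT, WebDAV verbs ...) is refused.
ALLOWED_METHODS = frozenset({"GET", "HEAD", "POST"})

# Illustrative signatures only; a real engine carries far larger, tuned rule sets.
SIGNATURES = {
    "directory traversal": re.compile(r"(^|[\\/])\.\.([\\/]|$)"),
    "cross-site scripting": re.compile(r"<\s*script\b|javascript\s*:|\bon[a-z]+\s*=", re.I),
    "SQL injection": re.compile(
        r"'\s*(or|and)\s+|\bunion\s+(all\s+)?select\b|;\s*(drop|delete|shutdown)\b|--\s", re.I),
    "command injection": re.compile(
        r"[;&|`]\s*(cat|ls|id|sh|bash|cmd|wget|curl|nc)\b|\$\(", re.I),
}


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until stable so %252e%252e (double-encoded '..') is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(method: str, target: str, body: str = "") -> list[str]:
    """Return the policy violations found; an empty list means the request may pass."""
    findings: list[str] = []
    if method.upper() not in ALLOWED_METHODS:
        findings.append(f"unsafe HTTP method {method.upper()}")

    parts = urlsplit(target)
    fields = [fully_decode(parts.path)]
    # parse_qsl already strips one layer of encoding; fully_decode peels any further layers.
    fields += [fully_decode(v) for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    fields += [fully_decode(v) for _, v in parse_qsl(body, keep_blank_values=True)]

    for name, pattern in SIGNATURES.items():
        if any(pattern.search(f) for f in fields):
            findings.append(name)
    return findings


# Constructed sample requests, as the gateway would see them after TLS termination.
SAMPLE_REQUESTS = [
    ("GET", "/docs/report.pdf?id=42", ""),
    ("TRACE", "/", ""),
    ("GET", "/files/%252e%252e/%252e%252e/etc/passwd", ""),
    ("POST", "/search", "q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/login?user=admin'+or+1=1--+", ""),
    ("GET", "/ping?host=127.0.0.1;cat+/etc/passwd", ""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLE_REQUESTS:
        print(method, target, inspect_request(method, target, body) or "pass")
```

The signatures are deliberately narrow so the example stays readable; in production the tunable part (which the review faults Connectra for lacking) is exactly this table, and the decode loop is what keeps the table from being trivially bypassed.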
Overall, end-point security is well done: it manages host checks, browser cache policies, and personal firewall status. Through Check Point’s Integrity Clientless Scan, Connectra checks the remote PC for potential risks such as malware, but this feature is, you guessed it, limited to IE users. The scan also looks for Check Point’s Integrity firewall but for no other vendor’s firewall. And, as with the VPN Gateway 3050, there is no way to define specific processes or Registry entries to scan for.
Connectra 2.0 warrants consideration, especially when compared with other enterprise remote-access solutions. It has all of the core features, plus solid end-point security. I don’t like its heavy reliance on IE, and I would like to have more control over some security features, but it’s still a stable and capable system.
Nortel VPN Gateway 3050
Nortel’s VPN Gateway 3050 appliance scales well and has highly configurable SSL parameters. It comes with all of the SSL VPN services I’ve come to expect in a gateway and goes most other SSL VPN vendors one better by including IPSec VPN client support. TunnelGuard provides the end-point security and management piece via a download-on-demand Java applet, but it takes some time to get up and running. Integration with Active Directory is also a bit sketchy.
I tested the 3050 by installing it in my test LAN, which was recently vacated by six other SSL VPN appliances. After setting IP addressing for my LAN through a local serial connection, I logged in with Firefox and finished the configuration using the administration UI. I found the UI nicely organized, but locating specific menu options was not as intuitive as it is with the Connectra.
I created a couple of test user accounts in the local user database and added Active Directory as my source for user authentication. The 3050 comes with support for RADIUS, NTLM (NT LAN Manager), SiteMinder, LDAP, and Active Directory via LDAP, but creating a connection to Active Directory nearly stumped me. As with the Connectra, I had to ferret out the LDAP syntax and enter it manually, but Nortel alone also requires you to list the Active Directory group and user-attribute mappings.
Once in place, LDAP/Active Directory authentication worked superbly and even passed users whose Active Directory accounts had expired through to password remediation. As with other SSL VPN gateways, administrators can stack different authentication services in a predetermined order of precedence for flexible user authentication. For example, a user might first be checked against the local user database and, when no match is found, against the next authentication service, RADIUS, say.
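The two behaviours described here, an ordered chain of authentication services and a distinct result for accounts that authenticate but have expired, are easy to get subtly wrong, so here is an added example in Python that models them. It is not Nortel’s code and does not describe how the 3050 implements its precedence rules; the local database, the Active Directory stub (which stands in for an LDAP bind and reads group membership from `memberOf`), the account names, and the passwords are all constructed for the illustration. The design choice worth noting is that the chain falls through only when a service does not know the user at all; a wrong password against a service that does know the user is a final deny, so a bad guess is never replayed against the next service.

```python
"""Stacked authentication with precedence (hypothetical example, not Nortel's code)."""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    ALLOW = "allow"      # credentials valid, grant access
    EXPIRED = "expired"  # credentials valid but the account has expired: send to remediation
    DENY = "deny"        # this service knows the user and the credentials are wrong
    UNKNOWN = "unknown"  # this service has no such user; the chain may fall through


@dataclass
class AuthResult:
    outcome: Outcome
    backend: str                                    # which service made the decision
    groups: list[str] = field(default_factory=list)


def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LocalDatabase:
    """Local user store holding salted PBKDF2 password hashes."""
    name = "local"

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, _pbkdf2(password, salt))

    def authenticate(self, username: str, password: str) -> AuthResult:
        record = self._users.get(username)
        if record is None:
            return AuthResult(Outcome.UNKNOWN, self.name)
        salt, digest = record
        ok = hmac.compare_digest(digest, _pbkdf2(password, salt))
        return AuthResult(Outcome.ALLOW if ok else Outcome.DENY, self.name)


class ActiveDirectoryStub:
    """Stands in for an LDAP simple bind; entries are keyed by sAMAccountName (assumed)."""
    name = "activedirectory"

    def __init__(self, entries: dict[str, dict]) -> None:
        self._entries = entries

    def authenticate(self, username: str, password: str) -> AuthResult:
        entry = self._entries.get(username)
        if entry is None:
            return AuthResult(Outcome.UNKNOWN, self.name)
        if not hmac.compare_digest(entry["password"].encode(), password.encode()):
            return AuthResult(Outcome.DENY, self.name)
        # memberOf holds full DNs; the CN of each is the group name the gateway maps to.
        groups = [dn.split(",", 1)[0].split("=", 1)[1] for dn in entry["memberOf"]]
        outcome = Outcome.EXPIRED if entry["accountExpired"] else Outcome.ALLOW
        return AuthResult(outcome, self.name, groups)


class AuthChain:
    """Consult services in precedence order; the first one that knows the user decides."""

    def __init__(self, *backends) -> None:
        self.backends = backends

    def authenticate(self, username: str, password: str) -> AuthResult:
        for backend in self.backends:
            result = backend.authenticate(username, password)
            if result.outcome is not Outcome.UNKNOWN:
                return result  # DENY and EXPIRED are final; only UNKNOWN falls through
        return AuthResult(Outcome.DENY, "none")


def build_demo_chain() -> AuthChain:
    """Constructed sample data: one local account and two AD accounts, one of them expired."""
    local = LocalDatabase()
    local.add_user("vpnadmin", "correct horse battery staple")
    ad = ActiveDirectoryStub({
        "jdoe": {"password": "Winter2005!", "accountExpired": False,
                 "memberOf": ["CN=VPN Users,OU=Groups,DC=corp,DC=example",
                              "CN=Finance,OU=Groups,DC=corp,DC=example"]},
        "msmith": {"password": "Autumn2004!", "accountExpired": True,
                   "memberOf": ["CN=VPN Users,OU=Groups,DC=corp,DC=example"]},
    })
    return AuthChain(local, ad)  # local database first, then Active Directory


if __name__ == "__main__":
    chain = build_demo_chain()
    for user, pw in [("vpnadmin", "correct horse battery staple"), ("vpnadmin", "wrong"),
                     ("jdoe", "Winter2005!"), ("msmith", "Autumn2004!"), ("nobody", "x")]:
        print(user, chain.authenticate(user, pw))
```

A gateway consuming these results would map `ALLOW` to the user’s resource links, `EXPIRED` to a password-change page and nothing else, and both `DENY` variants to the same generic failure message so that the response does not reveal which service recognised the username.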
The 3050 offers great flexibility in how it provides remote access. Service providers can partition the 3050 into many distinct virtual sites, each with its own authentication scheme and resource definitions. Like F5’s FirePass, the 3050 comes with VLAN support and, when clustered, scales very well. Like the Connectra, the 3050 has solid browser-based support, but it goes on to handle both TCP and UDP applications via a download-on-demand Java applet.
The 3050 also comes with canned definitions for Citrix, Telnet, and SSH, and it allows native Outlook (fat client) connections across the Internet: Nortel provides RPC over SSL without requiring any changes to your Exchange server, much like Exchange 2003’s new RPC over HTTP service. Netdirect is the ActiveX-based full tunnel for those who need a Layer 3 connection. Although limited to Windows platforms, Netdirect allows full bidirectional TCP/IP traffic and supports both split and full tunneling. I like that the virtual adapter removes itself quietly on disconnect, so there are no lasting traces on the PC.
Unlike the Connectra, the 3050 gives admins a huge amount of control over the SSL implementation as well as HTTP-specific settings, with granular control over items such as SSL header rewrites, secure cookies, and image, script, document, and ICA (Independent Computing Architecture) caching. Missing, however, is any type of application firewall.
End-point management and control are handled through Nortel’s TunnelGuard service. A Java-based utility, TunnelGuard checks a remote PC for compliance, but only after the user authenticates. It can check for the presence of disk content, running processes, and digital certificates on files. Currently it will not perform Registry, program-version, or date checks, which prevents it from verifying that a valid, up-to-date anti-virus program is installed. Although it’s comprehensive, I found the TunnelGuard management overly complex.
VPN Gateway 3050 is a great all-around performer that needs a little work on end-point security. I don’t like that it requires IE for its heavy lifting, but the SSL control and IPSec client support help make up for these deficiencies.
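The settings singled out above, secure cookies, header rewrites, and per-content-type caching on one side and the SSL parameters on the other, are what a reverse-proxying SSL VPN applies to every back-end response. Here is an added example in Python of what those rewrites look like when spelled out; it is not Nortel’s code and does not describe the 3050’s configuration model. The caching table, the sample headers, and the `SameSite` attribute (a browser feature that post-dates these products) are assumptions made for the illustration, and the TLS settings are what a current deployment would choose, not what either appliance shipped with.

```python
"""Response-header and TLS hardening of the kind an SSL VPN proxy applies (hypothetical example)."""
from __future__ import annotations

import ssl

# Constructed caching policy keyed by Content-Type prefix; first match wins.
# Static assets may be cached by the browser, documents and application responses may not.
CACHE_POLICY = [
    ("image/", "public, max-age=3600"),
    ("text/css", "public, max-age=3600"),
    ("application/javascript", "public, max-age=3600"),
    ("text/html", "no-store"),
    ("application/", "no-store"),  # PDFs, Office documents, ICA files ...
]


def harden_set_cookie(value: str) -> str:
    """Add Secure, HttpOnly and SameSite to a Set-Cookie value unless already present."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    present = {p.split("=", 1)[0].strip().lower() for p in parts[1:]}
    if "secure" not in present:
        parts.append("Secure")
    if "httponly" not in present:
        parts.append("HttpOnly")
    if "samesite" not in present:
        parts.append("SameSite=Lax")
    return "; ".join(parts)


def cache_control_for(content_type: str) -> str:
    """Pick the Cache-Control directive for a content type; unknown types default to no-store."""
    ct = content_type.split(";", 1)[0].strip().lower()
    for prefix, directive in CACHE_POLICY:
        if ct.startswith(prefix):
            return directive
    return "no-store"


def rewrite_response_headers(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Rewrite a back-end response's header list before it is returned to the browser."""
    out: list[tuple[str, str]] = []
    content_type = "application/octet-stream"
    for name, value in headers:
        lname = name.lower()
        if lname == "set-cookie":
            out.append((name, harden_set_cookie(value)))
        elif lname in ("cache-control", "pragma", "expires"):
            continue  # the back end's caching headers are replaced by the gateway's policy
        else:
            if lname == "content-type":
                content_type = value
            out.append((name, value))
    out.append(("Cache-Control", cache_control_for(content_type)))
    return out


def strict_tls_context() -> ssl.SSLContext:
    """Server-side TLS settings: TLS 1.2 or newer, forward-secret AEAD suites, no compression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!MD5")
    ctx.options |= ssl.OP_NO_COMPRESSION
    return ctx


# Constructed sample response from an internal web application.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SESSIONID=abc123; Path=/"),
    ("Cache-Control", "public, max-age=86400"),
]

if __name__ == "__main__":
    for name, value in rewrite_response_headers(SAMPLE_HEADERS):
        print(f"{name}: {value}")
```

The point of stripping the back end’s own caching headers rather than merging them is that an internal application written for the LAN will happily mark a document as publicly cacheable; on a shared or borrowed PC that is precisely the browser-cache exposure the end-point policies on both gateways exist to prevent.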
The Connectra will fit in well at shops invested in Check Point’s products. Its strong integration with SmartCenter is a bonus. Nortel’s 3050 scales well and comes with very granular security, and it’s a great choice for enterprises that have a heavy IPSec installed base and want a graceful migration path to SSL. Both systems rely too much on IE, but overall, both are worthy security solutions.