Providing remote access to partners and employees is necessary in today’s distributed business environment. Employees want to work from home or at least to have access to their e-mail accounts when travelling. For the sales team partners, access to customer databases or inventory levels is critical. To date, however, setting up secure, easy-to-use remote access has proved complex, costly, and unreliable. And with many of today’s remote access solutions, once a user gains access, they have complete access to the network. The only layer of security remaining is anything on the host or application itself that prevents access.
Neoteris Inc. is attempting to relieve these headaches with its IVE (Instant Virtual Extranet), a stand-alone appliance that provides secure remote access with granular access control and is a snap to set up, earning a Deploy score in our tests.
The IVE essentially acts as a proxy. Users connect to the appliance using SSL (Secure Sockets Layer) through any standard Web browser. No specialized client-side software is required. The IVE translates content dynamically using its Content Intermediation Engine. Via IVE, users can access corporate intranet sites, Web applications, Windows and NFS (Network File System) file shares, and e-mail accounts based on standards such as POP3 and IMAP (Internet Message Access Protocol).
IVE comes in two flavours, EmployeeAccess and PartnerAccess. The main difference between the two is that PartnerAccess, the version we reviewed, provides granular access control management, including the use of groups, resource-level access control, and source IP restrictions.
Administrators configure user accounts that authenticate to the IVE to gain access. Neoteris provides an internal database that can be used for authentication, although the solution also supports other authentication methods, such as LDAP, RADIUS (Remote Authentication Dial-In User Service), NT Domain, NIS (Network Information Service), and Active Directory. Administrators do have the ability to import users, which saves them from having to re-create substantial user lists.
Once the users have been defined, administrators can create groups to help define access policies. Each group can be configured according to its access requirements. For example, the sales team needs access to the customer database, but the engineering team does not. The engineering team needs access to the file share containing code, but the sales team does not. IVE makes simple work of setting up these policies and enforcing them through groups.
When defining access control policies, administrators have a fair level of granularity. They can either default to an open system that allows users to access anything except that which is specifically denied, or vice versa, denying access to everything except that which is specifically allowed.
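An added example, not part of the original review and not Neoteris code: a minimal evaluator that runs the same group rules under both default modes to show what happens to a resource no rule mentions. The rule format, host names, address ranges and the "explicit deny wins" precedence are assumptions made for illustration.

```python
import ipaddress
from fnmatch import fnmatchcase

# Constructed sample policy (hypothetical format): each group has allowed
# source networks and ordered (action, resource-pattern) rules.
GROUPS = {
    "sales": {
        "sources": ["0.0.0.0/0"],
        "rules": [("allow", "web://crm.example.internal/*"),
                  ("deny", "smb://fileserver/code/*")],
    },
    "engineering": {
        "sources": ["203.0.113.0/24"],
        "rules": [("allow", "smb://fileserver/code/*"),
                  ("deny", "web://crm.example.internal/*")],
    },
}

# Constructed resource list; the HR share is deliberately absent from every rule.
RESOURCES = [
    "web://crm.example.internal/accounts",
    "smb://fileserver/code/src",
    "smb://fileserver/hr/payroll.xls",
]

def decide(group, source_ip, resource, default):
    """Return 'allow' or 'deny'; `default` applies when no rule matches."""
    if default not in ("allow", "deny"):
        raise ValueError("default must be 'allow' or 'deny'")
    policy = GROUPS.get(group)
    if policy is None:
        return "deny"  # unknown group never gets access
    ip = ipaddress.ip_address(source_ip)
    if not any(ip in ipaddress.ip_network(net) for net in policy["sources"]):
        return "deny"  # source IP restriction is checked before resource rules
    matched = [action for action, pattern in policy["rules"]
               if fnmatchcase(resource, pattern)]
    if "deny" in matched:
        return "deny"  # assumption: an explicit deny overrides any allow
    if "allow" in matched:
        return "allow"
    return default

def exposure(group, source_ip, default):
    """List the sample resources this group can reach from this address."""
    return [r for r in RESOURCES if decide(group, source_ip, r, default) == "allow"]
```

Under the open default, the sales group reaches the unlisted HR share as well as the customer application; under the closed default it reaches only what was explicitly allowed.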
One of the best features we saw was the extensive logging capabilities. The IVE appliance logs every action every user makes. Administrators can quickly see who logged in to the system and from what IP address, what actions they performed while logged in, what administrative configuration changes have been made, and so forth.
Set-up was a breeze: We were up and running in 30 minutes. Out of the box, we connected to the IVE through a console to set the initial IP address and administrator account. We also had to define a NAT (Network Address Translation) rule in our firewall allowing access to the IVE appliance through port 443 (SSL), 465 (S-SMTP), and 995 (S-POP). After that, everything was configured through the GUI. We created several users, some using local database authentication and some using Active Directory authentication. We also created two groups – sales and engineering – and populated them with a few of our users.
We created bookmarks, defined file shares and Web sites that users could access, and tested to make sure the IVE properly enforced our security policy. With the device translating all of our communications, we were concerned with latency, but we did not notice any discernible delay during testing.
The IVE e-mail proxy could use some improvement. Currently, the device supports only standards-based e-mail servers; native Exchange Server set-ups cannot be proxied through IVE. Organizations must use POP3 or IMAP if users want to use an e-mail client to check their e-mail. For Exchange or Lotus Notes users, this means enabling POP3/IMAP/SMTP. For Exchange users, Microsoft’s Outlook Web Access is always an option, and it works exceptionally well through the IVE’s browser feature. Additionally, the Netscape mail client cannot be used to check e-mail through a POP (Post Office Protocol) server because it does not support S-POP.
Neoteris provides an excellent option for creating a secure remote access solution that provides administrators with the ability to control remote access to specific resources, a much-needed approach in today’s distributed environment. Improved e-mail and Java functionality as well as the addition of shell access (all planned for the next release) will greatly enhance this product’s capabilities and will further increase its value for the enterprise.
THE BOTTOM LINE: DEPLOY
Neoteris Instant Virtual Extranet
Business Case: Neoteris provides an easy-to-use solution that’s cost-effective, especially given the savings on support calls that are often required to deploy client-based remote access solutions.
Technology Case: Simple installation, no required client-side changes, and an easy-to-use GUI make Neoteris a dream remote access solution. Improved support for Microsoft Exchange may be a requirement for some organizations.
+ No client configuration required
+ Uses existing infrastructure
+ Granular logging and access control
– No support for native Exchange Servers
– Java support needs improvement
Cost: US$30,000; Secure E-mail Proxy Upgrade: additional US$10,000
Platform(s): Stand-alone appliance
Company: Neoteris Inc.; http://www.neoteris.com