Secure that line!



GCN Lab Review | The Lab tests three Secure Sockets Layer virtual private network appliances. They all deliver the goods.

Array SPX3000 FIPS

Under the hood: The SPX3000 FIPS' interface lets users set up virtual sites quickly and gives vital stats on the VPN's performance.

Ease of setup: B
Ease of use: A-
Features: A
Value: B+
Pros: Powerful throughput.
Cons: Setup and configuration are difficult.

The SPX3000 FIPS from Array Networks is capable of regulating an impressive volume of concurrent users and bandwidth. Its additional features make this product an adaptable enterprise-level appliance.

The 1U rack-mountable appliance has the obligatory internal and external RJ-45 Ethernet ports and a serial console port. In addition, the appliance comes with a Federal Information Processing Standard-certified Hardware Security Module (HSM) that meets the FIPS 140-2 Level 2 and 3 security benchmarks. It resides in a secure enclosure in the SPX3000 as an added security measure. The module handles private cryptographic key management and SSL handshakes simultaneously, leaving the SPX free to perform other tasks. That, of course, is the main reason for the exceptional amount of throughput the appliance can handle.

Unlike some VPNs, SPX models are built on ArrayOS, a proprietary operating system programmed for this specific type of appliance, with security a primary concern. As a result, it is more resilient than almost all other commercial operating systems.

The SPX3000 supports as many as 256 virtual portals, which an administrator can use to separate different groups or offices in virtual spaces that have a look and feel all their own. This also gives you an additional method of regulating user access.

Setting up the SPX3000 FIPS was more complicated than setting up the average appliance, and only partially because of the added security module. Upon making the serial connection to the console port, you must log in, go into enable mode (which requires another password), go into configuration mode, and then enter the settings one by one with line commands. To get the Web-based administration interface running, we also had to log in to the HSM to make sure it was operational.
That is much more secure than a walkthrough, but it is also a great deal more tedious.

The Web user interface was not very intuitive for some tasks. However, there is a quick-task pane that contains several of the most commonly used administrator tasks. Certificate request generation was done through creation of a virtual site, but once that was done, installing the certificate was relatively easy.

The SPX3000 FIPS shines in bandwidth capacity. Array claims it can handle as many as 2,500 concurrent users and 300 megabits/sec of throughput. Based on our tests, that estimate appears to be accurate. Of course, keep in mind that, as with most of these appliances, you have to purchase a license for each concurrent user.

Array has set the price for the SPX3000 FIPS at $26,995 for 50 concurrent user licenses, which seems reasonable for such a powerful FIPS-compliant appliance, especially considering the addition of the HSM. If you don't need this level of power, Array also offers non-FIPS-compliant models starting at $2,995.

The SPX3000 FIPS from Array Networks would do well in any large-scale environment with numerous remote users who create a great deal of traffic.

Array Networks, (866) 692-7729, www.arraynetworks.com.

SonicWALL SSL-VPN 2000

To the point: SonicWALL's administrator interface is no-frills but will still let users perform the jobs they need to do.

Ease of setup: A
Ease of use: A-
Features: B
Value: A
Pros: Easy to set up and use.
Cons: Low user threshold.

The SonicWALL SSL-VPN 2000 is designed for small to midsize enterprises. It is easy to set up, easy to use and light on the budget.

The chassis of the SSL-VPN 2000 takes up 1U of rack space, which is as small as rack-mountable equipment gets. It is about two-thirds as deep as other units in this review, allowing for easier mounting. It has four RJ-45 10/100/1000 Ethernet ports for a variety of interconnectivity options, depending upon how your network is set up.

The power supply has a hard switch in the back instead of the expected smart-switch button in the front.
That would make restarting the appliance more difficult, especially if the rack is completely full.

The device's setup was the easiest of the appliances we tested. Connecting to the serial console port was not necessary. A computer set to be on the same subnet was connected via a local-area network cable, and the graphical user interface was available to the browser. That is arguably less secure than going through the serial port, but both methods require a direct physical connection to the device to access it.

The installation manual was easy to follow, with clear diagrams of the various network configurations the appliance supports. Common administrator tasks are outlined clearly in a step-by-step format.

The administrator interface is pretty good, with related windows grouped in a logical fashion, so most tasks are easy to find. Importing a certificate is more involved than we would have liked: the certificate and private-key files received from the certificate authority must first be put into a Zip file before the admin console can do anything with them. This is not a difficult step, but it is an extra step nonetheless.

The number of concurrent users for the SSL-VPN 2000 is unrestricted and theoretically unlimited. However, for optimal performance, SonicWALL recommends a maximum of 50 concurrent users.

Although you cannot access network files in the traditional sense with an SSL VPN, you can access them through a server-based Web application. The SSL-VPN 2000 provides users with a Java applet that allows them to access shared files on the network. We found this to be a great convenience for users.

The SSL-VPN 2000 works well enough by itself behind a third-party firewall, but it is designed to function with a SonicWALL gateway security appliance.

The SSL-VPN 2000 has a retail price of $2,295, which we found to be a terrific bargain, especially considering the unlimited user licenses.
Admittedly, it doesn't have the bandwidth capacity that a more powerful, more sweeping VPN would have, but it can hold its own in a midlevel enterprise environment.

SonicWALL, (888) 557-6642, www.sonicwall.com.

Juniper SA6000SP

Ready Reminder: Juniper Networks' Guidance Panel has task lists to make sure that administrators don't forget even the most basic configuration or maintenance step.

Ease of setup: B+
Ease of use: A
Features: A+
Value: B+
Pros: Fairly easy to use.
Cons: 2U of rack space.

The SA6000SP from Juniper Networks is a powerhouse that is surprisingly easy to use considering its complexity. It is capable of taking charge of a multienterprise-level environment, yet it is reasonably quick to set up.

This device takes up 2U of rack space, more than any other in this review. However, the increased size is primarily because of two redundant power supplies, which are hot-swappable in case one of them fails. The unit we tested had only one, but there was space for another. Juniper took advantage of the increased appliance size and made the two cooling fans as big as they could. These are also hot-swappable, which makes replacement easy.

In addition to the expected pair of RJ-45 10/100/1000 Ethernet ports, the SA6000SP has two small form-factor pluggable ports for Gigabit Ethernet connectivity. Even if your network does not yet support this type of connection, you won't need to replace this appliance if you decide to upgrade your network later. The appliance meets FIPS 140-2 Level 3 requirements.

Setting up the SA6000SP is no more difficult than we've come to expect from any security device. We connected a null modem cable from the console port to a computer's serial port, started a Telnet program, set the com port to the correct settings, and off we went. We took the appliance through the basic settings, and it allowed us to change them one by one until it could be accessed via the network by a Web browser.

We found the Admin WebUI to be easy to use if you have basic knowledge of SSL VPN settings.
There is a guidance pane to the right that lists the settings that still need to be done and has links to the corresponding pages. There are additional guidance panes that list tasks an administrator might want to perform. Although the menu system on the left is easy enough to navigate, the guidance task lists entirely bypass it for the most basic tasks.

The standard licensing that came with the device we tested allowed for 25 concurrent users, although you could buy licensing for more users separately.

The SA6000SP has a list of more than 80 trusted server certificate authorities, so Web servers with one of those certificates will automatically be trusted. This will save the time that would be spent authenticating specific servers. Importing a device certificate (so Web browsers will trust your VPN) was about as simple as it gets: Once you get the certificate and key information from the certificate authority, you just browse for the files they gave you, click Import and you're done. Juniper added no unnecessary steps to an already step-laden process.

Juniper sells the SA6000SP with 25 concurrent user licenses for $24,985, which is about what you'd expect for a FIPS-compliant SSL VPN of this capacity. And the hot-swappable components are a money-saving feature. Of course, Juniper has smaller models for less if that's what you need.

The SA6000SP would perform well in the largest-scale environments. It might be overkill in a smaller arena, but it would be hard to beat in a service provider or a multienterprise-level situation.

Juniper Networks, (866) 298-6428, www.juniper.net.

Secure Sockets Layer virtual private networks are rapidly becoming the most universally used method for remote access to a network. Encapsulated, encrypted packets via the Internet are the most effective means for an external client to securely communicate with a network.
But what about the local user?

The established method for local users involves logging in to a computer on the subnet and comparing the user name/password combination to a list of users. The method is universal, and it has done pretty well by us all so far. But increased use of wireless networking, and the persistence and skill of potential hackers, has made it necessary to start rethinking this strategy.

Network Access Control (NAC) is a security solution that controls which network resources and applications authenticated users can access based on their identity, the computer they are using and how that computer connects to the network. This level of access can even change during a connection, depending on the behavior of the connecting computer.

All you administrators are probably thinking this sounds too good to be true. Well, in a sense, it is, for now. Many companies offer solutions under the NAC label with widely varied capabilities, so it is easy to get an NAC product that is not optimal for your needs.

An SSL VPN is essentially an NAC solution for remote users, and many experts recognize it as such. Although the network does not regulate the connecting computer's behavior, administrators can restrict access to network applications or resources using the VPN permission settings. That's why many believe the technologies and processes used by an SSL VPN can easily be turned into an NAC for all users, whether in the office or on the road. That would put organizations that currently employ an SSL VPN one step ahead on the road to NAC.

The future is difficult to divine, of course, but the transition from SSL VPNs to total NAC seems to be a logical step. Perhaps as early as next year, we will be looking at SSL VPN-type devices to protect local networks instead of just remote connections. Officials at more than one company in this review suspect that this could be the future, so we thought it would be worth mentioning.
You wouldn't want to be left out in the cold when the winds of change start blowing, and a secure network means a local NAC appliance.

Since its introduction about a decade ago, the Secure Sockets Layer protocol has changed the way we do business via the Internet; or, more accurately, it has enabled Internet business to be done at all. Nearly every credit card purchase or secure log-in uses SSL to keep transactions safe from eavesdropping, tampering and forgery.

Although the details can vary depending on the version, SSL uses four basic steps to create a secure connection via the Web. First, the client shakes hands with the server and requests that the server send its identification. The server returns the requested identification in the form of a digital certificate that has the server's public encryption key. The client then makes a session key and encrypts a random number using this key, which only the server's private key can decrypt. Finally, the server sends the random number back to ultimately prove its identity, and the secured connection begins.

The crucial element to making this process work is the digital certificate sent as the server's identification to the client. This certificate contains the server name (servername.domain.com is the typical format), the trusted certificate authority, and the server's public encryption key. If the server name does not match the URL you are browsing, the browser will warn you, allowing you to back out of a potentially insecure connection or continue at your own risk.

You can get these certificates only from a trusted certificate authority. It is the authority's responsibility to verify the identity of each certificate applicant in addition to their authority to get a certificate for a certain domain. Through databases such as the Data Universal Numbering System, maintained by Dun and Bradstreet, the authority can verify the existence and location of the applicant's company.
The authority also will determine the ownership of the domain in question and ensure that it matches the company information. The certifying authority must take every step to ensure that the certificates it distributes go to the people they claim to be.

The latest version, SSL 3.0, is officially superseded by Transport Layer Security Version 1.0, but these two protocols are similar and largely synonymous with each other. In fact, VPN appliance manufacturers and certificate authorities use SSL to refer to either protocol.

For our testing in this roundup, we became verified users of and used certificates provided by Entrust (www.entrust.com).
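The server-name check described above, as an added example in Python (not code from the review or from any vendor in it): the browser compares the names in the presented certificate with the host in the URL and warns on a mismatch. The certificate is a constructed sample in the dict layout Python's ssl.SSLSocket.getpeercert() returns; its host names, issuer and IP address are invented.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample certificate (not a real one), laid out the way Python's
# ssl.SSLSocket.getpeercert() returns the identification a server presents.
# Host names, issuer and address are invented for this example.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Agency"),),
                (("commonName", "vpn.example.gov"),)),
    "issuer": ((("organizationName", "Example Trusted CA"),),),
    "subjectAltName": (("DNS", "vpn.example.gov"),
                       ("DNS", "*.remote.example.gov"),
                       ("IP Address", "203.0.113.10")),
}


def certificate_names(cert):
    """Return (dns_names, ip_names) the certificate claims to identify.
    Browsers read subjectAltName; the subject commonName is a fallback used
    only when the certificate carries no SAN extension at all."""
    dns_names, ip_names = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns_names.append(value)
        elif kind == "IP Address":
            ip_names.append(value)
    if not dns_names and not ip_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return dns_names, ip_names


def dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a host name (RFC 6125 rules):
    case-insensitive, trailing dot ignored, and '*' accepted only as the whole
    leftmost label of a name with two or more further labels, never spanning
    a dot ('*.remote.example.gov' covers 'east.remote.example.gov' but not
    'remote.example.gov' or 'x.y.remote.example.gov')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def url_host(url):
    """The host the user is browsing to, as a browser would extract it."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    return host


def certificate_matches_url(cert, url):
    """True when the presented certificate identifies the host in the URL."""
    host = url_host(url)
    dns_names, ip_names = certificate_names(cert)
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:  # the URL names a host, not an IP literal
        return any(dns_name_matches(p, host) for p in dns_names)
    # An IP literal in the URL can be vouched for only by an IP SAN entry.
    return any(ipaddress.ip_address(ip) == addr for ip in ip_names)


def browser_verdict(cert, url):
    """'ok' on a match; otherwise the warning that lets the user back out."""
    if certificate_matches_url(cert, url):
        return "ok"
    dns_names, ip_names = certificate_names(cert)
    claimed = ", ".join(dns_names + ip_names) or "(no names)"
    return f"WARNING: certificate is for {claimed}, not {url_host(url)}"
```

This covers only the name comparison; a browser additionally checks the certificate's validity period and verifies the signature chain back to a trusted certificate authority.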

Virtual private networks have been around for more than a decade as cost-effective solutions to letting employees telecommute from home or work from the road or remote offices. And VPNs have evolved.

A VPN establishes a logical network connection between two points using tunneling: packets are constructed with a specific VPN protocol and then encapsulated within a carrier protocol. Most use IP for transport via the Internet. The packets are de-encapsulated at the other side of the connection, usually without interference from other IP traffic because VPN packets use encryption and authentication.

That's quite an improvement compared with the old ways. One older method was to have dedicated, leased lines between the clients and networks, which formed early wide-area networks and could be costly because you were paying to have a constantly open private line. The other involved a modem connection to an application server, which was feasible for people only in the local dialing area unless you paid for a toll-free line. In any case, the connection was restricted to dial-up speeds.

Another method of connecting clients to a central network is to set up a traditional VPN, one that uses IPSec or another similar protocol. This method uses a client program, which finds and makes a connection to the VPN server on the central network.

The requirement for client software has its pros and cons. It provides extra security, but software licenses can be expensive, and configuring the software to make the proper connection requires user expertise or the presence of a network administrator at each remote location.

Now the best way to connect to a network securely is with a Secure Sockets Layer VPN appliance. It eliminates the need for client software in addition to the expense and headaches that come with maintaining multiple licenses. All recent Web browsers have SSL capabilities built in, so nearly every computer already has the client software in place. The downside of using a Web browser as the client is that users can access only certain Web-based applications, not the entire network. But that also means administrators can more precisely regulate access control, because the only settings that can be made are on the VPN appliance.

We received SSL VPN appliances from Array Networks, Juniper Networks and SonicWALL. They ranged from inexpensive, low-bandwidth, workgroup devices to powerful multienterprise managed appliances. We set up each of them in turn on our test bed network and ran them through normal configuration and maintenance routines, such as incorporating new SSL certificates.

Because of the differences in what the devices could do and the lack of testing standards, we decided not to perform any heavy endurance tests, though we did hook them up to a test network and pushed some traffic through to verify that they could work with their listed number of users. Mostly, we concentrated on the ease of setup and maintenance, and any extra features the devices had. Of course, price did factor into our grading, but only when considering an appliance's other offerings.
