SearchSecurity Buyer's Guide
The best SSL VPN products for you: A buyer's guide
by Karen Scarfone, Scarfone Cybersecurity
Expert Karen Scarfone examines the top SSL VPN products available today to help enterprises determine which option is the best fit for them.
Secure Sockets Layer (SSL) virtual private network (VPN) products, or SSL VPNs, provide encrypted tunnels that protect the network traffic that
passes through them. SSL VPNs support the confidentiality and integrity of communications. They are most often used to enable secure remote
access for end user devices, including desktops, laptops, smartphones and tablets. Secure remote access to selected organization resources can
be a critical need for a wide variety of users, including the organization's employees (using either organization-issued or personally owned devices,
bring your own device (BYOD)), contractors, business partners and vendors.
http://searchsecurity.techtarget.com/feature/Comparing-the-top-SSL-VPN-products 1/7
5/15/2016 Comparing the top SSL VPN products
There are several ways to procure SSL VPN products. An organization can purchase a standalone appliance that functions solely for SSL VPN, or a
bundled device -- such as a next-generation firewall (NGFW) or unified threat management (UTM) product -- that performs many functions, with an
SSL VPN capability being just one of them. Yet another option for some organizations is to purchase their SSL VPN as a virtual appliance.
Regardless of the form the SSL VPN capability comes in, its functionality and other major characteristics are basically the same.
This article focuses on evaluating dedicated SSL VPN products: standalone appliances and virtual appliances. This is not meant to imply that these
are superior to bundled products. Each product, regardless of its form, needs to be evaluated on its own merits. It would be foolish for an
organization to simply ignore an existing bundled SSL VPN capability just for the sake of having a dedicated SSL VPN product, without sufficient
justification for making this decision. That being said, the dedicated SSL VPN products are often the same ones found bundled with others, so the
evaluations presented in this article may also be relevant to organizations seeking bundled products.
This article covers the following commercial SSL VPN products: Barracuda SSL VPN, Check Point Mobile Access Software Blade, Cisco IOS SSL
VPN, Dell SonicWall Secure Remote Access (SRA), Juniper Networks SA Series (now Pulse Connect Secure), and OpenVPN Access Server.
Each of these has been evaluated against a set of four criteria: VPN client software options; operating system (OS) support; simultaneous users
support and network access control. Organizations considering the acquisition of an SSL VPN product should use these criteria as one part of their
overall product evaluation process. That's because each organization has unique characteristics that need to be taken into account, so the findings
of this article should not be considered comprehensive or exhaustive -- they comprise one piece of a larger puzzle.
Some commercial SSL VPN products only support a flat number of users, while other products have the hardware
capacity to support a larger number of users but allow organizations to purchase a smaller number of simultaneous
user licenses.
The table below shows the major differences between these four approaches in terms of relative client deployment effort, resource access, client
device support and network access control support. These indicate that there is no "best" client approach; in fact, there are significant tradeoffs
with each. For example, a clientless approach involves no deployment effort, but it also gives access to the fewest resources. For another, the
browser plug-in and standalone executable approaches won't work for mobile devices. And not all of the approaches offer network access control
capabilities.
Resource access | Websites and web-based applications | Virtually all | Virtually all | Virtually all
Client device support | All | Most desktops and laptops (needs browser) | Major desktop and laptop OSs supported | Major mobile OSs
So in the end, what most organizations should be looking for is the approach or combination of approaches that meets their full set of requirements.
All products support multiple approaches, as shown in the table below; however, note that it is unlikely that a single organization will require support
for all four approaches.
Table 2: The client approaches supported by the top SSL VPN products
So, when evaluating SSL VPN products, don't just automatically look at the specific OS that its client software may support. There may be "light"
options (clientless or browser plug-in) available that truly do support virtually any OS. However, these light products may also offer reduced access
to resources -- particularly clientless products -- and some lack network access control, increasing the likelihood of misconfigured, compromised or
otherwise undesirable devices being able to connect to the organization's resources.
Assuming that an organization wants to use a "heavy" client-based approach, the first and obvious step in evaluation is cataloging which
desktop/laptop OSs and mobile OSs need to be supported. This may prove difficult, especially if the organization allows the use of BYOD or if the
organization allows contractors, business partners, vendors and others outside the organization to use remote access.
The table below shows OS support provided by the heavy clients. Of the products supporting heavy clients, the Dell SonicWall SRA and OpenVPN
Access Server products support the greatest variety of OSs. Ultimately, however, the heavy clients provided by any product are not going to be able
to support every version of every OS that might be used. So carefully consider using a heavy client for the most common versions and a light client
for less common OSs.
Dell SonicWall Secure Remote Access (SRA) | Windows, Mac OS X, Linux | iOS, Android, Windows 8.1, Kindle Fire
Juniper Networks SA Series | N/A | N/A
Some vendors offer several models of SSL VPN appliances. For example, the Barracuda SSL VPN is available in six hardware appliance models
supporting between 15 and 1000 simultaneous users, and four virtual appliance models supporting between 15 and 500 simultaneous users.
Similarly, the Cisco IOS SSL VPN, which is geared toward small organizations, provides support for 10 to 200 simultaneous users on a variety of
hardware platforms.
For midsize to large organizations, the Juniper Networks SA Series (which was spun off to Pulse Secure and renamed as Pulse Connect Secure)
offers three models of appliances handling up to 10,000 concurrent users, as well as a virtual appliance that can support an unlimited number. The
Dell SonicWall SRA has three hardware appliance models that support between 25 and 20,000 concurrent users, and a virtual appliance that can
support up to 5,000.
In addition to these licensing schemes, some products, such as Juniper Networks SA Series, offer surge licensing, meaning that the number of
simultaneous users can be increased temporarily under emergency conditions; for example, for a week during a natural disaster. Surge licensing
can also normally be purchased and provisioned immediately, which makes it an ideal aid for disaster recovery and contingency planning --
assuming that the SSL VPN hardware is robust enough to support that many simultaneous users.
The OpenVPN Access Server follows a significantly different licensing model than the other products in this article. There is no hardware appliance
available; all OpenVPN Access Server servers are virtual. This virtual server component can be downloaded for free, but organizations with a
minimum of 10 users must pay an annual licensing fee for each simultaneous user. As of this writing, it's possible to purchase a 10-user concurrent
license for under $100 per year. On the other hand, there does not appear to be a maximum limit to concurrent users, although -- obviously -- the
hardware the server is deployed to will effectively limit simultaneous usage at some point.
In general, there is no right answer as to which of these licensing models is best for specific organizations. Smaller ones may be interested in nearly
any of the offerings, while larger organizations would likely tend toward products that support massive enterprises, such as Dell SonicWall SRA,
Juniper Networks SA Series, and OpenVPN Access Server.
Most products -- even those with only light clients, such as Barracuda SSL VPN -- do provide at least some support for network access control.
Vendors are generally reticent to detail exactly how their network access control products work, many of which are likely to operate significantly
differently on various OSs. So it is recommended as part of any evaluation to first identify the relevant desktop/laptop and mobile OS versions, then
consult with the vendor to see which network access control features -- system health checks -- the products support on each platform.
An example of robust network access control support involves the Dell SonicWall SRA product. It can verify whether mobile devices have been
jailbroken or rooted, check if various security controls have been installed and configured properly, and examine client certificates and identifiers to
ensure that the device itself is authorized for enterprise remote access use. Other products that advertise network access control support include
Cisco IOS SSL VPN and Juniper Networks SA Series.
Conclusion
There is no clear frontrunner among the SSL VPNs covered in this article. So much is dependent on an individual entity's needs in terms of client
software support and OS support, simultaneous user licensing, and network access control.
For example, an enterprise that allows BYOD may determine that it absolutely needs network access control to assure some degree of security
among its remote access clients. In that case, it might favor products such as Dell SonicWall SRA and Juniper Networks SA Series that offer
particularly rigorous network access control. Meanwhile, an organization that does not allow BYOD may find network access control superfluous for
these devices.
For smaller companies, all of these products offer some sort of acceptable solution. The Cisco IOS SSL VPN is best suited for organizations that
already have another security product in place for their mobile devices; for example, a mobile device management system. The Check Point Mobile
Access Software Blade is appropriate for those already having Check Point security products deployed. Other products are well suited for a wider
variety of small and medium-sized organizations because of the resource access they grant, the range of client devices they support and their ability
to provide network access features.
For larger entities (thousands of concurrent users), definitely consider the Dell SonicWall SRA and the Juniper Networks SA Series, with the Check
Point Mobile Access Software Blade and the OpenVPN Access Server following close behind.
Editor's Note:
This is part two of a series on virtual private networks (VPNs). Part one looks at the basics of SSL VPNs in the enterprise, part two examines the different
use cases for SSL VPN products, and part three offers insight into procuring and deploying SSL VPNs. Stay tuned for more on SSL VPNs.