
5/15/2016 Comparing the top SSL VPN products

SearchSecurity
Buyer's Guide
The best SSL VPN products for you: A buyer's guide

Comparing the top SSL VPN products

by Karen Scarfone, Scarfone Cybersecurity

Expert Karen Scarfone examines the top SSL VPN products available today to help enterprises determine which option is the best fit for them.

Secure Sockets Layer (SSL) virtual private network (VPN) products, or SSL VPNs, provide encrypted tunnels that protect the network traffic that
passes through them. SSL VPNs support the confidentiality and integrity of communications. They are most often used to enable secure remote
access for end user devices, including desktops, laptops, smartphones and tablets. Secure remote access to selected organization resources can
be a critical need for a wide variety of users, including the organization's employees (using either organization-issued or personally owned devices,
bring your own device (BYOD)), contractors, business partners and vendors.

http://searchsecurity.techtarget.com/feature/Comparing-the-top-SSL-VPN-products 1/7

There are several ways to procure SSL VPN products. An organization can purchase a standalone appliance that functions solely for SSL VPN, or a
bundled device -- such as a next-generation firewall (NGFW) or unified threat management (UTM) product -- that performs many functions, with an
SSL VPN capability being just one of them. Yet another option for some organizations is to purchase their SSL VPN as a virtual appliance.
Regardless of the form the SSL VPN capability comes in, its functionality and other major characteristics are basically the same.

This article focuses on evaluating dedicated SSL VPN products: standalone appliances and virtual appliances. This is not meant to imply that these
are superior to bundled products. Each product, regardless of its form, needs to be evaluated on its own merits. It would be foolish for an
organization to simply ignore an existing bundled SSL VPN capability just for the sake of having a dedicated SSL VPN product, without sufficient
justification for making this decision. That being said, the dedicated SSL VPN products are often the same ones found bundled with others, so the
evaluations presented in this article may also be relevant to organizations seeking bundled products.

This article covers the following commercial SSL VPN products: Barracuda SSL VPN, Check Point Mobile Access Software Blade, Cisco IOS SSL
VPN, Dell SonicWall Secure Remote Access (SRA), Juniper Networks SA Series (now Pulse Connect Secure), and OpenVPN Access Server.

Each of these has been evaluated against a set of four criteria: VPN client software options, operating system (OS) support, simultaneous user
support and network access control. Organizations considering the acquisition of an SSL VPN product should use these criteria as one part of their
overall product evaluation process. That's because each organization has unique characteristics that need to be taken into account, so the findings
of this article should not be considered comprehensive or exhaustive -- they comprise one piece of a larger puzzle.

Criterion #1: VPN client software options


As discussed in the previous SSL VPN article, there are four approaches to SSL VPN client software:

1. Clientless (relies solely on the web browser, no software installation)
2. Browser plug-in (Java applet, ActiveX control run within browser)
3. Standalone executable for desktop and laptop OSs
4. Mobile app for smartphones and tablets

The table below shows the major differences between these four approaches in terms of relative client deployment effort, resource access, client
device support and network access control support. These indicate that there is no "best" client approach; in fact, there are significant tradeoffs
with each. For example, a clientless approach involves no deployment effort, but it also gives access to the fewest resources. For another, the
browser plug-in and standalone executable approaches won't work for mobile devices. And not all of the approaches offer network access control
capabilities.

Table 1: Four approaches to SSL VPN client software

| | Clientless | Browser plug-in | Standalone executable | Mobile app |
|---|---|---|---|---|
| Client deployment effort | None | Minor | Major | Major |
| Resource access | Websites and web-based applications | Virtually all | Virtually all | Virtually all |
| Client device support | All | Most desktops and laptops (needs supported browser) | Major desktop and laptop OSs | Major mobile OSs |
| Network access control | No | Yes (may be limited) | Yes | Yes |

So in the end, what most organizations should be looking for is the approach or combination of approaches that meets their full set of requirements.
All products support multiple approaches, as shown in the table below; however, note that it is unlikely that a single organization will require support
for all four approaches.

Table 2: The client approaches supported by the top SSL VPN products

| | Clientless | Browser plug-in | Standalone executable | Mobile app |
|---|---|---|---|---|
| Barracuda SSL VPN | Yes | Yes | No | No |
| Check Point Mobile Access Software Blade | Yes | Yes | No | Yes |
| Cisco IOS SSL VPN | No | Yes | Yes | No |
| Dell SonicWall Secure Remote Access (SRA) | Yes | Yes | Yes | Yes |
| Juniper Networks SA Series | Yes | Yes | No | No |
| OpenVPN Access Server | No | No | Yes | Yes |

Criterion #2: VPN client OS support


The third and fourth SSL VPN client approaches discussed above -- the standalone executable and the mobile app -- can be referred to as "heavy"
because they require installation of full-fledged software (as opposed to a lightweight browser plug-in). This software is necessarily OS specific, so
organizations need to carefully consider which OSs they need the SSL VPN clients to support. Remember that clientless and browser plug-in based
approaches will work regardless of OS. With the exception of the open source OpenVPN Access Server, each product covered in this article
supports the clientless or the browser plug-in approach.

So, when evaluating SSL VPN products, don't look only at the specific OSs that their client software supports. There may be "light"
options (clientless or browser plug-in) available that truly do support virtually any OS. However, these light options may also offer reduced access
to resources -- particularly clientless ones -- and some lack network access control, increasing the likelihood of misconfigured, compromised or
otherwise undesirable devices being able to connect to the organization's resources.

Assuming that an organization wants to use a "heavy" client-based approach, the first and obvious step in evaluation is cataloging which
desktop/laptop OSs and mobile OSs need to be supported. This may prove difficult, especially if the organization allows the use of BYOD or if the
organization allows contractors, business partners, vendors and others outside the organization to use remote access.

The table below shows OS support provided by the heavy clients. Of the products supporting heavy clients, the Dell SonicWall SRA and OpenVPN
Access Server products support the greatest variety of OSs. Ultimately, however, the heavy clients provided by any product are not going to be able
to support every version of every OS that might be used. So carefully consider using a heavy client for the most common versions and a light client
for less common OSs.

Table 3: OS support by the top SSL VPN products' "heavy" clients

| | Standalone executable | Mobile app |
|---|---|---|
| Barracuda SSL VPN | N/A | N/A |
| Check Point Mobile Access Software Blade | N/A | iOS, Android |
| Cisco IOS SSL VPN | Windows | N/A |
| Dell SonicWall Secure Remote Access (SRA) | Windows, Mac OS X, Linux | iOS, Android, Windows 8.1, Kindle Fire |
| Juniper Networks SA Series | N/A | N/A |
| OpenVPN Access Server | Windows, Mac OS X, Linux | iOS, Android |

Criterion #3: Support for simultaneous users


Licensing for commercial SSL VPN products is typically based on the number of simultaneous users of the VPN. There are exceptions to this, such
as virtual appliances that may offer unlimited scalability, but generally it is true. Some commercial products only support a flat number of users,
while others have the hardware capacity to support a larger number of users but allow organizations to purchase a smaller number of simultaneous
user licenses.

Some vendors offer several models of SSL VPN appliances. For example, the Barracuda SSL VPN is available in six hardware appliance models
supporting between 15 and 1000 simultaneous users, and four virtual appliance models supporting between 15 and 500 simultaneous users.
Similarly, the Cisco IOS SSL VPN, which is geared toward small organizations, provides support for 10 to 200 simultaneous users on a variety of
hardware platforms.

For midsize to large organizations, the Juniper Networks SA Series (which was spun off to Pulse Secure and renamed Pulse Connect Secure)
offers three models of appliances handling up to 10,000 concurrent users, as well as a virtual appliance that can support an unlimited number. The
Dell SonicWall SRA has three hardware appliance models that support between 25 and 20,000 concurrent users, and a virtual appliance that can
support up to 5,000.

In addition to these licensing schemes, some products, such as Juniper Networks SA Series, offer surge licensing, meaning that the number of
simultaneous users can be increased temporarily under emergency conditions; for example, for a week during a natural disaster. Surge licensing
can also normally be purchased and provisioned immediately, which makes it an ideal aid for disaster recovery and contingency planning --
assuming that the SSL VPN hardware is robust enough to support that many simultaneous users.

The OpenVPN Access Server follows a significantly different licensing model than the other products in this article. There is no hardware appliance
available; all OpenVPN Access Server servers are virtual. This virtual server component can be downloaded for free, but organizations with a
minimum of 10 users must pay an annual licensing fee for each simultaneous user. As of this writing, it's possible to purchase a 10-user concurrent
license for under $100 per year. On the other hand, there does not appear to be a maximum limit to concurrent users, although -- obviously -- the
hardware the server is deployed to will effectively limit simultaneous usage at some point.

In general, there is no right answer as to which of these licensing models is best for specific organizations. Smaller ones may be interested in nearly
any of the offerings, while larger organizations would likely tend toward products that support massive enterprises, such as Dell SonicWall SRA,
Juniper Networks SA Series and OpenVPN Access Server.

Criterion #4: Network access control


A final criterion for SSL VPN product evaluation is support for network access control. This refers to a wide variety of features that involve checking
the characteristics of the client device to confirm compliance with the organization's security policies. Examples include verifying the presence of
current antivirus software and authenticating a client-side digital certificate.

Most products -- even those with only light clients, such as Barracuda SSL VPN -- do provide at least some support for network access control.
Vendors are generally reticent to detail exactly how their network access control products work, and many of these are likely to operate significantly
differently on various OSs. So it is recommended as part of any evaluation to first identify the relevant desktop/laptop and mobile OS versions, then
consult with the vendor to see which network access control features -- system health checks -- the products support on each platform.

An example of robust network access control support involves the Dell SonicWall SRA product. It can verify whether mobile devices have been
jailbroken or rooted, check whether various security controls have been installed and configured properly, and examine client certificates and identifiers to
ensure that the device itself is authorized for enterprise remote access use. Other products that advertise network access control support include
Cisco IOS SSL VPN and Juniper Networks SA Series.

Conclusion
There is no clear frontrunner among the SSL VPNs covered in this article. So much is dependent on an individual entity's needs in terms of client
software support and OS support, simultaneous user licensing, and network access control.

For example, an enterprise that allows BYOD may determine that it absolutely needs network access control to assure some degree of security
among its remote access clients. In that case, it might favor products such as Dell SonicWall SRA and Juniper Networks SA Series that offer
particularly rigorous network access control. Meanwhile, an organization that does not allow BYOD may find network access control superfluous for
these devices.

For smaller companies, all of these products offer some sort of acceptable solution. The Cisco IOS SSL VPN is best suited for organizations that
already have another security product in place for their mobile devices; for example, a mobile device management system. The Check Point Mobile
Access Software Blade is appropriate for those already having Check Point security products deployed. Other products are well suited for a wider
variety of small and medium sized organizations because of the resource access they grant, the range of client devices they support and their ability
to provide network access features.

For larger entities (thousands of concurrent users), definitely consider the Dell SonicWall SRA and the Juniper Networks SA Series, with the Check
Point Mobile Access Software Blade and the OpenVPN Access Server following close behind.

Editor's Note:
This is part two of a series on virtual private networks (VPNs). Part one looks at the basics of SSL VPNs in the enterprise, part two examines the different
use cases for SSL VPN products, and part three offers insight into procuring and deploying SSL VPNs. Stay tuned for more on SSL VPNs.

This was first published in April 2015
