Comment Re:IPSec tunnels the kitchen sink... (Score 2, Interesting) 34

AKnightCowboy - great posting. You do sound like you work for Neoteris. I'm in Tech Marketing in the former Neoteris, now NetScreen, soon to Juniper organization - and you're about to put me out of a job :)

Seriously, I'm glad our products have worked so well for you. We just released our new code, version 4.0, and there have been some significant improvements and additions, particularly in the areas of security and access management. Check it out; you'll be pleased with all the new features.

As for looking at the choices, there have been multiple competitive reviews in the SSL-VPN space and NetScreen(Neoteris) has been fortunate enough to receive top honors in the most prestigious reviews:

- NetworkWorld - World Class Award
(#1 out of 7 vendors) Jan 12, 2004
- NetworkComputing - Editor's Choice
(#1 out of 8 vendors) Nov 13, 2003
- PC Magazine - Editor's Choice
(#1 out of 6 vendors) Aug 19, 2003

But to the original question, what are some "essential" things SSL-VPN (or Secure Access gateways) should have?

On the product side, it's really about security controls & access methods. Both are equally important. Scalability is also an issue because you want to be able to grow with your organization's needs.

SECURITY CONTROLS:
- Hardened Appliance/Server with encrypted disks
-- Gov't, Defense, and Intelligence agencies need FIPS/CC compliant solutions
- 3rd party security audits
- Content Intermediation Engine (blocks DoS/malicious attacks and unauthorized user access, provides app security)
- End-Point Security tools
-- Host Checker (scans users for AV, personal firewall, keystroke loggers, trojans, etc.)
-- Cache Cleaner (cleans up session info during and after user logout)
- Access Privilege Management capabilities
-- rules for pre-auth assessment, role restrictions, and resource-based access controls
-- rules can be based on sourceIP, client-side digital certificates info, user-agent, LDAP/RADIUS user and group info, time-of-day, day-of-week, day-of-year, etc.

ACCESS METHODS (no software installation req'd):
1. Clientless Web Access
-- web (static & dynamic content)
-- web-apps (complex content: JavaScript, VBScript, scriptable ActiveX, Java Applets, Flash, etc.)
-- email (OWA, iNotes, Webmail, POP/IMAP, SMTP)
-- terminal session (telnet/ssh)
-- desktop sharing (ICA, RDP, VNC)
2. Client/Server support
-- Java version - static port apps
-- Windows version - process name, dynamic port, and/or ip range: port range
3. Network-based support
-- full network tunnel (TCP, UDP, ICMP - all traffic)
-- greater security concerns but greatest level of resource access

SCALABILITY/PERFORMANCE:
- Configuration clustering (minimum)
- Session synchronization clustering (very good)
- Hot standby (Active/Passive) clustering
- Full Active/Active clustering
- Local clustering (same subnet)
- Multi-Site clustering (across networks)
- Multi-Unit clustering (3 or more)
- Support up to 10,000 concurrent user sessions
- Hardware-based SSL offloading
- Hardware-based Compression (improve response-time on slow connections)

I'm just scratching the surface. There's so much to cover but those are some of the essential things to look for.

Good Luck -
Doug
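The rule types the post lists under Access Privilege Management (source IP, client-side certificate, LDAP/RADIUS group, time-of-day, day-of-week, resource-based) as a first-match, default-deny policy evaluator. This is an added illustrative example, not Neoteris/NetScreen code; the rule fields, group names and sample policy are assumptions.

```python
"""Toy gateway access-policy evaluator (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime
from fnmatch import fnmatch


@dataclass
class Session:
    source_ip: str          # client address as seen by the gateway
    groups: set             # group names from LDAP/RADIUS lookup
    has_client_cert: bool   # client-side digital certificate presented
    user_agent: str
    when: datetime          # gateway-local time of the request


@dataclass
class Rule:
    resource: str                                   # glob over resource URL
    allow: bool
    src_nets: list = field(default_factory=list)    # CIDRs; empty = any
    groups: set = field(default_factory=set)        # any of these; empty = any
    require_cert: bool = False
    hours: tuple = (0, 24)                          # [start, end) hour window
    weekdays: set = field(default_factory=lambda: set(range(7)))  # 0 = Monday


def rule_matches(rule: Rule, sess: Session, resource: str) -> bool:
    """Every constraint present on the rule must hold for the session."""
    if not fnmatch(resource, rule.resource):
        return False
    if rule.src_nets:
        ip = ipaddress.ip_address(sess.source_ip)
        if not any(ip in ipaddress.ip_network(n) for n in rule.src_nets):
            return False
    if rule.groups and not (rule.groups & sess.groups):
        return False
    if rule.require_cert and not sess.has_client_cert:
        return False
    if not (rule.hours[0] <= sess.when.hour < rule.hours[1]):
        return False
    return sess.when.weekday() in rule.weekdays


def evaluate(rules: list, sess: Session, resource: str) -> bool:
    """First matching rule decides; no match means deny (default-deny)."""
    for rule in rules:
        if rule_matches(rule, sess, resource):
            return rule.allow
    return False


# Constructed sample policy: desktop sharing to finance hosts only from the
# corporate range, with a client cert, during business hours on weekdays.
POLICY = [
    Rule("rdp://finance-*", allow=True, src_nets=["10.0.0.0/8"],
         groups={"finance"}, require_cert=True, hours=(8, 18),
         weekdays=set(range(5))),
    Rule("https://intranet/*", allow=True, groups={"staff", "finance"}),
    Rule("*", allow=False),
]
```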
