SSL VPN appliances are pretty commonplace these days and are no longer restricted to the corporate market. Indeed, there are now lots of affordable small-business products, starting at just a few hundred pounds. Compared to entry-level products, Aventail's EX-750 may seem a little expensive — but then it does have a number of features that are not available elsewhere.
To begin with, Aventail is one of the longest established of the specialist SSL VPN vendors, having more or less invented the concept — the aim of which is to simplify the deployment and management of remote LAN access. To this end, an SSL VPN appliance uses the Secure Sockets Layer (SSL) encryption technology found in desktop Web browsers, such as Internet Explorer and Firefox, to create its VPN tunnels rather than custom VPN client software. And that, in turn, does away with the need to deploy, manage or maintain anything extra at the remote user end.
Another difference is that, although very much a small-business solution, the EX-750 can support up to 25 concurrent users compared to, typically, 5-10 users on most of the cheaper competition. Plus, if you need to handle more, it’s part of a much larger family of SSL appliances able to handle up to 2,000 users at the top end with additional clustering, load balancing and failover features also on offer.
And last but by no means least, the EX-750 provides additional Network Access Control (NAC) features that are usually only found on more expensive enterprise solutions. Most notably, it can enforce pre- and post-authentication software and configuration checks on Windows, Windows Mobile, Apple Mac and Linux clients. These ensure that basic security prerequisites are met before allowing remote users to connect, and can also be used to clean up after they leave.
You can tell that Aventail's product is different right from the start. Most of the really low-cost SSL appliances are tiny ASIC-powered devices, but not the EX-750. It’s built on a 1U rack-mount Linux server powered by a 2.4GHz Intel Pentium 4 processor with 512MB of memory. You also get two 10/100Mbps Ethernet interfaces, enabling the unit to be deployed as a gateway if required, although it’s not mandatory and for our tests we simply plugged the unit into our network using a single port.
A local console can then be attached and the appliance managed via a command line if that’s your thing. However, most customers will do as we did, and point a Web browser at the Aventail appliance to set up and administer it.
In its favour we found the interface reasonably intuitive and the initial setup, at least, a fairly easy process, with a wizard to take you through the basics. However, by the time you’ve read through the supporting documentation and sorted out the best way to deploy the EX-750 you may find that you’ve spent the best part of a day getting it working. Moreover, when you start delving into NAC options it can all get very complex and most customers will, therefore, need to get a specialist reseller to install the product — especially those without dedicated technical resources of their own.
How it works
Remote users connect to the appliance using a browser, usually over the Internet, by typing in a URL which will be resolved to the IP address assigned to the built-in Web portal — the Aventail Workplace. This then provides access to the Web applications that users are allowed to run, and also a Web-based network browser tool. The workplace can also be further customised by adding your own logos and editing the text displayed.
Users who log in at the portal can be authenticated against an internal database or an external LDAP, Active Directory or RADIUS server. They can also be assigned to communities, and access controls can be applied at a very granular level as part of the authentication process.
With our Windows clients, for example, we were able to check for an active desktop firewall and antivirus software and stop users connecting when these weren’t found. Alternatively we could restrict users to a quarantined subnet if these and other prerequisites weren’t met, pointing them to sites where the appropriate updates could be obtained.
Network address and access method can also be used to limit access, and controls can be applied differently depending on the date, time and encryption strength settings on the client PC. Another important feature is the ability to clean the browser cache and remove session data automatically when users log off, although this option is only available on Windows.
Although it's described as 'clientless', ActiveX and Java applets are employed by the Aventail appliance to facilitate access to network applications and other resources via a browser. There’s also a lightweight Connect client that can be deployed to provide a full 'in-the-office' experience. Most applets, however, can be installed on-demand or downloaded from the portal (or another server) and preinstalled, by the users themselves if required, with none of the complicated setup or management that's required with a traditional VPN client.
The SSL experience
The performance of the EX-750 is primarily a function of the available bandwidth and the client platform. We used Windows clients and an 8Mbps ADSL line, and found this setup very usable. Moreover, unlike some of the low-end products, the perceived performance didn’t suffer noticeably as additional users were attached.
Indeed, the only real issue we had was the complexity of the Aventail solution. For the majority of small businesses looking for basic remote network connectivity it’s a little over the top, and there are plenty of alternative products that can do the job at a fraction of the price. However, the Aventail pedigree, scalable hardware platform and network access controls are all worth having, and for companies seeking enterprise security at a small-business price it’s hard to beat.