Caption by: Alan Stevens
By doing away with the need for additional client software, SSL VPN gateways have revolutionised the remote LAN access market of late, making life simpler for end users and network managers alike. However, they’re mostly implemented as standalone appliances, which means yet another box to set up and manage. But not if you opt for the new BiGuard S10 from Billion Electric, which comes with an integrated router and firewall as well as an SSL VPN gateway.
The advantages of this kind of all-in-one approach are clear. You only have one device to buy and only one management interface to learn. However, some care is required as all-in-ones often lack the bells and whistles found on more specialist products. They also tend to be engineered to suit a specific audience with strict limits on performance and functionality.
That’s very much the case with the BiGuard S10 which, with just four 10/100Mbps LAN ports and a single WAN (Internet) connector, is aimed squarely at small businesses. Moreover, the hardware lacks the processing power to handle more than 10 remote users at any one time. You will be able to get round this when the follow-on BiGuard S20 is released, which will also offer dual WAN ports. However, even with the S20 able to handle up to twenty remote connections and additional IPSec clients, both models still sit firmly in the small business space.
In its favour the BiGuard S10 compares well on price against alternative standalone small-business SSL VPN gateways from vendors such as Check Point, Netgear and SonicWALL. It’s also a very robust device, with a good set of basic features, and is relatively easy to deploy.
OK, the Web interface isn’t the easiest to get to grips with, but the supporting documentation makes up for any shortcomings and once you’re used to how it all hangs together it’s not that difficult to get working. It took us just under an hour to get it configured on our test network with the router and firewall options much as we’ve come to expect on this kind of low-cost device.
A separate ADSL or cable modem is required to connect to the internet and there’s the usual wizard-driven routine to handle the basic setup. Tools are then provided to create custom firewall rules, handle port forwarding and set up a demilitarised zone (DMZ), with basic intrusion detection and content filtering also available if needed.
The manual also explains how to deploy the BiGuard S10 behind an existing router/firewall, although the benefits of the all-in-one approach will then be lost.
As far as the SSL VPN side of things is concerned, it’s pretty standard fare: the BiGuard S10 exploits the SSL encryption provided by browsers such as Internet Explorer and Mozilla Firefox to create its secure VPN tunnels. As a result, no software needs to be installed, with ActiveX and Java applets downloaded to the client browser as required. All the remote user has to do is type in the address assigned to the appliance and log in via a customisable web portal.
On a small LAN, an internal database can be used to authenticate users, with good support for external Windows domains, LDAP and RADIUS servers on larger networks. Access can then be granted in several ways, including a 'Network Places' option to trawl the remote network, much as you would if connected locally.
Remote users can also be assigned a set of applications, accessed through a set of built-in proxies. For example, we were able to use the RDP (Remote Desktop Protocol) proxy to connect to Windows XP desktops on our LAN and a separate VNC proxy to manage remote servers.
FTP, Telnet and HTTP/S proxies are also available, while for more general access you get what Billion refers to as 'network and transport extenders'. Implemented using ActiveX applets, these provide the same kind of access as on a conventional VPN, but without the need to manually install or configure any client software. The network extender gives general LAN access while the transport extender is designed to be used with particular client/server applications, such as email.
Performance is dependent on available bandwidth and whether or not you use the built-in quality-of-service controls. The number of concurrent remote users can also have a bearing, although in our tests the BiGuard compared well with traditional VPN routers aimed at this market. You also get tools to brand and customise the portal interface, plus an optional utility to make sure sensitive data isn’t left in the browser cache once a session has ended.
The end result is workmanlike, but the BiGuard S10 is limited in the number of users it can support and many equally affordable alternatives can handle more. We would also question the value of the integrated router/firewall: this may be unique at present, but is unlikely to remain so. Indeed it can’t be that long before SSL VPN functionality is routinely added to routers rather than the other way around.