SSL VPNs: Access Anywhere, Anytime
The best technology, according to an old networking truism, is the one that requires the least amount of change to end-stations. By that measure, SSL-based VPNs are right up there.
In the past year, numerous vendors have come to market with gateways that allow secure access to corporate networks from virtually any Web browser, on any device, anywhere.
Unlike existing virtual private network (VPN) technologies, no changes or complex configurations are needed on client machines. And SSL VPNs come with built-in interoperability: The security mechanism needed for strong authentication and encryption, Secure Sockets Layer (SSL), is already embedded in most Web browsers.
SSL has been around for years, but it’s still very early days for its use as a VPN technology. There hasn’t yet been any public comparison of key metrics like performance, scalability, and, of course, security.
Light Reading has teamed up with its testing partners – Spirent Communications and Network Test – to conduct the industry’s most comprehensive comparison of SSL-based VPN gateways.
For nearly three months we’ve used Spirent’s Avalanche and Reflector traffic generator/analyzers to answer a key question: Can SSL VPN gateways scale up to meet the demands of enterprise networks? To find out, we tested them with the ultimate enterprise application, Microsoft Outlook, as well as running a battery of other performance and scalability tests.
Eight vendors took part in this evaluation:
- Array Networks Inc.
- Aventail Corp.
- NetScaler Inc.
- NetScreen Technologies Inc. (Nasdaq: NSCN)
- Nortel Networks Corp. (NYSE/Toronto: NT)
- PortWise AB
- Symantec Corp. (Nasdaq: SYMC)
- Whale Communications Ltd.
It’s not difficult to understand this test’s popularity: This is a new market not yet dominated by one of the giant firms. As we wrapped up testing, Cisco Systems Inc. (Nasdaq: CSCO) announced SSL support for its VPN gateways. But neither Cisco nor any other vendor is anywhere close to market dominance. This is still very much a market up for grabs.
Our findings are promising, though there’s still lots of work to be done:
- On scalability, SSL VPNs get generally good marks. A single gateway can support anywhere from hundreds to tens of thousands of concurrent users. The record holder, NetScaler’s NS 9500, supports up to 58,000 users at one time.
- All systems support Outlook Web Access (OWA), the Webified version of Microsoft’s Outlook mail client, but there’s lots of variation in how well they do so. The good news: Many products handle huge numbers of OWA users at one time. The bad news: Response times can crawl into the minutes when systems support huge numbers of users. That sort of inconvenience could cause users to go elsewhere, circumventing gateway security.
- Products that lack hardware-based SSL acceleration are generally underwhelming performers. In our forwarding rate tests, some gateways with hardware-based acceleration pushed data at nearly 500 Mbit/s, while the low-water mark for products doing encryption/decryption in software was less than 1 Mbit/s. One commendable exception is the EX-1500 from Aventail, which ran far faster than other products lacking hardware-assisted encryption/decryption.
- Vendors do a generally good job of locking down their devices. Our security assessment turned up only a few minor annoyances, chiefly around weak default configurations.
For example, the Array Networks gateway turned in the lowest response times among appliance-based systems in our Outlook tests. Aventail offers the broadest range of configuration options, while the NetScreen gateway’s user interface is a model of clarity the others should follow. As noted, NetScaler blew the doors off in several of our scalability tests, while Nortel came out tops among server-based systems in tests of Outlook and concurrent users. PortWise and Symantec were value leaders. Last but not least, Whale Communications combines a novel architecture with strong application-layer access controls.
For those of you keeping score, Table 1 offers a brief outline of which participants performed best in various fields:
Table 1: Best by Test
| If this matters most to you… | …check out this | …check out this |
|---|---|---|
| OWA concurrent users | PortWise | NetScaler |
| OWA transaction rate | Nortel | NetScaler |
| OWA URL response time | Nortel | Array |
| OWA page response time | Nortel | Array |
| OWA under attack | Nortel | NetScaler |
| Security assessment | (draw) | (draw) |
As another sign that this is still a market in flux, two participants got bought during testing. NetScreen bought Neoteris for nearly $300 million, mostly in stock, while Symantec snared SafeWeb for $26 million in cash. Symantec immediately discontinued the SEA Tsunami product we tested, and says it’s got a more powerful product slated for release in January 2004. We’ll refer to both vendors by their new parent companies in this article. Aventail, for its part, has released a new version, 7.0, that the company says has more features and far higher performance than the version we tested.
Here's a hyperlinked summary of the report:
- SSL VPN Overview
Configured in hardware or software, SSL gateways will complement – not replace – IPSec
- Modus Operandi
Different access modes – including reverse proxy and agent mode – offer different advantages
- Performance Tests
We measure performance five ways: session rate; concurrent user capacity; Outlook Web Access handling, with and without DOS attacks; and forwarding rate
- Maximum Concurrent Users
We look at how many users can do actual work through an SSL VPN gateway at any given instant
- Outlook Web Access
OWA tops the list of applications that benefit from anywhere/anytime access secured by SSL
- The Waiting Game
Response-time measurements turn up more differences among products than any other test
- OWA and DOS
We launch Smurf, SYN floods, UDP floods, and Xmas tree attacks
- Forwarding Rate
We measure the most data each system can pump out while handling the maximum number of users
- Security Assessment
Nessus test returns positive overall results