
SSL VPNs: Access Anywhere, Anytime

Light Reading

The best technology, according to an old networking truism, is the one that requires the least amount of change to end-stations. By that measure, SSL-based VPNs are right up there.

In the past year, numerous vendors have come to market with gateways that allow secure access to corporate networks from virtually any Web browser, on any device, anywhere.

Unlike existing virtual private network (VPN) technologies, no changes or complex configurations are needed on client machines. And SSL VPNs come with built-in interoperability: The security mechanism needed for strong authentication and encryption, Secure Sockets Layer (SSL), is already embedded in most Web browsers.

SSL has been around for years, but it’s still very early days for its use as a VPN technology. There hasn’t yet been any public comparison of key metrics like performance, scalability, and, of course, security.

Until now.

Light Reading has teamed up with its testing partners – Spirent Communications and Network Test – to conduct the industry’s most comprehensive comparison of SSL-based VPN gateways.

For nearly three months we’ve used Spirent’s Avalanche and Reflector traffic generator/analyzers to answer a key question: Can SSL VPN gateways scale up to meet the demands of enterprise networks? To find out, we tested them with the ultimate enterprise application, Microsoft Outlook, as well as running a battery of other performance and scalability tests.

Eight vendors took part in this evaluation:

That’s a record high turnout for any Light Reading test.

It’s not difficult to understand this test’s popularity: This is a new market not yet dominated by one of the giant firms. As we wrapped up testing, Cisco Systems Inc. (Nasdaq: CSCO) announced SSL support for its VPN gateways. But neither Cisco nor any other vendor is anywhere close to market dominance. This is still very much a market up for grabs.

Our findings are promising, though there’s still lots of work to be done:

  • On scalability, SSL VPNs get generally good marks. A single gateway can support anywhere from hundreds to tens of thousands of concurrent users. The record holder, NetScaler’s NS 9500, supports up to 58,000 users at one time.

  • All systems support Outlook Web Access (OWA), the Webified version of Microsoft’s Outlook mail client, but there’s lots of variation in how well they do so. The good news: Many products handle huge numbers of OWA users at one time. The bad news: Response times can crawl into the minutes when systems support huge numbers of users. That sort of inconvenience could cause users to go elsewhere, circumventing gateway security.

  • Products that lack hardware-based SSL acceleration are generally underwhelming performers. In our forwarding rate tests, some gateways with hardware-based acceleration pushed data at nearly 500 Mbit/s, while the low-water mark for products doing encryption/decryption in software was less than 1 Mbit/s. One commendable exception is the EX-1500 from Aventail, which ran far faster than other products lacking hardware-assisted encryption/decryption.

  • Vendors do a generally good job of locking down their devices. Our security assessment turned up only a few minor annoyances, chiefly around weak default configurations.

We’re not going to pick an overall test winner or winners in this evaluation, for several reasons. First, different products exhibited different strengths in different tests, and we think it makes a lot more sense to let network managers decide which areas matter most to them, and pick a product accordingly. Second, we want to recognize all the vendors that participated in this test; they all deserve considerable credit for participating. Third, we found something interesting and commendable in every single product we tested.

For example, the Array Networks gateway turned in the lowest response times among appliance-based systems in our Outlook tests. Aventail offers the broadest range of configuration options, while the NetScreen gateway’s user interface is a model of clarity the others should follow. As noted, NetScaler blew the doors off in several of our scalability tests, while Nortel came out tops among server-based systems in tests of Outlook and concurrent users. PortWise and Symantec were value leaders. Last but not least, Whale Communications combines a novel architecture with strong application-layer access controls.

For those of you keeping score, Table 1 offers a brief outline of which participants performed best in various fields:

Table 1: Best by Test
(If this matters most to you, check out this server-based or appliance-based product.)

Criterion               Server-based product   Appliance-based product
Features                Aventail               NetScreen
Price                   PortWise               NetScreen
Session rate            PortWise               NetScaler
Concurrent users        Nortel                 NetScaler
OWA concurrent users    PortWise               NetScaler
OWA transaction rate    Nortel                 NetScaler
OWA URL response time   Nortel                 Array
OWA page response time  Nortel                 Array
OWA under attack        Nortel                 NetScaler
Forwarding rate         PortWise               NetScaler
Security assessment     draw                   draw
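As an added example (not the report's or any vendor's tooling), the following script computes several of the Table 1 metrics from a constructed trace of URL fetches. It assumes one record per URL pulled through the gateway (user, OWA page, start and end time, bytes delivered), and it separates URL response time from page response time, because an OWA page assembled from several URLs can keep the user waiting far longer than any single URL suggests.

```python
"""Table 1 metrics over a constructed trace (added example, not the report's
tooling). One Fetch per URL pulled through the gateway."""
from collections import namedtuple
from itertools import accumulate

# user: constructed id; page: OWA page the URL belongs to; start/end: seconds
# since test start; nbytes: bytes the gateway delivered for this URL.
Fetch = namedtuple("Fetch", "user page start end nbytes")

# Constructed: two users load an inbox page of three URLs; u1 then opens a message.
TRACE = [
    Fetch("u1", "inbox", 0.0, 0.4, 20_000),
    Fetch("u1", "inbox", 0.4, 0.6, 5_000),
    Fetch("u1", "inbox", 0.6, 1.0, 25_000),
    Fetch("u2", "inbox", 0.5, 1.5, 20_000),
    Fetch("u2", "inbox", 1.5, 2.0, 5_000),
    Fetch("u2", "inbox", 2.0, 3.0, 25_000),
    Fetch("u1", "message", 2.5, 3.5, 50_000),
]

def run_duration(trace):
    return max(f.end for f in trace) - min(f.start for f in trace)

def _spans(trace, key):
    """Earliest start and latest end per key (a user, or a user+page)."""
    spans = {}
    for f in trace:
        lo, hi = spans.get(key(f), (f.start, f.end))
        spans[key(f)] = (min(lo, f.start), max(hi, f.end))
    return spans

def peak_concurrent_users(trace):
    """Sweep line over user sessions: an end (-1) at time t sorts before a
    start (+1) at t, so back-to-back sessions are not double counted."""
    events = sorted((t, d) for lo, hi in _spans(trace, lambda f: f.user).values()
                    for t, d in ((lo, 1), (hi, -1)))
    return max(accumulate(d for _, d in events))

def url_response_times(trace):
    """Per-URL latency, the figure most load tools report."""
    return [f.end - f.start for f in trace]

def page_response_times(trace):
    """Per-page latency, first request to last byte across the page's URLs:
    what the user actually waits for, and it can far exceed any single URL."""
    spans = _spans(trace, lambda f: (f.user, f.page))
    return {k: hi - lo for k, (lo, hi) in spans.items()}

def forwarding_rate_mbps(trace):
    return sum(f.nbytes for f in trace) * 8 / run_duration(trace) / 1e6
```

In the constructed trace no single URL takes more than a second, yet user u2 waits 2.5 seconds for the inbox page; reporting only URL response time would hide that.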

As another sign that this is still a market in flux, two participants got bought during testing. NetScreen bought Neoteris for nearly $300 million, mostly in stock, while Symantec snared SafeWeb for $26 million in cash. Symantec immediately discontinued the SEA Tsunami product we tested, and says it’s got a more powerful product slated for release in January 2004. We’ll refer to both vendors by their new parent companies in this article. Aventail, for its part, has released a new version, 7.0, that the company says has more features and far higher performance than the version we tested.

Here's a hyperlinked summary of the report:

  • SSL VPN Overview
    Configured in hardware or software, SSL gateways will complement – not replace – IPSec
  • Modus Operandi
    Different access modes – including reverse proxy and agent mode – offer different advantages
  • Performance Tests
    We measure performance 5 ways: session rate; concurrent user capacity; Outlook Web Access handling, with and without DOS attacks; and forwarding rate
  • Maximum Concurrent Users
    We look at how many users can do actual work through an SSL VPN gateway at any given instant
  • Outlook Web Access
    OWA tops the list of applications that benefit from anywhere/anytime access secured by SSL
  • The Waiting Game
    Response-time measurements turn up more differences among products than any other test
  • OWA and DOS
    We launch Smurf, SYN floods, UDP floods, and Xmas tree attacks
  • Forwarding Rate
    We measure the most data each system can pump out while handling the maximum number of users
  • Security Assessment
    Nessus test returns positive overall results
— David Newman is president of Network Test, an independent testing and network design consulting firm in Westlake Village, Calif. His email address is [email protected].

User Rank: Light Beer
12/5/2012 | 2:45:26 AM
re: SSL VPNs: Access Anywhere, Anytime
I'm consulting for a company that's looking to provide native, remote access to exchange. If anyone is interested in sharing ideas and thoughts of OWA vs native access, we would welcome your input. Drop me a line at [email protected] if you're interested.

User Rank: Light Beer
12/4/2012 | 11:09:03 PM
re: SSL VPNs: Access Anywhere, Anytime
Since OWA sucks, it would seem to me that the single most important app in the enterprise is Outlook client. Some of these vendors support Outlook, but I'd be really interested in seeing who does it well and who not at all.

User Rank: Light Beer
12/4/2012 | 11:08:07 PM
re: SSL VPNs: Access Anywhere, Anytime
That is a good observation. In my experience with this technology, some vendors fully support it without issue, others partially support it (with re-configuration requirements), and others "will support it" (they won't say "not supported" - ever). I think you pose a good question, which should be a minimum criterion for evaluating this technology. The beauty of VPNs is the ability to use the internet as a connectivity medium, and while OWA is an acceptable solution for slow-speed connectivity, it is not by any means a fully functional solution compared with native Outlook. Although Outlook clients are more traffic intensive, with high-speed remote access connectivity becoming more tangible, the performance barrier is gone. As a remote user, I would absolutely prefer to use Outlook's native client with SSL VPN given a DSL or better connection, rather than OWA (at all).