Unlike IPSec VPN tunnels, SSL VPNs do not need a special client on the remote
user device, making them easier to deploy and requiring less administrative
maintenance. (See our special report on VPNs.)
The NetSwift iGate Pro from Rainbow Technologies provides the core SSL VPN
functions -- TCP-based IP traffic and a wide range of authentication options. It
does not, however, have all of the enterprise-level features found in
competitors' products, such as the Neoteris Access 3000 Series or the Netilla
Security Platform (NSP) Release 4.0. Among its shortcomings, iGate lacks an
IPSec tunnel, cache cleaning, and host-checking technologies. Software releases
due over the next few months will address many of these issues.
Based on Rainbow’s CryptoSwift 200 SSL encryption cards, the iGate Pro can
handle up to 1,000 concurrent users while securing Web-based applications and
any TCP-based service, as long as you specify the proper ports. For my tests, I
used Windows 2000 Server as the host application server, running Active
Directory, IIS 5.0, Exchange 2000, Outlook Web Access, and a custom, home-grown
ASPX application. For file-level access to the server, I used SMB/CIFS (Server
Message Block/Common Internet File System). The iGate can also handle native
secure access to an Exchange server from a client running Microsoft Outlook.
To assist with setup, the iGate incorporates two simple wizards to help you get
things going right out of the box. The Net Wizard guides you through the initial
network configuration and the Site Wizard shows you how to create a new
protected site. Although effective, the wizards only cover the basics, leaving
you to finish configuration using the advanced portion of the user interface.
The iGate has a clean and easy-to-navigate Web-based user interface to help you
manage the appliance. It also has the Windows-based Access Control Manager for
user management and resource association. Although there are arguments for
separating user functions from resource policy management, I found jumping
between the two applications burdensome, with each UI requiring you to apply your
changes before they would take effect.
In order to create the SSL sessions between client and server, the iGate maps
the address for the published resources to different localhost addresses in your
PC’s hosts file. A Java applet rewrites the hosts file on your PC to match the
resources’ addresses. Despite the advantages of this procedure, I ran into some
trouble with it during my tests. It seems that each SSL-protected resource must
have a FQDN (fully qualified domain name) that resolves to a unique address in
your hosts file. Because I was running multiple services (Exchange, Terminal
Services, and Outlook Web Access) on the same server with the same FQDN, I, with
the help of Rainbow support, had to play tricks with domain names and DNS in
order to make everything work. If all of your resources are on different
machines, you should have no trouble.
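The hosts-file mapping described above has one hard constraint: every protected resource needs its own FQDN, because a hosts file can give a name only one address. The following Python is an added illustration of that constraint, not Rainbow's applet or its actual address scheme (the 127.0.1.x allocation, the resource names and the `sslvpn-managed` marker are constructed assumptions). It plans loopback entries for a set of published resources, reports the FQDN reuse that breaks the scheme, and checks an existing hosts file for names mapped to more than one address:

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    name: str   # label of the published resource in the appliance
    fqdn: str   # host name the client application will dial
    port: int   # TCP port of the back-end service


def plan_hosts_entries(resources, first_address="127.0.1.1"):
    """Assign one loopback address per resource and flag FQDN reuse.

    Returns (entries, conflicts). entries is a list of (address, fqdn) pairs,
    one per resource whose FQDN is unique; conflicts maps each reused FQDN to
    the resource names that claim it. The address scheme is an assumption.
    """
    by_fqdn = {}
    for r in resources:
        by_fqdn.setdefault(r.fqdn.lower(), []).append(r.name)
    conflicts = {f: names for f, names in by_fqdn.items() if len(names) > 1}

    addr = ipaddress.IPv4Address(first_address)
    entries = []
    for r in resources:
        if r.fqdn.lower() in conflicts:
            continue  # cannot give one name two addresses; operator must alias
        entries.append((str(addr), r.fqdn.lower()))
        addr += 1
    return entries, conflicts


def render_hosts(entries, marker="# sslvpn-managed"):
    """Render planned entries as hosts-file lines, tagged so they can be removed."""
    return "".join(f"{address}\t{fqdn}\t{marker}\n" for address, fqdn in entries)


def duplicate_names(hosts_text):
    """Parse hosts-file text and report names mapped to more than one address.

    Resolvers typically take the first matching line, so a duplicate silently
    sends the client to whichever tunnel happens to be listed first.
    """
    seen = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        address, *names = line.split()
        for n in names:
            seen.setdefault(n.lower(), set()).add(address)
    return {n: sorted(a) for n, a in seen.items() if len(a) > 1}


if __name__ == "__main__":
    # Constructed resources reproducing the situation in the review: several
    # services on one server published under the same FQDN.
    resources = [
        Resource("owa", "mail.example.test", 443),
        Resource("exchange-rpc", "mail.example.test", 135),
        Resource("files", "files.example.test", 445),
    ]
    entries, conflicts = plan_hosts_entries(resources)
    print(render_hosts(entries))
    print("FQDN reuse:", conflicts)
```

The fix the review alludes to is visible in the planner's output: give each service on the shared server its own alias (for example a per-service name that the DNS or hosts file resolves separately), and `conflicts` becomes empty while every resource gets a distinct loopback address.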
Like most other SSL appliances, the iGate uses application proxies to secure
both inbound and outbound HTTP traffic and to intermediate the data stream,
rewriting the HTML on the fly to help obscure internal host names. You can use
SSL to secure traffic not only between client and iGate, but also between iGate
and server resources. HTTP compression is also available to help increase
performance.
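To make the proxy's HTML rewriting concrete, here is an added Python sketch of the idea (not the iGate's own implementation, whose rules are not described on the page). The internal host names, the public gateway name `vpn.example.test` and the path-prefix encoding are constructed assumptions. It rewrites absolute URLs in `href`, `src` and `action` attributes so that only the gateway's name reaches the browser, and shows the inverse mapping the gateway needs to route a request back to the internal host, restricted to an explicit allow-list so the gateway cannot be used to reach arbitrary hosts:

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Constructed internal hosts the gateway is allowed to front, and its public name.
INTERNAL_HOSTS = {"intranet.corp.test", "mail.corp.test"}
PUBLIC_HOST = "vpn.example.test"

# Matches href="...", src='...', action="..." (case-insensitive attribute names).
_ATTR_URL = re.compile(
    r'(?P<attr>\b(?:href|src|action)\s*=\s*)(?P<q>["\'])(?P<url>[^"\']*)(?P=q)',
    re.IGNORECASE,
)


def rewrite_url(url, internal_hosts=INTERNAL_HOSTS, public_host=PUBLIC_HOST):
    """Rewrite a URL pointing at an internal host to go through the gateway.

    The internal host name is folded into the path so the gateway can recover
    it on the way back in; anything not on the internal list is left untouched.
    """
    parts = urlsplit(url)
    host = parts.hostname
    if host is None or host.lower() not in internal_hosts:
        return url
    new_path = f"/{host.lower()}{parts.path or '/'}"
    return urlunsplit(("https", public_host, new_path, parts.query, parts.fragment))


def rewrite_html(html, internal_hosts=INTERNAL_HOSTS, public_host=PUBLIC_HOST):
    """Rewrite every matching attribute URL in an HTML document."""
    def _sub(m):
        new = rewrite_url(m.group("url"), internal_hosts, public_host)
        return m.group("attr") + m.group("q") + new + m.group("q")
    return _ATTR_URL.sub(_sub, html)


def route_inbound(path, internal_hosts=INTERNAL_HOSTS):
    """Inverse mapping for an inbound request path on the gateway.

    "/mail.corp.test/owa/x" -> ("mail.corp.test", "/owa/x"); returns None for a
    prefix that is not an allowed internal host, so the caller can reject it.
    """
    host, _, rest = path.lstrip("/").partition("/")
    host = host.lower()
    if host not in internal_hosts:
        return None
    return host, "/" + rest


if __name__ == "__main__":
    page = '<a href="http://mail.corp.test/owa">Mail</a> <img src="https://cdn.example.com/x.png">'
    print(rewrite_html(page))
    print(route_inbound("/mail.corp.test/owa/inbox"))
```

Real proxies have to cover far more than these three attributes (script-generated URLs, CSS, redirects and cookies with domain scope), which is where product differences in "on-the-fly" rewriting tend to show.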
Missing from this release of the iGate is an IPSec-style tunnel. You do not have
the ability to open a tunnel directly into your network. For power users or
those who need UDP (User Datagram Protocol) support, this level of access is
critical. Also missing is a browser cache cleanup utility and a client
application verification control. The cache cleaner purges temporary files left
in your browser’s cache when you log off, and the application checker looks to
see what processes are running on your client to determine if your PC is a
security risk or not. The cache cleaner should be available by the time this
publishes, and the other features should be available in a software update due
out in July.
Resources are defined in the iGate using the concept of sites and connectors. A
site is made up of a group of Web apps and their associated SSL tunnel
connections, called a VPX. You do have a lot of control over each site
definition, such as the type of authentication required, the SSL cipher to use,
whether or not to enable compression (on the HTML stream) and the level of
logging to use. Site definition is the strongest part of the iGate system.
For user authentication, the iGate can use RADIUS, Active Directory, LDAP, an
internal database, Rainbow USB tokens, and SecurID, with support for client
certificates coming in mid-April. There is also support for connecting to any
ODBC-compliant database for custom user lists.
The Rainbow NetSwift iGate is a well-rounded performer that will improve as new
features are added, which should happen this month. I would love to see the user
and device management incorporated into a single user interface to reduce
jumping between platforms.
When the IPSec-style tunnel, cache cleaning and host checking technologies are
all available, the iGate will gain on the SSL VPN front-runners.
SSL VPN appliances continue to gain momentum in the minds of IT
administrators, as evidenced by the growing number of vendors catering to the
market. Secure Sockets Layer encryption, the same technology used to keep
personal and financial information safe across the Internet, is quickly making
SSL VPNs the preferred way to provide remote users with secure access to
back-end Web services.