SSL VPN Evaluation Guide
Criteria for Choosing the Right SSL VPN
May 2011
Evaluation Guide
SSL VPN Evaluation Guide	 Access. Security. Delivery.
2	 Copyright © 2011, Array Networks, Inc.	
Introduction
Remote connectivity is crucial for enterprise productivity, and SSL has quickly gained popularity as a remote access
tool. In fact, SSL VPNs as a technology have shown promise in eliminating many of the client-side issues associated
with IPSec and other forms of remote access. Furthermore, SSL VPNs offer a smooth migration to a more cost-effective,
easier to deploy remote access solution than IPSec. SSL VPN’s combination of flexibility and functionality
makes it competitive with IPSec even when deployed for an enterprise’s “power users.”
In today’s crowded SSL VPN market, it’s easy to become overwhelmed by the wide range of solutions available.
Obviously, there are many factors to consider when purchasing an SSL VPN product, and you want to make the
best choice possible. This SSL VPN Evaluation Guide serves as an important resource in identifying, describing, and
prioritizing the criteria you should consider when selecting an SSL VPN provider that best fits the needs of your
organization.
Selection Criteria
In coming up with selection criteria, the functions offered by SSL VPNs have to be evaluated against two key
aspects: security and user experience. A truly successful deployment of a secure access solution cannot be achieved
without taking both aspects into consideration. Look for an SSL VPN that can also serve the organization’s long-term
needs, integrates seamlessly with the network architecture, and provides powerful management tools. The
optimal provider will excel in these key areas:
• Performance and scalability
• Security
• Ease of use
• Company reputation
• Technology leadership
Table of Contents
Security
    SSL VPN Firewall
    Hardened OS
    The Gap
    Virtualization/Network Separation
    Application Level Filtering
    Client Side Security
    Authentication
    Authorization
    Auditing
    Access Modes
User Experience
    Performance
    User Interface Customization
    Intuitive Use
    High Availability
Management and Administration
    Management Interfaces
    Components Deployment
    Delegations
Conclusion
About Array Networks
Security
In the case of SSL VPNs, the name itself implies one of the security measures being used. However, SSL does
not make a VPN. In other words, encryption by itself is not enough to provide the security required for today’s
applications. The advantage offered by SSL VPN based solutions lies in the combination of different levels of
protection:
• SSL VPN Firewall
• Hardened OS
• Network Gapping
• Client Side Security
• AAA
• Reducing Network Exposure (Various Access Modes)
• Application Level Filtering
• Virtualization and Network Separation
SSL VPN Firewall
Encryption can often be a double-edged sword; it is undiscriminating and offers confidentiality to both friend
and foe. As a result of the encryption, any firewall positioned in front of an SSL VPN appliance cannot inspect the
data sent to the appliance, since it does not have the ability to decrypt the traffic. Without a firewall in front, an
SSL VPN appliance is exposed to all sorts of network threats; it is for this reason that it needs firewall capabilities
of its own. These capabilities should include Denial of Service (DoS) protection (including DDoS protection) and
should apply the protection from the network through the application layers.
Key Questions You Should Ask Vendors:
1.	 Does the appliance have any type of firewall capabilities?
2.	 What layers are these capabilities applied to?
3.	 What type of DoS/DDoS protection is available?
4.	 What is the effect on performance when utilizing these features?
Hardened OS
Most operating systems expose network related vulnerabilities due to their generic nature. Commercial
operating systems like Linux, Windows and others are designed to serve a multitude of purposes and often
these purposes contradict, thus creating exposure to attacks. It is well known that the weakest spot provides the
most vulnerability.
Because an SSL VPN appliance is most likely exposed directly to all sorts of network threats (as
described in the previous section, and in conjunction with any firewall capabilities offered by the appliance), it is
crucial that the underlying operating system be designed to perform specific duties and not expose any
unnecessary interface (which can potentially turn into a vulnerability).
Key Questions You Should Ask Vendors:
5.	 What type of an OS is the appliance based upon?
6.	 What was done to the OS to reduce its exposure to attacks?
7.	 What types of tests were performed to assure the strength of the OS?
The Gap
Since it is acting as a gateway to the corporate network, it is important that an SSL VPN appliance create a gap
between the non-secured and secured networks so that end users cannot establish direct connections to secured
resources and applications.
Key Questions You Should Ask Vendors:
8.	 Does the appliance implement any type of “gap” technology?
9.	 Does this technology prevent end users from opening direct connections to resources?
10.	What throughput limitations does this technology present?
Virtualization/Network Separation
It is important to leverage the existing infrastructure to support multiple user communities, internal and external.
These communities could include employees, partners, customers, demo sites, etc. Each of the communities
should have its own independent look and feel and customization, and should be manageable by independent
administration groups. In addition, users who are part of a particular community should never be able to get into
another community’s infrastructure.
Key Questions You Should Ask Vendors:
11.	Does the device support multiple communities of interest on the same box?
12.	What features are customizable on a per community basis?
13.	What protection mechanisms are built in to prevent users of a community from getting access to resources
associated with another community?
Application Level Filtering
In keeping with the fine granularity of access control provided by SSL VPN solutions, the appliance needs to be able
to enforce access control policies based on protocol content.
Key Questions You Should Ask Vendors:
14.	Is application filtering provided on the box?
	 a. What protocols can be inspected with application level filtering?
Client Side Security
In striving to allow “anywhere, anytime” access, an SSL VPN appliance also introduces the risk of unsecured devices
getting access to secured network locations. For this reason it is crucial that an SSL VPN appliance provide client
side security facilities. These facilities should allow administrators to evaluate the risk posed by a workstation
(host checking) based on different parameters (determined by the administrator) and associate the result of the
evaluation to the forms of access allowed to users utilizing this workstation (and potentially prohibit any access if
it is determined the risk level is too high).
Client side security should also allow administrators to eliminate any “footprints” that might be left behind during
the course of a user session. Because access to SSL VPN appliances is based on the user’s Internet browser, local cache
entries might be stored in the browser. Client side security should allow administrators to eliminate these entries.
All that is required to utilize SSL VPN enabled access is a browser and a user account, so it is quite likely that users will
use different PCs, and not all of them are company issued; these might be home PCs, business centers, Internet
Cafés, etc. The main risk posed by these machines has to do with confidential information that might be left behind
by the user. To eliminate this risk, client side security should offer a “sandbox” facility, so that a user can securely
download any required content during a session, knowing that this content will be wiped automatically when the
session is terminated.
Key Questions You Should Ask Vendors:
16.	Does the appliance offer host checking facilities?
17.	What type of information can be checked on the host machine (i.e. anti-virus software, registry values, etc.)?
18.	What anti-virus products are built-in?
19.	What browsers are supported?
20.	Are administrative privileges required?
21.	What operating systems are supported?
22.	Does the appliance offer cache cleaning facilities?
23.	Does the appliance offer “sandbox” functionality?
24.	What level of access control can be enforced based on the client profile?
Authentication
Authentication is the first step of establishing the identity of a user. The majority of the complexity related to
authentication has to do with integration. Most organizations have existing standard authentication interfaces,
such as RADIUS or LDAP in place, and the appliance should be capable of integrating with these interfaces without
any special configuration.
A challenge exists when a non-standard interface is used, such as legacy systems, databases and others. For
these cases it is important that the appliance provide a customization infrastructure that allows for quick
integration with these non-standard interfaces.
A special case of authentication has to do with SSL client side certificates. Client side certificates are an additional
level of protection for the establishment of SSL connections, requiring each client to identify itself with its own
unique certificate. For SSL VPN appliances this process takes place before the login page is ever presented to the
user, since the login page is presented over an SSL connection. In many cases the client side certificate will be used
as the only identifier for user sessions (for example USB-based client side certificates). For complete protection it is
necessary to be able to associate user sessions with the content of the certificate.
Key Questions You Should Ask Vendors:
25.	What authentication methods are supported (and what configuration is required)?
	 a) RADIUS
	 b) LDAP
	 c) Active Directory
	 d) NDS
	 e) SecurID
	 f) Certificate Based
	 g) Local
	 h) Others
26.	Do any of the standard methods require server-side configuration?
27.	How are different dual-factor authentication interfaces handled?
28.	Can authentication be turned off?
29.	Can multiple authentication interfaces be supported concurrently?
Authorization
Role based authorization is an important part of almost any security policy and regulation. Administrators need
to be able to limit access to information and applications based on the user role (or associations) within the
organization. These policies should be flexible enough to answer the most complex requirements; they should
also be as dynamic as possible so that changes and updates can be applied easily and quickly.
The most important factor related to authorization policies is the granularity of authorization they provide. For
example a web based authorization policy that allows filtering based on URL is more granular than an IP based
policy that prevents access to port 80 of a specific server.
In addition, authorization policies often introduce significant integration complexities. Where should the policies
be stored? How should they be associated with users and groups? To avoid these complexities and allow for a
smooth integration, the appliance should offer the greatest flexibility possible, allowing policies to be stored
locally as well as on an external server, and also allowing administrators to correlate external information
(its source is usually the external authentication server) with locally stored policies. In keeping with the fine
granularity of access control provided by SSL VPN solutions, the appliance needs to be able to enforce access control policies.
Key Questions You Should Ask Vendors:
30.	What types of policies are supported (i.e. web based, shared directory, TCP, etc.)?
31.	Are policies defined as PERMIT or DENY policies?
32.	When designing policies, is it possible to apply “White List” and “Black List” approaches?
33.	Can policies be associated with users, groups or both?
34.	How are policies stored and retrieved?
35.	Can policies be stored on external servers?
36.	Can policies be stored locally on the appliance?
37.	Can policies be retrieved locally based on information from external servers?
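The granularity point made in the Authorization section, and the PERMIT/DENY, white list/black list and user/group questions above, can be exercised with a small policy evaluator. This is an added example, not Array Networks code: the `Rule` format, the function names and the address `10.0.0.5` are all constructed for illustration.

```python
import posixpath
from dataclasses import dataclass
from fnmatch import fnmatchcase
from urllib.parse import unquote, urlsplit

PERMIT, DENY = "PERMIT", "DENY"


@dataclass(frozen=True)
class Rule:
    action: str   # PERMIT or DENY
    subject: str  # "user:<name>" or "group:<name>"
    kind: str     # "web" = URL-level rule, "tcp" = IP/port-level rule
    pattern: str  # web: glob over "host/path"; tcp: exact "host:port"


def web_resource(url):
    """Canonical "host/path" for a URL. Percent-decoding and dot-segment
    removal happen before matching, so "/wiki/../hr" cannot match "/wiki/*"."""
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path) or "/")
    return f"{(parts.hostname or '').lower()}/{path.lstrip('/')}"


def tcp_endpoint(url):
    """What an IP/port-level policy sees of the same request: host:port only."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}[parts.scheme]
    return f"{parts.hostname}:{port}"


def decide(rules, user, groups, kind, target, default=DENY):
    """DENY wins over PERMIT. default=DENY gives a white list (only what is
    explicitly permitted passes); default=PERMIT gives a black list."""
    subjects = {f"user:{user}"} | {f"group:{g}" for g in groups}
    verdict = default
    for rule in rules:
        if rule.kind != kind or rule.subject not in subjects:
            continue
        if kind == "tcp":
            hit = rule.pattern == target
        else:
            hit = fnmatchcase(target, rule.pattern)
        if not hit:
            continue
        if rule.action == DENY:
            return DENY
        verdict = PERMIT
    return verdict


# Constructed policies for one internal web server (address is an assumption).
COARSE = [Rule(PERMIT, "group:partners", "tcp", "10.0.0.5:80")]
FINE = [
    Rule(PERMIT, "group:partners", "web", "10.0.0.5/wiki/*"),
    Rule(DENY, "group:partners", "web", "10.0.0.5/wiki/admin/*"),
    Rule(PERMIT, "user:alice", "web", "10.0.0.5/hr/*"),
]


def compare(url, user, groups):
    """Verdicts for the same request under the IP/port policy and the URL policy."""
    coarse = decide(COARSE, user, groups, "tcp", tcp_endpoint(url))
    fine = decide(FINE, user, groups, "web", web_resource(url))
    return coarse, fine


if __name__ == "__main__":
    for url in (
        "http://10.0.0.5/wiki/Home",
        "http://10.0.0.5/hr/payroll",
        "http://10.0.0.5/wiki/%2e%2e/hr/payroll",
        "http://10.0.0.5/wiki/admin/users",
    ):
        print(url, compare(url, "bob", ["partners"]))
```

The IP/port policy returns the same verdict for every URL on the server, while the URL-level policy separates them per path and per subject.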
Auditing
An extensive audit trail is a primary requirement of all security related regulations and policies. The audit information
should be generated in formats that allow easy analysis for both security and status monitoring reasons.
Key Questions You Should Ask Vendors:
38.	How is the audit trail provided?
39.	What formats of logging are supported?
40.	What information is logged?
41.	What tools can be used with the logs?
Access Modes (Network Exposure)
SSL VPN solutions gained much ground over the more traditional IPSec technology by being recognized as
“clientless” solutions. As SSL VPN technology evolved and matured, it too introduced several client options,
although in most cases these are dynamic clients that require no pre-installation. However, SSL VPN solutions still
offer many advantages over IPSec technology; one of those advantages is the variety of access modes.
These access modes allow administrators to extend their applications, with the least amount of network level
exposure possible, which in turn significantly reduces the risk posed to the network. Most SSL VPN solutions offer
variations of the following access modes:
• Native Web Application and File sharing support (least network exposure)
• Thin client support
• Client/Server application support, also known as redirection (moderate network exposure)
• Network level access (full network exposure)
Naturally it is best to prefer the least amount of network exposure possible and therefore take advantage of
native Web applications and file sharing support. However, the reality is that there are many legacy networking
applications deployed that require tunneling (such as redirection or full network level access). It is therefore
important to be able to offer the end user a combination of access modes that will reduce network exposure
on one hand, and provide convenient and easy access on the other.
An example of such a case is the combination of network level access and native file sharing. Although it might
be possible to offer Windows file sharing through various tunneling services, it exposes the network to a variety
of threats, related to the ports that have to be open in order to allow this type of functionality. Therefore an
administrator might choose to block these ports using authorization policies. In this case users can utilize the
native file sharing offered by the appliance. This is only possible if users can use all the different access modes at
the same time.
Key Questions You Should Ask Vendors:
42.	What type of access modes does the solution offer?
43.	What types of applications are supported?
44.	What is the underlying technology (i.e. Java, ActiveX, etc…)?
45.	Can it offer access to resources based on IP address, DNS host names or both?
46.	What types of thin clients are supported?
47.	Publishing applications through MS Terminal Services?
48.	Publishing applications through Citrix Metaframe?
49.	What configuration is required for Citrix integration?
50.	How is the client delivered to the end-user?
51.	How are versions being updated?
52.	Are full and split tunneling settings supported?
53.	How are IP addresses being assigned?
54.	What is the underlying technology (virtual adapter, PPTP, L2TP, redirection)?
55.	Can this mode coexist with the other access modes (for example, is it possible to use this access mode and
native web application at the same time)?
56.	What operating systems are supported by this mode?
User Experience
The end-user experience is determined by a variety of factors:
• Performance - How fast data is accessed and applications are executed.
• User Interface Customization - The ability to provide users with an interface that will be intuitive for their
knowledge and needs.
• Intuitive Use - Using the various access modes should be easy and intuitive. No installation should be
required and user interaction should be kept to a minimum.
• High Availability
The importance of the user experience is obvious and is the main factor of productivity. However it is also crucial
to remember that a good user experience also reduces the volume of support and help-desk calls.
Performance
To gauge the performance abilities of an SSL VPN product, various parameters should be taken into
consideration:
• Maximum number of concurrent user sessions - The maximum number of users that can be logged in at
the same time.
• Maximum number of concurrent SSL connections - The maximum number of SSL connections that the
device can sustain. Assuming that each user session requires at least one connection, this number should be
equal to, if not greater than, the maximum number of concurrent user sessions.
• Maximum number of SSL operations - It is common practice with SSL devices to state the number of
SSL handshakes per second (or key exchanges); however, this is a narrow definition since it covers only a
portion of the SSL activity. Therefore the definition of this parameter should encompass both the initial SSL
handshake and the bulk encryption that follows.
• Maximum bulk encryption throughput - Most of the encryption performed by an SSL VPN device is bulk,
which is the symmetric encryption portion of SSL.
These parameters must complement each other. For example, just supporting the right number of concurrent user
sessions is not enough; the number of concurrent user sessions must be complemented by the ability to support
the proper volume of SSL operations (i.e. high transaction rate per second, high throughput). This is a potential
hidden cost factor that must be taken into consideration. The trade-off is clear: fewer operations/sec per user means
slower performance and poor user experience. Mismatched performance and scalability will lead to the purchase
of additional units even though the initial units support the right number of concurrent user sessions.
Under no-load conditions, all appliances introduce some extra latency. But the true mettle of an appliance comes
across when the device is loaded at the levels at which it is expected to operate. The better devices should be able
to handle higher throughputs while still providing an acceptable user experience.
Key Questions You Should Ask Vendors:
57.	Does the appliance use hardware acceleration for SSL encryption?
58.	Maximum number of concurrent user sessions?
59.	Maximum number of concurrent SSL connections?
60.	Maximum number of SSL operations per time unit?
61.	Bulk SSL throughput?
62.	What kind of additional latency is introduced by the appliance under no-load conditions?
63.	What kind of latency is observed under the targeted work load?
64.	Does the appliance offer any other functions designed to enhance performance and user experience?
User Interface Customization
The user interface of an SSL-VPN appliance is usually made of different web pages: login, portal, logout and
various error pages. Different users, partners, employees from different departments, and others have different
applications and information available to them. Access to these applications and information depends on many
parameters such as their role and needs. Different users require different user interfaces; the page designed for
employee access might not be suitable for partner access.
For an access solution to be effective the user interface must be customizable in a way that allows for each group
(not to be confused with security related groups) to have the design that best fits their needs. For example, partner
access login might be performed from within an existing partner web site, whereas employees would go to a
special URL designed for employee use only.
Customizing the user interface goes beyond a special layout for each group of users. Each organization has its own
procedures and business logic needs. The need to synchronize certain files after authentication and integration
with proprietary authentication databases are just some examples of those needs. An access solution must have
a way to integrate and interact with such customization.
Overall, the user interface is an important component in a good user experience; it is also crucial for user
productivity. An access solution with a poor user interface, whether because of its design or a lack of custom business logic
integration, will reduce the productivity of its users.
Key Questions You Should Ask Vendors:
65.	What components of the user interface are customizable?
66.	Login page?
67.	Portal page(s)?
68.	Logout page?
69.	Error pages?
70.	Can the pages be customized per user or group profile?
71.	To what level can each of these pages be customized?
72.	Customizable logo?
73.	Customizable messages as part of an existing template?
74.	Integrating with existing organizational portals?
75.	Is it possible to create anonymous pages, on which there is no vendor signature?
Intuitive Use
As described in section 2.6, one of the strengths of SSL-VPN based solutions is in the variety of access modes they
provide. However, these different options might create confusion for end users. It is therefore crucial that the use
of these different modes be as intuitive as possible and require as little user interaction as possible.
Key Questions You Should Ask Vendors:
76.	Do any of the access modes require pre-installation?
77.	Do any of the dynamic components require manual triggering by the user?
78.	Is Single Sign-On (SSO) supported?
High Availability
High availability is a part of the end user experience that should be completely hidden. The best user experience
is a consistent one, with no or minimal downtime. This goal should be achieved within the overall security
considerations.
Key Questions You Should Ask Vendors:
79.	Does the appliance support high-availability?
	 a. How is high-availability implemented?
	 b. Can multiple units be clustered together?
	 c. If so, is there a limit to the maximum number of units that can be clustered together?
80.	Does the high-availability require any special hardware?
81.	Does the high-availability require any special connections?
Management and Administration
Supporting all the different user experience and security related settings mentioned in earlier sections may
translate into an administrative nightmare. It is for that reason that any SSL VPN appliance should address the
following issues:
• Management Interfaces - CLI, Web user interface, etc.
• Components Deployment - How are the different dynamic components (ActiveX, Java applets, etc...)
deployed to the end user?
• Administrative Privileges - Do any of the dynamic components require administrative or other
privileges?
• Administration Delegation - Can the administrative load be delegated between different administrators?
Management Interfaces
The administrator experience of an SSL VPN appliance is as important as the end-user experience. Offering a variety
of management interfaces may ease the complexity of the administration task as it provides the administrator
with a customizable interface.
Key Questions You Should Ask Vendors:
82.	What type of management interfaces are offered by the appliance?
	 a. Does the device offer a CLI for management?
	 b. Does the device offer a Web User Interface?
	 c. Does the device offer SNMP support?
	 d. Does the device offer any programmable management interface that can be used in
	 conjunction with other Network Management tools?
	 e. Others?
83.	Can all administrative tasks be performed from any of the interfaces?
84.	If not, which of the tasks can be performed by which of the interfaces?
Components Deployed
Most SSL VPN solutions deploy various components (depending on the functionality being used). The
deployment of these components, if not performed seamlessly, may create a significant load on support personnel,
and ultimately hike the cost of supporting such a solution. The components discussed in this section vary from
dynamic components required for different tunneling services (such as Java applets) to components performing host checking
and cache cleaning.
An additional consideration regarding the different components is whether they require administrative privileges.
For example ActiveX components will not execute for restricted users, Java applets might be blocked from
accessing the network and standalone executables require administrative privileges to be installed. In some cases
these components require privileges only once while being installed and in others they require these privileges
every time they are being used. In any case the need for administrative privileges creates a significant deployment
complexity and should be avoided as much as possible.
Key Questions You Should Ask Vendors:
85.	What are all the components that are being used by the appliance
(ActiveX, Java applets and different types of executables)?
86.	For each of the components described above?
Delegation
For operational convenience and security reasons, it is commonly required that different administrators will be
assigned to manage different communities. The appliance should provide a method that will allow for delegation
of administrative roles between different administrators. The delegation should also allow for administrator
buffering, essentially having different administrators for the same unit without allowing them to interfere with
each other’s responsibilities.
Key Questions You Should Ask Vendors:
87.	Does the appliance allow for the definition of multiple administrators?
88.	Can different administrators be assigned with different administration roles?
89.	Does the appliance provide any type of separation between different administrators?
Conclusion
A proper selection of an SSL VPN device involves an understanding of today’s and future needs, as well as careful
evaluation of the capabilities of the different devices under consideration.
Array is happy to assist you in learning more about existing SSL VPN solutions and keep you informed on
future developments, so that you can make the most informed decision about your company’s secure access
requirements.
About Array Networks
Founded in 2000, Array Networks is a global leader in enterprise secure application delivery and universal
access solutions. More than 5000 customers worldwide – including enterprises, service providers, government
and vertical organizations in health care, finance, insurance and education – rely on Array to provide anytime,
anywhere secure and optimized access. Industry leaders including Deloitte, Red Herring, Gartner, and Frost and
Sullivan have recognized Array as a market and technology leader.
Corporate Headquarters
Array Networks, Inc.
1371 McCarthy Blvd.
Milpitas, CA 95035
408-240-8700
1 866 MY-ARRAY
arraynetworks.net

ASIA Headquarters
Array Networks China (Beijing) Corp., Inc.
Liang Ma Qiao Road, Chaoyang District,
Beijing, No. 40, the Twenty-First Century,
10-Story Building, Room 1001-1017
Post Code: 100016
+010-84446688

EMEA Headquarters
Array Networks UK
4 Cross End
Wavendon
Milton Keynes
MK178AQ
+44 (0) 7717 153 159

To purchase Array Networks Solutions, please contact your Array Networks representative at
1-866 MY-ARRAY (692-7729) or authorized reseller.
Copyright 2011 Array Networks, Inc. All rights reserved. Array Networks, the Array Networks logo, AppVelocity, NetVelocity,
ArrayGates, and SpeedCore are all trademarks of Array Networks, Inc. in the United States and other countries.
All other trademarks, service marks, registered marks, or registered service marks are the property of their respective
owners. Array Networks assumes no responsibility for any inaccuracies in this document. Array Networks reserves the
right to change, modify, transfer, or otherwise revise this publication without notice.
May-2011 rev. a
Vmware Seminar Security & Compliance for the cloud with Trend Micro
Graeme Wood
 
ANS Solution Portfolio
ANS Solution PortfolioANS Solution Portfolio
ANS Solution Portfolio
jclauer
 
From Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the UnexpectedFrom Disaster to Recovery: Preparing Your IT for the Unexpected
From Disaster to Recovery: Preparing Your IT for the Unexpected
DataCore Software
 
Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012Data Power For Pci Webinar Aug 2012
Data Power For Pci Webinar Aug 2012
gaborvodics
 
A Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise ApplicationsA Single Strong Authentication Platform for Cloud and On-Premise Applications
A Single Strong Authentication Platform for Cloud and On-Premise Applications
SafeNet
 
Testting application with a presentation downloaded from the internet
Testting application with a presentation downloaded from the internetTestting application with a presentation downloaded from the internet
Testting application with a presentation downloaded from the internet
indradipg
 

Similar to SSL VPN Evaluation Guide (20)

Rik Ferguson
Rik FergusonRik Ferguson
Rik Ferguson
CloudExpoEurope
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
 
Multi-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdfMulti-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdf
shriyarastogi7
 
Multi-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdfMulti-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdf
shriyarastogi7
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptx
chelsi33
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
SahilSingh316535
 
Can You Trust Cloud Security In Public Cloud?
Can You Trust Cloud Security In Public Cloud?Can You Trust Cloud Security In Public Cloud?
Can You Trust Cloud Security In Public Cloud?
Intelligentia IT Systems Pvt. Ltd.
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)Security As A Service In Cloud(SECaaS)
Security As A Service In Cloud(SECaaS)
أحلام انصارى
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
Armor
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
Sweta Kumari Barnwal
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Raj Sarode
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
STO STRATEGY
 
Saas security
Saas securitySaas security
Saas security
Sandeep Sharma IIMK Smart City,IoT,Bigdata,Cloud,BI,DW
 
Enterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsEnterprise firewalls feature and benefits
Enterprise firewalls feature and benefits
Anthony Daniel
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
Comparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdfComparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdf
ImamBahrudin5
 
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera - Operational Complexity: The Biggest Security Threat to Your AWS Env...
Cyxtera Technologies
 
Multi-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdfMulti-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdf
shriyarastogi7
 
Multi-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdfMulti-Factor Authentication Evaluation Guide.pdf
Multi-Factor Authentication Evaluation Guide.pdf
shriyarastogi7
 
Purpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White PaperPurpose-Built-SSL-VPN White Paper
Purpose-Built-SSL-VPN White Paper
Array Networks
 
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS EnvironmentOperational Complexity: The Biggest Security Threat to Your AWS Environment
Operational Complexity: The Biggest Security Threat to Your AWS Environment
Cryptzone
 
SaaS Security.pptx
SaaS Security.pptxSaaS Security.pptx
SaaS Security.pptx
chelsi33
 
saassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdfsaassecurity-230424030940-08314322.pdf
saassecurity-230424030940-08314322.pdf
SahilSingh316535
 
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
#ALSummit: SCOR Velogica's Journey to SOC2/TYPE2 Via AWS
Alert Logic
 
How to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network SecurityHow to Overcome Network Access Control Limitations for Better Network Security
How to Overcome Network Access Control Limitations for Better Network Security
Cryptzone
 
The Cloud Crossover
The Cloud CrossoverThe Cloud Crossover
The Cloud Crossover
Armor
 
Module 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUDModule 5-cloud computing-SECURITY IN THE CLOUD
Module 5-cloud computing-SECURITY IN THE CLOUD
Sweta Kumari Barnwal
 
Chap 6 cloud security
Chap 6 cloud securityChap 6 cloud security
Chap 6 cloud security
Raj Sarode
 
AWS Security Challenges
AWS Security ChallengesAWS Security Challenges
AWS Security Challenges
STO STRATEGY
 
Enterprise firewalls feature and benefits
Enterprise firewalls feature and benefitsEnterprise firewalls feature and benefits
Enterprise firewalls feature and benefits
Anthony Daniel
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
Akash Mahajan
 
Comparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdfComparison Review Forticlient x Kaspersky.pdf
Comparison Review Forticlient x Kaspersky.pdf
ImamBahrudin5
 
Ad

More from Array Networks (20)

Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Array Networks
 
WAF FOR PCI-DSS COMPLIANCE
WAF FOR PCI-DSS COMPLIANCEWAF FOR PCI-DSS COMPLIANCE
WAF FOR PCI-DSS COMPLIANCE
Array Networks
 
Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks’ Application Delivery Solutions Now Available Through Promark ...Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks
 
Array Networks - Application Availability, Security & Performance
Array Networks - Application Availability, Security & PerformanceArray Networks - Application Availability, Security & Performance
Array Networks - Application Availability, Security & Performance
Array Networks
 
Virtual WAN Optimization Controllers Data Sheet - Array Networks
Virtual WAN Optimization Controllers Data Sheet - Array NetworksVirtual WAN Optimization Controllers Data Sheet - Array Networks
Virtual WAN Optimization Controllers Data Sheet - Array Networks
Array Networks
 
Web Application Firewall (WAF) Data Sheet - Array Networks
Web Application Firewall (WAF) Data Sheet - Array NetworksWeb Application Firewall (WAF) Data Sheet - Array Networks
Web Application Firewall (WAF) Data Sheet - Array Networks
Array Networks
 
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array NetworksVirtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Array Networks
 
Array Networks Case Study - SoftLayer
Array Networks Case Study - SoftLayerArray Networks Case Study - SoftLayer
Array Networks Case Study - SoftLayer
Array Networks
 
DELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
DELL STORAGE REPLICATION aCelera and WAN Series Solution BriefDELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
DELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
Array Networks
 
Array Networks & Microsoft Exchange Server 2010
Array Networks & Microsoft Exchange Server 2010Array Networks & Microsoft Exchange Server 2010
Array Networks & Microsoft Exchange Server 2010
Array Networks
 
eCLINICALWORKS APV Series Solution Brief
eCLINICALWORKS APV Series Solution BriefeCLINICALWORKS APV Series Solution Brief
eCLINICALWORKS APV Series Solution Brief
Array Networks
 
Array APV Series application delivery controllers help scale performance, ava...
Array APV Series application delivery controllers help scale performance, ava...Array APV Series application delivery controllers help scale performance, ava...
Array APV Series application delivery controllers help scale performance, ava...
Array Networks
 
APPLICATION DELIVERY CONTROLLERS
APPLICATION DELIVERY CONTROLLERSAPPLICATION DELIVERY CONTROLLERS
APPLICATION DELIVERY CONTROLLERS
Array Networks
 
WAN OPTIMIZATION CONTROLLERS
WAN OPTIMIZATION CONTROLLERSWAN OPTIMIZATION CONTROLLERS
WAN OPTIMIZATION CONTROLLERS
Array Networks
 
VIRTUAL SECURE ACCESS GATEWAY
VIRTUAL SECURE ACCESS GATEWAYVIRTUAL SECURE ACCESS GATEWAY
VIRTUAL SECURE ACCESS GATEWAY
Array Networks
 
VIRTUAL APPLICATION DELIVERY CONTROLLERS
VIRTUAL APPLICATION DELIVERY CONTROLLERSVIRTUAL APPLICATION DELIVERY CONTROLLERS
VIRTUAL APPLICATION DELIVERY CONTROLLERS
Array Networks
 
AVX SERIES VIRTUALIZED APPLIANCES
AVX SERIES VIRTUALIZED APPLIANCESAVX SERIES VIRTUALIZED APPLIANCES
AVX SERIES VIRTUALIZED APPLIANCES
Array Networks
 
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks
 
Large-Scale Remote Access & Mobility
Large-Scale Remote Access & MobilityLarge-Scale Remote Access & Mobility
Large-Scale Remote Access & Mobility
Array Networks
 
Tablet Access to Business Applications
Tablet Access to Business ApplicationsTablet Access to Business Applications
Tablet Access to Business Applications
Array Networks
 
Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Redefining ADCs for Software-as-a-Service Application Delivery that’s Scalabl...
Array Networks
 
WAF FOR PCI-DSS COMPLIANCE
WAF FOR PCI-DSS COMPLIANCEWAF FOR PCI-DSS COMPLIANCE
WAF FOR PCI-DSS COMPLIANCE
Array Networks
 
Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks’ Application Delivery Solutions Now Available Through Promark ...Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks’ Application Delivery Solutions Now Available Through Promark ...
Array Networks
 
Array Networks - Application Availability, Security & Performance
Array Networks - Application Availability, Security & PerformanceArray Networks - Application Availability, Security & Performance
Array Networks - Application Availability, Security & Performance
Array Networks
 
Virtual WAN Optimization Controllers Data Sheet - Array Networks
Virtual WAN Optimization Controllers Data Sheet - Array NetworksVirtual WAN Optimization Controllers Data Sheet - Array Networks
Virtual WAN Optimization Controllers Data Sheet - Array Networks
Array Networks
 
Web Application Firewall (WAF) Data Sheet - Array Networks
Web Application Firewall (WAF) Data Sheet - Array NetworksWeb Application Firewall (WAF) Data Sheet - Array Networks
Web Application Firewall (WAF) Data Sheet - Array Networks
Array Networks
 
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array NetworksVirtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Virtual Web Application Firewall (vAWF) Data Sheet - Array Networks
Array Networks
 
Array Networks Case Study - SoftLayer
Array Networks Case Study - SoftLayerArray Networks Case Study - SoftLayer
Array Networks Case Study - SoftLayer
Array Networks
 
DELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
DELL STORAGE REPLICATION aCelera and WAN Series Solution BriefDELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
DELL STORAGE REPLICATION aCelera and WAN Series Solution Brief
Array Networks
 
Array Networks & Microsoft Exchange Server 2010
Array Networks & Microsoft Exchange Server 2010Array Networks & Microsoft Exchange Server 2010
Array Networks & Microsoft Exchange Server 2010
Array Networks
 
eCLINICALWORKS APV Series Solution Brief
eCLINICALWORKS APV Series Solution BriefeCLINICALWORKS APV Series Solution Brief
eCLINICALWORKS APV Series Solution Brief
Array Networks
 
Array APV Series application delivery controllers help scale performance, ava...
Array APV Series application delivery controllers help scale performance, ava...Array APV Series application delivery controllers help scale performance, ava...
Array APV Series application delivery controllers help scale performance, ava...
Array Networks
 
APPLICATION DELIVERY CONTROLLERS
APPLICATION DELIVERY CONTROLLERSAPPLICATION DELIVERY CONTROLLERS
APPLICATION DELIVERY CONTROLLERS
Array Networks
 
WAN OPTIMIZATION CONTROLLERS
WAN OPTIMIZATION CONTROLLERSWAN OPTIMIZATION CONTROLLERS
WAN OPTIMIZATION CONTROLLERS
Array Networks
 
VIRTUAL SECURE ACCESS GATEWAY
VIRTUAL SECURE ACCESS GATEWAYVIRTUAL SECURE ACCESS GATEWAY
VIRTUAL SECURE ACCESS GATEWAY
Array Networks
 
VIRTUAL APPLICATION DELIVERY CONTROLLERS
VIRTUAL APPLICATION DELIVERY CONTROLLERSVIRTUAL APPLICATION DELIVERY CONTROLLERS
VIRTUAL APPLICATION DELIVERY CONTROLLERS
Array Networks
 
AVX SERIES VIRTUALIZED APPLIANCES
AVX SERIES VIRTUALIZED APPLIANCESAVX SERIES VIRTUALIZED APPLIANCES
AVX SERIES VIRTUALIZED APPLIANCES
Array Networks
 
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks to Deliver First Highly-Resilient “Open Sandwich” Layer-3 Scal...
Array Networks
 
Large-Scale Remote Access & Mobility
Large-Scale Remote Access & MobilityLarge-Scale Remote Access & Mobility
Large-Scale Remote Access & Mobility
Array Networks
 
Tablet Access to Business Applications
Tablet Access to Business ApplicationsTablet Access to Business Applications
Tablet Access to Business Applications
Array Networks
 
Ad

Recently uploaded (20)

Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Raffi Khatchadourian
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Q1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor PresentationQ1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor Presentation
Dropbox
 
MINDCTI revenue release Quarter 1 2025 PR
MINDCTI revenue release Quarter 1 2025 PRMINDCTI revenue release Quarter 1 2025 PR
MINDCTI revenue release Quarter 1 2025 PR
MIND CTI
 
Web and Graphics Designing Training in Rajpura
Web and Graphics Designing Training in RajpuraWeb and Graphics Designing Training in Rajpura
Web and Graphics Designing Training in Rajpura
Erginous Technology
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Raffi Khatchadourian
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Unlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web AppsUnlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web Apps
Maximiliano Firtman
 
TrsLabs - Leverage the Power of UPI Payments
TrsLabs - Leverage the Power of UPI PaymentsTrsLabs - Leverage the Power of UPI Payments
TrsLabs - Leverage the Power of UPI Payments
Trs Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
The Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI IntegrationThe Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI Integration
Re-solution Data Ltd
 
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptxReimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
Reimagine How You and Your Team Work with Microsoft 365 Copilot.pptx
John Moore
 
AsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API DesignAsyncAPI v3 : Streamlining Event-Driven API Design
AsyncAPI v3 : Streamlining Event-Driven API Design
leonid54
 
How to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabberHow to Install & Activate ListGrabber - eGrabber
How to Install & Activate ListGrabber - eGrabber
eGrabber
 
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep DiveDesigning Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
Designing Low-Latency Systems with Rust and ScyllaDB: An Architectural Deep Dive
ScyllaDB
 
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
GDG Cloud Southlake #42: Suresh Mathew: Autonomous Resource Optimization: How...
James Anderson
 
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
Transcript: #StandardsGoals for 2025: Standards & certification roundup - Tec...
BookNet Canada
 
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Challenges in Migrating Imperative Deep Learning Programs to Graph Execution:...
Raffi Khatchadourian
 
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à GenèveUiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPath Automation Suite – Cas d'usage d'une NGO internationale basée à Genève
UiPathCommunity
 
Q1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor PresentationQ1 2025 Dropbox Earnings and Investor Presentation
Q1 2025 Dropbox Earnings and Investor Presentation
Dropbox
 
MINDCTI revenue release Quarter 1 2025 PR
MINDCTI revenue release Quarter 1 2025 PRMINDCTI revenue release Quarter 1 2025 PR
MINDCTI revenue release Quarter 1 2025 PR
MIND CTI
 
Web and Graphics Designing Training in Rajpura
Web and Graphics Designing Training in RajpuraWeb and Graphics Designing Training in Rajpura
Web and Graphics Designing Training in Rajpura
Erginous Technology
 
Vaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without HallucinationsVaibhav Gupta BAML: AI work flows without Hallucinations
Vaibhav Gupta BAML: AI work flows without Hallucinations
john409870
 
AI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of DocumentsAI Agents at Work: UiPath, Maestro & the Future of Documents
AI Agents at Work: UiPath, Maestro & the Future of Documents
UiPathCommunity
 
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Hybridize Functions: A Tool for Automatically Refactoring Imperative Deep Lea...
Raffi Khatchadourian
 
UiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer OpportunitiesUiPath Agentic Automation: Community Developer Opportunities
UiPath Agentic Automation: Community Developer Opportunities
DianaGray10
 
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025Zilliz Cloud Monthly Technical Review: May 2025
Zilliz Cloud Monthly Technical Review: May 2025
Zilliz
 
Unlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web AppsUnlocking Generative AI in your Web Apps
Unlocking Generative AI in your Web Apps
Maximiliano Firtman
 
TrsLabs - Leverage the Power of UPI Payments
TrsLabs - Leverage the Power of UPI PaymentsTrsLabs - Leverage the Power of UPI Payments
TrsLabs - Leverage the Power of UPI Payments
Trs Labs
 
Generative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in BusinessGenerative Artificial Intelligence (GenAI) in Business
Generative Artificial Intelligence (GenAI) in Business
Dr. Tathagat Varma
 
The Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI IntegrationThe Future of Cisco Cloud Security: Innovations and AI Integration
The Future of Cisco Cloud Security: Innovations and AI Integration
Re-solution Data Ltd
 

SSL VPN Evaluation Guide

Table of Contents

Security
SSL VPN Firewall
Hardened OS
The Gap
Virtualization/Network Separation
Application Level Filtering
Client Side Security
Authentication
Authorization
Auditing
Access Modes
User Experience
Performance
User Interface Customization
Intuitive Use
High Availability
Management and Administration
Management Interfaces
Components Deployment
Delegations
Conclusion
About Array Networks
  • 4. Security

    In the case of SSL VPNs, the name itself implies one of the security measures being used. However, SSL does not make a VPN. In other words, encryption by itself is not enough to provide the security required for today's applications. The advantage offered by SSL VPN based solutions lies in the combination of different levels of protection:

    - SSL VPN Firewall
    - Hardened OS
    - Network Gapping
    - Client Side Security
    - AAA
    - Reducing Network Exposure (Various Access Modes)
    - Application Level Filtering
    - Virtualization and Network Separation

    SSL VPN Firewall

    Encryption can often be a double-edged sword; it is undiscriminating and offers confidentiality to both friend and foe. Because the traffic is encrypted, any firewall positioned in front of an SSL VPN appliance cannot inspect the data sent to the appliance, since it does not have the ability to decrypt the traffic. Without a firewall in front, an SSL VPN appliance is exposed to all sorts of network threats; it is for this reason that it needs firewall capabilities of its own. These capabilities should include Denial of Service (DoS) protection (including DDoS protection) and apply the protection from the network through the application layers.

    Key Questions You Should Ask Vendors:
    1. Does the appliance have any type of firewall capabilities?
    2. What layers are these capabilities applied to?
    3. What type of DoS/DDoS protection is available?
    4. What is the effect on performance when utilizing these features?

    Hardened OS

    Most operating systems expose network related vulnerabilities due to their generic nature. Commercial operating systems like Linux, Windows and others are designed to serve a multitude of purposes, and often these purposes contradict, thus creating exposure to attacks. It is well known that the weakest spot provides the most vulnerability.

    Given that an SSL VPN appliance is most likely exposed directly to all sorts of network threats (as described in the previous section and in conjunction with any firewall capabilities offered by the appliance), it is crucial that the underlying operating system be designed to perform specific duties and not expose any unnecessary interface (which can potentially turn into a vulnerability).
  • 5. Key Questions You Should Ask Vendors:
    5. What type of an OS is the appliance based upon?
    6. What was done to the OS to reduce its exposure to attacks?
    7. What type of tests were performed to assure the strength of the OS?

    The Gap

    Since it is acting as a gateway to the corporate network, it is important that an SSL VPN appliance create a gap between the non-secured and secured networks so that end users cannot establish direct connections to secured resources and applications.

    Key Questions You Should Ask Vendors:
    8. Does the appliance implement any type of "gap" technology?
    9. Does this technology prevent end users from opening direct connections to resources?
    10. What throughput limitations does this technology present?

    Virtualization/Network Separation

    It is important to leverage the existing infrastructure to support multiple user communities, internal and external. These communities could include employees, partners, customers, demo sites, etc. Each of the communities should have its own independent look and feel and customization, and should be manageable by independent administration groups. In addition, users who are part of a particular community should never be able to get into another community's infrastructure.

    Key Questions You Should Ask Vendors:
    11. Does the device support multiple communities of interest on the same box?
    12. What features are customizable on a per community basis?
    13. What protection mechanisms are built in to prevent users of one community from getting access to resources associated with another community?

    Application Level Filtering

    In keeping with the fine granularity of access control provided by SSL VPN solutions, the appliance needs to be able to enforce access control policies based on protocol content.

    Key Questions You Should Ask Vendors:
    14. Is application filtering provided on the box?
        a. What protocols can be inspected with application level filtering?
  • 6. Client Side Security

    In striving to allow "anywhere, anytime" access, an SSL VPN appliance also introduces the risk of unsecured devices getting access to secured network locations. For this reason it is crucial that an SSL VPN appliance provide client side security facilities. These facilities should allow administrators to evaluate the risk posed by a workstation (host checking) based on different parameters (determined by the administrator) and associate the result of the evaluation with the forms of access allowed to users utilizing this workstation (and potentially prohibit any access if it is determined the risk level is too high).

    Client side security should also allow administrators to eliminate any "footprints" that might be left behind during the course of a user session. Because access to SSL VPN appliances is based on the user's Internet browser, local cache entries might be stored in the browser. Client side security should allow administrators to eliminate these entries.

    All that is required to utilize SSL VPN enabled access is a browser and a user account, so it is quite likely that users will use different PCs, and not all of them are company issued; these might be home PCs, business centers, Internet cafés, etc. The main risk posed by these machines has to do with confidential information that might be left behind by the user. To eliminate this risk, client side security should offer a "sandbox" facility, so that a user can securely download any required content during a session, knowing that this content will be wiped automatically when the session is terminated.

    Key Questions You Should Ask Vendors:
    16. Does the appliance offer host checking facilities?
    17. What type of information can be checked on the host machine (i.e. anti-virus software, registry values, etc.)?
    18. What anti-virus products are built-in?
    19. What browsers are supported?
    20. Are administrative privileges required?
    21. What operating systems are supported?
    22. Does the appliance offer cache cleaning facilities?
    23. Does the appliance offer "sandbox" functionality?
    24. What level of access control can be enforced based on the client profile?

    Authentication

    Authentication is the first step of establishing the identity of a user. The majority of the complexity related to authentication has to do with integration. Most organizations have existing standard authentication interfaces, such as RADIUS or LDAP, in place, and the appliance should be capable of integrating with these interfaces without any special configuration. A challenge exists when a non-standard interface is used, such as legacy systems, databases and others. For these cases it is important that the appliance provide a customization infrastructure that allows for quick integration with these non-standard interfaces.
  • 7. A special case of authentication has to do with SSL client side certificates. Client side certificates are an additional level of protection for the establishment of SSL connections, requiring each client to identify itself with its own unique certificate. For SSL VPN appliances this process takes place before the login page is ever presented to the user, since the login page is presented over an SSL connection. In many cases the client side certificate will be used as the only identifier for user sessions (for example USB based client side certificates). For complete protection it is necessary to be able to associate user sessions with the content of the certificate.

    Key Questions You Should Ask Vendors:
    25. What authentication methods are supported (and what configuration is required)?
        a) RADIUS
        b) LDAP
        c) Active Directory
        d) NDS
        e) SecurID
        f) Certificate Based
        g) Local
        h) Others
    26. Do any of the standard methods require server-side configuration?
    27. How are different dual-factor authentication interfaces handled?
    28. Can authentication be turned off?
    29. Can multiple authentication interfaces be supported concurrently?

    Authorization

    Role based authorization is an important part of almost any security policy and regulation. Administrators need to be able to limit access to information and applications based on the user's role (or associations) within the organization. These policies should be flexible enough to answer the most complex requirements; they should also be as dynamic as possible so that changes and updates can be applied easily and quickly.

    The most important factor related to authorization policies is the granularity of authorization they provide. For example, a web based authorization policy that allows filtering based on URL is more granular than an IP based policy that prevents access to port 80 of a specific server.

    In addition, authorization policies often introduce significant integration complexities. Where should the policies be stored? How should they be associated with users and groups? To avoid these complexities and allow for a smooth integration, the appliance should offer the greatest flexibility possible, allowing for policies to be stored locally as well as on an external server, and also allowing administrators to correlate external information (its source is usually the external authentication server) with locally stored policies.

    In keeping with the fine granularity of access control provided by SSL VPN solutions, the appliance needs to be able to enforce access control policies.
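The granularity argument in the Authorization section, worked through as an added example (not part of the original guide and not any vendor's implementation). The host names, addresses, groups and policies are constructed, and the rules that DENY overrides PERMIT and that no match means deny are assumptions of this sketch.

```python
"""Added illustration: URL-level vs. IP/port-level authorization policies."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from posixpath import normpath
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class Policy:
    action: str   # "PERMIT" or "DENY"
    subject: str  # "user:<name>" or "group:<name>"
    kind: str     # "url" (web policy) or "tcp" (network policy)
    target: str   # URL prefix, or "<CIDR>:<port>" with "*" for any port


def _url_matches(prefix_url: str, requested_url: str) -> bool:
    want, got = urlsplit(prefix_url), urlsplit(requested_url)
    if (want.scheme, want.hostname, want.port) != (got.scheme, got.hostname, got.port):
        return False
    # Decode and normalise first, so "/orders/../hr" cannot ride on "/orders/".
    path = normpath("/" + unquote(got.path).lstrip("/"))
    prefix = want.path.rstrip("/")
    return path == prefix or path.startswith(prefix + "/")


def _tcp_matches(rule: str, requested: str) -> bool:
    net, rule_port = rule.rsplit(":", 1)
    host, port = requested.rsplit(":", 1)
    return ip_address(host) in ip_network(net) and rule_port in ("*", port)


def _matches(policy: Policy, kind: str, target: str) -> bool:
    if policy.kind != kind:
        return False
    if kind == "url":
        return _url_matches(policy.target, target)
    return _tcp_matches(policy.target, target)


def authorize(policies, user, external_groups, kind, target) -> str:
    """Correlate groups reported by the external authentication server with
    locally stored policies. White-list model: nothing matched means DENY."""
    subjects = {f"user:{user}"} | {f"group:{g}" for g in external_groups}
    hits = [p for p in policies
            if p.subject in subjects and _matches(p, kind, target)]
    if any(p.action == "DENY" for p in hits):
        return "DENY"          # explicit DENY always wins (assumption)
    return "PERMIT" if hits else "DENY"


# Constructed policy sets for the same partner community.
SITE = "https://intranet.example.internal"

# Coarse: partners may open TCP port 80 on the web server, so every
# application and path hosted there is reachable.
COARSE = [Policy("PERMIT", "group:partners", "tcp", "10.0.5.20/32:80")]

# Fine: partners may use only the order application; contractors, even when
# they are also partners, may not use its export function.
FINE = [
    Policy("PERMIT", "group:partners", "url", SITE + "/orders/"),
    Policy("DENY", "group:contractors", "url", SITE + "/orders/export"),
]

if __name__ == "__main__":
    for url in ("/orders/123", "/hr/salaries", "/orders/%2e%2e/hr/salaries"):
        print(url, authorize(FINE, "pat", ["partners"], "url", SITE + url))
```

With the coarse policy the appliance cannot tell `/orders/` from `/hr/` on the same server; with the URL policy the raw TCP path is not permitted at all and each request is decided on its normalised path.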
  • 8. Key Questions You Should Ask Vendors:
    30. What types of policies are supported (i.e. web based, shared directory, TCP, etc.)?
    31. Are policies defined as PERMIT or DENY policies?
    32. When designing policies, is it possible to apply "White List" and "Black List" approaches?
    33. Can policies be associated with users, groups or both?
    34. How are policies stored and retrieved?
    35. Can policies be stored on external servers?
    36. Can policies be stored locally on the appliance?
    37. Can policies be retrieved locally based on information from external servers?

    Auditing

    An extensive audit trail is a primary requirement of all security related regulations and policies. The audit information should be generated in formats that allow easy analysis for both security and status monitoring reasons.

    Key Questions You Should Ask Vendors:
    38. How is the audit trail provided?
    39. What formats of logging are supported?
    40. What information is logged?
    41. What tools can be used with the logs?

    Access Modes (Network Exposure)

    SSL VPN solutions gained much ground over the more traditional IPSec technology by being recognized as "clientless" solutions. As SSL VPN technology evolved and matured, it too introduced several client options, although in most cases these are dynamic clients that require no pre-installation. However, SSL VPN solutions still offer many advantages over IPSec technology; one of those advantages is the variety of access modes. These access modes allow administrators to extend their applications with the least amount of network level exposure possible, which in turn significantly reduces the risk posed to the network. Most SSL VPN solutions offer variations of the following access modes:

    - Native Web Application and File sharing support (least network exposure)
    - Thin client support
    - Client/Server application support, also known as redirection (moderate network exposure)
    - Network level access (full network exposure)

    Naturally it is best to prefer the least amount of network exposure possible and therefore take advantage of native Web application and file sharing support. However, the reality is that there are many legacy networking applications deployed that require tunneling (such as redirection or full network level access). It is therefore important to be able to offer the end user a combination of access modes that will reduce network exposure on one hand, and provide convenient and easy access on the other.
  • 9. An example of such a case is the combination of network level access and native file sharing. Although it might be possible to offer Windows file sharing through various tunneling services, doing so exposes the network to a variety of threats related to the ports that have to be open in order to allow this type of functionality. Therefore an administrator might choose to block these ports using authorization policies. In this case users can utilize the native file sharing offered by the appliance. This is only possible if users can use all the different access modes at the same time.

    Key Questions You Should Ask Vendors:
    42. What type of access modes does the solution offer?
    43. What types of applications are supported?
    44. What is the underlying technology (i.e. Java, ActiveX, etc…)?
    45. Can it offer access to resources based on IP address, DNS host names or both?
    46. What types of thin clients are supported?
    47. Publishing applications through MS Terminal Services?
    48. Publishing applications through Citrix Metaframe?
    49. What configuration is required for Citrix integration?
    50. How is the client delivered to the end-user?
    51. How are versions being updated?
    52. Are full and split tunneling settings supported?
    53. How are IP addresses being assigned?
    54. What is the underlying technology (virtual adapter, PPTP, L2TP, redirection)?
    55. Can this mode coexist with the other access modes (for example, is it possible to use this access mode and native web application at the same time)?
    56. What operating systems are supported by this mode?

    User Experience

    The end-user experience is determined by a variety of factors:

    - Performance - How fast data is accessed and applications are executed.
    - User Interface Customization - The ability to provide users with an interface that will be intuitive for their knowledge and needs.
    - Intuitive Use - Using the various access modes should be easy and intuitive. No installation should be required and user interaction should be kept to a minimum.
    - High Availability

    The importance of the user experience is obvious and is the main factor of productivity. However, it is also crucial to remember that a good user experience also reduces the volume of support and help-desk calls.
  • 10. Performance

    To gauge the performance abilities of an SSL VPN product, various parameters should be taken into consideration:

    - Maximum number of concurrent user sessions - The maximum number of users that can be logged in at the same time.
    - Maximum number of concurrent SSL connections - The maximum number of SSL connections that the device can sustain. Assuming that each user session requires at least one connection, this number should be equal to, if not greater than, the maximum number of concurrent user sessions.
    - Maximum number of SSL operations - It is common practice with SSL devices to state the number of SSL handshakes per second (or key exchanges); however, this is a narrow definition since it covers only a portion of the SSL activity. Therefore the definition of this parameter should encompass both the initial SSL handshake and the bulk encryption that follows.
    - Maximum bulk encryption throughput - Most of the encryption performed by an SSL VPN device is bulk, which is the symmetric encryption portion of SSL.

    These parameters must complement each other. For example, just supporting the right number of concurrent user sessions is not enough; the number of concurrent user sessions must be complemented by the ability to support the proper volume of SSL operations (i.e. high transaction rate per second, high throughput). This is a potential hidden cost factor that must be taken into consideration. The trade-off is clear: fewer operations/sec per user means slower performance and a poor user experience. Mismatched performance and scalability will lead to the purchase of additional units even though the initial units support the right number of concurrent user sessions.

    Under no-load conditions, all appliances introduce some extra latency. But the true mettle of an appliance comes across when the device is loaded at the levels at which it is expected to operate. The better devices should be able to handle higher throughputs while still providing an acceptable user experience.

    Key Questions You Should Ask Vendors:
    57. Does the appliance use hardware acceleration for SSL encryption?
    58. Maximum number of concurrent user sessions?
    59. Maximum number of concurrent SSL connections?
    60. Maximum number of SSL operations per time unit?
    61. Bulk SSL throughput?
    62. What kind of additional latency is introduced by the appliance under no-load conditions?
    63. What kind of latency is observed under the targeted work load?
    64. Does the appliance offer any other functions designed to enhance performance and user experience?

    User Interface Customization

    The user interface of an SSL VPN appliance is usually made of different web pages: login, portal, logout and various error pages. Different users, partners, employees from different departments, and others have different applications and information available to them. Access to these applications and information depends on many
  • 11. parameters such as their role and needs. Different users require different user interfaces; the page designed for employee access might not be suitable for partner access. For an access solution to be effective, the user interface must be customizable in a way that allows each group (not to be confused with security related groups) to have the design that best fits its needs. For example, partner access login might be performed from within an existing partner web site, whereas employees would go to a special URL designed for employee use only.

    Customizing the user interface goes beyond a special layout for each group of users. Each organization has its own procedures and business logic needs. The need to synchronize certain files after authentication and integration with proprietary authentication databases are just some examples of those needs. An access solution must have a way to integrate and interact with such customization.

    Overall, the user interface is an important component in a good user experience; it is also crucial for user productivity. An access solution with a poor user interface, whether because of its design or a lack of custom business logic integration, will reduce the productivity of its users.

    Key Questions You Should Ask Vendors:
    65. What components of the user interface are customizable?
    66. Login page?
    67. Portal page(s)?
    68. Logout page?
    69. Error pages?
    70. Can the pages be customized per user or group profile?
    71. To what level can each of these pages be customized?
    72. Customizable logo?
    73. Customizable messages as part of an existing template?
    74. Integrating with existing organizational portals?
    75. Is it possible to create anonymous pages, on which there is no vendor signature?

    Intuitive Use

    As described in section 2.6, one of the strengths of SSL VPN based solutions is in the variety of access modes they provide. However, these different options might create confusion for end users. It is therefore crucial that the use of these different modes be as intuitive as possible and require as little user interaction as possible.

    Key Questions You Should Ask Vendors:
    76. Do any of the access modes require pre-installation?
    77. Do any of the dynamic components require manual triggering by the user?
    78. Is Single Sign-On (SSO) supported?
  • 12. High Availability

    High availability is a part of the end user experience that should be completely hidden. The best user experience is a consistent one, with no or minimum downtime. This goal should be achieved within the overall security considerations.

    Key Questions You Should Ask Vendors:
    79. Does the appliance support high-availability?
        a. How is high-availability implemented?
        b. Can multiple units be clustered together?
        c. If so, is there a limit to the maximum number of units that can be clustered together?
    80. Does the high-availability require any special hardware?
    81. Does the high-availability require any special connections?

    Management and Administration

    Supporting all the different user experience and security related settings mentioned in earlier sections may translate into an administrative nightmare. It is for that reason that any SSL VPN appliance should address the following issues:

    - Management Interfaces - CLI, Web user interface, etc.
    - Components Deployment - How are the different dynamic components (ActiveX, Java applets, etc...) deployed to the end user?
    - Administrative Privileges - Do any of the dynamic components require administrative or other privileges?
    - Administration Delegation - Can the administrative load be delegated between different administrators?

    Management Interfaces

    The administrator experience of an SSL VPN appliance is as important as the end-user experience. Offering a variety of management interfaces may ease the complexity of the administration task as it provides the administrator with a customizable interface.

    Key Questions You Should Ask Vendors:
    82. What type of management interfaces are offered by the appliance?
        a. Does the device offer a CLI for management?
        b. Does the device offer a Web User Interface?
        c. Does the device offer SNMP support?
        d. Does the device offer any programmable management interface that can be used in conjunction with other Network Management tools?
        e. Others?
  • 13. 83. Can all administrative tasks be performed from any of the interfaces?
    84. If not, which of the tasks can be performed by which of the interfaces?

    Components Deployed

    Most SSL VPN solutions deploy various components (which depend on the functionality being used). The deployment of these components, if not performed seamlessly, may create a significant load on support personnel, and ultimately hike the cost of supporting such a solution. The components discussed in this section vary from dynamic components required for different tunneling services (such as Java applets) to components performing host checking and cache cleaning.

    An additional consideration regarding the different components is whether they require administrative privileges. For example, ActiveX components will not execute for restricted users, Java applets might be blocked from accessing the network, and standalone executables require administrative privileges to be installed. In some cases these components require privileges only once, while being installed, and in others they require these privileges every time they are used. In any case the need for administrative privileges creates significant deployment complexity and should be avoided as much as possible.

    Key Questions You Should Ask Vendors:
    85. What are all the components that are being used by the appliance (ActiveX, Java applets and different types of executables)?
    86. For each of the components described above?

    Delegation

    For operational convenience and security reasons, it is commonly required that different administrators be assigned to manage different communities. The appliance should provide a method that allows for delegation of administrative roles between different administrators. The delegation should also allow for administrator buffering, essentially having different administrators for the same unit without allowing them to intervene in each other's responsibilities.

    Key Questions You Should Ask Vendors:
    87. Does the appliance allow for the definition of multiple administrators?
    88. Can different administrators be assigned different administration roles?
    89. Does the appliance provide any type of separation between different administrators?

    Conclusion

    A proper selection of an SSL VPN device involves an understanding of today's and future needs, as well as careful evaluation of the capabilities of the different devices under consideration. Array is happy to assist you in learning more about existing SSL VPN solutions and keep you informed on future developments, so that you can make the most informed decision about your company's secure access requirements.
  • 14. About Array Networks

    Founded in 2000, Array Networks is a global leader in enterprise secure application delivery and universal access solutions. More than 5000 customers worldwide – including enterprises, service providers, government and vertical organizations in health care, finance, insurance and education – rely on Array to provide anytime, anywhere secure and optimized access. Industry leaders including Deloitte, Red Herring, Gartner, and Frost and Sullivan have recognized Array as a market and technology leader.

    Corporate Headquarters
    Array Networks, Inc.
    1371 McCarthy Blvd.
    Milpitas, CA 95035
    408-240-8700
    1 866 MY-ARRAY
    arraynetworks.net

    ASIA Headquarters
    Array Networks China (Beijing) Corp., Inc.
    Liang Ma Qiao Road, Chaoyang District, Beijing, No. 40, the Twenty-First Century, 10-Story Building, Room 1001-1017
    Post Code: 100016
    +010-84446688

    EMEA Headquarters
    Array Networks UK
    4 Cross End
    Wavendon
    Milton Keynes MK178AQ
    +44 (0) 7717 153 159

    To purchase Array Networks Solutions, please contact your Array Networks representative at 1-866 MY-ARRAY (692-7729) or authorized reseller.

    Copyright 2011 Array Networks, Inc. All rights reserved. Array Networks, the Array Networks logo, AppVelocity, NetVelocity, ArrayGates, and SpeedCore are all trademarks of Array Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Array Networks assumes no responsibility for any inaccuracies in this document. Array Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice.

    May-2011 rev. a