Remote Access VPN Buyer's Guide: SonicWALL - Page 2
E-Class SRA appliances offer flexible-yet-secure mobile access, governed by unified policies.
Who Goes There
SonicWALL's approach to secure remote access starts with detection. First, each user is authenticated via password (integrated with Active Directory, LDAP, or RADIUS), a two-factor token like RSA SecurID, digital certificate, one-time-password (OTP), or a combination of these.
"Our integrated OTP makes us a little different," said Dieckman. "After username / password is entered, we can send the user an OTP via email or SMS, to be entered as a second factor. Since the user doesn't have to have a physical token, that reduces cost and chance of loss." SonicWALL's single-sign-on also extends the user's authenticated state to other applications, without answering yet another prompt.
Next, E-Class SRA determines the security posture of the user's endpoint device. SonicWALL End Point Control (EPC) can interrogate Windows, MacOS, or Linux notebooks or iPhone/iPad and Windows Mobile 6.5 phones prior to authentication. According to Dieckman, rules can be deeper for Windows, MacOS, and Linux endpoints, but E-Class SRA can still check for certificate-based watermarks on other devices. "For example, we can give an IT-issued Windows 7 machine access to everything on the network, while giving the same user on a home machine restricted portal access."
Finally, customers who buy Advanced EPC can combine firewall/anti-malware detection with data protection. "When the same user comes in from a coffee shop or friend's PC, our Cache Controller can remove all traces of session data after logout. For companies with data leak prevention requirements, we can activate a [client-side] secure desktop emulator that prevents users from downloading any data and carrying it away on a USB." (Advanced EPC, Cache Cleaner, and Secure Desktop are included with the EX7000.)
Enforcing Realm-based Profiles
After users and devices are identified, they are permitted to access authorized resources. As a rule, SSL VPNs tend to support more granular policies than IPsec VPNs, but such rules can grow unwieldy without strong policy management tools. SonicWALL's Aventail Unified Policy Management console defines reusable user, group, device, and resource objects that can be mapped onto Policy Zones.
"We have a single interface for policy configuration, no matter the user logs in," explained Dieckman. "We start with a high level definition of user trust. From there, we decide whether to allow or quarantine them, and set up different realms that determine where they can go." Companies that require detailed per-user logging (e.g., medical facilities subject to HIPAA), can purchase the optional Aventail Advanced Reporting module.