Remote Access VPN Buyer's Guide: SonicWALL
As workforces have grown more mobile, VPNs have become a best practice for controlling remote access to corporate resources while ensuring in-transit data confidentiality and integrity. In this edition of EnterpriseNetworkingPlanet's buyer's guide, we examine capabilities and features offered by SonicWALL's Aventail E-Class SRA appliances.
Laying a Foundation
According to product manager Matt Dieckman, SonicWALL offers three Aventail E-Class Secure Remote Access (SRA) products: an E-Class SRA Virtual Appliance (10 to 50 users), the EX6000 4-port Appliance (25 to 250 concurrent users), and the EX7000 6-port Appliance (50 to 5000 concurrent users).
E-Class SRA appliances differ physically but not functionally, letting customers choose the right-sized platform for each environment. "Deployments are based on number of concurrent users, which could translate into how many telecommuters you have or how many workers need after-hours access," said Dieckman. "For example, an insurance company would probably deploy the bigger EX7000 because most agents are located throughout the world, not at the home office."
Both appliances can be deployed in internally-load-balanced active/active pairs for high-availability with stateful failover, meaning that authenticated sessions are maintained without disruption. The EX7000 also includes hot-swappable dual power supplies and support for external load balancers. Alternatively, companies that would rather "go virtual" can run instances of the E-Class SRA VA under a VMware ESX hypervisor.
Licensing is based on number of concurrent users per appliance or HA pair. "Larger customers might set up [appliances] in US, Asia, and Europe, with one serving as primary for each region, the others as back-up to prevent outages or deal with usage spikes," explained Dieckman. "In an emergency, when people can't get to work, we sell a Spike License Pack to let customers go to max capacity immediately."
Who Goes There
SonicWALL's approach to secure remote access starts with detection. First, each user is authenticated via password (integrated with Active Directory, LDAP, or RADIUS), a two-factor token like RSA SecurID, digital certificate, one-time-password (OTP), or a combination of these.
"Our integrated OTP makes us a little different," said Dieckman. "After username / password is entered, we can send the user an OTP via email or SMS, to be entered as a second factor. Since the user doesn't have to have a physical token, that reduces cost and chance of loss." SonicWALL's single-sign-on also extends the user's authenticated state to other applications, without answering yet another prompt.
Next, E-Class SRA determines the security posture of the user's endpoint device. SonicWALL End Point Control (EPC) can interrogate Windows, MacOS, or Linux notebooks or iPhone/iPad and Windows Mobile 6.5 phones prior to authentication. According to Dieckman, rules can be deeper for Windows, MacOS, and Linux endpoints, but E-Class SRA can still check for certificate-based watermarks on other devices. "For example, we can give an IT-issued Windows 7 machine access to everything on the network, while giving the same user on a home machine restricted portal access."
Finally, customers who buy Advanced EPC can combine firewall/anti-malware detection with data protection. "When the same user comes in from a coffee shop or friend's PC, our Cache Controller can remove all traces of session data after logout. For companies with data leak prevention requirements, we can activate a [client-side] secure desktop emulator that prevents users from downloading any data and carrying it away on a USB." (Advanced EPC, Cache Cleaner, and Secure Desktop are included with the EX7000.)
Enforcing Realm-based Profiles
After users and devices are identified, they are permitted to access authorized resources. As a rule, SSL VPNs tend to support more granular policies than IPsec VPNs, but such rules can grow unwieldy without strong policy management tools. SonicWALL's Aventail Unified Policy Management console defines reusable user, group, device, and resource objects that can be mapped onto Policy Zones.
"We have a single interface for policy configuration, no matter how the user logs in," explained Dieckman. "We start with a high level definition of user trust. From there, we decide whether to allow or quarantine them, and set up different realms that determine where they can go." Companies that require detailed per-user logging (e.g., medical facilities subject to HIPAA) can purchase the optional Aventail Advanced Reporting module.
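The trust-plus-posture decision described in the EPC and realm passages above, written out as an added illustrative model (this is not SonicWALL code; the field names, realm names and the rule ordering are assumptions chosen for the example):

```python
# Added illustration of realm assignment driven by user trust and endpoint
# posture, modelled on the article's description. Not vendor code; the rules,
# realm names and resource sets below are assumptions for the example.
from dataclasses import dataclass, field


@dataclass
class Endpoint:
    os: str                       # e.g. "windows7", "macos", "linux", "ios"
    it_issued: bool               # carries the corporate certificate watermark
    antimalware_ok: bool = False  # anti-malware posture check passed
    firewall_ok: bool = False     # host firewall posture check passed


@dataclass
class Session:
    user: str
    groups: set
    second_factor: bool           # OTP or token supplied after the password
    endpoint: Endpoint


@dataclass
class Decision:
    realm: str                    # "full", "portal" or "quarantine"
    resources: set = field(default_factory=set)
    cleanup: bool = False         # wipe session traces at logout


FULL = {"fileshares", "rdp", "voip", "intranet"}   # assumed resource sets
PORTAL = {"intranet"}


def assign_realm(s: Session) -> Decision:
    """Map user trust and endpoint posture onto a realm, most trusted first."""
    e = s.endpoint
    if not s.second_factor:
        # Password-only logins never leave the restricted portal (assumption).
        return Decision("portal", PORTAL, cleanup=True)
    if e.it_issued and e.os in ("windows7", "macos", "linux"):
        if e.antimalware_ok and e.firewall_ok:
            return Decision("full", FULL)
        # Managed device that failed a posture check: hold it in quarantine.
        return Decision("quarantine", set())
    # Same user on a home or unmanaged machine: portal only, clean up afterwards.
    return Decision("portal", PORTAL, cleanup=True)
```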
Flexible Connection Alternatives
All E-Class SRA users connect securely over SSLv3 or TLSv1, protected by IT's choice of encryption (e.g., DES, 3DES, RC5, AES) and integrity (e.g., MD5, SHA) algorithms. However, when it comes to client-side requirements and application support, the devil is in the details: specifically, the way in which the appliance connects users to resources. Aventail E-Class SRA appliances offer several connection methods, selected automatically based upon configured policy and endpoint type/capability.
According to Dieckman, traditional SSL VPN access can be delivered through a web portal, for example one presenting links that users click on to launch a Citrix nFuse or RDP session or access a fileshare. "From there we have other alternatives," he said.
"If they need more than web, we can provide layer 3 tunneling through dynamic installation of a client with controlled access to authorized resources. For mobile devices (including iPhone, Android, and Symbian), we can proxy Active Sync connections through a web portal, letting users reach their Exchange Server over a secure connection."
However, Dieckman said that most SonicWALL Aventail customers use ConnectTunnel, a persistent client that resides on Windows, MacOS, or Linux endpoints. This option gives users on trustworthy endpoints greater access, for example to support VoIP. But those users are not limited to just those endpoints. "We determine dynamically what kind of access each user and endpoint gets. For example, our On-Demand tunnel can be auto-launched for users when they log into our WorkPlace Portal from other machines."
SonicWALL's Aventail E-Class SRA products are in many ways "classic SSL VPN" appliances. Aventail was ahead of the curve when it first implemented many of the features described above, in part because the company focused on simplifying and extending secure access without trying to wedge VPN into a broader network portfolio. As a result, these VPN appliances support a relatively broad set of endpoints and applications, independent of network type.
However, after acquiring Aventail, SonicWALL introduced Clean VPN, a bundled solution that combines an E-Class SRA appliance with a SonicWALL Next Generation firewall to provide deep packet inspection and IPS on VPN traffic before it is permitted to enter the enterprise network. This kind of integration is becoming increasingly important as more application traffic rides over port 80, and will no doubt continue to evolve along with SonicWALL's entire collection of security products.
To learn more about SonicWALL products, visit Aventail E-Class SRA.
Lisa Phifer owns Core Competence, a consulting firm focused on business use of emerging network and security technologies. With over 25 years in the network industry, Lisa has reviewed, deployed, and tested network security products for nearly a decade.