Does a good SSL VPN provide good NAC?

We assessed an SSL VPN product as if it were in fact a NAC device to assess its role in NAC

Is an SSL VPN by either definition or by circumstance a NAC device?

Both Caymas Systems and Juniper Networks would argue a resounding "yes". The argument here would be that because the most recent iteration of SSL VPN products have been focused on authorizing users, controlling access and using end-point posture assessment, an SSL VPN is a natural fit into any NAC scheme. Just as the intrusion-detection system (IDS) vendors were ideally situated to start selling intrusion-prevention system (IPS) products, SSL VPN vendors are going to have a natural leg up in this market

Caymas, has repositioned itself into the NAC space using the same technology it originally sold as an SSL VPN device. Juniper has also jumped heavily on the NAC bandwagon, repurposing the policy engine from its top-rated SSL VPN product into the Unified Access Controller (UAC) IC-4000 appliance we tested as part of the TCG/TNC framework.

For an objective answer to the questions of an SSL VPN's role in NAC, we approached F5 Networks -- which hasn't yet entered the NAC marketing fray -- and asked if we could assess its FirePass SSL VPN product as if it were in fact a NAC device.

Our first criterion for a good NAC device is a broad range of authentication methods and types. In the case of NAC, this process includes both the back-end authentication server -- and the FirePass supports eight of these -- and the way by which users convey their credentials to the device. For an SSL VPN in general, the latter process is limited when compared with a NAC-enabled environment. A good NAC framework can use various methods, such as an 802.1X process, a captive portal, or even sniffing some other authentication system while SSL VPNs tend to be limited to Web-based client authentication mechanisms.

The FirePass provides both Web-based username/password authentication (roughly equivalent to a captive portal) and a passwordless authentication based on digital certificates. The question then follows: Is there some way for an SSL VPN to do a more integrated authentication, such as with a client or by integrating directly with the Windows logon sequence akin to what is done in NAC? With FirePass (and other full-function SSL VPNs), that only happens when you use the product's network extension tools, which link the SSL VPN user's system at the IP layer to the central site's network, similar to an IPsec VPN, rather than the Web-based parts of the product.

Our second criterion for a solid NAC framework is the ability to factor end point security assessment and environmental information into the access equation. With a very sophisticated end-point security assessment system in place within FirePass, the network manager can build a policy to check end-point security across a variety of platforms. At this point, FirePass is ahead of most NAC vendors, which rarely have cross-platform support, because it can detect and handle endpoints running Mac OS X differently than those running Windows.

End-point security assessment depends on the ability of the SSL VPN portal to push software down into the users' browsers. In the case of the FirePass, this requires an ActiveX-compatible browser. Some NAC vendors, such as Juniper and Cisco, prefer a permanently installed client, rather than relying on the browser. FirePass doesn't support the option of an installed client to do end-point security checking over its Web services portal.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joel Snyder

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?