SSL VPN Gateway Product Selection Guide
Page 3 - Cisco Systems, Citrix, F5 Networks
| Vendor | Cisco Systems | Cisco Systems | Citrix | F5 Networks |
|---|---|---|---|---|
| Product Name | VPN 3000 Series Concentrator | ASA-5500 Series | Access Gateway | FirePass Controller |
| Product Type | Multi-Function VPN Concentrator | Hybrid VPN Gateway Appliance | SSL VPN Gateway Appliance | SSL VPN Gateway Appliance |
| Vendor Positioning | Remote Access VPN Appliance | Multi-Function Security Appliance | SSL VPN Appliance | SSL VPN Appliance |
| Gateway Scalability | | | | |
| VPN Coverage | | | | |
| SSL Remote/Local Access [3,4] | Yes | Yes | Yes | Yes |
| IPSec Remote/Local Access [3,4] | Yes | Yes | No | |
| IPSec Site-to-Site Protection | Yes | Yes | No | Yes |
| Resource Access Methods (SSL-based unless noted) | | | | |
| Web Applications | HTTP Proxy/URL Rewriter??? | HTTP Proxy/URL Rewriter??? | L2 Net Connector (at client) | HTTP Proxy/URL Rewriter |
| Client-Server | None | Port Forwarder | L2 Net Connector (at client) | Port Forwarding |
| Terminal-Server | None | Port Forwarder | L2 Net Connector (at client) | Terminal Emulation |
| Full Net Access | None | Level 3 Net Connector | L2 Net Connector (at client) | Level 3 Net Connector |
| | (SSL & IPSec) | | | |
| Note: A user may need admin-level privileges on (a) browser (b) operating system (c) personal firewall in order to load/operate an access agent on the user device. | | | | |
| End Device Support for SSL Access Methods (Web/Client-Server/Terminal Server/Full Net Access). Note: Yes/No/No/Yes indicates that a web proxy and network connector is offered; there are no special agents for client-server and terminal server applications | | | | |
| Windows XP | Yes/No/No/No | Yes/Yes/Yes/Yes | No/No/No/Yes | Yes/Yes/Yes/Yes |
| Linux | Yes/No/No/No | Yes/Yes/Yes/Yes | No/No/No/No | Yes/No/No/Yes |
| Macintosh | Yes/No/No/No | Yes/Yes/Yes/Yes | No/No/No/No | Yes/No/No/Yes |
| Unix | Yes/No/No/No | Yes/Yes/Yes/Yes | No/No/No/No | Yes/No/No/Yes (Solaris) |
| Other | | PocketPC (Network Access) | | |
| WAP/i-Mode/PDA support (Portal Access) | | | | |
| Client-Side Gateway Software | | | | |
| Browser | IE, Firefox, Navigator, Safari | IE, Firefox, Navigator, Safari | IE, Firefox | IE, Firefox, Navigator, Safari |
| ActiveX or Java Agent [1] | | ActiveX & Java | ActiveX | ActiveX & Java |
| Proprietary Security Client [2] | | Level 3 Net Connector (Java) | Yes | Level 3 Net Connector (ActiveX & Java) |
| User Gateway Interface | | | | |
| Web Portal [13] | No | Yes | No | Yes |
| Native Application Clients [14] | | Level 3 Net Connector | Yes | Level 3 Net Connector |
| Authorization Policy Granularity | | | | |
| Applications & File Servers | Packet Filters | Yes | Yes | Yes |
| Subnetworks | Packet Filters | Yes | Yes | Yes |
| Web Pages (URLs) | No | Yes | Yes | Yes |
| Identity-based Granular Access Control [18] | | | | |
| Pre-Packaged Endpoint Security [5] | | | | |
| Session-level Security [8] | No | Yes | Yes | Yes |
| Compliance Enforcement [9] | No | Yes | TBD | Yes |
| Personal Security Software [10] | No | Yes | No | Key Logger Protection |
| Device OS Controls [7] | via Protected Workspace | | | |
| Integrated Perimeter Security | | | | |
| Network Firewall | Yes? | Yes | No | Packet Filtering |
| IDS/IPS | No | Application & Network Level | No | No |
| Web (HTTP) Firewall | No | Yes | No | No |
| Denial-of-Service Defense [15] | Yes | Yes | Yes | Yes |
| Other | | Anti-Virus, Anti-Spyware | Anti-Virus Scanner | |
| Other Key Features | | | | |
| Service Provider Feature Set [11] | No | Yes | No | Yes |
| NIST-Certified FIPS-140 [16] | No | No | No | Yes |
| High Performance Platform [12] | Yes | Yes | No | Yes |
| Pre-Packaged Strong Authentication [5] | No | No | No | Certificate Server, Validation via CRL & OCSP [17] |
Notes:
1. Required for some application access methods; uses browser SSL services
2. Downloaded client is required either for some applications or for security functions like strong user authentication
3. VPN between remote device and access gateway
4. VPN between local device and access gateway
5. Pre-packaged means the vendor delivers and supports the feature
6. Gateway policy manager can control usage of actual application commands so users have access to limited application functionality; this goes beyond URL-level filtering of Web applications
7. Controls a user's ability to access device operating system services like printing and saving when accessing network application and file servers
8. Includes such features as protected workspaces, session clean-up, and session time-outs
9. Checks device security against endpoint security policies; enforces and adjusts user privileges, and assists in problem remediation
10. Includes personal virus, firewall, and spyware protection
11. Includes secure gateway partitioning, VLAN support for SP data centers, customer usage and billing data/reports, secure remote policy administration, and remote service-level monitoring and reporting
12. Rich set of performance enhancements - e.g., bulk crypto, web caching, SSL acceleration,
13. Users access internal network resources through a gateway portal interface
14. Users access internal resources via standard application clients
15. Protects internal network from DoS attacks
16. Encryption for communications and key storage
17. CRL = certificate revocation list; OCSP = online certificate status protocol
18. Sophisticated user privilege management capabilities and policy admin tools
Gateway Product Lines & Models
Most vendors offer multiple models of gateways. You can view the platform-specific characteristics of the products displayed on this page now.
