Secure Access Gateway Product Categories
The Breakaway Security Group has never been comfortable with the general product category label of SSL VPN - despite its popularity - because SSL-based connectivity represents only a small part of the security capabilities of secure extended networks and the rapidly evolving, multi-function access gateways that are central to them. However, the term SSL VPN has served two important purposes: it has distinguished these systems from traditional IPSec VPN concentrators and IPSec VPN/firewalls, and it has highlighted the remote access focus that characterized most early secure access gateways.
Starting in mid-2006 Breakaway Security adopted "Secure Access Gateway" as the general term for this class of products, identified several product categories within it, and renamed our portal (formerly SSL VPN Central). This was done to recognize that while all of these products employ SSL VPN technology, many had already added IPSec VPN services AND evolved down different paths in terms of "gateway" functionality. More specifically, important differences have emerged with the addition of advanced network and application-level protections, downloadable endpoint security services and "network access control" (NAC) functionality that enforces security policy compliance at the level of user devices. Also, a few systems are now touted as capable of supporting both remote and local access.
Throughout Secure Access Central there are hundreds of references to SSL VPN gateways that are a legacy of our earlier usage of this term. Rather than change all of these references, we ask that you read "secure access gateway" wherever you encounter the older term.
Please note that while many vendors eagerly refer to their gateways as SSL VPN appliances because the term is so widely embraced, others actively avoid the SSL VPN label, believing it understates the true value of their systems. Commonly used industry terms include application access gateways, resource access gateways, and network access gateways, and the word "appliance" is often substituted for "gateway".
What is a Secure Access Gateway?

Organizations use secure access gateways to give their employees the freedom to securely access data and applications residing on internal networks from multiple locations and computing devices, whether those devices are remotely or locally attached. That is, individual employees are not restricted to a single device issued and managed by the organization. Instead, they can access network resources from shared "corporate" computers, their own computing devices and ones provided by third parties (e.g., friends, kiosks). Gateway services are also often extended to partners who are authorized to access internal IT resources.

An SSL-based secure access gateway is a perimeter security system that uses SSL (today, TLS) to protect communications in transit and flexible, policy-based controls to manage user access to internal network resources. Gateways are available both as hardened appliances and as hardened software running on standard commercial servers. Additional baseline gateway security functions include some level of protection for user sessions at the device (endpoint), basic network-level protection (e.g., against DoS attacks) and the collection of usage data for security auditing purposes.

When we refer specifically to a gateway that employs both SSL and IPSec VPN technology AND uses identity-based policy to define and enforce user access privileges, we call it a "hybrid" gateway. These systems are very different from firewall/IPSec VPN concentrators that have had SSL connectivity added to them but still require organizations to implement access control policy via packet filters and firewall rules regardless of the VPN technology in use: in a hybrid gateway the access decision is made per authenticated user (or group) and per resource, not per source IP address and port. When a gateway also includes advanced network and application-level protections, we refer to it as a multi-function secure access gateway.

The following table summarizes the primary differences between these product classes. You can review our On-line Product Selector for a closer look at product functionality and a sample of available gateway products.
| Security Services | Secure Access Gateway (SSL) | Secure Access Gateway (Hybrid) | Multi-Function Secure Access Gateway (SSL) | Multi-Function Secure Access Gateway (Hybrid) |
|---|---|---|---|---|
| SSL VPN | Yes | Yes | Yes | Yes |
| IPSec VPN | No | Yes | No | Yes |
| Local & Remote Access | Varies (note 1) | Varies (note 1) | Varies (note 1) | Varies (note 1) |
| Granular Access Controls | Yes | Yes | Yes | Yes |
| Access Policy Manager | Yes | Yes | Yes | Yes |
| Endpoint Security & NAC | Varies (note 2) | Varies (note 2) | Varies (note 2) | Varies (note 2) |
| Basic Network Protection | Yes | Yes | Yes | Yes |
| Advanced Network Protection | No | No | Yes | Yes |
| Basic Application Protection | Yes | Yes | Yes | Yes |
| Advanced Application Protection | No | No | Yes | Yes |
| Security Audit Usage Data | Yes | Yes | Yes | Yes |

Note 1: Only a few vendors offer secure access gateways with the performance to support large-scale local and remote user communities.

Note 2: Endpoint security and NAC features vary a great deal across all gateway product classes.
The existence of these different product classes reflects vendor innovation and history as much as market requirements. SSL VPN gateway vendors emerged in significant numbers in 2001-2002 to take advantage of the growth in remote and mobile users, the widespread use of web technology AND the well-known limitations of IPSec VPN remote access. Initially, vendors touted the virtues of clientless remote access, but almost all now offer "virtual IPSec" functionality via SSL-based network connectors (which are not really clientless, since a connector must be installed on the endpoint), and others offer an IPSec option. A few of the more aggressive vendors have already added advanced network and application-level security to their products. This trend will continue.
In contrast, the vendors offering multi-function secure access gateways were initially slow to add robust SSL VPN technology to their IPSec-based systems, but most now offer hybrid solutions. Since they generally already offer sophisticated perimeter security features, their focus is largely on filling gaps in endpoint security, remote device support and access policy management tools, and on broadening their line-up of appliance platforms.
