Stonesoft StoneGate SSL-400 review

SSL VPNs are now a popular alternative to complex IPsec VPNs, and Finland-based Stonesoft offers three new appliances. In this exclusive, we look at the entry-level SSL-400, capable of handling up to 25 simultaneous tunnels.

The appliance provides four fast ethernet ports, with the first dedicated to management and the other three available to provide different services to remote users. Installation comes in two parts: you access the appliance's system interface first, where you configure the network interfaces and routing parameters; then you move to the SSL VPN Administrator, where you can delve into a wealth of features. The software comprises four main services: an access point to handle all incoming user connections; an authentication service; a policy service that uses access rules to determine what network resources a user is authorised for; and an administration service.

User accounts are created first - both Active Directory and LDAP are supported, or you can use web authentication, which runs a small Java applet or ActiveX control on the remote system. A client utility allows the stronger Synchronised or Challenged authentication methods to be used. The Mobile Text is a smart alternative, which requires users to log on using directory services, where it takes a mobile number from their user profile, creates a one-time password and sends this back to the user via SMS.

End-point security allows you to implement strict policies on what must be resident on a user's system, and checks include OS versions, antivirus software, Registry entries and specific files. When a session is complete, the appliance cleans up by deleting downloaded files, cookies, caches and URL histories. Access rules contain an authentication method or a membership type. For authentication, you use any or all of the appliance's features and combine them, while membership can be anything from an AD group, an IP address range, a device or just the date and time the user logged on. End-point assessment can also be a form of membership and is configured from within the access rule.

Next come application portals and resources, and choices range from a web server or a shared folder to apps such as Outlook, Domino and Citrix MetaFrame. A simple SSO (single sign-on) feature is also available, where you can create domains that allow users to log on once but gain access to multiple resources. When creating new application portals and resources, or when editing existing ones, you can specify which should be included in an SSO domain. Users will just need to point their web browser at the relevant service port on the appliance, provide their credentials and a secure tunnel is set up for the resources they're authenticated for.

During testing, the SSL-400 was overly complex to configure, and the lack of decent documentation didn't help. It's comparatively costly, too, but the SSL VPN features are superb.

Author: Dave Mitchell