Remote access is a necessity for today's businesses, whether it's for getting at data and apps from a remote office or from the living room sofa after hours. SSL VPNs help provide that access securely and easily through the ubiquitous Web browser without requiring a "fat" software client on the remote PC. And now SSL VPN vendors are finally bringing feature-rich clientless remote-access solutions to the little folks, small and midsize companies, at a price low enough for everyone to afford.
Among these solutions aimed at SMBs is the ZyXel ZyWall SSL 10 VPN appliance. The box delivers access to a variety of applications, plus it can connect to various authentication schemes. Moreover, it can check end points for compliance before allowing clients network access. The product sports a Java-based client engine, thus leveraging Java's wide availability on all platforms – but not without the language's notorious performance penalty.
Compact yet capable
The ZyWall SSL appliance is available in configurations for 10 and 25 concurrent users, and it's small enough to fit in even the most space-constrained SMB closet. Despite its stature, the SSL 10 delivers secure access to intranet webservers, Web-based applications, and TCP and UDP traffic, as well as to Windows and Linux file shares.
Notably, admins can allow secure entry to Microsoft's Outlook Web Access through ZyWall using the predefined OWA application type. This is important because OWA does strange things to the rendered page, and not all SSL VPN appliances – big or small – handle it correctly.
Like the big guys, ZyWall allows remote access to non-web applications, a feature I really appreciate. Upon successful login to the appliance, a Java applet is pushed down to the client. This client redirects connections to the local loopback addresses (such as 127.0.0.3), sending them to the appliance and on to the application.
For example, I created policies that let me access Microsoft Terminal Services using Remote Desktop Connection from my Windows XP Pro client. I then connected to the loopback address specified by the Java client and was able to link up to the service. Higher-end SSL appliances, such as offerings from Aventail and F5, are more transparent to the end-user – they don't have to connect to the loopback address – but they're much more expensive.
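To make the loopback mechanism described above concrete, here is a small local redirector of the kind the Java applet implements, written as an added example for this article rather than ZyXel's own code. It listens on a 127.0.0.x address, relays each connection to a remote endpoint (the SSL gateway in the real product; a constructed echo service here, so the example runs offline), and refuses to bind anywhere but loopback, which is what keeps other machines on the user's LAN from riding the VPN session. The 127.0.0.3 address is taken from the article; the class and function names are this example's own.

```python
import ipaddress
import socket
import threading

LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def check_listen_address(host: str) -> str:
    """Refuse to listen anywhere but on a loopback address (the security property
    that matters: only processes on the user's own PC can reach the redirector)."""
    if ipaddress.ip_address(host) not in LOOPBACK_NET:
        raise ValueError(f"refusing to listen on non-loopback address {host}")
    return host


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes one way until the source closes, then half-close the sink."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LoopbackRedirector:
    """Listen on a 127.0.0.x address and relay every connection to `target`.
    In the appliance the target is the SSL VPN gateway; here it is any TCP service."""

    def __init__(self, listen_host: str, listen_port: int, target: tuple):
        self.target = target
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((check_listen_address(listen_host), listen_port))
        self._sock.listen(5)
        self.address = self._sock.getsockname()  # resolved (host, port) to connect to
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self) -> None:
        while True:
            try:
                client, _ = self._sock.accept()
            except OSError:
                return  # listener closed
            upstream = socket.create_connection(self.target)
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    def close(self) -> None:
        self._sock.close()


def _echo_server() -> socket.socket:
    """Constructed stand-in for an internal service: echoes one request, then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def round_trip(payload: bytes, listen_host: str = "127.0.0.3") -> bytes:
    """Send payload through the redirector to the echo service and return the reply."""
    backend = _echo_server()
    try:
        fwd = LoopbackRedirector(listen_host, 0, backend.getsockname())
    except OSError:
        # Some hosts configure only 127.0.0.1 on lo; fall back so the demo still runs.
        fwd = LoopbackRedirector("127.0.0.1", 0, backend.getsockname())
    try:
        with socket.create_connection(fwd.address) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)
            chunks = []
            while True:
                part = c.recv(4096)
                if not part:
                    break
                chunks.append(part)
            return b"".join(chunks)
    finally:
        fwd.close()
        backend.close()


if __name__ == "__main__":
    print(round_trip(b"hello through the loopback redirector"))
```

Pointing Remote Desktop Connection at `fwd.address` instead of the echo service is exactly the workflow the review describes: the client application never knows it is talking to a relay. The real applet carries the relayed bytes inside the SSL session to the appliance; this example relays them in the clear on the local machine only.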
Another nice feature: ZyWall can access file shares on both Windows and Linux servers from within a browser. I was able to create multiple links in the appliance's portal page to various shares on both platforms without too much trouble. I did, however, find that connecting to shares on a Windows Server 2003 domain controller brought up some problems. I was not able to authenticate to my server unless I disabled SMB signing in the server's domain controller security policy. Not a problem on small networks, but it requires a little policy fiddling to make it work. I had no issues with shares on Windows XP or Windows 2000 Server.
The IPSec-style network access, called SecuExtender, works, but its usefulness is limited. On login, the Java client installs a virtual PPP adapter with an address on the host network. Users can connect to resources behind the appliance using programs such as Telnet and PuTTY, but they cannot map drives to network shares or browse to an internal Web server.
Among its strengths, the appliance can work with different authentication and authorisation services. Admins can go with the built-in user list or choose from RADIUS, LDAP, or Active Directory. Unlike with the F5 and Aventail, admins can use only one type of authentication at a time with ZyWall – no mixing and matching here. But for most small office deployments, the integrated user database will be enough.
Policy-based access control
ZyWall employs a surprisingly granular approach to controlling access to resources at the network level. Admins can create policies on a per-user or per-group basis. Each policy defines the protocols, destination, time of day, and day of the week that the user is able to access the network. Admins can create very specific policies to control access to each resource.
I've come to expect end-point security compliance checks in enterprise SSL solutions, and accordingly, ZyWall covers eight different criteria on the connecting PC to make sure it fits in with the established security posture. For example, I created one policy for Windows XP PCs that required XP Service Pack 2, IE 7, and Norton AntiVirus, while a second policy for Windows 2000 clients required Service Pack 4 and IE 6. ZyWall will check for the presence of personal firewalls from Norton and McAfee, but not Microsoft.
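The two layers of control described in this section, per-user or per-group network policies keyed on protocol, destination, time of day and weekday, plus an endpoint posture check before any of that applies, can be modelled in a few dozen lines. The following is an added example written for this article, not ZyWall's own policy engine: the rule and policy names, the "tcp/3389" protocol notation, the 10.0.0.0/24 test network and the helpdesk/admins groups are all constructed. The posture rules mirror the two the review describes (XP with SP2, IE 7 and Norton AntiVirus; Windows 2000 with SP4 and IE 6), and the decision is deny-by-default: an operating system with no posture rule is rejected rather than waved through, and a session is allowed only when some policy matches every attribute.

```python
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class PostureRule:
    """What a connecting PC running `os_name` must have before it is allowed in."""
    os_name: str
    min_service_pack: int
    min_ie_major: int
    antivirus_any_of: frozenset = frozenset()  # empty = no AV requirement


@dataclass(frozen=True)
class Endpoint:
    """Posture report from the client (constructed; a real agent reports more)."""
    os_name: str
    service_pack: int
    ie_major: int
    antivirus: frozenset = frozenset()


def posture_check(ep: Endpoint, rules) -> tuple:
    """Return (ok, reason). An OS with no rule is denied, not waved through."""
    rule = next((r for r in rules if r.os_name == ep.os_name), None)
    if rule is None:
        return False, f"no posture rule for {ep.os_name}"
    if ep.service_pack < rule.min_service_pack:
        return False, f"service pack {ep.service_pack} < {rule.min_service_pack}"
    if ep.ie_major < rule.min_ie_major:
        return False, f"IE {ep.ie_major} < {rule.min_ie_major}"
    if rule.antivirus_any_of and not (ep.antivirus & rule.antivirus_any_of):
        return False, "required antivirus not present"
    return True, "posture ok"


@dataclass(frozen=True)
class AccessPolicy:
    name: str
    groups: frozenset      # user groups this policy applies to
    protocols: frozenset   # e.g. "tcp/3389"
    destinations: tuple    # CIDR strings
    weekdays: frozenset    # 0 = Monday ... 6 = Sunday
    window: tuple          # ((h, m), (h, m)): start inclusive, end exclusive

    def matches(self, groups, protocol, dest_ip, when: datetime) -> bool:
        if not (groups & self.groups) or protocol not in self.protocols:
            return False
        ip = ipaddress.ip_address(dest_ip)
        if not any(ip in ipaddress.ip_network(d) for d in self.destinations):
            return False
        start, end = self.window
        return when.weekday() in self.weekdays and start <= (when.hour, when.minute) < end


def decide(groups, ep, protocol, dest_ip, when, rules, policies) -> tuple:
    """Deny-by-default: the PC must pass posture, then some policy must match."""
    ok, reason = posture_check(ep, rules)
    if not ok:
        return "deny", reason
    for pol in policies:
        if pol.matches(frozenset(groups), protocol, dest_ip, when):
            return "allow", f"matched policy {pol.name}"
    return "deny", "no access policy matches"


# Constructed sample configuration mirroring the review's two posture policies.
RULES = (
    PostureRule("Windows XP", 2, 7, frozenset({"Norton AntiVirus"})),
    PostureRule("Windows 2000", 4, 6),
)
POLICIES = (
    AccessPolicy("helpdesk-rdp", frozenset({"helpdesk"}), frozenset({"tcp/3389"}),
                 ("10.0.0.0/24",), frozenset({0, 1, 2, 3, 4}), ((8, 0), (18, 0))),
    AccessPolicy("admins-ssh", frozenset({"admins"}), frozenset({"tcp/22"}),
                 ("10.0.0.0/16",), frozenset(range(7)), ((0, 0), (24, 0))),
)

# Constructed endpoints and timestamps used by the demo.
XP_OK = Endpoint("Windows XP", 2, 7, frozenset({"Norton AntiVirus"}))
XP_OLD = Endpoint("Windows XP", 1, 6)
W2K_OK = Endpoint("Windows 2000", 4, 6)
TUE_10AM = datetime(2007, 3, 6, 10, 0)   # a Tuesday
SAT_10AM = datetime(2007, 3, 10, 10, 0)  # a Saturday

if __name__ == "__main__":
    print(decide({"helpdesk"}, XP_OK, "tcp/3389", "10.0.0.5", TUE_10AM, RULES, POLICIES))
    print(decide({"helpdesk"}, XP_OK, "tcp/3389", "10.0.0.5", SAT_10AM, RULES, POLICIES))
    print(decide({"helpdesk"}, XP_OLD, "tcp/3389", "10.0.0.5", TUE_10AM, RULES, POLICIES))
```

Returning the reason alongside the verdict is deliberate: the review goes on to fault the appliance's logging, and a policy engine that can say why a session was refused is what makes connection problems diagnosable after the fact.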
Reporting and logging are available in the appliance, but they are below average. A monitor function allows admins to see who is connected and for how long (with the ability to kill the connection) – but not which services they are utilising. The logging utility lists events as they occur, though with little in-depth information. Admins can direct log files to external mail servers or a Syslog server for archival purposes. The report feature is also limited; it captures only the user name, whether the user authenticated, the session duration, browser type, and source IP address.
For small and medium-sized businesses, the ZyXel ZyWall SSL 10 VPN appliance is a good buy. It packs in plenty of useful features that can help small businesses have safe and secure remote access without the hassle of IPSec VPNs or fat clients. The Java client works fine on both Internet Explorer and Firefox, and once connected, performance isn't an issue. While I shouldn't expect extensive logging and reporting at this price point, it would be nice to have more information recorded to help diagnose connection issues or to audit user access. For its target audience, however, the ZyXel ZyWall is a great choice.
Keith Schultz is contributing editor of the InfoWorld Test Centre.
The ZyWall SSL 10 packs a lot of enterprise-worthy features into an inexpensive appliance. Set-up wasn't as intuitive as I expected, but once configured, the Java client worked well on my test PCs. The ZyWall exposed my servers and resources, and allowed metered access into my test network. I also liked the inclusion of end-point policy enforcement. At this price point, it's hard to ding it for any missing features, but logging and reporting are notably underpowered.