Ask most network administrators which security appliances they have on their wishlist and Nokia will, invariably, be near the top. Its partnership with Check Point has produced some excellent firewall/VPN solutions but the IP380 platform now finds a new role to play as Nokia offers its own NSAS (Nokia Security Access System) which delivers a complete SSL VPN system. A key feature of SSL VPNs is the minimal client configuration required as users connect to the appliance over the web using a browser, which will already be installed. The IP380 appliance provides the foundation for this approach and is equipped with a modest Pentium III 866MHz processor and 256Mb of PC133 memory. At the front are four 10/100BaseTX ports and the two expansion slots support dual-port Ethernet expansion modules but it’s disappointing to find Gigabit Ethernet is not an option. A couple of PC Card slots are also provided and can accept modems for out-of-band management and CompactFlash cards for backing up system files. Mirrored
The IP380 runs Nokia’s own hardened, FreeBSD-based IPSO (IP security operating system) but note that hard disk mirroring and IP clustering are not supported as the appliance only comes with a single hard disk and only the Check Point implementation supports clustering. The 1U appliance is well built and can be easily upgraded as the entire system board can be slid out from the front allowing the chassis to remain in the rack. After assigning an IP address to one of the interfaces you can use Nokia’s Voyager browser interface, which is infinitely more preferable to the highly complex CLI (command line interface). Voyager provides access to IPSO where you can set up each interface and configure routing, traffic management and administrative access parameters. Regular backups of IPSO can be scheduled for local and remote locations and you can keep an eye on system performance and an impressive range of network and interface utilisation reports and graphs. NSAS must be accessed from a separate secure browser session and we found the interface was easy enough to navigate. User authentication methods are plentiful as you can opt for standard password-based schemes and NSAS supports NTLM, LDAP, RADIUS, NIS and local passwords or you can use certificates instead. An integrity scan can be used to check a client system before access is granted and this downloads a Java applet which uses a simple script that instructs it what to look for. Four examples are provided for checking for running processes, good and bad files and open ports. It’s not too difficult to modify them or create your own but care is needed before letting them loose. They also have limitations as we asked if it would be possible, for example, to scan for up-to-date virus signature files and Nokia advised us that this would be a management intensive activity and not practical to run on the IP380 due to the regular script changes that would be required. The intuitive NSAS administrative screen makes it easy enough to create users and groups, set up global access parameters and determine what resources will be made available to your remote users. Separate categories are provided for web, file, email and port-forwarding. You can easily secure web server and email resources and allocate file sharing permissions across FTP, NFS and CIFS/SMB environments. Port-forwarding is used to allow secure HTTPS access to LAN applications that aren’t web-enabled. When users access the appliance they are presented with a simple login screen and we found the scan process only takes a few seconds to complete. Once past authentication they are provided with a simple screen showing what resources they can access and these are reached with nothing more than a mouse click. Users can enter URLs and create links to favourite sites but, naturally, these can only be accessed if permission has been granted. Our experiences with SSL VPNs show that they are indeed a lot easier to setup and manage than many standard VPN solutions. The IP380 and NSAS combo is a powerful partnership that we found reasonably easy to use making it particularly appealing to larger businesses that need to secure remote access to the corporate network but don’t want any major support hassles.

OUR VERDICT

Although more costly than standard VPNs, SSL VPNs are much simpler to implement as most clients already have the necessary software installed. Nokia’s solution is very easy to use and for larger networks the reduced maintenance and support costs could easily balance out the initial investment.