Rollout: Array Networks SiteDirect

Site-to-site IPSEC VPNS are the most common configuration for connecting networks or offices, but they expose all connected network resources to internal users. Unfortunately, implementing tight access controls can become a configuration nightmare of firewall rules.

Array Networks claims its new site-to-site SSL VPN, SiteDirect, can ease the configuration burden and improve security. Available as a software upgrade to its SPX Series SSL BVPN gateways, it provides fine-grained access control and avoids the complexity of securing conventional IPsec VPNs.

SSL VPNs have proved a viable alternative to IPsec for remote access; now Array is challenging IPsec supremacy in the site-to-site connection arena. It has its work cut out for it. Check Point Software, Cisco Systems, Nortel Networks and others have a strong hold over the VPN/firewall market. IPsec is also a battle-tested standard with broad industry support that enables vendor interoperability.On the SSL front, Array has the site-to-site category to itself--except for James Yonan's OpenVPN, an open-source solution that has been offering site-to-site SSL VPN since the project's inception in 2002. However, because OpenVPN works only in routing or bridging mode, it lacks the least-privilege access Array's technology delivers.

SSL VS. IPSEC

Array's SiteDirect has some distinct advantages over conventional site-to-site IPsec VPN solutions. For starters there is Site2Site Resource Publishing, a technology that's part of Array's new offering. Site2Site Resource Publishing conforms to the principle of minimum access: That which is not explicitly granted is denied. If access to a specific host, network or application is required, it must be explicitly published to the remote network. Because Site2Site Resource Publishing is application-specific, companies do not run the risks associated with full network exposure.

Site-to-site IPsec VPNs, by default, expose the entire network on both ends of the connection. The only way for IT to address this security gap is with multiple firewalls and/or time-consuming and error-prone ACLs (access control lists) and/or iptable packet-filtering rules.

Site2Site Resource Publishing makes configuration easier by letting a host appear as just another node on the local network. The published host is assigned an IP address on the local subnet, but NAT is applied to the traffic flowing through the site-to-site SSL VPN. As a result, a client application believes it is communicating with a local server, when in actuality the traffic is being routed through the site-to-site SSL VPN to a remote SPX Series VPN Gateway, then on to the real host.

Making Connections

To assess the new features in the 8.1 beta release, we set up a private corporate and private partner network. The two networks were not routable to each other. Two SPX 3000 VPN Gateways were used to establish the site-to-site SSL VPN and employ the Site2Site Resource Publishing technology.

Once the site-to-site SSL VPN has been established, our next step was to publish resources--that is, applications, hosts or networks--using Site2Site Resource Publishing. This means navigating a maze of Array's terminology--the company certainly could do a better job of providing context-sensitive help here.

Published resources must be provisioned on the remote network by mapping them to IP addresses that are local to the remote network. On the remote network, client devices must be mapped to IP ranges for requests and service responses. These dedicated IP ranges are used to avoid IP conflicts when sharing resources. Once we had dedicated IP ranges configured on both the local and remote networks, publishing new resources was a snap. We published an Exchange Server, for example, and clients were able to access Exchange using Outlook over RPC connections.Deprovisioning access is also quite simple: The published resources are removed from Site2Site Resource Publisher, and you're done.

One drawback we discovered is that resource provisioning within the remote network occurs automatically. This means once the site-to-site SSL VPN and IP remote/local pools are set up, an administrator in the corporate or partner network (depending on the configuration) can publish one of the local resources to the remote network without getting approval from the remote network's administrator. Also, broadcast and multicast applications weren't supported in the beta code we tested.

Finally, note that the patent-pending Site2Site Resource Publishing is proprietary, which raises the concern of vendor lock-in. Conversely, IPsec is a widely adopted standard that enables interoperability among a host of different products. However, vendor implementations of IPsec often differ, complicating interoperability.

Array's SPX Series SSL VPN Access Gateways with SiteDirect are available in three models, with throughput rates that range from 100 Mbps up to 850 Mbps (see table, at left). The version we tested, the SPX 3000 Gateway, lists for $13,995. In addition to the site-to-site SSL VPN capability in the 8.1 software release, the appliances continue to support remote access SSL VPNs.

Todd Ouimet is a freelance writer and systems consultant for Kishmish, a technology services company based in Syracuse, N.Y. Write to him at [email protected].0