Security
Sneak Preview
Faster Than a Speeding VPN--Super Remote Access With Neoteris IVE

  September 15, 2002
  By Mike DeMaria



Securing remote access to a corporate network over the Internet can be accomplished using encrypted protocols--such as SSH- or SSL-secured Web-based programs--or deploying VPN solutions. The problem with the first approach is that most administrators don't feel comfortable opening up incoming SSH support to every machine on the LAN. VPNs, on the other hand, come with client-software-installation and user-training headaches.

Neoteris' Instant Virtual Extranet (IVE) PartnerAccess 1000 2.1 appliance bridges the gap between these solutions. With the IVE, remote workers have secure access to internal services, and all transactions are performed over SSL using a Web browser.


In a conventional VPN setup, a user authenticates from the Internet to a VPN server on the corporate LAN, and all traffic between the user and the LAN is encrypted. However, to access a VPN the user must install client software. The IVE eliminates this need by deploying SSL tunneling and acting as an application proxy, which means you must be on a network that passes HTTPS (Port 443) traffic. Connections are made from the user to the IVE, and then the IVE opens a connection and passes data to the internal server. Some activities, such as file sharing and SSH, are "Webified"--transformed into a Web-browser-based interface. Other TCP-based programs and services are proxied and tunneled through a Java applet using SSL.

I plugged the IVE into the Network Computing network at our Syracuse University Real-World Labs®. Using an Apple Macintosh and a Microsoft Windows NT box as clients, I connected through an external broadband link and set up a Microsoft Exchange 2000 and Internet Information Server (IIS) running Windows 2000 on the private LAN. The IVE includes two Ethernet ports--you can use just one port or use the second port as a DMZ. I installed the IVE in one-arm mode.

Good News
  • Easier to use than VPNs for some applications.
  • No client software to install.
  • Supports Microsoft Exchange and Lotus Notes.

Bad News
  • Harder to use than VPNs for some applications.
  • Split tunneling can't be turned off.
  • Expensive.

In addition to accessing a built-in user database, users can authenticate against an NT domain, LDAP, NIS (Network Information Services), ACE (Advanced Computing Environment), and RADIUS servers. You can group users and create multiple security and access policies. I found it limiting, however, that a user can belong to only one group and that subgroups cannot be created.

Webified Apps

I created a user name in the database and set up policy and access permissions. Connecting to the IVE, I was presented with a list of Web- and file-server bookmarks, a browse-Web option and a list of client applications (see screen, at right). The browser applications are provided for browsing intranet sites as well as for using a Web-based e-mail system. Web pages are passed between the client and IVE via SSL and then in the clear from the IVE to the back-end Web server. The IVE supports HTTPS browsing as well. One small complaint: A navigational widget on the top of every Web page lets you return to the IVE home or log out. I would have preferred to see the pages embedded inside a frame, making it easy to tell if you're still connected.

The file-sharing feature is a real bonus. You can browse the Windows file-sharing network and connect to NFS (Network File System) servers. You also can explore graphically or type in an absolute path to authenticate, download or upload files. You cannot rename or move files, but you can delete them. Other users on the LAN will not be able to see or access your machine.

Vendor Information
Instant Virtual Extranet Partner-Access 1000 2.1, starts at $29,995. Neoteris, (650) 605-4800.
www.neoteris.com

SSH and telnet are Webified, too. Enter a host name, and a black-and-white terminal pops up that lets you remotely connect to machines without requiring SSH to be opened to the world on the firewall. These sessions are proxied by the IVE and encapsulated in the SSL session. You cannot copy or paste text in the terminal, nor change the font size or color of text.

Your Own Apps

Although the ability to access Webified services is useful, organizations typically deploy VPNs in order to use custom applications. The IVE lets you use your own applications for e-mail and most TCP-socket-based programs. In fact, for e-mail the IVE acts as a mail server. If you have an SSL-capable mail client, you can set your e-mail program to use the IVE as the SMTP server; it also supports SSL-encrypted POP and IMAP mail. You don't have to log into the IVE to use e-mail proxying. The IVE retrieves the mail or forwards it to the back-end servers. I configured my Mac Mail program to use IMAP, pointed it to the IVE and was able to send and retrieve mail through the IVE to an Exchange server behind the firewall. The IVE also supports Lotus Notes and Exchange MAPI messages.

Neoteris claims that almost any TCP program can work with the IVE, but it does not support UDP (User Datagram Protocol) or DNS tunneling. Users can't create listening ports on the fly, so the forwarded ports and addresses must be preconfigured by the administrator.

Port-forwarding works similarly to SSH tunneling. To connect with the Microsoft Terminal Services client, I set up a configuration in the IVE to forward traffic on Port 3389 (the default Terminal Services port) to my Windows 2000 box. I then logged into the IVE on my remote client machine. A Java applet loaded and set up a few listening ports on the client machine. Then I told the Terminal Services client to connect to 127.0.0.1 on Port 3389. Traffic was forwarded automatically, and I was connected to the Windows 2000 box. This worked flawlessly. I then set up port-forwarding to two different computers. Because Terminal Services ran on the same port on each machine, the IVE automatically selected an alternate local open port on the client.
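As an added illustration (not Neoteris code, and far simpler than the IVE's Java applet), the following Python sketches the client side of the port-forwarding just described: one loopback listener per administrator-preconfigured forward, bound to the configured port when it is free and to an alternate local port when two forwards collide, plus a byte relay to the far end. The internal hostnames are hypothetical, and a plain TCP connect stands in for the SSL leg to the appliance.

```python
import socket
import threading

# Constructed configuration standing in for the forwards an administrator
# preconfigures on the IVE. Both hypothetical hosts run Terminal Services on
# 3389, so only one of them can get 127.0.0.1:3389 on the client.
FORWARDS = [
    ("win2k-a.internal.example", 3389),  # hypothetical internal host
    ("win2k-b.internal.example", 3389),  # hypothetical internal host
]


def allocate_listeners(forwards, bind_addr="127.0.0.1"):
    """Bind one loopback listener per forward: the configured port if it is
    free, otherwise an OS-chosen alternate port (the collision case in the
    article). Returns (internal_host, internal_port, listening_socket)."""
    listeners = []
    for host, port in forwards:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            sock.bind((bind_addr, port))
        except OSError:          # port already taken locally: pick another
            sock.bind((bind_addr, 0))
        sock.listen(5)
        listeners.append((host, port, sock))
    return listeners


def pump(src, dst):
    """Copy bytes one way until src closes, then half-close dst."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def serve_once(listener, connect=socket.create_connection):
    """Accept one local client and relay it to the internal host. `connect`
    stands in for the applet's SSL connection to the appliance; the default
    plain TCP connect is an assumption made so the relay runs offline."""
    host, port, sock = listener
    client, _ = sock.accept()
    remote = connect((host, port))
    threads = [threading.Thread(target=pump, args=(client, remote), daemon=True),
               threading.Thread(target=pump, args=(remote, client), daemon=True)]
    for t in threads:
        t.start()
    return threads
```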

The IVE I tested supports 1,000 concurrent users and costs approximately $30,000. Comparatively, a Cisco Systems 3030 VPN Concentrator that handles 1,500 users is priced at only $22,000. Neoteris argues that because there is no client software to license, install or maintain, total cost of ownership is lower. I'd counter that there are free VPN clients built into Windows 2000, XP and Mac OS X 10.2, and the Cisco and Nortel clients also are free. Using the IVE is easy, especially for file-sharing and intranet-browsing, but for more advanced capabilities, such as multiple SSH sessions, or other non-Webified programs, using a VPN makes more sense.

Michael J. DeMaria is an associate technology editor at Network Computing. Send your comments on this article to him at mdemaria@nwc.com.



