Footloose And Fancy Free With Three Socks 5-Based Proxy Servers
Aventail Corp. Aventail VPN Server 2.6

Aventail bets the farm on Socks 5 security. The company leverages Socks' modular architecture to authenticate and encrypt sessions based on users rather than on IP addresses. Among the products we tested, VPN Server provides the broadest support for user authentication, data encryption and access control. Its relatively simple management platform greatly eases the complexities of configuring and managing the server. On the down side, configuration must be accomplished locally: currently there are no remote management capabilities, and server management suffers for it. We also found the logging and reporting functions somewhat weak when stacked up against the WinGate and Proxy Server offerings.

Aventail provides a Socks 5 client called AutoSocks 2.6s. AutoSocks wraps around WinSock and "socksifies" connections based on a set of redirection rules, which can be as simple as "any traffic bound for this network should be proxied." You can also configure applications that should not be proxied. The AutoSocks client is set up by the end user or the administrator through configuration files, which can be distributed by e-mail or disk. All of AutoSocks' configuration information is kept on the server, so you can maintain tight control over user access. We successfully tested the AutoSocks client with all three servers in this review, as well as with NEC Corp.'s freeware SocksCAP client.

VPN Server is the only product in this roundup that offers encryption between the user and the server (this feature requires the AutoSocks client). At the first connection request, the server and client negotiate an SSL (Secure Sockets Layer) 3.0 connection, which is used to secure user authentication and configuration requests in transit. Once a user is authenticated, the server and client can establish other encryption routines, such as DES (Data Encryption Standard), triple-DES or RC4.
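The following is an added example, not Aventail's or AutoSocks' code, of the Socks 5 exchange the review relies on: method negotiation per RFC 1928, the RFC 1929 username/password subnegotiation behind user-based (rather than IP-based) authentication, and a CONNECT request checked against ordered, group-based rules of the kind the review's test policy uses (HTTP from the local network out, everything else denied). Both sides are driven in memory; the users, groups, passwords and rules are constructed for illustration. RFC 1929 sends the password in the clear, which is why the SSL 3.0 session the review describes is negotiated before authentication happens.

```python
"""Socks 5 handshake (RFC 1928) with username/password subnegotiation
(RFC 1929), client and server side driven in memory. Added example, not
Aventail's code; users, groups and rules are constructed for illustration."""
import ipaddress
import struct

VER, AUTH_NONE, AUTH_USERPASS, NO_ACCEPTABLE = 0x05, 0x00, 0x02, 0xFF
CMD_CONNECT, ATYP_IPV4, ATYP_DOMAIN = 0x01, 0x01, 0x03
REP_OK, REP_RULESET, REP_CMD_UNSUPPORTED = 0x00, 0x02, 0x07

# Constructed server-side configuration: user -> (password, group).
USERS = {"alice": ("s3cret", "staff"), "bob": ("hunter2", "contractors")}
# Ordered rules, first match wins: (group or "everyone", source net, dest port or None, action).
# Mirrors the review's test policy: HTTP from the local net out, all else denied.
RULES = [
    ("everyone", "10.0.0.0/8", 80, "allow"),
    ("staff", "10.0.0.0/8", 443, "allow"),
    ("everyone", "0.0.0.0/0", None, "deny"),
]

# ---- client-side builders ----------------------------------------------
def client_greeting(methods):
    return bytes([VER, len(methods), *methods])

def userpass_request(user, password):
    # RFC 1929: VER=1, ULEN, UNAME, PLEN, PASSWD. Travels in the clear.
    u, p = user.encode(), password.encode()
    return bytes([0x01, len(u)]) + u + bytes([len(p)]) + p

def connect_request(host, port):
    try:
        addr = bytes([ATYP_IPV4]) + ipaddress.IPv4Address(host).packed
    except ipaddress.AddressValueError:
        h = host.encode()
        addr = bytes([ATYP_DOMAIN, len(h)]) + h
    return bytes([VER, CMD_CONNECT, 0x00]) + addr + struct.pack("!H", port)

# ---- server-side handlers ----------------------------------------------
def select_method(greeting, required=AUTH_USERPASS):
    """A server that authenticates users answers 0xFF if the client offers
    only NO AUTHENTICATION; it must not silently fall back to it."""
    if len(greeting) < 2 or greeting[0] != VER or len(greeting) != 2 + greeting[1]:
        raise ValueError("malformed greeting")
    chosen = required if required in greeting[2:] else NO_ACCEPTABLE
    return bytes([VER, chosen])

def verify_userpass(req, users=USERS):
    """Returns (status reply, authenticated user or None)."""
    if not req or req[0] != 0x01:
        raise ValueError("bad subnegotiation version")
    ulen = req[1]
    plen = req[2 + ulen]
    if len(req) != 3 + ulen + plen:
        raise ValueError("length mismatch")
    user, password = req[2:2 + ulen].decode(), req[3 + ulen:].decode()
    ok = user in users and users[user][0] == password
    return bytes([0x01, 0x00 if ok else 0x01]), (user if ok else None)

def parse_connect(req):
    """Returns (cmd, host, port); host is a dotted quad or a domain name."""
    if len(req) < 4 or req[0] != VER:
        raise ValueError("bad request")
    cmd, atyp = req[1], req[3]
    if atyp == ATYP_IPV4:
        host, rest = str(ipaddress.IPv4Address(req[4:8])), req[8:]
    elif atyp == ATYP_DOMAIN:
        n = req[4]
        host, rest = req[5:5 + n].decode(), req[5 + n:]
    else:
        raise ValueError("unsupported address type")
    if len(rest) != 2:
        raise ValueError("bad request length")
    return cmd, host, struct.unpack("!H", rest)[0]

def allowed(user, src_ip, dst_port, rules=RULES):
    """First matching rule decides; no match is a deny."""
    group = USERS[user][1]
    src = ipaddress.IPv4Address(src_ip)
    for rule_group, net, port, action in rules:
        if rule_group not in ("everyone", group):
            continue
        if src not in ipaddress.IPv4Network(net):
            continue
        if port is not None and port != dst_port:
            continue
        return action == "allow"
    return False

def reply(code):
    # BND.ADDR/BND.PORT zeroed here; a real server reports its bound socket.
    return bytes([VER, code, 0x00, ATYP_IPV4]) + bytes(6)

def handshake(user, password, host, port, src_ip, methods=(AUTH_NONE, AUTH_USERPASS)):
    """Run the whole exchange; returns (last server message, outcome label)."""
    sel = select_method(client_greeting(methods))
    if sel[1] == NO_ACCEPTABLE:
        return sel, "no acceptable method"          # client must close
    status, authed = verify_userpass(userpass_request(user, password))
    if authed is None:
        return status, "auth failed"               # server must close
    cmd, _host, dst_port = parse_connect(connect_request(host, port))
    if cmd != CMD_CONNECT:
        return reply(REP_CMD_UNSUPPORTED), "unsupported command"
    if not allowed(authed, src_ip, dst_port):
        return reply(REP_RULESET), "denied by ruleset"
    return reply(REP_OK), "ok"
```

Calling `handshake("alice", "s3cret", "www.example.com", 80, "10.1.2.3")` returns the `ok` reply, while the same request from `198.51.100.7` or from `bob` to port 443 is refused with reply code 0x02 (connection not allowed by ruleset). A client offering only method 0x00 never reaches the password step: the server answers 0xFF and the client closes, which is the behaviour to verify when you audit a proxy that claims to require user authentication.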
Aventail provides several options for user authentication: internal user lists, NT Domains, NDS, RADIUS and Unix /etc/passwd files. Users are grouped on the server for easier management when you're building access rules. All user management on the VPN Server is accomplished via groups, even if it's a group of one. We set up our server using NT Domains and created a few specific user groups. Adding users and NT groups was as simple as pointing the server to our PDC (Primary Domain Controller). Once the list was acquired, we could move users into assigned groups on the VPN Server.

After creating a set of rules and a security policy (see "Putting On The Socks: How We Tested" on page 116), applying them was a snap. With Aventail you tailor the rules to include "everyone" or custom groups, and the rules are ordered hierarchically, so their sequence matters. You can also enforce asymmetric security by applying the rules to particular interfaces and specifying source networks. We set up our server to allow HTTP traffic from the local network to anywhere, but denied all incoming connections. We also set up Socks to chain connections to a second proxy server. Proxy chaining lets you control access to your own network as well as to your trading partner's network.

Aventail bundles URL filtering from CyberPatrol and SmartFilter. These managed URL filters let you block access to Web sites that match certain non-business-related criteria, such as sports, entertainment and adult material. While testing, we found that we were blocked from some adult and sports sites, but we were able to reach www.playboy.com. In addition, we were denied access to the AltaVista search engine home page. After conferring with Aventail, we configured our server to perform reverse DNS lookups (so that requests made by IP address are also matched against the filter's host names) and set a ".com" domain alias to force IP lookup on commercial sites.
Though this change blocked access to Playboy and the other sites we intended to filter, it did not lift our AltaVista denial.

Lacking in Tracking

Logging is central to effective network and security management, and we found Aventail's logging less appealing than either WinGate's or Proxy Server's. Most notably, all of Aventail VPN Server's connections are logged to a single file, which can grow very large as connections accumulate, and unlike WinGate, VPN Server has no automatic rollover. VPN Server logs either to a text file or to the Windows NT Event Log. We find text-based logging more useful, with greater detail than the Event Log provides. For example, when using the NT Event Log, you must tediously drill down into each event to determine what it actually means; we prefer event numbers, which let you visually filter events quickly without examining each entry. The NT Event Log tracks some information, but filter details are not included; to see them, you must use text-file logging. Similarly, if you want custom reporting and accounting information, you will have to write your own scripts to parse the log and format the results.

Aventail says its next version of VPN Server, which should be available by the time you read this, will address these shortcomings. It will log simultaneously to the NT Event Log, a static file and a real-time tool for detailed logging. Aventail is also expanding the logging functionality to export log data in a format that spreadsheets and other reporting tools can accept more easily.
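The review notes that accounting and custom reports from the text log mean writing your own parsing scripts. As an added example (not Aventail's tooling), here is one such script: it parses per-connection text-log lines into records, produces per-user allow/deny/byte totals, exports them as CSV for a spreadsheet, and flags users whose denied connects spread across several destination ports, the pattern you would look at first when a policy is misconfigured or someone is probing it. The line format and the sample lines are constructed for illustration; Aventail's real text-log layout is not documented on this page, so adapt `LINE_RE` to whatever the server actually writes.

```python
"""Per-user accounting from constructed proxy text-log lines. Added example,
not Aventail's tooling; the log format and sample lines are invented."""
import csv
import io
import re
from collections import defaultdict

# Constructed sample log, not captured from a real server. One garbage line
# is included to show the parser counting it rather than crashing.
SAMPLE_LOG = """\
1998-03-12 09:14:02 user=alice group=staff src=10.1.2.3 dst=www.example.com:80 result=allow bytes=5120
1998-03-12 09:14:09 user=bob group=contractors src=10.4.0.9 dst=mail.example.net:25 result=deny bytes=0
1998-03-12 09:14:11 user=bob group=contractors src=10.4.0.9 dst=mail.example.net:110 result=deny bytes=0
1998-03-12 09:14:15 user=bob group=contractors src=10.4.0.9 dst=203.0.113.5:23 result=deny bytes=0
1998-03-12 09:15:01 user=alice group=staff src=10.1.2.3 dst=www.example.org:443 result=allow bytes=20480
this line is garbage and should be counted, not crash the parser
1998-03-12 09:16:30 user=bob group=contractors src=10.4.0.9 dst=www.example.com:80 result=allow bytes=812
"""

# Hypothetical line layout; adjust to the real server's text log.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) user=(?P<user>\S+) group=(?P<group>\S+) "
    r"src=(?P<src>\S+) dst=(?P<host>[^:\s]+):(?P<port>\d+) result=(?P<result>allow|deny) "
    r"bytes=(?P<bytes>\d+)$")

def parse(text):
    """Returns (records, number of unparseable lines)."""
    records, bad = [], 0
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        d = m.groupdict()
        d["port"], d["bytes"] = int(d["port"]), int(d["bytes"])
        records.append(d)
    return records, bad

def per_user(records):
    """Allow/deny counts, bytes and the set of ports denied, keyed by user."""
    stats = defaultdict(lambda: {"group": None, "allow": 0, "deny": 0,
                                 "bytes": 0, "ports_denied": set()})
    for r in records:
        s = stats[r["user"]]
        s["group"] = r["group"]
        s[r["result"]] += 1
        s["bytes"] += r["bytes"]
        if r["result"] == "deny":
            s["ports_denied"].add(r["port"])
    return dict(stats)

def noisy_denials(stats, min_denies=3, min_ports=2):
    """Users with several denied connects across several destination ports:
    either the ruleset does not fit their job or they are probing it."""
    return sorted(u for u, s in stats.items()
                  if s["deny"] >= min_denies and len(s["ports_denied"]) >= min_ports)

def to_csv(stats):
    """Spreadsheet-friendly export, one row per user."""
    buf = io.StringIO()
    w = csv.writer(buf)
    w.writerow(["user", "group", "allowed", "denied", "bytes"])
    for u in sorted(stats):
        s = stats[u]
        w.writerow([u, s["group"], s["allow"], s["deny"], s["bytes"]])
    return buf.getvalue()
```

Run against `SAMPLE_LOG`, `parse` yields six records and one rejected line, `per_user` credits alice with two allowed connections and 25,600 bytes, and `noisy_denials` returns `["bob"]` because his three denials hit ports 25, 110 and 23. The same skeleton works for the rollover problem the review raises: point `parse` at each day's file before the log is truncated, and the totals survive even when the raw file does not.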