Introduction
To drive high levels of user productivity and sustain a competitive edge, today’s businesses must provide network access to outside users, including remote and mobile employees, customers, partners and suppliers. In doing so, however, they must also ensure that infected laptops and mobile devices are kept from doing any harm, that strict control is maintained over which users can get to which specific resources under which conditions, and that sensitive data is not “lost” via exposure to unauthorized parties.
Having supplanted IPSec-based alternatives due to broader applicability, easier implementation, improved granularity and greater overall flexibility, SSL VPN solutions are widely regarded as the ideal approach when it comes to establishing a modern secure remote access (SRA) capability. Leading solutions easily enable government and commercial organizations alike to pursue cost-saving teleworking initiatives and to construct highly flexible extranets for streamlining partner and supplier interactions. They also serve as an integral part of an organization’s business continuity strategy, ensuring user access to network resources during emergencies such as natural or man-made disasters, transportation disruptions, or even pandemics.
And that’s not all. Consider some of today’s top trends: the consumerization of IT, the proliferation of mobile devices, and widespread adoption of virtualization solutions, including virtual desktop infrastructure (VDI). SSL VPNs are invaluable in these instances as well. They not only address the security challenges posed by a diverse population of both managed and unmanaged client devices, but also deliver secure access to the broadest possible range of resources – including centrally hosted virtualized applications and desktops.
A well-architected, full-featured SSL VPN solution has the potential to unlock a number of key benefits:
• Improved productivity – Users can securely access all of the applications, data, and resources they require to get their jobs done, at all times, and from all locations and types of devices
• An enhanced user experience – Numerous ease of use features, familiar modes of operation, choice of device, and performance at scale ensure smooth operation and reinforce continued usage
• Reduced risk and improved compliance posture – A comprehensive set of granular access control, security, and data protection capabilities delivers robust, end-to-end protection
• Greater adaptability – The ability to rapidly extend Secure Remote Access (SRA) capabilities to new users ensures operational resilience and enables organizations to embrace new opportunities in the face of ever-changing business conditions
In reality, however, the breadth and depth of SRA capabilities vary considerably from one product to the next. Consequently, so too does the extent to which each product enables these benefits. The purpose of this paper is threefold: to expose some of the variability and associated weaknesses of competing products; to arm evaluators with the means to further reveal similar differences and deficiencies; and, to highlight why your next SSL VPN purchase should be a secure remote access solution from Dell™ SonicWALL™. In particular, this paper examines eight crucial areas of SRA characteristics and capabilities where the Dell SonicWALL Aventail™ E-Class Secure Remote Access (SRA) Series has compelling advantages compared to its primary competitors. In each case, a general description of the area is provided, followed by explanation of Dell SonicWALL’s strengths and capabilities in that area, enumeration of competitor shortcomings, and identification of probing questions purchasers can use to help obtain essential details and reveal the true capabilities of the products they are considering.
The information presented in this paper represents the industry experience of the Dell SonicWALL research and development team and reflects the requirements that can be met by applying Dell SonicWALL solutions.
The Dell SonicWALL advantages over the competition
Secure remote access market analysis:
The Dell SonicWALL difference
Areas of differentiation
• Accessibility of resources
• User experience
• Endpoint control and security
• Granular access control
• Head-end defenses
• Support for mobility
• Unified policy management
Dell SonicWALL solutions are referenced in the conclusion to this paper and can be reviewed in detail on the Dell SonicWALL web site: www.DellSonicWALL.com
Accessibility of resources
The measure of success for this area of evaluation is the ability to support the most extensive set of secure access scenarios. This, in turn, is based on the extent to which a solution not only enables access from the largest collection of client devices, but also to the broadest portfolio of corporate resources (e.g., applications, files, and services).
Dell SonicWALL capabilities and strengths
With Dell SonicWALL Aventail SmartAccess, the appropriate access method and security level is transparently determined and deployed based on the type and state of the device, user identity, and resources being accessed. Furthermore, all access is achieved via a pair of familiar, user-friendly approaches. On one hand, Dell SonicWALL Aventail WorkPlace delivers a policy-driven, device-optimized web portal that provides straightforward access to all resources each user is entitled to access. And unlike some competing solutions, confusion is minimized as the only resources displayed on the portal page are the ones the user has access to (versus displaying the entire portfolio of resources and “graying out” those that are unavailable to a given user). Alternately, users can be configured for an “in office” experience. In this case secure access is automatically initiated in the background when users click on corresponding applications, just like they do when operating from a corporate desktop. Finally, 100 percent availability and acceptable performance are guaranteed, respectively, by robust HA functionality (e.g., active/active pairs with integral load balancing and stateful failover) and support for up to 20,000 concurrent users on the top-end, SRA EX9000 platform.
In comparison
Although support for a portal-style interface and an “in-office” connection experience are not uncommon, the SmartAccess feature set is unique to the Dell SonicWALL solution. In general, competing offerings lack a comparable degree of ease of use and user transparency. For example, agents must be launched manually and there is no ability to automatically fall-back from one type of agent to another in the event of a failed install.
Questions purchasers should ask candidates to explore this topic further include:
• From a user perspective, how are ease of use, consistency, and transparency achieved?
• To what extent is user involvement required to select and/or launch the client components needed to establish secure access in any given scenario?
• Can load-balanced clusters be established natively without the need for additional, external products/hardware?
Endpoint control and security
This evaluation area involves establishing device identity, configuration, and security parameters for the purposes of dynamically adapting access policies and implementing supplemental countermeasures for added protection.
Dell SonicWALL capabilities and strengths
Only SonicWALL Aventail End Point Control™ (EPC) lets organizations enforce granular access control for Windows, Apple Mac OS and iOS, and Android endpoints. EPC combines pre-authentication interrogation to confirm endpoint criteria such as anti-virus updates and the status of personal firewall software with recurring scans at administrator-defined intervals to ensure ongoing integrity of any endpoint. In turn, scannable attributes can be incorporated individually or in an aggregate manner as factors that dynamically determine the level of access a user obtains. In addition, device watermarks allow access from a lost or stolen device to easily be revoked, while Device Identification allows administrators to tie the serial or equipment ID number of a specific Windows, Mac OS, iOS or Android device to a specific user or group.
An optional add-on, SonicWALL Aventail Advanced EPC includes:
• Advanced Interrogator, which simplifies device profiling by providing comprehensive pre-defined lists of anti-virus, personal firewall, and anti-spyware solutions, including version and currency of signature file updates;
• Cache Control, which purges browser cache, session history, cookies, and passwords upon completion of an access session; and,
• Secure Desktop, which creates a virtual encrypted environment that prevents downloaded data from being left behind.
In comparison
Although device integrity and security capabilities are commonly available among Dell SonicWALL’s primary SRA competitors, there are considerable differences with regard to the ease and extent that scan results can be used to dynamically control user access. With Dell SonicWALL, Policy Zones uniquely provides the ability to aggregate client-side attributes and map them to specific levels of trust and, in turn, access (e.g., quarantine, allow, allow restricted, deny). Competing solutions also suffer from gaps in terms of the specific capabilities that are provided and/or how they are obtained. For example, one competitive solution requires purchase of a third-party product for its client integrity and security capabilities, while another is unable to identify/classify smartphones as mobile devices and does not support pre-defined checklists and cache cleaning for platforms other than Windows.
Questions purchasers should ask candidates to pursue this topic further include:
• What device interrogation capabilities are supported and how much effort is required to implement them and subsequently leverage the results to dynamically adjust access levels?
• What advanced endpoint security and data protection capabilities are available?
• What interrogation capabilities are available for common smartphone platforms (e.g., iOS and Android)?
Granular access control
A significant advantage of SSL VPNs, particularly relative to IPSec technology, is the ability to more granularly control who has access to which specific resources (as opposed to entire networks) from which devices, and under which conditions.
Dell SonicWALL capabilities and strengths
E-Class SRA appliances support an extensive array of attributes for formulating access rules, including: user/group identity, source IP, device identity, device integrity, service/port, host name, destination URL, fileshare name, domain, destination IP/range/subnet, and time of day. In addition, with Smart Tunneling, all L3 connections not only benefit from adaptive addressing and routing capabilities (which automatically eliminate potential conflicts), but are also tightly controlled via L4-L7 policy controls – rather than being left as wide-open conduits to the corporate network. Control is bi-directional, enabling full support for back-connecting apps such as VoIP and various helpdesk utilities. All connections and routes are established and remain open only for as long as they are actively being used. Furthermore, the E-Class SRA operates with a default-deny access model, where nothing gets through unless explicitly allowed.
In comparison
None of Dell SonicWALL’s primary SRA competitors combine the same breadth of attributes with the ability to easily create and maintain access rules that take advantage of them to deliver truly powerful yet usable granularity of control. Equally unique is the degree of security and control Dell SonicWALL provides for L3 tunnel connections.
Questions purchasers should ask candidates to pursue this topic further include:
• What is the full range of attributes that can be used to control access?
• What degree of granularity is available for defining the specific resources that can be accessed?
• How are L3 tunnel connections managed and controlled?
• What is the default policy/access model (e.g., deny or allow)?
Head-end defenses
Head-end defenses pick up where endpoint and granular access control capabilities leave off by providing an additional layer of protection for both the SRA solution itself as well as the network it front-ends.
Dell SonicWALL capabilities and strengths
Like most of its primary competitors, E-Class SRA features a hardened operating system, logging/auditing for both user and administrator activities, and basic firewalling capabilities. What sets the Dell SonicWALL solution apart in most cases, however, is its Clean VPN approach. When E-Class SRA appliances are optionally deployed in conjunction with Dell SonicWALL Next-Generation Firewalls, customers benefit from additional powerful capabilities, including: (a) the ability to decrypt and inspect all authorized access sessions for malware, intrusion attacks, and sensitive data; and (b) the ability to leverage Dell SonicWALL Application Intelligence and Control to prioritize business applications over less important traffic.
In comparison
With a few partial exceptions, none of Dell SonicWALL’s primary SRA competitors deliver a feature set equivalent to that provided by Dell SonicWALL Clean VPN.
Questions purchasers should ask candidates to further explore this topic include:
• What additional defenses are provided for both the solution itself and the network it is controlling access to?
• Does the solution support an integrated and highly effective approach for malware scrubbing, intrusion prevention, sensitive data detection, and bandwidth management?
Support for mobility
The consumerization of IT is triggering a new wave of mobility and the need to extend SRA capabilities to a steadily increasing and diverse population of both mobile devices and users (as opposed to the earlier generations of remote users who largely operated laptops from fixed locations and with relatively reliable network connections).
Dell SonicWALL capabilities and strengths
E-Class SRA delivers the most complete access solution for mobile users and devices. Supported access options include: web-based and in-office network-layer access from iOS and Android devices; browser-based access from a wide range of other platforms (e.g., Symbian, BlackBerry, and any device with a WAP browser); and ActiveSync (email-centric) access from iOS, Android, and Symbian devices – all with complete security and control. Centralized management of all devices includes the ability to prohibit access from devices that are lost or stolen.
The ability to identify devices as being mobile further allows policy to be tied to this classification. It also allows the WorkPlace portal to dynamically render content accordingly. Finally, with session persistence, users retain their current session as they switch between networks – on the go between office, commute, home and hotel – without needing to re-authenticate.
In comparison
This is a rapidly changing area of evaluation as most competitors scramble to add capabilities in response to escalating interest and demand from enterprise customers. Distinct advantages Dell SonicWALL maintains, however, include being able to identify devices as being mobile, subsequently enforcing mobile-specific access rules, and providing an additional, powerful layer of protection via its Clean VPN approach – a capability that is particularly important for bring-your-own-device (BYOD) access scenarios where client devices are not directly controlled or managed by enterprise IT. Unlike competitors, Dell SonicWALL also does not require customers to resort to VDI (or similar techniques involving centrally hosted desktops) to enable access to more than just web apps from iOS, Android and other mobile platforms.
Questions purchasers should ask candidates to explore this area further include:
• Which mobile platforms are supported with more than just web-based access? To what extent is granular control retained for any other supported access modes?
• Does the solution explicitly identify devices as “mobile” and support use of this classification for setting access policies and adjusting the presentation of content?
• What other client integrity checks are supported for mobile devices (e.g., for iOS platforms, Dell SonicWALL enables detection of certificates, OS version, and whether the device is jailbroken)?
Unified policy management
With so many attributes and access methods to account for, instantiating policy in the form of access rules has the potential to be quite onerous. This area of evaluation emphasizes characteristics and capabilities which help keep the process simple and straightforward.
Dell SonicWALL capabilities and strengths
Unique to the E-Class SRA solution, Dell SonicWALL Aventail Unified Policy relies on an extensible, object-based policy model with unmatched flexibility and ease of use. Administrators need only define resources, users, groups and access rules a single time – as opposed to the multiple times typical with competing products (i.e., once for each access method or type of resource). Optional policy zones streamline rules even further by effectively rolling administrator-defined sets of device integrity checks (i.e., device profiles) into high-level objects representing device trust level (e.g., deny, quarantine, allow, allow restricted). A helpful by-product of all this: administrators can view and manage all of their access rules in a single place, versus having to flip between a half dozen or more separate areas within the management system. With Unified Policy, not only can admins cut the time it takes to develop and manage access policies in half (or better), but also cut down on the number of errors inevitably introduced with significantly more complex policy models.
In comparison
None of Dell SonicWALL’s competitors have a policy model that is at once equally easy to use and efficient, yet extremely flexible. For example, with competitive solutions, administrators will need to define resources differently for different access modes and may have to contend with up to eight different access control lists. As with many of the other competitors, increasing levels of granularity come at the price of increased complexity and administrative effort.
Questions purchasers should ask candidates to pursue this topic further include:
• Does the solution require common objects (e.g., for users, groups, devices, resources) to be defined more than once (versus defining them once and simply re-using the associated objects as needed)?
• Does the solution’s policy model require separate rule definitions for each access method or types of resource?
• Can all access rules be displayed in a single, unified view?
Deployment and operation
This area involves efficiency of installation and ongoing operations – in other words, compatibility with an organization’s existing infrastructure and ease of use for administrators.
Dell SonicWALL capabilities and strengths
The SonicWALL Aventail Set-up Wizard speeds initial deployment, as does Policy Replication when an organization needs to expand their implementation. Broad authentication support, the ability to dynamically populate groups from popular authentication repositories (e.g., RADIUS, ACE, LDAP, and Active Directory), and adaptive addressing and routing all help ensure the solution “fits” in your environment, while also reducing common deployment obstacles. From an operational perspective, Unified Policy, as discussed previously, is a major time saver. In addition, enhanced user monitoring and flexible event filtering streamline troubleshooting of current and historical user activity, while Advanced Reporting delivers detailed records of who accessed what resources, at what time, from which location. With Dell SonicWALL Virtual Assist, technicians can also provide secure on-demand assistance to users, without the need for a separate product.
In comparison
Although the differences for this category do not always appear that great on the surface, their impact can quickly add up. Of the primary competitors only one has an integral option for remote assistance and, as discussed previously, none have a match for Dell SonicWALL’s Unified Policy capabilities. Other gaps and relative shortcomings of individual competitors include a lack of support for comparable dynamic grouping, graphical monitoring, and log filtering capabilities.
Questions purchasers should ask candidates to pursue this topic further include:
• What capabilities are provided to expedite initial installation and configuration?
• Does the solution include features that dramatically reduce administrative effort and help ensure smooth ongoing operations (such as Unified Policy, enhanced user monitoring, and Secure Virtual Assist)?
Conclusion
Establishing a secure remote access capability to fulfill the application and data access requirements of users, partners, and customers is unquestionably a business imperative. Achieving greater user productivity, process efficiency, collaboration and a sustainable competitive edge depends on it, particularly as we embark on a new age of computing characterized by consumerization and hyper-mobility. However, no two solutions are created equal and organizations must take care when selecting an SRA product to best meet their needs. The SonicWALL Aventail E-Class SRA Series has compelling advantages compared to its primary competition in a number of crucial areas, including breadth and depth of resource accessibility, granular access control, unified policy management, and support for mobile users and devices. A 20-year record in the security and secure remote access industries, a presence in 23 countries, and a global network of over 15,000 partners, resellers, and distributors are just a handful of additional reasons why your next SSL VPN purchase should be an Aventail E-Class SRA from Dell SonicWALL.
Dell SonicWALL can help your organization deliver anywhere access to any application from the broadest range of devices and help you lower costs and increase the productivity of both your end-users and IT staff. To learn more, visit
Footnotes:
1. Some vendors offer a substantially similar set of SRA functionality on multiple platforms. For example, two competitive solutions also deliver SSL VPN capabilities via their BigIP Edge Gateway and MAG Series Junos Pulse Gateways, respectively.
Copyright 2012 Dell Inc. All rights reserved. Dell SonicWALL is a trademark of Dell Inc. and all other Dell SonicWALL product and service names and slogans are trademarks of Dell Inc. Other product and company names mentioned herein may be trademarks and/or registered trademarks of their respective owners. 11/12