Buyers Guide to SSL VPN Appliances

Article ID: 21066

IPsec, the fully open Virtual Private Network (VPN) protocol standard created to support interoperable, nonproprietary secure network-to-network connections, is a resounding success. IPsec VPN appliances are now commodity products that interoperate well with one another, and they fit the need of interconnecting trusted private networks over the untrustworthy Internet.

But IT administrators want more. In particular, they want to connect individual computers to the enterprise LAN via VPN, and they want more control over the access those individual remote users have to the home office network. They're also tired of the support headaches incurred when IPsec is bent to this task: tricky end-user configuration and, often, installation of proprietary client software.

Fortunately, security vendors have responded, in the form of a new kind of VPN that runs over the well-understood SSL protocol. SSL is best known for securing Web access, but it can readily be turned into a generic encrypted tunnel for any kind of traffic. Better yet, that traffic can be tightly controlled, limiting where SSL VPN users can travel on your network: to a single destination host and protocol, if necessary. Best of all, most of the benefit of SSL VPN requires no explicit client software installation. Users initiate SSL VPN access via a browser-delivered Java applet, which is refreshed every time a user reconnects. Keep in mind that the applet still executes on the endpoint, so the browser's Java runtime becomes part of the attack surface you must keep current.

Vendors now offer a slew of appliances geared specifically to SSL VPN. Some of these appliances can do double duty as a general purpose firewall, but even if they can, you should consider deploying SSL VPN on a dedicated box, for both reliability and performance. To help you evaluate the flock of SSL VPN appliances in the wild, this article includes a handy comparison chart that summarizes the key features of each product.

Products selected for this buyers guide meet the minimum requirement of being enterprise-ready, meaning scalable to at least hundreds of users, but the table generally compares only the entry-level product of each line. Here is an explanation of each feature.

Vendor and Product. A great deal of merger and acquisition activity complicates tracking which vendors sell which products. To help you correlate actual products with the constantly changing suppliers and product names, the table provides a detailed hardware description of each appliance, listing (where available) processor speed, memory, nonvolatile storage capacity, available ports, and physical size.

Base Price. Security product vendors are infamous for unbundling features as extra-cost upgrades. The table shows the lowest list price for the smallest functional unit, which often excludes certain advanced features, such as antivirus and intrusion detection and prevention. Italic text in the table marks the features that incur an additional charge.

VPN Features. To properly size a candidate appliance, you need to know the number of VPN tunnels and concurrent users it will support. If the appliance is also a general purpose firewall, you need to know the number of simultaneous non-VPN IP sessions it can handle. Also important is whether the appliance can deliver site-to-site VPN tunnels and traditional client-software-based remote access, which may let you deploy the product as a double-duty VPN gateway. Some vendors' products don't directly support SSL VPN but can work in tandem with other vendor offerings that do; these have been included, with an "SSL VPN = No" notation.

Throughput. Depending on how many simultaneous users you need to support, throughput may or may not be an issue. Most SSL VPN hardware supports more than enough throughput for the typical enterprise Internet connection, but if you plan to run SSL VPNs over an internal LAN, an increasingly popular technique for interconnecting far-flung departments in a large enterprise, throughput may become a factor. Note that some vendors decline to provide throughput figures; that omission matters if you expect to push the high end of the VPN traffic envelope.

Firewall Features. Every SSL VPN acts as a firewall, in the sense that it blocks outside access according to an explicit policy. That policy may be as simple as "only permit SSL VPN traffic through this appliance" or more complex, mixing SSL VPN with inside users' Web surfing and even port address translation (PAT) remote access. It's generally not a good idea to mix VPN and generic firewalling in the same box, because of the complexity of administering diverse policies and the single point of failure such use creates. Nevertheless, the table lists the traditional firewall features each product supports, as you may want to use them for remote administration or special-purpose transport such as cellular data security.
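The access-control idea behind the SSL VPN and Firewall Features paragraphs above is a per-user policy that can confine a remote user to a single destination host and protocol and drop everything else. The following is an added illustration of that idea as a small, default-deny policy model; it is not code from the article or from any vendor's appliance. The rule format, group names, addresses and sample flows are constructed for the example, and a real product expresses the same decisions in its own configuration language.

```python
"""Minimal model of an SSL VPN gateway's per-group access policy.

Added example, not from the buyers guide or any product.  Groups, addresses
and flows below are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule.  A flow matches when protocol, destination address and
    destination port all match.  port=None means any port; that is sensible
    only for protocols without ports (ICMP), otherwise it widens the rule."""
    proto: str                  # "tcp", "udp" or "icmp"
    dst: str                    # destination network in CIDR form, /32 = one host
    port: Optional[int] = None  # destination port, None = any

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        if proto != self.proto:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst, strict=False):
            return False
        return self.port is None or self.port == dst_port

    def is_overly_broad(self) -> bool:
        """Flag rules that defeat per-user control: any destination, or any
        port on a port-bearing protocol."""
        any_dst = ip_network(self.dst, strict=False).prefixlen == 0
        any_port = self.proto in ("tcp", "udp") and self.port is None
        return any_dst or any_port


class Policy:
    """Per-group allow lists.  Decisions are default deny: an unknown group,
    or a flow matching no rule for its group, is dropped."""

    def __init__(self, groups: dict):
        self.groups = groups  # group name -> list[Rule]

    def decide(self, group: str, proto: str, dst_ip: str,
               dst_port: Optional[int] = None) -> str:
        for rule in self.groups.get(group, []):
            if rule.matches(proto, dst_ip, dst_port):
                return "allow"
        return "deny"

    def audit(self) -> list:
        """(group, rule) pairs wider than a single-host, single-protocol
        restriction would justify, for an administrator to review."""
        return [(g, r) for g, rules in self.groups.items()
                for r in rules if r.is_overly_broad()]


# Constructed sample policy (hypothetical groups and RFC 1918 addresses).
POLICY = Policy({
    # Contractors get exactly one host and one protocol: RDP to a jump host.
    "contractors": [Rule("tcp", "10.20.30.40/32", 3389)],
    # Employees get HTTPS and SMB to the server subnet, plus ping.
    "employees": [
        Rule("tcp", "10.20.0.0/16", 443),
        Rule("tcp", "10.20.0.0/16", 445),
        Rule("icmp", "10.20.0.0/16"),
    ],
    # The weak rule the audit should catch: all TCP to anywhere.
    "legacy": [Rule("tcp", "0.0.0.0/0")],
})

# Constructed flows as the gateway sees them after decapsulating the SSL
# tunnel: (group, protocol, destination IP, destination port).
SAMPLE_FLOWS = [
    ("contractors", "tcp", "10.20.30.40", 3389),  # the one permitted path
    ("contractors", "tcp", "10.20.30.40", 22),    # same host, other port
    ("contractors", "tcp", "10.20.30.41", 3389),  # neighbouring host
    ("employees", "tcp", "10.20.7.9", 443),
    ("employees", "udp", "10.20.7.9", 53),        # no UDP rule for employees
    ("guests", "tcp", "10.20.7.9", 443),          # unknown group
    ("legacy", "tcp", "192.0.2.10", 80),          # allowed only by the weak rule
]


def decisions(policy: Policy = POLICY, flows=SAMPLE_FLOWS) -> list:
    """Verdict for each sample flow, in order."""
    return [policy.decide(*flow) for flow in flows]


if __name__ == "__main__":
    for flow, verdict in zip(SAMPLE_FLOWS, decisions()):
        print(f"{verdict:5} {flow}")
    for group, rule in POLICY.audit():
        print(f"review: group {group!r} rule {rule} is overly broad")
```

The contractors group shows the "single destination host and protocol" case: the same user is dropped on a different port or a neighbouring address. The audit pass is the check worth running against any appliance's exported policy, since a single any-destination rule quietly turns the SSL VPN back into the flat network access the article is trying to avoid.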

Notes. Not every useful bit of information can be neatly pigeonholed. The Notes field of the table adds comments about each product based on our analysis of the vendor's literature and published product reviews, to give you some additional insight into a product's capabilities.

View the comparison table.

Mel Beckman is a senior technical editor for System iNEWS.
