You can always tell when a particular technology begins to gain momentum by the availability of lower-cost alternatives to the bleeding-edge, high-end devices.
One company that is specifically targeting the SMB SSL VPN market is enKoo, whose enKoo-3000 Remote Access Appliance provides access to Web-based and TCP-based applications, Windows and Unix file shares, terminal servers, and users' desktop PCs via 128-bit encrypted SSL streams. Although it lacks much of the granular access control and end-point management found in the high-end SSL VPN appliances, it makes up for it in ease-of-use and ease-of-deployment.
From shrink-wrapped to operational, the enKoo-3000 took me less than 30 minutes to install. Initial setup of the appliance only required setting a static IP address -- IP address was assigned via DHCP initially -- and time, date, and time zone. The install wizard also includes a detailed set of instructions for configuring your firewall/router to forward traffic to the enKoo appliance from outside the network.
Unlike enterprise-class SSL VPN appliances such as the Aventail EX-1500 and the Juniper Networks SA-5000, the enKoo-3000 does not include any VLAN or other advanced IP routing features, nor can the appliance be provisioned into multiple virtual servers. To be fair, the enKoo-3000 isn't trying to play at the high end of the SSL VPN market. User management is also sparse, supporting only an internal user database in the release I tested. According to enKoo, support for Active Directory and LDAP will soon become available as a free upgrade. To prevent any chance of someone gaining access to user names and passwords on the appliance, the local user database is encrypted using 3DES.
At your service
As do other SSL VPN appliances, the enKoo-3000 serves up a Web portal for remote user log-in. For Web-based applications, users simply click on the Web Apps button to access a list of predefined Web resources. Using the Web Apps connector, the enKoo-3000 rewrites the HTML stream as it passes through the appliance, and I found it can adversely affect how your Web application functions.
For example, I created three links to different Web apps: OWA (Outlook Web Access) 2000, OWA 2003, and a "homegrown" Active Server Pages application I use for tracking software keys. I accessed each site using Internet Explorer 6, and the enKoo's HTML rewrite engine failed to reproduce the two OWA sites correctly. My homegrown application worked fine, but OWA didn't work or look as it should.
To get the true OWA experience, I had to configure both services using an alternate service called the Secure Application Connector. Whereas Web Apps is a pure HTML rewrite/reverse proxy engine, the Secure Application Connector uses a Java client to cleanly pass all TCP traffic through the appliance. The downside to using the Secure Application Connector for Web-based applications is that the HTML content is not inspected and rewritten, so it's potentially less secure. enKoo stated that support for premium Web applications such as OWA will be available in the Web Apps connector sometime in the first quarter of this year.
One unique feature found in enKoo is a host program called Beam that runs on your Windows desktop and allows you to control your PC remotely via a Web browser. Installation of the Beam host component is done from enKoo-3000's Web portal, and you must have local administrative privileges on your PC to install it. Also, all Beam hosts must be on the same local subnet as the enKoo appliance. I tested this by installing Beam on a PC located at my home office. When I tried to access it from my test lab over an IPSec VPN (different subnets), I discovered that it was not listed as an available resource. On other PCs local to the appliance, Beam worked well without any real problems.
I had no trouble accessing file shares on any of my Windows servers and desktops even across domains -- support for Unix shares is also built-in. As with other enKoo services, a Java applet is pushed to your browser on access. If you use Internet Explorer to authenticate to the appliance, the enKoo will try to reuse your credentials when accessing other Windows resources. I found this to be hit-and-miss; I had to re-enter my user name and password on more than one occasion to reach a file share.
On the plus side, I limited file access at the resource level, all the way down to a single file. Here the enKoo-3000 allows for users to be placed in groups and rights to be assigned to the group as a whole. Unfortunately, this feature is available only for file level resources and not for any other service.
Another complaint I have is that the Java applet that provides access to Terminal Services and Secure Application Connector rewrites the Windows' Hosts file to include local loopback addresses for enKoo-protected resources. The Java applet listens for requests made to the resources on the local loopback address and redirects the traffic to the enKoo appliance. The upside is that the Hosts edits are automatically maintained by the Java applet and the entries are destroyed when the applet closes. The Hosts file modifications did not trigger any alerts or warnings from my PC's anti-spyware software.
The enKoo appliance does not check the integrity of client systems -- such as whether anti-virus software is running and is updated with the latest signatures -- before allowing users to connect. If you need end-point security scanning, you will have to look elsewhere. Also, you cannot specify the strength of SSL encryption; the enKoo is hard-set to support only 128-bit ciphers.
Logging and reporting is available in the system, with various filtering capabilities to help narrow down what you seek. Syslog support is not in this release, nor is SNMP support.
The enKoo-3000 does not offer all of the features that a very large company would need, but it hits the mark for smaller shops, providing secure yet easy-to-administer remote access. When LDAP and Active Directory support are added and the wrinkles in the Web Apps connector get ironed out, the enKoo-3000 will begin to encroach on the territory now owned by the Aventails and the Junipers of the world.
For more product information go to the enKoo site at www.enkoo.com/. Australian IT managers can purchase the product through security distributor Lan1. More sales information can be found at www.lan1.com.au