If you absolutely need total control over your remote users, and need to run the widest possible range of applications, then the Cranite Systems Inc. SafeConnect VPN software should be on your short list of products to consider. I recently did some tests for the company and found that SafeConnect is neither fish nor fowl: it sits squarely between SSL VPN and IPsec products, combining the ease of use of the SSL crowd with the end-to-end application interoperability of IPsec.
I tested the product on a series of laptops and compared how it worked with SSL VPNs from Juniper, Nokia, and other major manufacturers. Overall, the product stood up well in these tests. SafeConnect will prevent eavesdropping over the remote connection no matter where and how your users connect, and it is easily set up in a few hours. It will support a wider range of applications and do so without any additional configuration required. It delivers extremely high file transfer throughput, way beyond any of the SSL VPN products. Finally, it is priced attractively at about a third to a half of what competitive SSL VPN products with equivalent feature sets would cost.
There are several other things the product doesn’t do. It can’t and doesn’t try to compete with the SSL products for unmanaged remote users, since its client must be installed on each remote desktop or laptop. It doesn’t provide the level of client endpoint integrity checking that a Nokia, Juniper or F5 SSL product provides. It also has three major deficiencies. First, it doesn’t prevent users with duplicate credentials from concurrently connecting to the network, and it doesn’t report on these circumstances either. This puts a burden on your IT department to keep track of their client credentials. Second, there is no auditing ability, which we discuss more completely below. Finally, while the product comes with its own LDAP and RADIUS servers, if you do decide to use these pieces you will have to configure them via their separate command-line interfaces. Cranite should integrate these into its own graphical configuration screens.
We liked the fact that once you were connected, your remote connection was solid and bulletproof against man-in-the-middle attacks. We tried to break the connection by sending malformed packets with a bad MAC address – something that would bring down any SSL VPN connection – but SafeConnect kept on going without any problems. About the only way to tear down the connection would be to fill the pipe with a denial-of-service attack or to lose the line entirely from our ISP.