Certification for web-based remote access

Leading virtual private network suppliers have signed up to a new certification process from TruSecure's ICSA Labs to prove their products all pass a bank of performance tests.

The programme for "clientless" web-based VPN systems for remote access covers at least 80% of the installed base and joins ICSA certification programmes for firewalls, anti-virus and other major security product types.

"The vendors came together and are extremely motivated," said Brian Monkman, technology programme manager at ICSA Labs, and leader of the scheme.

In the past few years, VPNs based on the web's SSL security protocol have become more popular and been endorsed by MCI. They allow users to log into corporate systems securely from web browsers in internet cafes, without having to have a special client on the machine.

Although there are around 30 SSL VPN suppliers, Monkman reckons 80% to 90% of the market is covered by the six companies that have got products through the tests already: Aventail; F5 Networks; Netscreen Technologies (recently acquired by Juniper Networks); Netilla Networks; NetScaler; and PortWise.

Among the dozens of others not on the list, perhaps the most interesting omission is Whale Communications, despite its being a founder member of the ICSA plan. Nokia is also a member of the ICSA scheme with no products certified yet, and Cisco Systems subsidiary Twingo is another.

However, Monkman cautioned against reading too much into any absentees. "Some vendors aren't ready, and some need time to redirect resources to certification," he said.

The tests, which determine whether the products operate securely, have been pulled together in only nine months, starting last June when two suppliers approached ICSA.

Draft tests were circulated in October, and improved on, using suggestions from industry experts. Monkman expected new versions of the tests by the end of 2005, with a rolling programme of new versions every nine months or so.

"The tests show that the product does what it says in the criteria," said Monkman, adding that all the suppliers who have certified products had to make changes to pass the tests.

However, he warned against complacency. "It doesn't mean it's 100% secure, and it doesn't mean it can't be misconfigured."

Monkman also pointed out that the tests are simply a pass-or-fail measurement, and cannot be used to compare products. 

Peter Judge writes for Techworld.com
