Secure connections between business partners

Systems administrators often find their firewalled fortresses create access problems when they try to deploy an extranet. Aventail ExtraNet Center 3.0 lets outside business partners connect to your private network without sacrificing security. ExtraNet Center's foundation of a SOCKS 5 circuit-level gateway and Secure Sockets Layer (SSL)-encrypted connections gives this highly configurable solution the edge over many static point-to-point VPNs.

ExtraNet Center's core, called ExtraNet Server, acts as a SOCKS Proxy. And ExtraNet Server's design complements rather than replaces full-featured firewalls because you deploy the product behind the firewall. I installed the software on a server running Windows NT 4.0 with Service Pack 4 (SP4). The test bed consisted of a Web server, Check Point Software Technologies' FireWall-1 4.0, and Microsoft Proxy Server 2.0.

Aventail's Connect 3.01 client software runs as a layered service provider under NT and Windows 9x with WinSock 2.0. (ExtraNet Center also includes Connect 2.51, which works with systems running WinSock 1.1; however, neither Connect 2.51 nor 3.01 supports the Macintosh operating system—Mac OS.) To install Connect, you can use the conventional setup wizard or Customizer. The Customizer tool let me fine-tune the features, security settings, and product options before installation. And Customizer cuts administrative overhead by creating a single preconfigured executable for distribution.

Connect monitors application requests in the client's TCP/IP stack. The software uses a set of redirection rules and only intercepts designated traffic, which Connect sends to the ExtraNet Server over an SSL-encrypted link. Unlike some WinSock replacement drivers, the software is completely transparent to normal traffic. Destinations can be single hosts, IP address ranges, or entire domains. The program can redirect traffic based on ports, protocol (i.e., UDP or TCP), and individual 32-bit applications.
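To make the redirection logic described above concrete, here is a small model of Connect-style rules (destination as single host, IP range or whole domain; port range; protocol; application) and of the SOCKS 5 CONNECT request (RFC 1928) a matching flow would be sent with. This is an added example, not Aventail's code; the rule fields, the proxy address and the sample values are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    dest: str              # single host, CIDR range, or ".domain" suffix
    ports: range           # e.g. range(80, 81) or range(1, 1024)
    proto: str             # "tcp" or "udp"
    app: Optional[str] = None                  # executable name, or None for any
    proxy: tuple = ("extranet.example", 1080)  # constructed ExtraNet Server address

    def matches(self, host, port, proto, app):
        if proto != self.proto or port not in self.ports:
            return False
        if self.app is not None and self.app.lower() != app.lower():
            return False
        if self.dest.startswith("."):          # entire domain
            h = host.lower()
            return h.endswith(self.dest) or h == self.dest[1:]
        try:                                   # single host or IP range
            net = ipaddress.ip_network(self.dest, strict=False)
            return ipaddress.ip_address(host) in net
        except ValueError:                     # hostname on either side
            return host.lower() == self.dest.lower()


def redirect_target(rules, host, port, proto="tcp", app="iexplore.exe"):
    """First matching rule wins; None means the flow is left untouched."""
    for r in rules:
        if r.matches(host, port, proto, app):
            return r.proxy
    return None


def socks5_connect_request(host, port):
    """Build the SOCKS 5 CONNECT request: VER=5, CMD=1, RSV=0, ATYP, ADDR, PORT."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = b"\x01" if ip.version == 4 else b"\x04"
        addr = ip.packed
    except ValueError:                          # domain name: ATYP=3, length-prefixed
        name = host.encode("idna")
        atyp, addr = b"\x03", bytes([len(name)]) + name
    return b"\x05\x01\x00" + atyp + addr + struct.pack("!H", port)
```

Because a domain-name ATYP lets the proxy resolve the destination, the client never needs to resolve internal names itself, which is what keeps unmatched traffic untouched.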

ExtraNet Server also has granular control. From the Policy Console that Screen 1 shows, I could specify connection rules based on source and destination addresses or ports, authentication method, time of day, and encryption key length. The system can authenticate users by checking NT domains, UNIX passwords, NetWare's Novell Directory Services (NDS) or bindery, Remote Authentication Dial-In User Service (RADIUS), and Security Dynamics' ACE/Servers. Authentication methods such as Challenge Handshake Authentication Protocol (CHAP), Challenge Response Authentication Method (CRAM), S/Key, digital certificates, and more are part of the package. However, the increasingly popular Internet Key Exchange (IKE) isn't available. Secure Extranet Explorer is a nice added feature. This feature provides users the ability to securely browse selected internal network shares directly from the familiar Windows Explorer interface.

I was able to make a direct connection between my client and the ExtraNet server with little fanfare. (I discovered, however, that an SSL connection can't perform user authentication against more than one type of database at a time.) To test the Web host and ExtraNet Server behind FireWall-1, I had to define a rule to let traffic travel to the ExtraNet Server's port 1080 (i.e., the SOCKS standard). Connect's handy SOCKS 5 ping tool made it easy for me to verify connectivity. And having both client- and server-side logging tools to pinpoint problems was reassuring. After I made a quick modification to my redirection rule, I was back in business.

ExtraNet Center supports multiple-chaining topologies, which maintain a secure link when traversing several firewalls or proxies. Maintaining secure links is crucial for extranet users because business partners make connections from behind firewalls. I successfully tested the ability to pass data through a proxy by replacing the firewall with Proxy Server. I had to change the Connect client's redirection rules to reroute traffic through Microsoft's SOCKS Proxy. I made one adjustment to the ExtraNet gateway, changing the listening port from 1080 to 443 (i.e., HTTP's default port).

I appreciated the Policy Console's ability to securely manage both NT and UNIX ExtraNet servers, but sometimes I found the administrative tools frustrating. For example, the addition or modification of Access Control rules doesn't take effect until you choose Reconfigure. A more frustrating quirk occurs when the new rule denies access to currently connected users. These users' sessions remain active with no manual override. On the plus side, the program simplifies rule management by employing user-definable folders so you can easily create logical groupings of elements.

Connect also had quirks. I had to define the redirection of port ranges by name, not number. How many people remember what port biff is? All documentation is online and is in Adobe Acrobat format, which is not my favorite format. However, I found the documentation quite thorough.

While I was wrapping up this review, I took a quick look at ExtraNet Center 3.1 beta. Aventail says ExtraNet Center 3.1 will ship by press time, and the new version will add Lightweight Directory Access Protocol (LDAP) user authentication, support for smart cards, browser-based X.509 certificates, and Web-based client configuration files.

Nit-picking aside, I found ExtraNet Center a usable and well-implemented system. The $10,000 base price might keep it out of reach for smaller companies, but this price isn't unreasonable if you consider the product's security features and functionality. If you're looking to connect with outside trading partners and don't want to give away the keys to the kingdom, ExtraNet Center can have these partners online quickly and safely.

Aventail ExtraNet Center 3.0
Contact: Aventail, 877-283-6824
Web: http://www.aventail.com
Price: Starts at $10,000
System Requirements:
Server: Windows NT 4.0 with Service Pack 3 or later, Solaris 2.6, AIX 4.2, Linux 2.x, HP/UX 10.20, or Digital UNIX 4.0
Client: NT 4.0 with Service Pack 3 or later, NT 3.51, Windows 9x, Windows 3.1, or Windows for Workgroups 3.11