Appliances Vs. Software
In today's market, security products such as SSL VPNs are often sold as appliances, a term used to connote 'black boxes' that function without requiring administrators to understand their internal workings. In theory, appliances thereby reduce the overhead costs of installing, configuring, and maintaining an IT system.
Although some isolation from the internal technology certainly exists when it comes to SSL VPN offerings in appliance form, most appliances consist of standard computers running SSL VPN software on (a hardened version of) a standard operating system. Therefore—from a security standpoint—there is no intrinsic advantage in implementing an SSL VPN with an appliance-based form factor over an SSL VPN product sold as software that can be installed on servers of the purchaser's choice.
Note
SSL VPN appliances may also contain other components, such as SSL Accelerators and Air Gap Switches. These topics are covered in Chapters 4 and 5 of this book.
Practically speaking, however, appliances are typically shipped with their operating systems hardened, SSL VPN software installed, and rudimentary configuration options set. As a result, they reduce the amount of human error likely to occur during the process of installation and configuration, and ensure that no conflicts occur between hardening procedures and the SSL VPN software. In many situations, therefore, the appliance-based offering presents security-related advantages over software. Nonetheless, organizations whose data-center standards dictate preferred brands of servers may prefer a software-based product; this is especially true in situations in which administrators are already skilled in hardening systems.
The figures below show SSL VPN appliances from (left to right) Safenet, Juniper Networks, and Whale Communications:
Regardless of which physical option is selected for implementation, the underlying technology of SSL VPNs remains identical.