Product Reviews
Simple Wizardry
Neoteris Access 3000 magically secures your connections.
- By James Carrion
- 03/01/2003
When you think of providing secure access to your organization’s data
resources, you probably envision a virtual private network (VPN) using
traditional VPN protocols, such as PPTP and L2TP, or setting up a hardened
Web server in a demilitarized zone (DMZ). With a VPN solution, you have
to configure the client and the server (as well as a plethora of other
network devices, such as your firewall and authentication server) to ensure
a secure end-to-end solution.
Neoteris claims its Access line of Instant Virtual Extranet (IVE) appliances
is a simplified solution to secure remote access needs. The Access 3000
is, essentially, a network appliance designed to provide secure client
access to your organization’s resource servers without having to configure
any custom hardware or software on either client or company networks.
You need just two basic pieces: the Access 3000 between the Internet and
your corporate network and an Internet browser that supports Secure Sockets
Layer (SSL) at the client.
The Neoteris installation is simple: Rack-mount the appliance, connect
the provided cable between the onboard serial port and your computer,
then run a terminal emulation program to configure the basic settings
for network connectivity. Then plug in one cable from the Access 3000
to your internal network and another cable to the external network.
To secure access to the device, configure access control lists by IP
address range, and then configure a list of Windows or Web resources to
which users will be allowed or denied access. For example, if I don’t
want users to be able to access the CORPORATE PLANS share on Server1,
I can add to the denied Windows resource list the \\Server1\CORPORATEPLANS
UNC path. Or if I don’t want users to access www.abcorp.local, I can deny
users access to that URL.
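The following Python example is added here for illustration; it is not Neoteris code and not from the review. It models the two layers described above (an IP-range access control list, then denied Windows and Web resource lists) and shows why a deny entry should be compared case-insensitively and component by component. The client range, the function names and the matching rules are assumptions, not documented appliance behavior.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed policy. The two denied resources are the ones named in the
# review; the client range is a documentation prefix chosen for the example.
ALLOWED_CLIENT_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
DENIED_WINDOWS = [r"\\Server1\CORPORATEPLANS"]
DENIED_WEB_HOSTS = ["www.abcorp.local"]


def canon_unc(path):
    """Split a UNC path into lower-cased components, accepting / or \\."""
    return tuple(p.lower() for p in path.replace("/", "\\").split("\\") if p)


def canon_host(url):
    """Lower-cased host of a URL or bare host name, trailing dot removed."""
    if "//" not in url:
        url = "//" + url  # bare host such as www.abcorp.local
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def client_allowed(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CLIENT_RANGES)


def resource_denied(resource):
    if resource.startswith(("\\\\", "//")):  # Windows share
        want = canon_unc(resource)
        if ".." in want:  # cannot be resolved safely here: fail closed
            return True
        # Compare whole components so \\Server1\CorporatePlansOld is a
        # different share, while any folder below the denied share matches.
        return any(want[:len(d)] == d for d in map(canon_unc, DENIED_WINDOWS))
    return canon_host(resource) in {h.lower() for h in DENIED_WEB_HOSTS}


def decide(ip, resource):
    """Client address check first, then the denied-resource lists."""
    if not client_allowed(ip):
        return "deny: client address"
    return "deny: resource" if resource_denied(resource) else "allow"


if __name__ == "__main__":
    for res in (r"\\server1\corporateplans\2003\q1.doc",
                r"\\Server1\CorporatePlansOld",
                "https://WWW.ABCORP.LOCAL./index.html"):
        print(decide("203.0.113.7", res), res)
```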
The Access 3000 can be configured to require SSL version 3 or allow SSL
version 2, as well as require 120-bit or 40-bit security. You can also
configure an NTP server for time synchronization. I configured the Access
3000 to pass all authentication requests to my Windows 2000 Active Directory
Server, although it also supports passing requests to LDAP/NIS/ACE/RADIUS
servers. The downside to using a backend authentication server is that
you still have to create local user accounts manually on the Access 3000
that match the user names on the authentication server, as the admin console
doesn’t have the ability to browse a list of users from your existing
directory service. On the flip side, you can import users into the Access
3000 database from a delimited file.
Bookmarks can be configured to Unix shares, Web URLs and Windows shared
folder resources (CIFS and SMB); these bookmarks become links on the built-in
Web site. Alternatively, users can type in a Web URL from the user access
page or browse the Windows network for shared resources dynamically, just
as they would through Network Neighborhood. You can even configure the
Access 3000 as a WINS client so users can browse across subnets. Windows,
Web and Unix resource access is built into the Access 3000; optional support
can be purchased for secure Outlook and Lotus Notes clients, secure access
to IMAP/POP/SMTP servers, Secure Terminal (Telnet and SSH), client certificates,
group logins and so on.
Access 3000 offers a simple way to mediate secure
client access to your organization’s resource servers.
The Access 3000 has excellent reporting functionality and can be configured
to log to a local log file, which can then be archived automatically to
a remote FTP server or directly to a SYSLOG server.
When a user connects to the Access 3000 built-in Web server, they’re
prompted for logon credentials. After authentication, the client loads
the home page of the built-in Web server, which is customized with your
company logo, welcome message and associated bookmarks. As an alternative,
users can be redirected to an internal company Web server that will provide
portal access to corporate resources. From login to logout, all access
is secured via the SSL protocol, using either a self-signed or a commercial
Certificate Authority-issued SSL server certificate. The only firewall
configuration needed is to open up ports 80 and 443 and, if using the
secure IMAP/POP/SMTP option, the proper server-side ports for those protocols.
If budget isn’t an issue, forget setting up complicated VPNs and hardened
Web servers. Instead, get an Access 3000 and simplify your secure remote-access
configuration. Customers or employees can access corporate resources securely
from anywhere, with no client configuration required. The Access 3000
setup is simple, and administration through the browser-based admin console
is a breeze. Keep in mind, however, that it’s an expensive appliance.
Although large to midsize businesses may not blink an eye, especially
when it comes to something as important as network security, many small
businesses will probably opt for cheaper off-the-shelf components.
About the Author
James Carrion, MCM R2 Directory, MCITP, MCSE, MCT, CCNA, CISSP has worked as a computer consultant and technical instructor for the past 16 years. He’s the owner of and principal instructor for MountainView Systems, LLC, which specializes in accelerated Microsoft Certification training.