Leading VPN vendors have signed up to a new certification process from TruSecure Corp.'s ICSA Labs to prove their products all pass a bank of performance tests.
The program for "clientless" web-based VPN (virtual private network) systems for remote access, covers at least 80 percent of the installed base and joins ICSA certification programs for firewalls, anti-virus and other major security product types.
"The vendors came together and are extremely motivated," said Brian Monkman, technology program manager at ICSA Labs, and leader of the scheme. In the last few years, VPNs based on the Web's SSL security protocol have become more popular and been endorsed by MCI Inc. They allow users to log into corporate systems securely from Web browsers in Internet cafes, without having to have a special client on the machine.
Although there are around 30 SSL VPN vendors, Monkman reckons 80 to 90 percent of the market is covered by the six companies that have got products through the tests already: Aventail Corp., F5 Networks Inc., Netscreen Technologies Inc. (recently acquired by Juniper Networks Inc.), Netilla Networks Inc., NetScaler Inc. and PortWise.
Among the dozens of others not on the list, perhaps the most interesting omissions are Whale Communications, (despite being a founder member of the ICSA plan). Nokia Corp. and Portwise are also members of the ICSA scheme, with no products certified yet, and Cisco Systems Inc. subsidiary Twingo is another. However, Monkman cautioned against reading too much into any absentees: "Some vendors aren't ready, and some need time to redirect resources to certification," he said.
The tests, which determine whether the products operate securely, have been pulled together in only nine months, starting last June when two vendors approached ICSA. Draft tests were circulated in October, and improved on, using suggestions from industry experts. Monkman expects new versions of the tests by the end of 2005, with a rolling program of new versions every nine months or so.
The tests should reassure users, said Monkman: "The tests show that the product does what it says in the criteria." All the vendors who have certified products had to make changes to pass the tests, he said. However, he warned against complacency: "It doesn't mean it's 100 percent secure, and it doesn't mean it can't be misconfigured." He also pointed out that the tests are simply a pass-or-fail measurement, and cannot be used to compare products.