A VPN gateway can be implemented as software on a server, as a dedicated security appliance, or as a function of a firewall, UTM or router.
SSL VPN Appliance
An appliance is an integrated hardware solution; all software, including a hardened operating system, comes preloaded on the platform.

- Relieves the administrator of the responsibility of installing the VPN software on a server and hardening that server.
- Is typically remote-access oriented, concerned with the associated inbound VPN traffic; it cannot be used by local corporate hosts as a default gateway.
- Likely deployed along with an existing network firewall.
- Has limitations imposed by the underlying hardware (e.g. throughput) or firmware (e.g. supported number of users).
- Can include a hardware cryptographic module to offload SSL operations.
- Upgrades may sometimes result in a box replacement.
- Offers a high level of application inspection intelligence and is feature-rich.
SSL VPN Virtual Appliance
A virtual appliance is a ready-to-use virtual machine image, usually intended to run on a specific virtualization platform (optimized for better performance). It includes an already installed, hardened, and configured operating system along with ready-to-run software.

- Provides a way to try, use and buy software by simply downloading the virtual appliance and evaluating it; when ready, it can be moved into the virtualized production environment.
- Relieves the administrator of the responsibility of creating the virtual machine, installing the OS and VPN software, and hardening the VM.
- Is typically remote-access oriented, concerned with the associated inbound VPN traffic; it cannot be used by local corporate hosts as a default gateway.
- Likely deployed along with an existing network firewall (this may be virtualized too).
- Has limitations imposed by the hypervisor and its underlying hardware (e.g. throughput) or firmware (e.g. supported number of users).
- The VM can be moved from one hypervisor to another (live migration) if needed (e.g. when the underlying physical hardware becomes overutilized).
- When an upgrade requires replacing the VM, the process is simpler and cheaper since it may not require any physical hardware changes.
- Offers a high level of application inspection intelligence and is feature-rich.
The hardware appliance and virtual appliance are very much alike; an SSL VPN appliance (either hardware or virtual) is a secure remote access gateway.
The virtual infrastructure offers advantages in terms of flexibility and agility (e.g. if the VM crashes for some reason, it can be easily restored using a snapshot; or if the hypervisor experiences problems, another one can take over, regardless of whether the appliance itself supports high availability).
The hardware appliance can achieve greater throughput by taking advantage of hardware encryption and may offer greater security (e.g. by not depending on the security of the hypervisor, or due to SSL cryptographic operations being done in hardware).
VPN Firewall
The VPN gateway can be integrated into a firewall (or UTM, router).
The idea behind this is to offer an integrated security solution, eliminating the need to manage multiple security devices individually.

- The firewall, UTM or router is normally a hardware appliance, but it can also be a virtual appliance (popular these days) or software installed on top of an OS.
- Advantages of such solutions are: simplicity, streamlined installation and management.
- The disadvantage is that the solution is a single point that needs to process data at wire speed.
- Due to the possible performance impact, not all the features of an SSL VPN appliance may be present on the integrated VPN gateway.
- The SSL VPN option can be offered along with traditional remote access VPNs (IPsec-based or PPTP) and mainly provides network-level access through an SSL VPN client; the portal functionality may be limited or absent.
- Typically a lower level of application inspection intelligence is offered.
- Has limitations imposed by the underlying hardware (e.g. throughput) or firmware (e.g. supported number of users).
- Upgrades may sometimes result in a box replacement (or a VM replacement, respectively).
SonicWALL Approach
SonicWALL offers:
- Through the SRA series, dedicated feature-rich SSL VPN appliances (either hardware or virtual).
- Through the NSA series, an SSL VPN firewall.
- Furthermore, an SRA appliance can be easily integrated into a network protected by a SonicWALL NSA firewall to achieve layered security (SonicWALL Clean VPN).
Conclusion
The SSL VPN hardware and virtual appliances are both feature-rich secure remote access gateways offering a high level of application inspection.
The hardware-based one is security- and performance-oriented, while the virtual one provides flexibility and agility at a lower cost.
The VPN firewall is an integrated security solution usually offering limited SSL VPN features.


