Verdict

Billion is making quite a name for itself in the SSL VPN appliance market. It started the ball rolling nearly a year ago when it launched the BiGuard S10, which it claimed as the world’s first affordable small business gateway solution to incorporate a firewall. Now we review the BiGuard S20 which has sufficient grunt to handle twenty simultaneous SSL VPN tunnels but also offers dual WAN ports supporting failover and load balancing.

We’ll also be taking an early look at Billion’s optional OTP (one-time password) solution, which aims to make the S20 even more versatile. This combines a RADIUS server with password tokens to provide a two-factor authentication system. Users have their own four digit PIN number and use their token to generate a one-time six digit pass-code, which they combine to create a unique password. Essentially, this system requires something the user knows and something they have making for a strong authentication solution. This gives Billion an edge over the competition as it is effectively the first to deliver this option to small businesses. When we reviewed ZyXEL’s SSL 10 appliance it advised us it had an OTP solution in the wings but six months down the line and it’s still just talk.


The S20 appliance offers an octet of Fast Ethernet ports plus a Gigabit uplink port. The two WAN ports are the Fast Ethernet variety and can be combined in a team to provide either failover or load balancing. We liked the fact that the S20 is fanless so it’s completely silent in operation. The simple web interface helps get the WAN ports configured and then you can move on to SSL VPN creation. For user authentication you have a good choice of methods as along with a local database the appliance supports AD, LDAP, NT domain and RADIUS servers.

Remote workers point their web browser at the appliance’s WAN port where they are presented with a login portal page and after successful authentication are transported to a customisable page displaying available resources. The Network Extender option loads an ActiveX plug-in to create an encrypted connection to the LAN providing users with secure access to all local IP-based resources. The Transport Extender enables you to restrict access by declaring specific protocols and ports, while the Network Places can be used to browse the network for shares.

To provide access to specific resources you use application proxies and these range from FTP, RDP and HTTPS to VNC, CIFS and Citrix. All you do is pick a proxy and provide the IP address or domain name of the system providing the service. For each user account you decide if each one can access the Network Place and Extender services but proxy access is determined at the group level. Groups are also linked to domains, which determine the type of authentication that will be applied.

Billion’s OTP solution is due to be launched in the UK in the next week or so and looks good value as the two-token starter pack will cost around £49, while a ten-pack will set you back £189. It’s based on the Authenex ASAS software, which provides a user database and RADIUS server. This requires either a Windows 2000 Server or Server 2003 platform and we strongly recommend using a fresh install before loading the ASAS server as we found it gets very tetchy if any other applications are already present. The database needs configuring first where you enter the IP address of the S20, provide a shared secret and then set up users. Note that the bundle you purchase comes with a set of tokens each with unique serial numbers, which are linked only to the software you have been supplied with. Each user is given their own PIN and handed the token that has been assigned to their account.

At the appliance you create a RADIUS-PAP authentication domain then give it the IP address of the RADIUS server and shared secret. The only glitch with this system is you also have to manually declare each ASAS user to the appliance. When using a RADIUS domain you don’t enter a password but the accounts are needed to enable you to determine what network resources they can use as the RADIUS server can’t do this itself.


From the login portal you pick the appropriate domain, enter your username, press the button on the token and use your PIN plus the number displayed as your password. The OTP is shown for thirty seconds after which the display is blanked and the code is no longer valid. During testing we found the OTP system worked flawlessly making for a tough security solution that can enable users to work safely from any web enabled system. To test general RADIUS support we also successfully integrated the S20 with SecurEnvoy’s excellent SecurAccess server which uses SMS texts to send out pass-codes.

”’Verdict”’

The S20 shows that SSL VPNs are the way forward for providing secure access to the LAN for remote workers. For the price, it offers a lot of useful feature for smaller businesses and the optional OTP solution makes it even more versatile.

(centre)”’The web interface is well designed and the dual WAN ports can be teamed up for load balancing or failover.

—-


The firewall is very well endowed and includes extensive WAN bandwidth management and QoS features.

—-


Domains are used to define authentication schemes and here we have two different RADIUS servers configured.

—-


Authenex provides the OTP database and RADIUS server and will require a clean machine to run from.

—-


Each OTP user must still be declared manually to the appliance as you need to decide on what SSL VPN resources they can use.

—-

Trusted Score