Supplier: F5 Networks
Price: From £16,929 excluding VAT
Contact: www.f5.com
In the past few years, SSL VPNs have started to overtake IPsec VPNs asthe most popular choice for securing remote communications with the headoffice.
F5 moved into this market in 2003 when it acquired uRoam and has sincebuilt up a solid portfolio of SSL VPN appliances. This latest versiondelivers support for Windows Vista and for session variables in policycreation and adds a new MSI Windows package for automating clientdeployment. More importantly, it now integrates with F5's BIG-IP trafficmanagement appliances, allowing the global traffic manager to queryFirePass controllers and redirect users to the most appropriateappliance.
The 2U-rack chassis comes equipped with a quad of copper Gigabit ports,plus a pair of SFPs supporting fibre Gigabit connections. All can beconfigured as LAN or WAN ports. Power fault tolerance is available as anoption as the appliance can support a pair of built-in 400W redundantsupplies. With dual 2GHz AMD Opterons and 8GB of memory, the appliancehas plenty of power on tap and can support up to 2,000 concurrent users.Clustering multiple appliances together gives you up to 20,000concurrent connections.
The appliance's web interface is easy to use and provides plenty ofwizard-based help. You start by configuring your LAN and WAN portaddresses and defining web services for the interfaces. The latterallows you to determine whether an interface supports user andadministrative access and offers options to redirect incoming requeststo another location.
To determine access to LAN resources users must be members of mastergroups that enforce authentication and general security settings anddetermine how the portal will look to the user. For testing we used theappliance's local user database, but it also supports Windows Domain,Active Directory, LDAP and Radius servers. Network resources are definedin groups, which can include anything from applications to file sharesand legacy hosts to full access to all LAN resources. The advantages ofusing network objects to represent resources means any changes will bepropagated across all master groups that use them.
Endpoint security allows you to scan remote systems to determine if theymeet your requirements. The inspection process can be extremelystringent as you can check for operating systems, service packs,registry entries, application versions and so on. Pre-logon sequencesbind all these together, and the visual policy editor tool makes lightwork of creating quite complex structures.
Subject to the inspectors selected, the pre-logon sequence downloadsActiveX controls or Java applications to check the remote system forrequired or undesirable components. Remedial action can be taken byinstalling a security update or asking users to makes changes and youcan force actions such as an anti-virus scan. The protected workspaceuses an ActiveX control to create a virtual environment whereapplications can run safely on a remote system whilst a virtual keyboardwill circumvent keyloggers. Note that although F5 supports WindowsVista, there are limitations as this OS doesn't currently work with theprotected workspace.
The 4100 works with all the main browsers, including IE, NetScapeNavigator, Firefox, Mozilla and Safari. You can identify a device by thebrowser type when it connects which can be used to determine which userinterface is loaded. Alternatively, you can create a pre-logon sequencethat loads the most appropriate interface for the identified OS.Usefully, performance can be improved by using split-tunnelling todetermine what local traffic will be handled by the FirePass proxy.
During testing the FirePass was straightforward to install. We used twosubnets to simulate LAN and WAN networks and created a range ofresources, including terminal services over RDP, file shares, directnetwork access via a full tunnel, intranet access and tunnels fornon-web based applications. The portal is well-designed and easy touse.
To test non-web applications run locally we defined resources foraccessing an FTP server using a third-party product. For any local appyou need to define the precise location of the executable and theFirePass supports system variables. We found this worked fine, althoughwe did note that browser-based FTP access will not displaydirectories.
SSL VPNs are by far the superior solution for providing secure mobileaccess to corporate resources, and the FirePass delivers a highlyversatile solution. The tidy management interface and combination ofmaster and resource groups makes it simple enough to install andconfigure and its end-point security checks are particularlyimpressive.
SC MAGAZINE RATING
Features: *****
Performance: *****
Ease of use: ****
Documentation: ****
Support: ****
Value for money: ***
Overall Rating: ****
For: Support for large user base, easily configured, versatile accesspolicies, very strong end-point inspection and security, detailedreporting
Against: Vista has limited support for FirePass client and drivemapping
Verdict: The FirePass 4100 shows off the power of SSL VPNs with awell-specified appliance that's tough on client security yet easy todeploy and manage.