F5 Networks FirePass 4100
Support for large user base, easily configured, versatile access policies, very strong end-point inspection and security, detailed reporting
Vista has limited support for FirePass client and drive mapping
The FirePass 4100 shows off the power of SSL VPNs with a well-specified appliance that's tough on client security yet easy to deploy and manage
In the past few years, SSL VPNs have started to overtake IPsec VPNs as the most popular choice for securing remote communications with the head office.
F5 moved into this market in 2003 when it acquired uRoam and has since built up a solid portfolio of SSL VPN appliances. This latest version delivers support for Windows Vista and for session variables in policy creation and adds a new MSI Windows package for automating client deployment. More importantly, it now integrates with F5's BIG-IP traffic management appliances, allowing the global traffic manager to query FirePass controllers and redirect users to the most appropriate appliance.
The 2U-rack chassis comes equipped with a quad of copper Gigabit ports, plus a pair of SFPs supporting fibre Gigabit connections. All can be configured as LAN or WAN ports. Power fault tolerance is available as an option as the appliance can support a pair of built-in 400W redundant supplies. With dual 2GHz AMD Opterons and 8GB of memory, the appliance has plenty of power on tap and can support up to 2,000 concurrent users. Clustering multiple appliances together gives you up to 20,000 concurrent connections.
The appliance's web interface is easy to use and provides plenty of wizard-based help. You start by configuring your LAN and WAN port addresses and defining web services for the interfaces. The latter allows you to determine whether an interface supports user and administrative access and offers options to redirect incoming requests to another location.
To determine access to LAN resources users must be members of master groups that enforce authentication and general security settings and determine how the portal will look to the user. For testing we used the appliance's local user database, but it also supports Windows Domain, Active Directory, LDAP and Radius servers. Network resources are defined in groups, which can include anything from applications to file shares and legacy hosts to full access to all LAN resources. The advantages of using network objects to represent resources means any changes will be propagated across all master groups that use them.
Endpoint security allows you to scan remote systems to determine if they meet your requirements. The inspection process can be extremely stringent as you can check for operating systems, service packs, registry entries, application versions and so on. Pre-logon sequences bind all these together, and the visual policy editor tool makes light work of creating quite complex structures.
Subject to the inspectors selected, the pre-logon sequence downloads ActiveX controls or Java applications to check the remote system for required or undesirable components. Remedial action can be taken by installing a security update or asking users to makes changes and you can force actions such as an anti-virus scan. The protected workspace uses an ActiveX control to create a virtual environment where applications can run safely on a remote system whilst a virtual keyboard will circumvent keyloggers. Note that although F5 supports Windows Vista, there are limitations as this OS doesn't currently work with the protected workspace.
The 4100 works with all the main browsers, including IE, NetScape Navigator, Firefox, Mozilla and Safari. You can identify a device by the browser type when it connects which can be used to determine which user interface is loaded. Alternatively, you can create a pre-logon sequence that loads the most appropriate interface for the identified OS. Usefully, performance can be improved by using split-tunnelling to determine what local traffic will be handled by the FirePass proxy.
During testing the FirePass was straightforward to install. We used two subnets to simulate LAN and WAN networks and created a range of resources, including terminal services over RDP, file shares, direct network access via a full tunnel, intranet access and tunnels for non-web based applications. The portal is well-designed and easy to use.
To test non-web applications run locally we defined resources for accessing an FTP server using a third-party product. For any local app you need to define the precise location of the executable and the FirePass supports system variables. We found this worked fine, although we did note that browser-based FTP access will not display directories.
SSL VPNs are by far the superior solution for providing secure mobile access to corporate resources, and the FirePass delivers a highly versatile solution. The tidy management interface and combination of master and resource groups makes it simple enough to install and configure and its end-point security checks are particularly impressive.