F5 Secures Remote Access

Although F5 Networks Inc.’s initial foray into security appliances is a little rough around the edges, its FirePass 1000 has the potential to provide a flexible, powerful, SSL-based remote access solution for organizations looking to avoid IP Security’s administrative hassles albeit at a hefty price.

The FirePass 1000’s price starts at $9,900 for 25 concurrent users or at $19,990 for a maximum of 100 concurrent users. At almost $200 per user for 100 users, this price is steep compared with that for many SSL (Secure Sockets Layer) and IPSec VPN solutions. Companies with greater needs should consider the FirePass 4000, which supports as many as 1,000 users for $69,990 and can be clustered for even greater demand. Both units began shipping in late October.

SSL-based VPNs present a clear advantage over IPSec to overworked administrators, requiring little or no client configuration. Using the FirePass 1000, clients can interact securely via SSL: The FirePass decrypts and proxies transmissions to the proper host on the protected network. Indeed, the FirePass requires remote users have nothing more than an HTTPS (HTTP Secure) and ActiveX- or Java-enabled browser and an Internet connection to access corporate applications and data.

A few network services (intranet, e-mail and terminal host access) can be viewed clientless in the browser frame; others can be viewed via a thin client configured via the appropriate F5 Webifyer ActiveX component or Java plug-in—Windows drive mapping and Terminal Services are notable. To use an organization’s existing client software, administrators can define an appropriate, single-application F5 AppTunnel back to the server. We liked the flexibility the latter feature provides, although we did have to point the client application to a loop-back address that is presented to the user in a pop-up box, which can cause some confusion. The FirePass also offers full network SSL VPN access for applications, such as voice, that require a wide range of ports.

The FirePass’ ActiveX cache-cleaning utility, which ensures any relevant data is removed from the remote browser cache, distinguishes it from competing products from Aventail Corp. and others. But customers implementing client security with JavaScript on their intranet applications may prefer the Neoteris Access 1000 product because the FirePass requires workarounds to reverse-proxy these applications correctly.

In eWEEK Labs’ tests, we placed the FirePass in our network’s DMZ and configured our firewall to pass the service with the protected servers. We culled user and group information from our Active Directory via an LDAP call and configured the FirePass to authenticate to our domain for each user log-in attempt. The FirePass can also authenticate to RADIUS (Remote Authentication Dial-In User Service) servers and Windows NT domains, or it can use an internal database.

The FirePass’ powerful policy engine allowed us to define different access rights for each group, but keeping track of Web-based configuration pages for multiple groups can be difficult. We’d prefer that F5 add a group-centric viewing option allowing us to see a single group’s entire policy, instead of having to click through each Webifyer individually.

More impressively, the FirePass let us control access depending on the relative security of the client machine. The FirePass supports kiosks where the user has no rights to install ActiveX or Java plug-ins, limiting access to intranet or e-mail traffic only. As mentioned above, administrators can also limit access to sensitive applications by requiring a client-side certificate and appropriate anti-virus and firewall security software—although we believe deploying client certificates to end-user machines reduces some of the advantages inherent in SSL VPN technology.

The FirePass supports an array of browsers, with the flexibility to tailor the user experience by platform. However, certain features were inconsistent across platforms, particularly the drive-mapping Webifyer. F5 officials attributed this flaw, along with other interface irregularities and rare system lockups, to the late-beta software in our test unit. These issues should not dissuade administrators from further investigating the shipping product.