F5 Secures Remote Access

 
 
By Andrew Garcia  |  Posted 2003-11-03 Email Print this article Print
 
 
 
 
 
 
 

F5's FirePass 1000 appliance secures remote access, but it's pricey and needs polish.

Although F5 Networks Inc.s initial foray into security appliances is a little rough around the edges, its FirePass 1000 has the potential to provide a flexible, powerful, SSL-based remote access solution for organizations looking to avoid IP Securitys administrative hassles albeit at a hefty price.

The FirePass 1000s price starts at $9,900 for 25 concurrent users or at $19,990 for a maximum of 100 concurrent users. At almost $200 per user for 100 users, this price is steep compared with that for many SSL (Secure Sockets Layer) and IPSec VPN solutions. Companies with greater needs should consider the FirePass 4000, which supports as many as 1,000 users for $69,990 and can be clustered for even greater demand. Both units began shipping in late October.

SSL-based VPNs present a clear advantage over IPSec to overworked administrators, requiring little or no client configuration. Using the FirePass 1000, clients can interact securely via SSL: The FirePass decrypts and proxies transmissions to the proper host on the protected network. Indeed, the FirePass requires remote users have nothing more than an HTTPS (HTTP Secure) and ActiveX- or Java-enabled browser and an Internet connection to access corporate applications and data.

EXECUTIVE SUMMARY
FirePass 1000
F5s FirePass 1000 SSL VPN provides excellent security and easy access for remote users accessing the corporate network. The product institutes a tiered approach to network access, using policies that account for user and group permissions, location, and client software. However, some features behave inconsistently according to the Web platform being used. Pricing for 100 concurrent users is a relatively steep $19,990.

KEY PERFORMANCE INDICATORS
USABILITY FAIR
CAPABILITY GOOD
PERFORMANCE GOOD
INTEROPERABILITY GOOD
MANAGEABILITY GOOD
SCALABILITY FAIR
SECURITY EXCELLENT
  • PRO:Tiered approach to network access depending on client credentials, user install rights and administrator-defined group policies; supports many applications with native client software or within the browser frame.

  • CON:Confusing layout complicates creating a single groups policy; cannot cluster units; inconsistent behavior of the drive-mapping feature; pricey.
  • EVALUATION SHORT LIST
    Aventail EX-1500 Neoteris Access 1000 (recently purchased by NetScreen Technologies Inc.)
    A few network services (intranet, e-mail and terminal host access) can be viewed clientless in the browser frame; others can be viewed via a thin client configured via the appropriate F5 Webifyer ActiveX component or Java plug-in—Windows drive mapping and Terminal Services are notable. To use an organizations existing client software, administrators can define an appropriate, single-application F5 AppTunnel back to the server. We liked the flexibility the latter feature provides, although we did have to point the client application to a loop-back address that is presented to the user in a pop-up box, which can cause some confusion. The FirePass also offers full network SSL VPN access for applications, such as voice, that require a wide range of ports.

    The FirePass ActiveX cache-cleaning utility, which ensures any relevant data is removed from the remote browser cache, distinguishes it from competing products from Aventail Corp. and others. But customers implementing client security with JavaScript on their intranet applications may prefer the Neoteris Access 1000 product because the FirePass requires workarounds to reverse-proxy these applications correctly.

    In eWEEK Labs tests, we placed the FirePass in our networks DMZ and configured our firewall to pass the service with the protected servers. We culled user and group information from our Active Directory via an LDAP call and configured the FirePass to authenticate to our domain for each user log-in attempt. The FirePass can also authenticate to RADIUS (Remote Authentication Dial-In User Service) servers and Windows NT domains, or it can use an internal database.

    The FirePass powerful policy engine allowed us to define different access rights for each group, but keeping track of Web-based configuration pages for multiple groups can be difficult. Wed prefer that F5 add a group-centric viewing option allowing us to see a single groups entire policy, instead of having to click through each Webifyer individually.

    More impressively, the FirePass let us control access depending on the relative security of the client machine. The FirePass supports kiosks where the user has no rights to install ActiveX or Java plug-ins, limiting access to intranet or e-mail traffic only. As mentioned above, administrators can also limit access to sensitive applications by requiring a client-side certificate and appropriate anti-virus and firewall security software—although we believe deploying client certificates to end-user machines reduces some of the advantages inherent in SSL VPN technology.

    The FirePass supports an array of browsers, with the flexibility to tailor the user experience by platform. However, certain features were inconsistent across platforms, particularly the drive-mapping Webifyer. F5 officials attributed this flaw, along with other interface irregularities and rare system lockups, to the late-beta software in our test unit. These issues should not dissuade administrators from further investigating the shipping product.

    Technical Analyst Andrew Garcia can be reached at andrew_garcia@ziffdavis.com.
     
     
     
     
    Andrew cut his teeth as a systems administrator at the University of California, learning the ins and outs of server migration, Windows desktop management, Unix and Novell administration. After a tour of duty as a team leader for PC Magazine's Labs, Andrew turned to system integration - providing network, server, and desktop consulting services for small businesses throughout the Bay Area. With eWEEK Labs since 2003, Andrew concentrates on wireless networking technologies while moonlighting with Microsoft Windows, mobile devices and management, and unified communications. He produces product reviews, technology analysis and opinion pieces for eWEEK.com, eWEEK magazine, and the Labs' Release Notes blog. Follow Andrew on Twitter at andrewrgarcia, or reach him by email at agarcia@eweek.com.
     
     
     
     
     
     
     

    Submit a Comment

    Loading Comments...

     
    Manage your Newsletters: Login   Register My Newsletters























     
     
     
     
     
     
     
     
     
     
     
    Rocket Fuel