Although F5 Networks Inc.s initial foray into security appliances is a little rough around the edges, its FirePass 1000 has the potential to provide a flexible, powerful, SSL-based remote access solution for organizations looking to avoid IP Securitys administrative hassles albeit at a hefty price.
The FirePass 1000s price starts at $9,900 for 25 concurrent users or at $19,990 for a maximum of 100 concurrent users. At almost $200 per user for 100 users, this price is steep compared with that for many SSL (Secure Sockets Layer) and IPSec VPN solutions. Companies with greater needs should consider the FirePass 4000, which supports as many as 1,000 users for $69,990 and can be clustered for even greater demand. Both units began shipping in late October.
SSL-based VPNs present a clear advantage over IPSec to overworked administrators, requiring little or no client configuration. Using the FirePass 1000, clients can interact securely via SSL: The FirePass decrypts and proxies transmissions to the proper host on the protected network. Indeed, the FirePass requires remote users have nothing more than an HTTPS (HTTP Secure) and ActiveX- or Java-enabled browser and an Internet connection to access corporate applications and data.
F5s FirePass 1000 SSL VPN provides excellent security and easy access for remote users accessing the corporate network. The product institutes a tiered approach to network access, using policies that account for user and group permissions, location, and client software. However, some features behave inconsistently according to the Web platform being used. Pricing for 100 concurrent users is a relatively steep $19,990.
EVALUATION SHORT LIST
A few network services (intranet, e-mail and terminal host access) can be viewed clientless in the browser frame; others can be viewed via a thin client configured via the appropriate F5 Webifyer ActiveX component or Java plug-in—Windows drive mapping and Terminal Services are notable. To use an organizations existing client software, administrators can define an appropriate, single-application F5 AppTunnel back to the server. We liked the flexibility the latter feature provides, although we did have to point the client application to a loop-back address that is presented to the user in a pop-up box, which can cause some confusion. The FirePass also offers full network SSL VPN access for applications, such as voice, that require a wide range of ports.
In eWEEK Labs tests, we placed the FirePass in our networks DMZ and configured our firewall to pass the service with the protected servers. We culled user and group information from our Active Directory via an LDAP call and configured the FirePass to authenticate to our domain for each user log-in attempt. The FirePass can also authenticate to RADIUS (Remote Authentication Dial-In User Service) servers and Windows NT domains, or it can use an internal database.
The FirePass powerful policy engine allowed us to define different access rights for each group, but keeping track of Web-based configuration pages for multiple groups can be difficult. Wed prefer that F5 add a group-centric viewing option allowing us to see a single groups entire policy, instead of having to click through each Webifyer individually.
More impressively, the FirePass let us control access depending on the relative security of the client machine. The FirePass supports kiosks where the user has no rights to install ActiveX or Java plug-ins, limiting access to intranet or e-mail traffic only. As mentioned above, administrators can also limit access to sensitive applications by requiring a client-side certificate and appropriate anti-virus and firewall security software—although we believe deploying client certificates to end-user machines reduces some of the advantages inherent in SSL VPN technology.
The FirePass supports an array of browsers, with the flexibility to tailor the user experience by platform. However, certain features were inconsistent across platforms, particularly the drive-mapping Webifyer. F5 officials attributed this flaw, along with other interface irregularities and rare system lockups, to the late-beta software in our test unit. These issues should not dissuade administrators from further investigating the shipping product.
Technical Analyst Andrew Garcia can be reached at firstname.lastname@example.org.