- Highly scalable
- Optional SSL acceleration and clustering
- Security compliance checking
- Quarantine of non-conforming clients
- Extensive logging and reporting
- Management interface takes a while to master
- Limited client security checks
A relative newcomer to the world of SSL-based remote access, F5 has been quick to absorb and extend the FirePass VPN appliance technology it acquired, along with the original developer uRoam, back in 2003.
The most recent addition is the FirePass 600, which is aimed at smaller businesses with up to 25 remote users (£3,723 ex VAT), while its bigger brother, the 1U FirePass 1000 (£13,542 ex VAT), can cope with 100 users at a time. The 2U FirePass 4100 reviewed here, however, is very much designed for large enterprises, with optional hardware-based SSL acceleration and clustering that can extend this to 2,000 users or more.
The Web-based management interface is much the same on all three products, and although fairly straightforward, it does take a while to get to grips with. Moreover, although F5 claims a 30-minute install time, in practice that only gives you a basic setup, with extra time needed to tailor the various access and security options and customise the end-user interface.
And there really is a lot to get to grips with here. To start with, remote access can be managed at a group or individual level with a choice of authentication systems including an internal database, Active Directory, LDAP or RADIUS. There’s support for two-factor authentication (such as SecurID), and endpoint systems can also be checked for security compliance before access is allowed.
On the downside, the compliance checks aren’t as comprehensive as with some rival products, but there are facilities to look for specific service pack updates, registry settings and virus infections. Failing systems can also be quarantined and, usefully, redirected to download the necessary updates automatically. However, the check for a client-side virus scanner recognises McAfee software only.
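To make the pre-access compliance check concrete, here is an added example (my own code, not F5's FirePass implementation) of the decision logic such a gateway applies: each endpoint's reported facts are compared against a policy covering service-pack level, a required registry setting and an approved antivirus product with fresh signatures, and any failure results in a quarantine decision carrying a remediation URL. The host facts, the registry key, the vendor list and the URL are constructed sample values; a real appliance would gather the facts from its endpoint agent and fail closed on anything it cannot read, which this code does too.

```python
"""Endpoint compliance evaluation with quarantine and remediation redirect.

Added example, not F5 FirePass code. All hosts, keys and URLs below are
constructed placeholders for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional


@dataclass
class HostFacts:
    """What the endpoint agent reports (constructed sample data)."""
    service_pack: int
    registry: Dict[str, object]          # snapshot of the keys we care about
    av_vendor: Optional[str]             # None when no scanner was found
    av_signature_age_days: Optional[int]  # None when the age is unknown


@dataclass
class Policy:
    min_service_pack: int
    required_registry: Dict[str, object]  # key -> required value
    approved_av_vendors: FrozenSet[str]
    max_signature_age_days: int


@dataclass
class Decision:
    action: str                              # "allow" or "quarantine"
    failures: List[str] = field(default_factory=list)
    remediation_url: Optional[str] = None    # where a quarantined client is sent


def evaluate(facts: HostFacts, policy: Policy,
             remediation_url: str = "https://updates.example.invalid/") -> Decision:
    """Fail closed: a missing fact counts as a failed check."""
    failures: List[str] = []

    if facts.service_pack < policy.min_service_pack:
        failures.append(f"service pack {facts.service_pack} below "
                        f"required {policy.min_service_pack}")

    for key, wanted in policy.required_registry.items():
        actual = facts.registry.get(key)      # None if the agent did not report it
        if actual != wanted:
            failures.append(f"registry {key}={actual!r}, required {wanted!r}")

    if facts.av_vendor not in policy.approved_av_vendors:
        failures.append(f"antivirus {facts.av_vendor!r} not on approved list")
    elif (facts.av_signature_age_days is None
          or facts.av_signature_age_days > policy.max_signature_age_days):
        failures.append("antivirus signatures missing or stale")

    if failures:
        return Decision("quarantine", failures, remediation_url)
    return Decision("allow")


# Constructed policy: hypothetical registry key, one approved vendor.
FIREWALL_KEY = r"HKLM\SOFTWARE\ExampleCorp\FirewallEnabled"  # placeholder key
SAMPLE_POLICY = Policy(
    min_service_pack=2,
    required_registry={FIREWALL_KEY: 1},
    approved_av_vendors=frozenset({"McAfee"}),
    max_signature_age_days=7,
)

# Constructed endpoints: one compliant, one out of date, one with no scanner.
SAMPLE_HOSTS = {
    "laptop-compliant": HostFacts(2, {FIREWALL_KEY: 1}, "McAfee", 1),
    "laptop-old-sp": HostFacts(1, {FIREWALL_KEY: 1}, "McAfee", 2),
    "laptop-no-av": HostFacts(2, {}, None, None),
}


def run_sample() -> Dict[str, Decision]:
    """Evaluate every constructed host against the sample policy."""
    return {name: evaluate(facts, SAMPLE_POLICY)
            for name, facts in SAMPLE_HOSTS.items()}


if __name__ == "__main__":
    for name, decision in run_sample().items():
        print(name, decision.action, "; ".join(decision.failures))
```

Each failure reason is kept with the decision so it can be logged and shown to the user on the quarantine page, which is what makes automatic redirection to updates useful rather than just a blocked login.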
As with most SSL appliances, FirePass employs a mix of technologies to provide authenticated users with access to network applications and resources. And it does so without the need for a custom VPN client. In fact, for the most part all that’s needed is an SSL-enabled browser that will, typically, be Internet Explorer (although we used Firefox and Opera with good results). Small-format handheld devices are also supported, as well as both Windows and Linux clients.
Access to Web-enabled applications is consolidated using a customisable portal, while AppTunnels can be configured to link to ordinary TCP/IP applications. An ActiveX control is automatically downloaded to support this and other connectivity options, with automatic removal and cache cleanup when finished. There’s a Java-based alternative for situations where ActiveX is not allowed, and it’s possible to pre-install the software on clients where desktop settings are locked down.
A wide range of applications can also be handled using pre-configured connectors, giving access to products like Exchange, Citrix and legacy terminal emulators. Access to Windows file shares and Novell and NFS servers also comes as standard; these and other options are configured using the same graphical policy editor on the FirePass appliance. Remote desktop support is an optional extra, if required; other features worth noting include a built-in firewall and split-tunnelling of client traffic to further protect the network from backdoor attacks.
Performance is a major concern with this type of product and depends mostly on the number of users and the specification of the FirePass hardware. Hardware-based SSL acceleration is essential for large-scale use and is built into the F5 appliance, although you do have to pay extra to activate it.
We were impressed with what the FirePass appliance has to offer, and F5 has certainly moved quickly to establish a presence in the burgeoning SSL remote access market, with products now available to suit a wide range of needs. However, competition is fierce and only time will tell if this broad-based approach will succeed.