Although good, Aventail’s logging features aren’t as comprehensive as those of the F5 FirePass 4100 or the Juniper NetScreen-SA 5000. The EX-1500 comes with support for Syslog, SNMP, and internal text logging but offers no built-in graphical reports.
One big drawback is that, as opposed to the other appliances reviewed here, the EX-1500 lacks any facility for true layer 3 tunneling. The included Aventail Connect utility almost makes up for this shortcoming, however. Aventail Connect is a Windows application installed on the remote PC that provides “network-level” access to back-end resources. It is not a true layer 3 tunnel -- remote users can ping in but not out -- but it does provide full TCP and UDP inbound support. Aventail promises to deliver full bidirectional tunnel capabilities in a future release.
F5 Networks FirePass 4100
Many features found in F5’s FirePass 1000 -- which InfoWorld reviewed in October -- carry over to the FirePass 4100 but in an updated, more powerful way. The 4100 also includes some less common features among SSL VPNs, such as content filtering and anti-virus scanning, both of which are implemented using open source software. The FirePass can even terminate site-to-site IPSec tunnels, although it isn’t designed to handle client-to-site IPSec.
The FirePass offers the standard portal-based access for Web applications, application access via TCP-only AppTunnels, and a layer 3 connector called Network Access. It also allows thin-client access to native host applications such as Citrix MetaFrame, Microsoft Terminal Services, X Windows, and “green-screen” legacy applications via special connector software. I tested the Terminal Services support against one of our Windows 2000 Servers and was surprised at how quick and smooth it was. The FirePass 4100’s layer 3 tunnel allows for both split and full tunneling and includes built-in VLAN support.
One notable feature of the FirePass 4100 is Desktop Access. Similar to the Beam application found in the enKoo-3000, Desktop Access is remote access software for Windows that runs in a browser via a Java applet or an ActiveX control, either of which can be pushed to the remote client on demand.
The FirePass offers almost too many logging options. Everything that can conceivably be logged is logged, and support for SNMP and Syslog is included. Graphical reporting tools are also built in, making at-a-glance monitoring easy.
Authentication services in the FirePass 4100 include LDAP, RADIUS, Active Directory, Vasco DigiPass, basic HTTP authentication, client certificates, and local database. Each authentication scheme is assigned to a specific resource group. SSO for Windows resources is enabled by default and worked in every case I tested.
Clustering support is particularly strong in the FirePass 4100. Linking 10 nodes allows it to support as many as 10,000 concurrent users, and both Active-Active and Active-Standby clustering come standard.
The FirePass administrator UI suffers from a bit of “hyperlink overload,” but after spending some time hunting through the myriad options, I became familiar with the layout, which proved fairly easy to navigate. There are also some nice features. For example, to avoid keystroke loggers on client PCs, F5 offers a graphical virtual keyboard for both user name and password.
The FirePass should be especially attractive to government users because F5 offers a version that complies with FIPS (Federal Information Processing Standard) 140, the U.S. National Institute of Standards and Technology specification that outlines security requirements for cryptographic modules. Most of the vendors represented here expect to have FIPS 140 compliance ready in 2005, but only F5 and Juniper offer compliant products today.
The one area where the FirePass could use some work is in end-point security management. Unlike other appliances, the FirePass relies on its own host checking software rather than partnering with a third party. Although F5’s offering does provide cache-cleaning options and a virtual desktop called Protected Workspace, it isn’t as powerful as the Sygate On-Demand engine. It will, however, check for running processes, Registry entries, OS and Internet Explorer service pack levels, and the presence of McAfee VirusScan. If a client fails any host check, its access falls back to a quarantine network. Unfortunately, the host check doesn’t take place until after the user has authenticated. F5 tells us that preauthentication support is in development and is slated for the next software release.
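The host-check flow described above, as an added example that is neither F5's code nor the review's: a small Python model of a posture policy covering the check kinds listed (running processes, Registry entries, OS and Internet Explorer service-pack levels, anti-virus presence), the quarantine fallback, and the difference between running the check after authentication and before it. The policy values, Registry key, process names and host reports are constructed for illustration, and the pre-authentication behaviour is an assumption, not a description of the shipping product.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class HostReport:  # what a host-check agent reports about the client PC (constructed shape)
    processes: frozenset
    registry_keys: frozenset
    os_sp: int
    ie_sp: int
    av_product: str  # "" when no anti-virus product is found

@dataclass(frozen=True)
class PosturePolicy:  # the check kinds the review lists: processes, Registry, service packs, AV
    forbidden_processes: frozenset
    required_registry_keys: frozenset
    min_os_sp: int
    min_ie_sp: int
    required_av: str

def evaluate_posture(report, policy):
    """Return the failed checks; an empty list means the host is compliant."""
    failures = []
    bad = report.processes & policy.forbidden_processes
    if bad:
        failures.append("forbidden_process:" + ",".join(sorted(bad)))
    missing = policy.required_registry_keys - report.registry_keys
    if missing:
        failures.append("missing_registry:" + ",".join(sorted(missing)))
    if report.os_sp < policy.min_os_sp:
        failures.append("os_service_pack")
    if report.ie_sp < policy.min_ie_sp:
        failures.append("ie_service_pack")
    if report.av_product != policy.required_av:
        failures.append("antivirus")
    return failures

def connect(credentials_ok, report, policy, check_before_auth):
    """Return (network, credentials_submitted). check_before_auth=False is the post-auth
    order the review describes (a failing host still reaches the credential prompt);
    True is the pre-auth order (assumed here): a failing host never sees the prompt."""
    failures = evaluate_posture(report, policy)
    if check_before_auth and failures:
        return ("quarantine", False)
    if not credentials_ok:
        return ("denied", True)
    return ("quarantine" if failures else "full", True)

# Constructed sample policy and hosts (all values invented for illustration).
POLICY = PosturePolicy(frozenset({"unapproved.exe"}), frozenset({r"HKLM\SOFTWARE\Corp\Managed"}), 4, 1, "McAfee VirusScan")
MANAGED = HostReport(frozenset({"explorer.exe"}), frozenset({r"HKLM\SOFTWARE\Corp\Managed"}), 4, 1, "McAfee VirusScan")
KIOSK = HostReport(frozenset({"explorer.exe", "unapproved.exe"}), frozenset(), 3, 1, "")
```

Comparing `connect(True, KIOSK, POLICY, False)` with `connect(True, KIOSK, POLICY, True)` shows the point of the review's complaint: both land the non-compliant host in quarantine, but only the post-authentication order has already accepted the user's credentials from it.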
Juniper Networks NetScreen-SA 5000
InfoWorld reviewed the Neoteris Access Series SSL appliance in October 2003. Now owned by Juniper, the heart of the old product beats on in new and improved hardware and with a more mature security engine. The current software release, Version 4.2, still suffers from GUI fatigue and needs better organization, but overall, the product proved flexible and secure.