Array Networks falters where F5 flies in SSL VPN standoff
FirePass 1000 proves more complete next to Array SP
For mobile and remote users, SSL VPNs are fast becoming the secure access of choice by IT professionals. They are easy to implement, and because they work through your Web browser they negate the need for an IPSec-style client, making them easier to deploy on a wide range of mobile devices.
The SSL VPN appliance space is currently in a state of “me too,” as vendors old and new announce new releases and upgrades. In October, I reviewed two SSL VPNs. This time, I looked at Array Networks’ Array SP (Secure Proxy) and F5 Networks’ FirePass 1000.
These two devices provide the core SSL access features of reverse Web proxying, access to Windows or Unix file shares, and terminal services. Both scale well
and rewrite and compress HTML streams but differ in usability and functionality.
Of the SSL appliances, the FirePass provides the best mix of VPN functionality, client security, and ease of use. You get SSL-secured VPN support for Web-based and thin applications as well as an IPSec-style network-level connection. The Array SP secures Web apps very well, but support for thin applications is cumbersome and IPSec-style tunnel is nonexistent.
F5 FirePass 1000
Recently acquired from uRoam, the FirePass 1000 provides a full range of secure remote access. The FirePass blends HTML translation and compression for increased performance with client-side cache management. You do not get any URL filtering or low-level network features as you do from the Array SP, but you do get an IPSec-style tunnel and the ability to manage how content is cached in the user’s browser.
The FirePass 1000 comes in a slim 1U chassis and ships with dual 10/100Mbps Ethernet interfaces. Unlike the Array SP, the FirePass does not support clustering, but you can configure a second unit for hot, stateful fail-over. You can also use SSL to encrypt local traffic to help prevent snooping.
While not a task for the novice, configuring the FirePass was much easier than was the Array appliance. The tasks are well-organized and include informative descriptions that take much of the mystery out of the equation. As would just about all of the other SSL appliances I’ve reviewed, the FirePass would benefit from a setup wizard or ordered
list of steps to complete specific tasks.
Policy configuration begins with the creation of one or more user groups. You can import users from an LDAP source, from a file, from a Windows domain, or simply add them manually. Available authentication schemes for groups are RADIUS (Remote Authentication Dial-In User Service), Vasco Digipass, LDAP, basic HTTP to an external server, Windows domain/Active Directory, or HTTP form-based authentication, but only one type of authentication is available per group. Just as with the Array SP, I used Windows 2000 Active Directory as my authentication source and had no trouble with the system.