Array Networks falters where F5 flies in SSL VPN standoff
FirePass 1000 proves more complete next to Array SP
The FirePass uses Webifyers to define access to internal servers. Not only can you connect to Web applications but also to Windows and Unix file shares, X-Windows, Citrix MetaFrame, VNC (Virtual Network Computing, an open source remote control application), Microsoft Terminal Services, “green screen” host access, local intranet sites, and an IPSec-style network-level connector. Unfortunately, access to terminal services is limited to Win32 PCs. Also included is a connector called My E-mail that takes you directly to your inbox on a POP3 or IMAP server. During my tests, I did not experience any compatibility issues between JVM releases on my remote test users and the automatically downloaded Java and ActiveX components from the FirePass.
The SSL VPN portion of the FirePass is first-rate and provides all of the necessary components for secure deployment. You can define static drive mappings to a protected server using your already-accepted client credentials and launch an application on connect. As with other SSL appliances, you can make sure anti-virus and other client security software is active before establishing the tunnel by requiring a process to be either present or absent on the remote PC.
The FirePass also allows you to force the cache cleanup applet to install
Array Networks Array SP
As the name implies, the Array SP is a security device. It is not a pure SSL VPN appliance; it's VPN, firewall, content filtering, and SSL acceleration all rolled into one, and as such, it is neither overly deficient nor excellent in any one area.
The Array SP is a great choice for networks where Web-based applications are the primary destination for remote users. Like most other SSL VPN appliances, the SP rewrites the HTML stream to hide internal name spaces and can also compress the HTML data on the fly to improve server response. The SP includes a powerful URL-filtering component and easily connects your secure session to both Windows and Unix file shares. However, it does not come with a network-level VPN connector as the F5 FirePass 1000 does, and configuration is too complex.
The SP ships with excellent infrastructure compatibility and includes dual Gigabit Ethernet interfaces and VLAN tagging in its midsize, 3U chassis. It is cluster-ready and has the ability to stack up to 32 units in a single cluster. WebWall, a network-layer firewall, helps protect the appliance from any type of network attack. The SP can also encrypt internal traffic to a back-end server using SSL.
The SP’s policy and user controls start with the creation of a Virtual Site. A Virtual Site is a container for managing authentication and security policies in the SP. Each Virtual Site requires an available IP address from the outside network interface’s subnet. For granular user- or group-level policy enforcement, you must define multiple Virtual Sites. Although I like the Virtual Site concept, I do not like the fact that each one uses up an IP address. Depending on your infrastructure, this may prove to be a logistical problem.