Aventail and F5 extend their security reach to network access control
Companies build on already excellent SSL VPN product lines
The folks at Aventail have been building a great SSL VPN appliance for quite some time, and the current software release -- Aventail ST (Smart Tunneling) -- is no exception. I recently tested the EX-2500 with the latest software and found the features to be good enhancements to an already solid solution.
The EX-2500 is a new hardware platform for Aventail. It features a 1U chassis and scales to as many as 2,000 concurrent users per box. One of the more significant improvements is its capability of providing secure remote access to a wide range of mobile devices such as smartphones and PDAs. Aventail Mobile detects the device type at log-on and formats the display to fit the connected device. The feature can place the device into specific policy zones for access control. Mobile supports BlackBerry, Palm, Windows Mobile, DoCoMo, and Symbian systems.
Another new feature, Aventail's Native Access Modules, provides access to Microsoft Terminal Services and Citrix applications via the appliance without a "fat" client installed on the remote device. I really like this feature because it allowed me to consolidate various Terminal Server connections into one browser-based portal and provided access from within the browser. In fact, instead of being tied to Internet Explorer, as Microsoft's Web-based Terminal Server client is, I easily connected using Firefox.
End-point security also improved with the addition of tools for more flexible application verification. Admins can now create end-point checks based on MD5 checksums, wildcards, and relative dates, allowing for even greater verification of host systems. This increased level of host checking allows for in-depth inspection of a client device to make sure it conforms to the established security policy. Aventail's dynamic, adaptive security engine then places the device in the appropriate policy based on how it fared during the host check.
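The three check types described above (wildcard file match, MD5 checksum, relative date) and the zone placement that follows can be illustrated as below. This is an added example, not Aventail's code or configuration format; the rule fields, zone names and sample files are assumptions constructed for the illustration.

```python
import fnmatch
import hashlib
import os
import tempfile
import time

def md5_of(path):
    # MD5 is the checksum type the review names for these checks.
    with open(path, "rb") as f:
        return hashlib.md5(f.read()).hexdigest()

def check_passes(check, directory, now):
    """True if a file matching the wildcard also meets the optional MD5
    and relative-date (modified within N days of `now`) conditions."""
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not (fnmatch.fnmatch(name, check["pattern"]) and os.path.isfile(path)):
            continue
        if "md5" in check and md5_of(path) != check["md5"]:
            continue
        age = now - os.path.getmtime(path)
        if "max_age_days" in check and age > check["max_age_days"] * 86400:
            continue
        return True
    return False

def assign_zone(zones, directory, now=None):
    """Zones run most to least trusted; first full match wins, else deny."""
    now = time.time() if now is None else now
    for zone, checks in zones:
        if all(check_passes(c, directory, now) for c in checks):
            return zone
    return "deny"

def demo():
    """Constructed files and hypothetical zone names; returns both verdicts."""
    data = b"constructed agent build 1"
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("agent.exe", data), ("sigs-0417.dat", b"")):
            with open(os.path.join(d, name), "wb") as f:
                f.write(body)
        zones = [
            ("trusted", [{"pattern": "agent.exe", "md5": hashlib.md5(data).hexdigest()},
                         {"pattern": "sigs-*.dat", "max_age_days": 7}]),
            ("limited", [{"pattern": "agent.exe"}]),
        ]
        return assign_zone(zones, d), assign_zone(zones, d, time.time() + 30 * 86400)

if __name__ == "__main__":
    print(demo())
```

The second verdict evaluates the same files 30 days later: the signature file no longer meets the relative-date rule, so the device drops from the first zone to the second.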
Through improved integration with Netegrity and RSA, Aventail ST also has better single sign-on support than in previous versions. Password management through the Web portal has also improved. In the past, if a user's password was going to expire, he or she would be notified at log-on but would have no means of updating it. Now the password can be updated right through the portal, eliminating lock-out problems and help desk calls.
The EX-2500 with Aventail ST is a strong step forward in the ongoing evolution of the SSL VPN. It isn't missing any features and provides one of the best platforms for remote users, as well as exposed applications and resources. End-point control is good, and I like how it can fit into an overall internal security policy. Resource definition isn't as flexible as in the FirePass, but outside the most demanding situations, that should not be a problem. Look for its internal policy management to evolve into something that can give the big boys a run for their money.
F5 FirePass 4100
F5's FirePass is still one of the most complete SSL VPN solutions available. As does the EX-2500, FirePass provides a wide range of application and network support, including support for Unix and Windows file shares, X11 for Mac OS X, legacy "green screen" hosts, and various flavors of terminal services. FirePass also supports various browser types such as I-mode and WAP phones, as well as Pocket PC.