Aventail and F5 extend their security reach to network access control
Companies build on already excellent SSL VPN product lines
This release, Version 5.5, comes with enhanced and powerful end-point control that allows administrators to create various security policies based on the "who, what, and where" of the client. F5's end-point control provides the means for deftly handling host policy classification. FirePass works with nearly every anti-virus and personal firewall product on the market for maximum flexibility and security enforcement.
One of FirePass' brightest spots is the Visual Policy Editor. This tool graphically depicts each step of the log-on sequence and allows admins to craft end-point policy quickly. What I really liked about the policy editor is that I could not only create pre-log-on sequences but also post-log-on and remediation sequences. For example, if a host passed the initial verification steps and had a valid anti-virus program but its signatures were out of date, I could pass it to a page with information on updating its virus signatures instead of simply denying access.
For added scalability, a FirePass, or even a cluster of FirePasses, can offload SSL processing to an F5 Big-IP appliance. Moving this CPU-intensive processing to an appliance built for SSL tasks makes a lot of sense, and it allows the FirePass to serve a virtually unlimited number of users.
FirePass still isn't one of the easiest devices to set up and configure, but it does give ultimate control to administrators. Every aspect of the appliance, from SSL encryption strength to policy enforcement per access method, is exposed. And IPSec site-to-site tunneling is still available in the FirePass.
The FirePass is one of the best SSL VPN appliances available. It has exceptional access support and an excellent end-point control engine. SSL offload to the Big-IP appliance is a major plus, and the flexibility in policy enforcement is first rate. Resource definition provides almost too many choices, and it could more fully support Linux and Mac users. But for the most part, there isn't any scenario that the FirePass can't handle.
SSL VPNs will continue to evolve and expand their roles in network security. Both Aventail and F5 are paving the way with tighter policy and host integration; look for the shift to internal protection to continue. I really like the overall flexibility and functionality of the FirePass 4100. It provides exceptional scalability, and the Visual Policy Editor makes it easy to understand the pre- and post-log-on process. Aventail's EX-2500 is easier than FirePass to deploy and now includes native Citrix and MS Terminal Server support. The EX-2500 is a very capable performer that just doesn't quite scale like the 4100.
Will SSL VPNs take over internal network security? Only time will tell, as more security features are stuffed into these already-bursting devices.