SSL VPNs come of age
We see how six leading appliances measure up to one another and to IPSec
One notable feature of the FirePass 4100 is Desktop Access. Similar to the Beam application found in the enKoo-3000, Desktop Access is remote access software for Windows that runs in a browser via a Java applet or an ActiveX control, either of which can be pushed to the remote client on demand.
The FirePass offers almost too many logging options. Every conceivable thing that can be logged, is, and support for SNMP and Syslog is included. Graphical reporting tools are also built in, making at-a-glance monitoring easy.
Authentication services in the FirePass 4100 include LDAP, RADIUS, Active Directory, Vasco DigiPass, basic HTTP authentication, client certificates, and local database. Each authentication scheme is assigned to a specific resource group. SSO for Windows resources is enabled by default and worked in every case I tested.
Clustering support is particularly strong in the FirePass 4100. Linking 10 nodes allows it to support as many as 10,000 concurrent users, and both Active-Active and Active-Standby clustering come standard.
The FirePass administrator UI suffers from a bit of “hyperlink overload,” but after spending some time hunting through the myriad options, I became familiar with the layout, which proved fairly easy to navigate. There are also some nice features. For example, to avoid keystroke loggers on client PCs, F5 offers a graphical virtual keyboard for both user name and password.
The FirePass should be especially attractive to government users because F5 offers a version that complies with FIPS (Federal Information Processing Standard) 140, the U.S. National Institute of Standards and Technology specification that outlines security requirements for cryptographic modules. Most of the vendors represented here expect to have FIPS 140 compliance ready in 2005, but only F5 and Juniper offer compliant products today.
The one area where the FirePass could use some work is in end-point security management. Unlike other appliances, the FirePass relies on its own host checking software rather than partnering with a third party. Although F5’s offering does provide cache-cleaning options and a virtual desktop called Protected Workspace, it isn’t as powerful as the Sygate On-Demand engine. It will, however, check for running processes, Registry entries, OS and Internet Explorer service pack levels, and the presence of McAfee VirusScan. If a client fails any host check, its access falls back to a quarantine network. Unfortunately, the host check doesn’t take place until after the user has authenticated. F5 tells us that preauthentication support is in development and is slated for the next software release.
Juniper Networks NetScreen-SA 5000
InfoWorld reviewed the Neoteris Access Series SSL appliance in October 2003. Now owned by Juniper, the heart of the old product beats on in new and improved hardware and with a more mature security engine. The current software release, Version 4.2, still suffers from GUI fatigue and needs better organization, but overall, the product proved flexible and secure.