Array Networks falters where F5 flies in SSL VPN standoff

FirePass 1000 proves more complete next to Array SP

For mobile and remote users, SSL VPNs are fast becoming the secure access of choice by IT professionals. They are easy to implement, and because they work through your Web browser they negate the need for an IPSec-style client, making them easier to deploy on a wide range of mobile devices.

The SSL VPN appliance space is currently in a state of “me too,” as vendors old and new announce new releases and upgrades. In October, I reviewed two SSL VPNs. This time, I looked at Array Networks’ Array SP (Secure Proxy) and F5 Networks’ FirePass 1000.

These two devices provide the core SSL access features of reverse Web proxying, access to Windows or Unix file shares, and terminal services. Both scale well

and rewrite and compress HTML streams but differ in usability and functionality.

Of the SSL appliances, the FirePass provides the best mix of VPN functionality, client security, and ease of use. You get SSL-secured VPN support for Web-based and thin applications as well as an IPSec-style network-level connection. The Array SP secures Web apps very well, but support for thin applications is cumbersome and IPSec-style tunnel is nonexistent.

F5 FirePass 1000

Recently acquired from uRoam, the FirePass 1000 provides a full range of secure remote access. The FirePass blends HTML translation and compression for increased performance with client-side cache management. You do not get any URL filtering or low-level network features as you do from the Array SP, but you do get an IPSec-style tunnel and the ability to manage how content is cached in the user’s browser.

The FirePass 1000 comes in a slim 1U chassis and ships with dual 10/100Mbps Ethernet interfaces. Unlike the Array SP, the FirePass does not support clustering, but you can configure a second unit for hot, stateful fail-over. You can also use SSL to encrypt local traffic to help prevent snooping.

While not a task for the novice, configuring the FirePass was much easier than was the Array appliance. The tasks are well-organized and include informative descriptions that take much of the mystery out of the equation. As would just about all of the other SSL appliances I’ve reviewed, the FirePass would benefit from a setup wizard or ordered

list of steps to complete specific tasks.

Policy configuration begins with the creation of one or more user groups. You can import users from an LDAP source, from a file, from a Windows domain, or simply add them manually. Available authentication schemes for groups are RADIUS (Remote Authentication Dial-In User Service), Vasco Digipass, LDAP, basic HTTP to an external server, Windows domain/Active Directory, or HTTP form-based authentication, but only one type of authentication is available per group. Just as with the Array SP, I used Windows 2000 Active Directory as my authentication source and had no trouble with the system.

The FirePass uses Webifyers to define access to internal servers. Not only can you connect to Web applications but also to Windows and Unix file shares, X-Windows, Citrix MetaFrame, VNC (Virtual Network Computing, an open source remote control application), Microsoft Terminal Services, “green screen” host access, local intranet sites, and an IPSec-style network-level connector. Unfortunately, access to terminal services is limited to Win32 PCs. Also included is a connector called My E-mail that takes you directly to your inbox on a POP3 or IMAP server. During my tests, I did not experience any compatibility issues between JVM releases on my remote test users and the automatically downloaded Java and ActiveX components from the FirePass.

The SSL VPN portion of the FirePass is first-rate and provides all of the necessary components for secure deployment. You can define static drive mappings to a protected server using your already-accepted client credentials and launch an application on connect. As with other SSL appliances, you can make sure anti-virus and other client security software is active before establishing the tunnel by requiring a process to be either present or absent on the remote PC.

The FirePass also allows you to force the cache cleanup applet to install

on the remote PC to remove any traces of attachments or temporary files on exit. There are different settings for how content is cached, from “cache nothing” to “cache only style sheets and JavaScript.” This allows you to balance performance and security during user sessions.

Array Networks Array SP

As the name implies, the Array SP is a security device. It is not a pure SSL VPN appliance; it’s VPN, firewall, content filtering, and SSL acceleration all rolled into one, and as such, it’s not overly deficient nor does it excel in any one area.

The Array SP is a great choice for networks where Web-based applications are the primary destination for remote users. Like most other SSL VPN appliances, the SP rewrites the HTML stream to hide internal name spaces and can also compress the HTML data on the fly to improve server response. The SP includes a powerful URL-filtering component and easily connects your secure session to both Windows and Unix file shares. However, it does not come with a network-level VPN connector as the F5 FirePass 1000 does, and configuration is too complex.

The SP ships with excellent infrastructure compatibility and includes dual Gigabit Ethernet interfaces and VLAN tagging in its midsize, 3U chassis. It is cluster-ready and has the ability to stack up to 32 units in a single cluster. WebWall, a network-layer firewall, helps protect the appliance from any type of network attack. The SP can also encrypt internal traffic to a back-end server using SSL.

SP’s policy- and user-control start with the creation of a Virtual Site. A Virtual Site is a container for managing authentication and security policies in the SP. Each Virtual Site requires an available IP address from the outside network interface’s subnet. For granular user- or group-level policy enforcement, you must define multiple Virtual Sites. Although I like the Virtual Site concept, I do not like the fact that each one uses up an IP address. Depending on your infrastructure, this may prove to be a logistical problem.

For each Virtual Site, you choose the type of authentication to use from Active Directory, LDAP, RADIUS, SecurID, or the local user database. Array has an API that allows you write your own authentication connector, if needed. For my test, I authenticated my users against Windows 2000 Active Directory without any trouble. Each Virtual Site can have its own server-side digital certificate, cipher suite definition, and minimum cipher strength.

Further Virtual Site definition includes enabling Windows or Unix file shares, and the creation of TCP Application Settings, a section in each Virtual Site that allows you to create thin-application mappings. Defining your TCP applications in the SP is not very intuitive and would benefit from a less confusing user interface. Although the available settings allow you to define just about any TCP application profile based on address and port, there are no predefined applications to choose from.

A Java applet downloads to your browser automatically when you connect to one of these protected resources. I found that for best results, you need to be running the latest version of the Microsoft JVM. I ran into trouble because one of my test laptops had the Sun 1.4.2 Java Virtual Machine installed. Currently there is no network-layer VPN component to allow IPSec-style access through the SP, but a company representative confirmed that one is under development.

All told, the Array Networks Array SP is secure in the services it provides, and it’s well-suited to protecting Web applications. However, the F5 FirePass 1000 is a more complete offering.

InfoWorld Scorecard
Ease of use (15.0%)
Setup (20.0%)
Security (30.0%)
Value (10.0%)
Interoperability (25.0%)
Overall Score (100%)
F5 Networks FirePass 1000 8.0 8.0 9.0 8.0 8.0 8.3
Array Networks Array SP 7.0 5.0 6.0 8.0 7.0 6.4

Copyright © 2003 IDG Communications, Inc.