Simple, Secure Enterprise Remote Access

Historically, organizations have used IPSec VPN solutions to provide employees with remote access to network resources. Originally designed for securing site-to-site communications, IPSec has shown it is unable to keep up with the growing demands of remote access required by today's enterprise organizations. As the Internet becomes the most important method for organizations to provide access to mission critical applications, and Web-enabled devices become more prevalent, the limitations that plague IPSec solutions are proving prohibitive for many enterprises.

Challenges

Organizations employing IPSec VPNs have to contend with issues regarding IP addressing, network address translation, limited remote device support, and software installation and maintenance required on every client.

  • Limited Client Support - Because IPSec VPN solutions require client software to secure the transactions, corporate resources can only be accessed through a limited number of systems. This severely limits the ability of end-users to obtain access to important resources from public systems and mobile devices.

  • Costly to Deploy - IPSec VPN requires the deployment of client software on each device. This significantly increases the cost of the implementation because it requires organizations to provide and maintain corporate laptops for each employee who travels.

  • Limited Security Granularity - IPSec VPN systems lack the granularity administrators need in order to provide appropriate access to users. Administrators must choose between providing broad access, which compromises network security, or providing very limited access, making it difficult for users to work effectively.

  • Limited Auditing Capabilities - IPSec VPN solutions also provide limited auditing, making it difficult for administrators to troubleshoot problems and depriving them of clear insight into user data.

Solution

F5's FirePass® controller enables enterprises to provide secure, reliable and intuitive remote access to corporate applications and data using standard web browser technology, without the headaches associated with time-consuming client software installation and configuration, or changes to server-side applications.

FirePass is the first SSL VPN solution with complete cross-platform support. Extending its support for any IP application to Apple® Macintosh®, PocketPC and Linux clients, in addition to Microsoft® Windows®, and expanding client and application security for web, email and file application access, FirePass delivers the industry's most ubiquitous solution for secure network access.

  • Full Network Access - The corporate laptop user, also referred to as a "trusted" user, is an employee using company issued and maintained equipment. The trusted user is typically an executive or a member of the sales team who needs the same access to network resources as users in the office.

    For these users, the FirePass controller delivers full network access for Windows, Macintosh, PocketPC and Linux systems. Standard features across all desktop and laptop platforms include split tunneling, compression, activity-based timeouts, and automatic application launching.

  • Enhanced Security - To protect against backdoor attacks when accessing the network with split tunneling, the FirePass system provides a dynamic firewall that protects Win2k/XP users when using the full network access feature. This eliminates the ability for a hacker to route through the client to the corporate network or for the user to inadvertently send traffic to the public network.

    FirePass also increases security by detecting the presence of required processes (e.g. virus scan, personal firewalls, OS patch levels, registry settings and McAfee® anti-virus levels) and the absence of other processes (key logger for example) on the client PC before allowing full network access. Users who fail these primary policies can be connected to a quarantine network where they can update to current corporate security standards.

  • Portal Access - Secure Access From Public Systems For Employees, Customers and Partners
    Enterprises increasingly deploy web-based applications, intranet and extranet portals, as well as web-based email to enable higher employee productivity and increased operational efficiency both internal to their organization as well as with their partners. To maximize the benefits of these applications, organizations should ensure these applications are accessible to employees and partners from any location while ensuring restricted, secure access only to authorized users.

  • Web Applications - The FirePass device provides access to internal Web servers, including Microsoft Outlook Web Access and Lotus® iNotes®, as easily as from inside the corporate LAN. It also delivers granular access control to intranet resources on a group basis. For example, employees can be provided access to all intranet sites; partners can be restricted to a specific web host.

  • File Server Access/Email Access - The FirePass controller allows users to browse, upload, download, copy, move or delete files on shared directories. It supports SMB Shares, Windows Workgroups; NT 4.0 and Win2000 domains; Novell 5.1/6.0 with Native File System pack, and NFS servers. For email, the FirePass device provides secure web-based access to POP/IMAP/SMTP email servers from standard and mobile device browsers. This allows users to send and receive messages, download attachments and attach network files to emails.

  • Mobile Device Support - The FirePass controller allows secure access from PDAs (like Palm OS), and cell phones (like WAP and iMode phones) to email and other applications. It dynamically formats email from POP/IMAP/SMTP email servers to fit the smaller screens of mobile phones and PDAs, and supports the sending of network files as email attachments and the viewing of text/Word documents.

  • Advanced Security - The FirePass controller delivers multiple layers of control for securing information access from public systems. For example, users of Windows 2000/XP can be automatically switched to a protected workspace for their remote access session. In a protected workspace mode, the user cannot write files to locations outside the protected workspace and the temporary folders and all of their contents are deleted at the end of the session. Since the user session is in a separate desktop, users are protected from trojan horses and key loggers.

    The FirePass device also includes a cache cleanup control feature that removes cookies, browser history, auto-complete information, browser cache, temp files, and all ActiveX controls installed during the remote access session from the client PC. A secure "virtual keyboard" enables secure password entry from the mouse instead of the keyboard. When engaged, this feature enables users to securely enter a password on a system that has been compromised by a key logger.

    For systems unable to install a "cleanup" control, the FirePass controller can be configured to block all file downloads to avoid the issue of inadvertently leaving behind temporary files - yet still allow access to applications.

    The FirePass device can also scan web and file uploads using either an integrated scanner or external scanner via ICAP API. Infected files are blocked at the gateway and not allowed onto email or file servers on the network, heightening protection.

  • Terminal Server Access - FirePass provides secure Web-based access to Microsoft Terminal Servers, Citrix® MetaFrame® applications, Windows XP Remote Desktops, and VNC servers. It supports group access options, user authentication and automatic logon capabilities for authorized users, and supports automatic downloading and installation of the correct Terminal Services or Citrix remote-platform client component, if it is not currently installed on the remote device.

  • Desktop Access
    FirePass allows secure remote control of Windows corporate desktops from Web browsers supporting Java or ActiveX downloads. It provides the ability to share the desktop with other users for Web-based collaboration or demonstrations and provides access to files, email and other applications.

  • Unix System Access and Host Access - FirePass supports secure access to Unix/Linux systems from Web browsers supporting Java or ActiveX downloads. It utilizes X Windows to natively communicate with Unix systems, without requiring modifications to the Unix system or application or requiring preinstalled X Windows client software. Host Access features enable FirePass to secure web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications without requiring modifications to the applications or application servers.

  • Authentication and Authorization - The FirePass controller includes a dynamic policy engine that enables administrators to easily manage user authentication and authorization privileges. Dynamic policy based access gives administrators quick and granular control over their network resources. For example, administrators can configure a user's permission to allow email-only access from a public kiosk with active cache and temporary file cleanup, but provide them full network access from a corporate laptop with active firewall and virus detection software.

    The FirePass device can also be configured to work with RADIUS, Active Directory (Kerberos) and LDAP authentication methods, basic and form-based HTTP authentication, identity management servers (e.g. Netegrity), and Windows Domain Servers.

    For authentication, many organizations require "two-factor" authentication, which uses something beyond knowledge of a user ID and password. FirePass fully supports RSA SecurID® token-based authentication. FirePass also offers a built-in implementation of VASCO Digipass®.

    The FirePass controller can also use a client-side certificate as a form of two-factor authentication and prohibit all network access for users without a valid client-side certificate. The FirePass device can act as a certificate authority and auto-generate and distribute client certificates. This drastically reduces the additional costs to purchase and manage certificates for each of the clients.

  • Access Privileges
    Access privileges can be granted to individuals or to groups of users (for example: "Sales", "Partners", "IT"). This allows the FirePass device to restrict individuals and groups to particular resources. Partners may be allowed access only to an extranet server, while Sales staff can connect to email, the company Intranet, and the CRM system. Access Policies can be defined to a group of resources as opposed to individual resources. New resources can be simply added to a resource group without modifying individual access policies manually. In addition, resources can be defined as an alias so that any changes to resource definitions are automatically updated in all resource aliases. These capabilities significantly reduce the policy management complexity in an enterprise environment with a large number of user groups and resources.

  • Auditing - The FirePass device provides reports from the session and activation logs. Summary reports aggregate usage by day of the week, time of day, accessing OS, features used, web sites accessed, session duration, session termination type, and other information for a user-specified time interval.

Platform Choices

Firepass 4100                      Firepass 1000                   Firepass 600
100-1,000 concurrent connections   25-100 concurrent connections   10-25 concurrent connections
SSL Hardware Acceleration          N/A                             N/A

© 2004-2005 XSM Systems Incorporated. All rights reserved.