48
1 F5 Security Products FirePass SSL VPN Presented by: Product Management Version 3 Oct. 17, 2008
1
F5 Security ProductsFirePass SSL VPN
Presented by: Product Management
Version 3Oct. 17, 2008
2
Presentation Topics
SSL VPN market and TrendsFirePass SSL VPN Base Functional Overview.Features and Benefits – Reflects release 6.0.2Release 6.0.3 – Sept. 08FirePass Look-ahead StrategySelling our solutionResource helpSummary
3
At HomeOn the Road
Remote Users Datacenter
The Leader in Application Delivery Networking
Microsoft
Exchange ServerBrowserMicrosoft
Outlook
ApplicationDeliveryNetwork
FirePass
4
TheInfoPro Wave 3 Survey – Spring 2007TheInfopro interview with all 133 Fortune 1000 and midsize enterprise customersTop Concerns:
– Network security continues to top the list of areas of concern, along with managing growth while keeping costs under control, managing network performance under demanding conditions, including addressing the issue of aging hardware
5
SSL VPN Market
Source: Gartner Dataquest (April 2007)
6
SSL Total Sales
0
50
100
150
200
250
300
350
400
450
500
2005 2006 2007 2008 2009 2010
M illions of Dollars
SSL World Wide Revenue 2005-2010
From Gartner® SSL VPN Vendor Revenue Forecast Published 7/06
7
Market Trends
Enterprise• Anytime/Anywhere Access• Continuous Business Operations• Lower Costs
Users• Reliable and Easy to use• Support for non-Windows
machines• More than just webmail
IT Staff• Overworked• Expanding Security Needs
Squeezed
8
Market Trends
Market Trend Potential ImpactConsolidation of remote access across the enterprise
Need for highly scalable, high performance SSL VPNs for ALL remote access needs
Increasing use of mobile devices in the enterprise Need for remote access from emerging mobile device/client Operating Systems
Disaster recovery and business continuity planning
Need for anytime, anywhere access during emergencies using SSL VPN technology
Increasing use of wireless LAN in the enterprise for employee and guest access
Need for securing access to wireless LAN
Securing internal LAN access from un-authorized users and client devices
Need for high performance access control solution to secure internal LAN access
SSL VPN is becoming the mainstream technology of choice for remote access. Key trends and drivers for the SSL VPN market and the potential impacts are:
9
Enterprise Manager
TMOSiControl/ iRules
ApplicationsUsers
Global Traffic
Manager
InternationalData Center
LinkController
SecureAccess
Application Delivery Network
Big-IP
LocalTraffic
Manager
AccelerationWAN- optimizationWeb – Acceleration ASM - Web
App Firewall
FirePass SSL VPN
Storage VirtualizationAcopia
Security is a key technology and Solution component of ADN
11
Key FirePass FeaturesAccess Control – Authentication– Authorization– Endpoint Security– Audit
Application Access Modes ( Connectivity Options )– Network Access– Application Access– Portal Access
Visual Policy Management
Clustering & Failover
Platforms – SMB to large enterprises
12
FirePass 6.0.3 Key Feature Summary
Support for FullArmor Group Policy Anywhere functionsProtected Workspace enhancementsJava bases AppTunnels and terminal servicesFirePass Reverse Proxy enhancementsWindows Vista SP1 and Windows XP 3 supportMAC Intel client 10.5 support and enhancementsStandalone client enhancementsProduct serviceability, guide, and online help improvements
(Released September 2008)
13
User Authentication with Master Groups
Wide range of Authentication– Active Directory– LDAP– RADIUS– Client Certificates– 2-Factor Auth (RSA SecurID and others)– HTTP Forms based and Basic Auth
Authentication based on Group– For e.g., 2-Factor auth for employees, RADIUS auth
for partners
14 Simplified Access Policy Management using Resource Groups
FirePass Features & Functions• Resource Alias – Automated update of access policies based on resource• Resource Groups – Drastically reduces changes to individual access policies new resources are added/modified• Enterprise Integration – Integration with AD, RADIUS, LDAP, Citrix MetaFrame etc.
MicrosoftExchange
Intranet
HR Application
CorporateResource Group
SalesResource Group
Employee Group
Sales Dept Group
Multiple User Groups Multiple Resources
Simplification by reducing configuration changes
Automated policy updates via Instant Access Policy Provisioning
Adaptable to new business needs
Instantly provision newresources
Change resources without having to update individual access policies
Business Benefit:
•
•
•
•
•
15
Strong Endpoint Security• Client Integrity Checking
– Checks for AV/FW software, OS patch etc.
• Protected (Secure) Workspace– Prevent accidental file leakage
• Cache Cleaner– Clear temp. files, browser cache
• Device level authentication– Machine certificates– Well known process– Pre-defined registry entry
16
Access ModesPortal Access– Access to Web applications & portals via FirePass Reverse Proxy – Web based access to email, windows files– Any browser based client device including mobile devices
Application Access– Access to specific client/server applications (hosts, ports)– Application level audit and access control– Windows 2000/XP/Vista clients
Network Access– Support for ANY TCP/UDP network applications– Full layer 3 network access (IPSec equivalent)– Broad client support Windows, Mac, Linux, PocketPC &
SmartPhone
17
FirePass® Network AccessExtend Corporate Network to Employees from Corporate Device
Client support • Windows Vista, XP, 2000• Windows Mobile 5 & 6 (Pocket PC & Smartphone)• Linux• Mac (incl. Intel based Mac)
Application access• Any Internet connection
• Any IP-based application • Optimization
Corporate NetworkCorporate Laptop
Network Access
SSL VPN Tunnel
• Increased productivity • Reduced operational costsBenefits:
FirePass®
Enterprise integration• Automated deployment• Centralized policies• VLAN Support
Microsoft
Exchange Server
BrowserMicrosoft
Outlook
18
FirePass® Network AccessEndpoint Security Features
Deep integrity check• Specific antivirus / FW checks• Registry, client cert, file checks• Windows OS patch levels
Quarantine policy support• Ensure policy compliance• Automatic direction to quarantine
• Strong Security • Protection against attacksBenefits:
FirePass®
FullNetwork
QuarantineNetwork
Please updateyour machine!
19
Application AccessSecure Extranet or Employee Access
Client support– Standard web browsers– Java/ActiveX capable
Restricted access– Defined applications– No network connection
Detailed logging– Session details
– Specific applications
Corporate NetworkPartner PC
Application Access
SSL VPN Tunnel
• Strong Security • Application-level auditingBenefits:
FirePass®
Browser• Terminal Servers• Legacy Hosts• Citrix• Client/Server Applications
Microsoft
Outlook
20
Citrix Application InteroperabilityFlexible Integration Options
Session Reliability Support– Terminal Services– Static AppTunnels– Portal Access
Citrix Deployment Guide on f5.comCitrix Seamless Windows Support
21
Portal AccessSecure Ubiquitous Access from Any Web-Enabled Device
Client support • Any web-enabled device• SSL security
Application Ready Access• OWA 2007, SharePoint 2007,
Oracle, SAP Portal, Peoplesoft HR
Portal etc.• Wide range of web app content
Corporate NetworkKiosk/Home PC
SSL
• Improved productivity • Reduced operational costsBenefits:
Portal Access
Browser • Web• Email• File Servers
FirePass®
Directory integration• Automated group mapping• SSO integration
22
Web Application InteroperabilityNext generation reverse proxy– New and improved HTML and JavaScript
Parsing Engines
Application Ready Access– Outlook Web Access (OWA) 2007– SharePoint 2007– iNotes 7.0– Oracle Portal (3.1) to 10g– PeopleSoft HR Portal 8.1– SAP Portal– ..
Emerging Web 2.0 Content Support– HTML, Javascript, Java, Flash,
AJAX
Web Server
FirePassReverse Proxy
Internet
Client
23
Desktop / Laptop Client OS Support
• Intel Macs• Client/Server Apps• Web based Apps• Web based Files
• Vista 64 bit• Client/Server Apps• Web based Apps• Web based Files
• XP 64 bit• Client/Server Apps• Web based Apps• Web based Files
24
MS SharePoint & OWA 2007 Application Delivery
• Security• Firepass Reverse Proxy• Granular Access Policy
• Performance• Web Acceleration• Local Traffic Management
• Availability• Access from any device• Global Load Balancing
25
Portal AccessPolicy-based security controls
Reverse proxy– URL obfuscation– Cookie protection– Browser cache control
Content Inspection– Block inappropriate traffic– Integrated virus scanner
Corporate Network
Kiosk/Home PC
SSL
• Enhanced SecurityBenefits:
Portal Access
Cache/Temp FileCleanup
Protected Workspace
• Web• Email• File Servers
Content Inspection Engine
FirePass®
Public Access Security – Cache cleanup– Protected workspace
26
Improving the User Experience
27
Enhanced Mobile User Support“Holy cow!! Forget MobileMe, I now have my entire work calendar on my iPhone so I can manage my work and personal life much better. It also worked extremely well for mail.”
— F5 Beta Tester Feedback
28
Mobile User Support
Internet SpecificApplication Access
Portal Access
Network Access
Application ready Access
Authorized Applications Mobile user
Intranet
FirePass®
Tunnel
SSL VPN
Firewall
Windows Mobile 5 & 6 Support
iPhonesupport
Standard (Safari)Browser
-+
-+
End-Point Secure Access Policy Management
Visual Policy Editor
29
Visual Policy EditorSimplified policy managementPoint and click interface to easily define end-point access policiesSingle point of management for FirePass clusters
30
Visual Policy Editor
Graphically associates a policy relationship between
end-points, users and resources
31
Group Policy for Remote & Mobile Users
Extend Group Policy to non-Domain endpoints.
Protects against loss of sensitive data.
Regulatory concerns? Comply with HIPAA, PCI & GLBA.
Integrated with Visual Policy Editor for easy deployment.
32
Group Policy Creation
Pre-defined templates for common policies
Custom template upload option
33
Customization
34
FirePass Provides Enterprise Class Scale and AvailabilityScalability
Supports up to 2,000 concurrent users per deviceSupport up to 20,000 users per cluster
AvailabilityOut of the box clustering (no 3rd party products required)Built in load-balancingOptimized integration with F5 traffic management productsRedundant Hardware and Software Options Available
“The reliability is very good. The FirePass boxes have been running flawlessly for about a year now”
- Salvatore Ranazzisi, Global Network Architect, Organon Pharmaceuticals
“FirePass failover capability is excellent. ”
- Joseph Girodo, Group Manager, Sports Authority
35
Best in Class SSL VPN
Best in Class Features & Performance
Security• Broad End Point Security - Anti virus, Firewall, OS, File Checks• Granular Access Policies
Lowest Cost of Ownership
Established Market Leadership
Broad Infrastructure Support• Any Client / Application • 3rd Party Infrastructure - Active Directory, LDAP, etc
Lowest Cost Pricing Structure• Most features included with core price• Flat fee failover device
Easy Maintenance & Deployment• Award-winning GUI• Visual Based Policy Editor• Home page and GUI localizationScalability
• Up to 2,000 conc. users• Up to 20,000 conc. user clustering• Scale with LTM Integration
Productivity• Secure Remote Access - Any Time, Any Place - Any Application - Any Device
The FirePass 4100 is the best remote access solution we've seen to date. It trumps other SSL VPN offerings with its ease of use, industrial strength hardware platform and advanced security features for unmanaged endpoint devices, one of the biggest risks emerging in this space. --George Wrenn - editor, Information Security Magazine
Product cited in Best IPSec/SSL VPN category of Reader Trust Awards 2007
Network World 2006 ‘Best of Tests’ Finalist Award
Frost & Sullivan Award for Market Penetration Leadership Award
Reader Trust
Network World
Frost & Sullivan
EAL-2ADV_SDMALC_FLR.1
October 2007
36
FirePass ClusteringCluster Nodes can be located anywherePolicy, Resource, Access information is distributed– Logs are centralized
IP config is not distributed– IP, DNS, Routes are local to
cluster– For example, the same
RADIUS server can be defined identically but will resolve differently
Cluster master
EMEA
APAC
US
37
FirePass platform selection guide1200 4100 4300
SME Medium Enterprise Medium to Large Enterprise, Service Providers
Target company size(# of Employees) 50 to 250 250 to 5500 2500 to several 10,000s
Recommended conc. users (per price/performance)* 100 500 2000
Max. conc. users per device 100 2000 2000Included Ethernet ports 2 (10/100) 4 (10/100/1000) 4 (10/100/1000)
CPU SpeedSingle Core
Two Single Core (Better Performance)
Two Dual Core (Best Performance)
Base memory 512 MB4GB (on 4110, 4120, 4130)
and 8 GB (4140, 4150) 8GB
Redundant Power Supply No Optional Yes (Built-in)
Optional fiber ports No No Yes (2)
Clustering No Yes Yes
Failover Yes Yes Yes
*Pricing is same on 4100 and 4300 for 1000 conc. users and above
38
FirePass Product RangeSmall to Medium
EnterpriseMedium to Large
Enterprise
FirePass 1200 Series FirePass 4100 Series FirePass 4300 Series
• 1U rack-mount server• Single core CPU• Non-expandable• 10 – 100 concurrent users• Host adapter• Mobile adapter
• 2U rack-mount server• 2 Single core CPU• Cluster expandable to 10 nodes – 1 master node and 9 slave nodes• Recommended concurrent
user add-ons: up to 500 concurrent users per node, 20,000 max in a cluster• Host Adapter• Hardware factory options
• SSL Card• FIPS SSL card• Additional memory
• 2U rack-mount server• 2 Dual core CPU• Cluster expandable to 10 nodes – 1 master node and 9 slave nodes• Recommended concurrent user • add-ons: up to 2000 concurrent users per node, 20,000 max in a cluster• Host adapter• Hardware factory options
• SSL Card• FIPS SSL Card• Additional memory
Entry level server designed for the small to medium enterprise; supports from 10 to 100 concurrent users
Designed for the medium size enterprise; recommended up to 500 concurrent users per server
Designed for the medium to large enterprise; supports up to 2000 concurrent users per server
39
FirePass Customers
Large enterprises, small/medium enterprises (SME)Service providers (Carriers & MSP)Government organizationsMultiple industries
Reference Success Stories on F5.com
40
Key Discovery Questions
Who are the remote users (employees/partners/suppliers etc.) ?
What applications do your users need to access securely ?
What client devices/OS do you allow on your network ?
How many concurrent users require secure access ?
How do you enforce your endpoint security policy ?
How are your users authenticated ?
41
Who are the FirePass Competitors?
Juniper– Secure Access (SA) Platform
Citrix– NetScaler
Cisco– ASA
Aventail– EX Series
Others – Microsoft Internet Access Gateway, NeoAccel, Nortel, Array, and
many more….
42
Key DifferentiatorsBest Endpoint Security Solution– Protected Workspace and Cache Cleaner– OS and AV inspection– Group Policy Templates
Broader Client & Application Interoperability – Windows, iMac and Linux– iPhone and WinMobile Devices– Browser based and standalone client
software
Simplified Management and Deployment – Visual Policy Editor– Integration with BIG-IP GTM
43
Resource HelpPMM/TMM– Peter Silva – TMM– Andy Oehler - PM– Jonathan George - PMM
Product Management Engineers– Technical Team working with Product Management
• Keith R. FirePass, MSM, EM• Brian T. WanJet, Web Accelerator• Dan G. ASM, LTM• Nat T. New Technology Research • Mike L. LTM, GTM, Everything Else
Resources:– *CAT (Outlook): Searchable Archives!– Mainstreet Site (Competitive Repository Goldmine)
• http://mainstreet/sites/sales/competitive/• “Engaging the CAT team” PDF
– “Monthly” Newsletter
44
Resource Help
F5.com - Product– http://f5.com/products/firePass
F5.Com White Papers– http://f5.com/solution-center/white-papers
EdgeSite being refreshed – complete by Feb 7th– Sales/customer presentations– Collateral– White Papers– Deployment Guide
45
What Can I Do To Expand FirePass Market Share?
Start talking about it– Get a “buzz” going today for sales tomorrow– Leverage existing customers; many still don’t know we have a
remote access security solution– It is old news for us, but the majority of folks are still not educated
on the advantages of SSL VPN and/or FirePass in particularKnow the product, and have confidence in it– Customers can smell fear and uncertainty; Juniper excels at
creating both– The product is only as saleable as the people selling it
Leverage the F5 name– F5 is synonymous with success!
Theme: Market Leading Remote Secure Access Strategy -New releases in April will make us a True market leader in: Unified Access
46
F5 Strengths
F5 is the Application Delivery Networking Leader!– BIG-IP dominates all the markets where it participates– TMOS platform is revolutionary approach that no one else can
offer– Strong partnerships with leading application vendors
• Microsoft, Oracle, SAP, etc.– Applications are our core competence
• Most of our competitors have first begun to focus on the ADN market within the last couple of months; they are not prepared to make the transition (i.e. Juniper, Citrix, Cisco, etc.)
– F5 now has a market leading security solutions strategySummary: We own the secure application delivery networking space, so own the SSL VPN!
47
FirePass Look-ahead StrategyFirePass will continue to support new features and product support for some time by supporting a separate FirePass and BIG-IP product lineFirePass will maintain product competitiveness by adding further product feature differentiationFirePass will focus on functionality that can be leveraged by both FirePass and BIG-IP SAMFirst release of BIG-IP SAM will support Granular Network Access only. Will adopt FirePass Application access proxy and other features over time
48
Summary: FirePass DeliversKey Features– Enterprise-class, High Availability platform– Built-in, load balanced clustering– Visual Policy Editor and 30 Minute install– Supports Windows, Mac, Linux, Solaris and other clients– Built-in Protected Workspace and end-point security – Integrates with existing enterprise infrastructure and applications
Key differentiators– Comprehensive end-point security– Powerful, easy to use management interface– Scalability, Performance and Reliability– Breadth of clients, applications and infrastructure
Competitive Advantage– Best combination of capabilities, usability and security– Lowest Total Cost of Ownership and Highest ROI
49
