F5 Firepass

F5 FirePass 4100

Ensuring the secure and optimized delivery of applications for businesses worldwide.

"The FirePass 4100 is the best remote access solution we've seen to date. It trumps other SSL VPN offerings with its ease of use, industrial strength hardware platform and advanced security features for unmanaged endpoint devices, one of the biggest risks emerging in this space." George Wrenn, Information Security Magazine

F5 FirePass Overview

F5's FirePass SSL VPN appliance provides secure access to corporate applications and data using a standard web browser. Delivering outstanding performance, scalability, ease-of-use, and security, FirePass helps increase the productivity of those working from home or on the road. Businesses reap a competitive advantage because they can give key partners controlled access to applications and data. And IT departments can rest assured with a reliable solution that deploys quickly and interoperates immediately with their existing network infrastructure.

Best of all, it’s from F5 – the world leader in application delivery networking with over 10,000 enterprise customers, backed by the world-class F5 support network.

Key Benefits of the F5 FirePass

Broadest Application Support –
Access to email, web portals, network file services, terminal services, CRM and other key enterprise applications, using any device.

Integrated Endpoint Security –
Delivers a Secure Virtual Workspace, pre-login endpoint integrity checks, and endpoint trust management for peace of mind with fewer administrative hassles.

Highest Scalability –
Supports up to 2,000 concurrent sessions on a single, easy-to-manage box. Built-in load balanced clustering can support up to 20,000 sessions. More than 20,000 sessions can be supported by integration with BIG-IP.

Low Cost of Ownership –
Installs in 30 minutes or less. Visual Policy Editor delivers a point-and-click interface for managing groups, users, or devices with ease.

Market Leading Performance and Scalability –
Fast access using compression for file transfers and email; supports an unlimited number of users.

Broad Interoperability –
Supports existing network infrastructure and identity management systems via Radius, LDAP, and more. Delivers web portal integration with support for Java applets, Javascript rewrite, and more (VPNC certified).

High Availability and Reliability –
Delivers the same, state-of-the-art hardware platform as F5's award-winning BIG-IP traffic management system.

Integrated Endpoint Security

F5 FirePass prevents infected PCs, hosts, or users from connecting to your network. Automatic re-routing for infected PCs reduces help desk calls and prevents sensitive data from being snooped by keystroke loggers and malicious programs.

F5 FirePass provides:

• Automatic detection of security compliant systems, preventing infection
• Automatic integration with the largest number of virus scanning and personal firewall
solutions in the industry (over 100 different AV & Personal Firewall versions)
• Automatic protection from infected file uploads or email attachments
• Automatic re-routing and quarantine of infected or non-compliant systems to a self
remediation network – reducing help desk calls
• A secure workspace, preventing eavesdropping and theft of sensitive data
• Secure Login with a randomized key entry system, preventing keystroke logger snooping
• Full integration with the F5 FirePass Visual Policy Editor. This enables the creation of custom template policies based on the endpoints accessing your network and your company’s security profile

Portal Access - Secure Access From Public Systems For Employees, Customers and Partners

The FirePass Portal Access capability works on any client OS with a browser – Windows, Linux, Macintosh, Pocket PC's, PDAs and more.

Portal Access Available On F5 FirePass:

Web Applications

• Provides access to internal web servers, including Microsoft Outlook Web Access, Lotus iNotes, MS SharePoint Portal as easily as from inside the corporate LAN.
• Delivers granular access control to intranet resources on a group basis. For example, employees can be provided access to all intranet sites; partners can be restricted to a specific web host.
• While accessing resources, F5 FirePass dynamically maps internal URLs to external URLs, so the internal network structure does not reveal them.
• Manages user cookies at the FirePass Controller to avoid exposing sensitive information. For applications that require access to cookies, FirePass can pass cookies to the remote browser.
• User credentials can be passed to web hosts to support automatic login and other user specific access to applications. F5 FirePass also integrates with existing identity management servers (e.g. Netegrity) to enable single sign on to applications.
• F5 FirePass proxies login requests from web hosts to avoid having users cache their passwords on client browsers.
• Provides split-tunneling support for web applications, resulting in faster end user performance when accessing public web sites.
• Dynamic server-side caching for increased web application (reverse proxy) performance and faster page download times.
• Delivers out-of-the-box reverse proxy support for rewriting a wide variety of Javascript content in web pages, saving time.

• Allows users to browse, upload, download, copy, move or delete files on shared directories.
• Supports SMB Shares, Windows Workgroups; NT 4.0 and Win2000 domains; Novell 5.1/6.0 with Native File System pack, and NFS servers.

• Provides secure web-based access to POP/IMAP/SMTP email servers from standard and mobile device browsers.
• Allows users to send and receive messages, download attachments and attach network files to emails.

• Secure access from PDAs, e.g. Palm OS, cell phones, e.g. WAP and iMode phones to email and other applications.
• Dynamically formats email from POP/IMAP/SMTP email servers to fit the smaller screens of mobile phones and PDAs. Supports the sending of network files as email attachments and the viewing of text/Word documents.

Portal Access – Comprehensive Security

Client Security

• Protected Workspace – Users of Windows 2000/XP can be automatically switched to a protected workspace for their remote access session. In a protected workspace mode, the user cannot write files to locations outside the protected workspace and the temporary folders and all of their contents are deleted at the end of the session.
• Cache Cleanup – The cache cleanup control removes the following data from the client PC: Cookies, Browser history, Auto-Complete information, Browser cache, Temp files, all ActiveX controls installed during the remote access session, and empties the recycle bin.
• Secure Virtual Keyboard – For additional password security, F5 FirePass offers the patent-pending Secure Virtual Keyboard which enables secure password entry from the mouse instead of the keyboard.
• Download Blocking – For systems unable to install a "cleanup" control, F5 FirePass can be configured to block all file downloads to avoid the issue of inadvertently leaving behind temporary files – yet still allow access to applications.

Content Inspection and Web Application Security
For users accessing web applications on the corporate network, FirePass enhances application security and prevents application-layer attacks (e.g. cross-site scripting, invalid characters, SQL injection, buffer overflow) by scanning web application access for application-layer attacks – then blocking user access when an attack is detected.

Integrated Virus Protection
F5 FirePass can scan web and file uploads using either an integrated scanner or external scanner via ICAP API. Infected files are blocked at the gateway and not allowed onto email or file servers on the network, heightening protection.

The F5 FirePass Policy Engine enables administrators to easily manage user authentication and authorization privileges.

Dynamic Policy Based Access
With F5 FirePass, administrators have quick and granular control over their network resources. Through policy support, administrators can authorize access to applications based on the user and device being used.

User Authentication
By default, users are authenticated against an internal F5 FirePass database, using passwords. But F5 FirePass can also be easily configured to work with RADIUS, Active Directory, RSA 2-Factor, LDAP authentication methods, basic and formbased HTTP authentication, identity management servers (e.g. Netegrity), and Windows Domain Servers.

Two-Factor Authentication
Many organizations require "two-factor" authentication which uses something beyond knowledge of a user ID and password. FirePass fully supports RSA SecurID® token-based authentication and RSA native ACE authentication.

Client-Side Certificate/PKI Support
F5 FirePass enables the administrator to restrict or permit access based on the device being used to access the F5 FirePass Controller.F5 FirePass can check for the presence of a clientside digital certificate during user login. Based on the presence of this digital certificate,F5 FirePass can support access to a broader range of applications. FirePass can also use the client-side certificate as a form of two-factor authentication and prohibit all network access for users without a valid client-side certificate.

Group Management Access privileges can be granted to individuals or to groups of users (for example: "Sales", "Partners", "IT"). This allows F5 FirePass to restrict individuals and groups to particular resources. Partners may be allowed access only to an extranet server, while Sales staff can connect to email, the company intranet, and the CRM system.

Multiple Group Mapping – RADIUS
FirePass can query RADIUS servers for group information and automatically map multiple RADIUS groups to F5 FirePass resources groups. This simplifies deployment and lowers costs while shortening the deployment time in a large scale environment.

Session Timeouts and Limits
Administrators can configure inactivity and session timeouts to protect against a hacker attempting to take over a session from a user who forgets to logoff at a kiosk.

Role-Based Administration This gives organizations flexibility in providing some administrative functions (enrolling new users, terminating sessions, re-setting passwords) to some administrator-users, without exposing all functions to them (for example, shutting down the server, deleting a certificate).

Audit Services
FirePass provides reports from the session and activation logs. Summary reports aggregate usage by day of the week, time of day, accessing OS, features used, web sites accessed, session duration, session termination type, and other information for a user-specified time interval.

Customization of the F5 FirePass

Localized End User GUI
FirePass allows all fields on the end user web page to be localized, including the names of the feature (e.g. web Applications). This enables companies to localize all end user’s GUI, not just user favorites – improving ease of use.

Complete Login and WebTop Customization
With F5 FirePass, administrators can completely customize an entire login and webtop web page to best suit their existing corporate web site portals; F5 FirePass allows the uploading of custom pages using WebDAV capabilities for an enhanced end-user experience.

Auto Launch Applications
F5 FirePass can automatically launch one or more configured favorites upon user login, saving time in accessing resources.

Application Access - Secure Access To Specific Applications

F5 FirePass allows administrators to grant certain users – for example, business partners using equipment not maintained by the company – access to specific extranet applications and sites. F5 FirePass protects network resources by only allowing access to applications that are specifically cleared by the system administrator.

Specific Client/Server Application Access:

• Enables a native client side application to communicate back to a specific corporate application server via a secure connection between the browser and the F5 FirePass Controller.
• Does not require the user to pre-install or configure any software.
• On the network side, requires no additional enabling software on the application servers being accessed.
• Uses the standard HTTPS protocol, with SSL as the transport so it works through all HTTP proxies including public access points, private LANs, and over networks and ISPs that do not support traditional IPSec VPNs.
• Supported applications include Outlook to Exchange Clusters; Passive FTP, Citrix Nfuse, and network drive mapping.
• Administrators can also support custom applications including CRM as well as other applications that utilize static TCP ports.
• Supports auto-login to AppTunnels, Citrix, WTS applications to simplify end-user experience.
• Supports auto-launch of client side applications to simplify end-user experience and lower support costs.
• Unique support for compression of client/server application traffic over WAN to offer better performance.

• Provides secure Web-based access to Microsoft Terminal Servers, Citrix MetaFrame applications, Windows XP Remote Desktops, and VNC servers.
• Supports group access options, user authentication and automatic logon capabilities or authorized users.
• Supports automatic downloading and installation of the correct Terminal Services or Citrix remoteplatform client component, if it is not currently installed on the remote device, saving time.
• Supports remote access to XP desktops for remote troubleshooting using RDP and non-XP desktops using built-in VNC feature.

• Enables secure web-based access to legacy VT100, VT320, Telnet, X-Term, and IBM 3270/5250 applications.
• Requires no modifications to the applications or application servers.
• Eliminates the need for 3rd party host access software, reducing TCO.

F5 FirePass Network Access for Windows, Macintosh, PocketPC and Linux Systems:

• Standard features across all desktop and laptop platforms include split tunneling, compression, activity-based timeouts, and automatic application launching.
• Provides secure remote access to the entire network for all IP-based (TCP, UDP) applications.
• Unlike IPSec VPNs, provides remote access without requiring pre-installed client software and configuration of the remote device. Client or server side application changes are not required.
• Allows administrators to restrict and protect resources accessible through the connector by instituting rules that limit access to a specific network or port.
• Uses the standard HTTPS protocol with SSL as the transport, so it works through all HTTP proxies including public access points, private LANs, and over networks and ISPs that don’t support IPSec VPNs.
• Utilizes GZIP compression to compress traffic before it is encrypted, reducing the amount of traffic that is sent across the Internet and improving performance.

• Safe Split Tunneling – To protect against backdoor attacks when accessing the network with split tunneling, FirePass provides a dynamic firewall that protects Win2k/XP users when using the full network access feature. This eliminates the ability for a hacker to route through the client to the corporate network or for the user to inadvertently send traffic to the public network.


• Client Integrity Checking – FirePass increases security by detecting the presence of required processes (e.g. virus scan, personal firewalls, OS patch levels, registry settings, etc.) and the absence of other processes (e.g. key logger) on the client PC before allowing full network access.

• Standalone Windows Client - FirePass establishes a network connection after entering user credentials. Software can be automatically distributed to the client using Microsoft's MSI installer technology.
• Provides Automatic Drive Mapping - Network drives can be automatically mapped to a user's Windows PC.
• Provides Static IP Support – Assigns static IP based on the user, when the user establishes a network access VPN connection – lowering administrative support costs.

iControl SSL VPN Client API for Secure Application Access

As the only SSL VPN product with an open API and SDK, FirePass Controller enables automated, secure access for rich Win32 client applications by providing secure system-to system or application-to-application communication. Now, applications can automatically start and stop network connections transparently without requiring users to log into the VPN. This enables faster, easier connections for end users while reducing client application installation.

F5 FirePass 1000 Series
The F5 FirePass 1000 Controller is a 1U rack-mount server designed for small to medium enterprise locations. It supports up to 100 concurrent users and offers a comprehensive solution for secure web-based remote access to corporate applications and desktops.

F5 FirePass 4100 Series
The F5 FirePass 4100 Controller is a 2U rack-mount server designed for large enterprise locations. It supports up to 2000 concurrent users and offers a comprehensive solution for secure web-based remote access to corporate applications and desktops.

FIPS SSL Accelerator Hardware Option
F5 FirePass is FIPS compliant* to meet the strong security needs of government, finance, healthcare and other security conscious organizations. FirePass 4100 offers unique support for FIPS 140 Level-2 enabled tamper proof storage of SSL keys, as well as FIPS certified cipher support for encrypting and decrypting SSL traffic in hardware. FIPS SSL Accelerator is available as a factory install option to the base 4100 platform.

SSL Accelerator Hardware Option
F5 FirePass 4100 offers a unique Hardware SSL Acceleration option to offload the SSL key exchange as well as the encryption and decryption of SSL traffic. This enables significant performance gains in large enterprise environments for processor intensive ciphers such as 3DES and AES.

Clustering
F5 FirePass 4100 Controllers can be clustered to support up to 20,000 sessions on a single URL with built-in load balanced clustering option, without performance degradation. For high performance large scale clustering, customers can leverage unique integration with BIG-IP by off-loading SSL termination to BIG-IP, scale beyond the 20,000 concurrent sessions in a cluster, and maximize the SSL VPN cluster performance.

Failover
F5 FirePass Controllers can be configured for hot, stateful failover between yoked pairs of servers (an active server and a standby server), without session interruption or termination. This means that in the unlikely event of a server failure, all session data is preserved and the failover to a backup unit is invisible to the user.

F5 FirePass Specifications

Hardware Specifications

FirePass 1000

Power Supply:
180 Watt
Weight:
~10 lb
Dimensions:
16.7" x 1.7" x 11"
Certifications:
US/Canada - UL - UL 1950
European Union - Low Voltage Directive - EN 60950
European Union - EMC Directive EN 50081-2 & EN 61000-6-2
CE
Temperature (operating):
0-40 Deg C
Humidity:
5-85% @ 40 Deg C (non-condensing)

FirePass 4100

Power Supply:
400W with redundant option 
Weight:
~36 lb
Dimensions:
17.5" x 24.5" (OAL)/23.5" behind mounting ears x 3.5"
Certifications:
US/Canada - UL - UL 1950
European Union - Low Voltage Directive - EN 60950
European Union - EMC Directive EN 50081-2 & EN 61000-6-2
CE 
Temperature (operating):
5-40 Deg C
Humidity:
5-85% @ 40 Deg C (non-condensing)

F5 products address the three main areas of Application Delivery Networking: Application Security, Application Optimization and Application Availability.

Regardless of your network application pain, F5 has a solution. And because we recognize that each network issue has an impact upon other critical areas, F5 products share powerful attributes across the industry's only integrated platform - TMOS. TMOS includes the iControl API, which allows F5 products to communicate with each other and implement extremely flexible policies in the form of iRules. An active developer community, unique to F5, creates and shares customized iRules for enforcing virtually any kind of application-delivery behavior.

The result is elegant and powerful solutions to protect you from security threats, network failures and traffic congestion, while putting in place an architecture for the future.