Field Systems Engineer F5 Networks Central Europe

Presentation transcript:

SSL VPN - FirePass
Rainer Singer, Field Systems Engineer, F5 Networks Central Europe
This presentation provides a short overview of the F5 FirePass controller.

Market Opportunity
High-growth market
“Spending on SSL VPN’s will grow at a 53% compound annual growth rate, and SSL VPNs will surpass traditional IPsec VPNs as the de-facto remote access security standard by 2008.” (Forrester Research)

Recognised as Best-of-Breed
TOP RATED • GOLD AWARD • ENTERPRISE VPN SOLUTION • HOT PICK
Dates shown: October 2004, January 2005, January 2005
“Sets a new standard for ease of use in setup and configuration, and for the wide array of client OS’s and browsers supported.”
“The best remote access solution we've seen to date.”
“It trumps other SSL VPN offerings with its ease of use, industrial strength hardware platform and advanced security features for unmanaged endpoint devices, one of the biggest risks emerging in this space.”
“Taking the primo prize is our Gold Award winner, the FirePass Controller v5.2 from F5 Networks Inc. Most important to our judges was the ease of integration that FirePass exhibits… FirePass also stands out because it offers full network access support to any IP application across multiple platforms.”
Scorecard: FirePass 1000, F5 Networks, F5networks.com: Excellent, 9
Criteria and score weight: Security 30%, Interoperability 25%, Setup 20%, Ease-of-use 15%, Value 10%

FirePass® Overview
Diagram labels: Any User, Any Device, Laptop, Kiosk, Mobile Device, Partner, Internet, Secured by SSL, FirePass®, Dynamic Policies, Authorized Applications, Network Access, Portal Access, Specific Application Access, Intranet
F5’s FirePass Controller provides a comprehensive remote access solution consisting of:
• Access from Any User on Any Device – FirePass supports virtually any device with a web browser.
• Dynamic policies – FirePass can dynamically adapt policies to ensure that users can only access their authorized applications. In addition, FirePass can adapt the level of access based on the type of device (e.g. corporate laptop, kiosk, mobile phone) used for remote access.
• Authorized applications – FirePass provides 3 types of application access:
  – Full network access – IPSec replacement with full access to all IP applications
  – Portal access – secure access to a customer portal or a FirePass web portal
  – Specific application access – access to specific applications, such as a single client/server application or specific web site

Adaptive Client Security
Diagram labels: Kiosk/Untrusted PC, PDA, Laptop, Kiosk Policy, Cache/Temp File Cleaner, Corporate Policy, Firewall/Virus Check, Mini Browser Policy, Client/Server Application, Full Network, Terminal Servers, Files, Intranet, Email
One of the real strengths of an SSL VPN solution is the breadth of access. However, customers don’t want to open up access from any device to any application – this would be a huge security exposure. With adaptive client security, the FirePass controller lets an administrator enable different levels of access based on the device and user. For example:
• Kiosk users with the cache cleanup feature can access terminal servers, files, intranet, and email
• PDA users can access the intranet and email
• Laptop users are provided full network access with support for all client/server applications

Dynamic Policy Engine
• User / Device Security
• Dynamically adapt user policy based on device used
• Seamless Integration
• Utilize existing AAA servers
• Automatic user group mapping
• Detailed audit trail
• Application level visibility
Diagram labels: Dynamic Policy Engine, Application Access, Mobile Device Policy, Kiosk Policy, Default Policy, Laptop Policy, FirePass
• Authentication: LDAP, RADIUS, WIN NT/2K, Web-Based
• Group: Sales, Financial, Auditors, etc.
• Access Rights: Intranet, SAP, Siebel, File Shares
• Audit: Usage Reporting (Who accessed, What was accessed, From Where)
The FirePass dynamic policy engine allows organizations to set up rules to match their business needs governing groups, authentication and access rights. These rules tell FirePass how the organization would like specific situations to be handled and ultimately reported on.

Unmatched End-Point Security
Anti-Virus Integration: Symantec (Norton), McAfee, Trend Micro, Computer Associates (eTrust), F-Secure, Sophos, Kaspersky Lab, Panda Software, FRISK Software (F-Prot), Zone Labs, Authentium, SOFTWIN (BitDefender), Grisoft (AVG), Doctor Web, Eset (NOD32)
Firewall Integration: Zone Labs, Sygate, Microsoft, McAfee, Symantec, Tiny Software
OS Integration:
• Presence and absence of any specific process
• OS service packs
• IE service packs
• System registry settings
• Routing table entry change detection
• Digital certificates
• Trusted IP or MAC
• etc.
Checks for presence and prevents any information from being cached or indexed.

Visual Policy Editor
• Graphically associates a policy relationship between end-points, users and resources
• Makes it extremely easy to set up even sophisticated policies, lowering TCO
• Reduces configuration mistakes and avoids security holes

FirePass – Positioning
• Network Access: VPN Connector
• Portal Access: My Intranet, Windows & Unix File Adapter, Mobile Email Adapter
• Application Access: App Tunnels, Terminal Server Adapter, Host Access, X-Windows
In V5 the FirePass webifyer features are grouped into major usage modes. These include:
• Network Access – SSL-VPN or VPN Connector
• Portal Access – Web based access to files, emails, web applications – intranet & extranet portals
• Application Access – AppTunnels or specific client/server application access
• Desktop Access
Helps to make it easier to communicate and message. Depending on customer requirements, they may need to use FirePass in one or more of these use-scenarios.

Network Access: VPN Connector

Comprehensive Application Access
Extend Network Access
Diagram labels: Corporate Laptop, Browser, Network Access, FirePass®, SSL VPN Tunnel, Corporate Network, Microsoft Exchange Server
Mobile users today often utilize an IPSec client to extend the corporate network to the client laptop. FirePass offers a similar, yet superior solution by using SSL to deliver all of the same applications as an IPSec client without the hassles of installation and support of an IPSec client.
Application access - With FirePass, laptop users can connect using any standard browser. Using the FirePass VPN connector, users establish a tunnel connection to any TCP/UDP applications. This indeed does replace IPSec for client-to-site. FirePass provides the same functionality, same transparent access, same access to applications without all the frustrations, costs and limitations associated with IPSec.
Strong security - FirePass checks the integrity of the client (active firewall, antivirus) before allowing a full network connection – these policies are all maintained centrally on the FirePass controller. Plus FirePass provides flexibility so you can provide full network access when appropriate, or limit that access as necessary. It’s the best of both worlds.
Enterprise integration - Finally, FirePass integrates with the existing security infrastructure to simplify deployment. Users do not have to preinstall a VPN client (the necessary client technology is installed via the browser) so deployment is greatly simplified when compared to IPSec solutions.
Secure access to all IP applications
Client support
– Windows, Linux, MacOS
– Java/ActiveX download
– Windows client
Enterprise integration
– Automated deployment
– Centralized policies
– Client quarantine
Application access
– Any IP-based application: UDP, TCP, ICMP

Extending Secure Access to All Desktops
Extending secure access to all the users in an organization
• Windows (~85%)
• Mac (~10%) – Mac Users: Execs, Marketing, Graphic Designer, Non-technical users
• Linux (~5%) – Linux Users: System Administrators, Developers, Technicians
Add developers
“Our most strategic users needing secure remote access are developers and they use Linux.” - Oracle Technology Business Unit

Policy Checking with Network Quarantine
Deep Integrity Checking
– Specific antivirus checks
– Windows OS patch levels
– Registry settings
Quarantine Policy Support
– Ensure Policy Compliance
– Direct to quarantine network
Diagram labels: Full Network, FirePass®, Quarantine Network, “Please update your machine!”

Portal Access: My Intranet, Windows & Unix File Adapter, Mobile Email

Portal Access
Policy-based security controls
Diagram labels: Kiosk/Home PC, Protected Workspace (WIN2K/XP), Portal Access, FirePass®, SSL, Content Inspection Engine, Corporate Network (Web, Email, File Servers)
Secure access to corporate portals
Client protection
– Protected workspace
– Secure virtual keyboard
SSO Integration
– SSO interoperability
– FirePass autologin
Content Inspection
– Application security
– Virus scanner
– Block access

Secure Portal Access from Un-Trusted Clients
Protected Workspace
– Private workspace for all downloaded files
– Removes any trace of downloaded files after session
– Separate I/O (protected boundary)
Secure Virtual Keyboard
– Keyless password entry protects from key-stroke loggers
– Patent pending

Enterprise SSO Integration
Diagram labels: Netegrity SiteMinder, Dynamic Policies, “1. User ID, Password”, FirePass®, “2. Session Cookie”, Internet, Web Servers, “3. Session Cookie”
• HTTP forms-based authentication
• Single sign-on to all web applications
• Major SSO & Identity Mgmt Vendor Support: Netegrity, Oblix and others

Application Security
Diagram labels: Internet, FirePass®, Web Servers, ICAP AntiVirus, “1. SQL Injection” (marked X)
Policy-based virus scanning
– File uploads
– Webmail attachments
– Integrated scanner
– Open ICAP interface
Web application security
– Cross-site scripting
– Buffer overflow
– SQL injection
– Cookie management

Application Access: X-Windows, Terminal Server Adapter, Host, App Tunnels

Specific Application Access
Secure Extranet or Employee Access
Diagram labels: Partner PC, Browser, Application Access, FirePass®, SSL VPN Tunnel, Corporate Network (Terminal Servers, Legacy Hosts, Desktops, Client/Server Applications)
Benefits:
• Strong Security
• Application-level auditing
Client support
– Standard web browsers
– Java/ActiveX capable
Restricted access
– Defined applications
– No network connection
Detailed logging
– Session details
– Specific applications

FirePass Product Line
A product sized and priced appropriately for every customer
FirePass 600 – Small Business VPN
• 10-25 Concurrent Users
• 10 to 100 employees
• Easy to install and use
• Cost-effective
• 100% Channel Product
• Standard support
• Limited Featureset
FirePass 1000 – Medium Enterprise
• 25-100 Concurrent Users
• 25 to 500 employees
• Comprehensive access
• End-to-End security
• Flexible support
• Failover
FirePass 4100 – Large Enterprise
• 100-2000 Concurrent Users
• 500+ employees
• High performance platform
• Comprehensive access
• End-to-End security
• Flexible support
• Failover
• Cluster up to 10

Summary: FirePass Delivers
Key Features
• Enterprise-class, High Availability platform
• Built-in, load balanced clustering
• SSL acceleration and server side caching
• Visual Policy Editor and 30 Minute install
• Supports Windows, Mac, Linux, Solaris and other clients
• Built-in Protected Workspace and end-point security
• Integrates with existing enterprise infrastructure and applications
Key differentiators
• Out-of-box Scalability, Performance and Reliability
• Powerful, easy to use management interface
• Breadth of clients, applications and infrastructure
• Comprehensive Risk Management including end-point security
Competitive Advantage
• Best combination of capabilities, usability and security
• Lowest Total Cost of Ownership and Highest ROI

Questions ?