F5 device enforces LAN access

May 08, 2006
F5 FirePass devices will enforce LAN access policies.

LAS VEGAS – F5 Networks is getting ready to speed up its remote access SSL VPN gear so it can act as a policy enforcer for devices wired to LANs.

The company later this year will boost the capacity of its FirePass VPN gear from 2,000 concurrent users to 20,000 concurrent users, according to F5 executives interviewed at Interop. This will give the devices enough capacity to handle the load of screening workstations seeking access to large corporate LANs, and enforcing whether they are admitted.

FirePass SSL VPN gear already performs access control on computers trying to gain access remotely over the Internet. With greater capacity, these devices could check whether endpoints on a corporate network comply with security policies such as having patched operating systems and updated anti-virus software. Those that pass would be admitted according to authorization set by network executives. Those that fail would be rejected or diverted to a LAN segment where they could download software needed to bring them into compliance.

The company last fall added the ability for its FirePass devices to divert non-compliant machines to remediation sites. At that time it also announced the devices had been integrated with F5’s Big IP load balancers so the Big IPs could front the VPN gear and distribute incoming requests, making it possible for a network to use multiple FirePass devices acting as a single device.

With the boosted capacity, the Big IP devices will no longer be needed for networks requiring more than 200 but less than 20,000 users. The upgrade also will make it possible to deploy FirePass gateways in pairs for high availability, arrayed either active-active standby or active-passive, the company says.

The architecture is similar to Juniper’s scheme for network access control called Infranet in that they both use SSL VPN technology to check whether endpoints have the appropriate security posture and to block admission to a network when they don’t.

In addition, the company on May 22 plans to announce FirePass Version 6.0 that will enhance the ability of the management platform to define policies about access and remediation of devices that fail to meet configuration policies.

The plan is to make the remediation so simple that users can upgrade their machines themselves to come into compliance and gain network access.

Separately this summer, the company will announce a tool in its Global Traffic Manager software to grant multiple administrators different privileges for configuring its devices. So network administrators might be allowed to add a user to a group that can gain access to a network but not alter the security policies for the group, while security administrators might be able to alter the policies but not add new users.