A High Level BIGIP Pitch

1
SSL VPN The new trend of secure remote
access 10 November, 2003
2
Why Firepass is the best remote solution for you

• Speaker Mr. Dan Matte, Vice President of Product
  Management and Marketing, F5 Networks

3
F5 Company Overview

• Pioneers in Internet Application Traffic
  Management
• Solid financial position
• 6000 customers
• 2 Market share in L4 L7
• 1 in SSL
• 500 employees worldwide
• NASDAQ FFIV
• FY02 Revenue 108 M
• Key Strategic Partners

4
Leadership Position
Web Infrastructure Optimization Magic Quadrant
for 2002
Challengers
Leaders

• We still consider F5 to be the thought leader in
  the market. They continue to add to a broad
  product offering and include a dizzying array of
  features, some of which competitive companies
  have built entire product offerings around.
• We believe F5 will continue to add capabilities
  that are compelling to the enterprise and broaden
  their offering to concentrate on the natural
  consolidation points within the IDC.
  Mark Fabbi,
  Gartner

F5 Networks
Cisco
Radware
Ability to Execute
Nortel
Foundry
Array Networks
Netscaler
Redline
Niche players
Visionaries
Completeness of Vision
Gartner, October 2002
5
6000 Enterprise Clients
Financial
Media
Other
IT
Transport
Telco/ISP
6
F5 Partners ready solution set
Applications Application availability and
optimal performance
Systems Management Rapid troubleshooting,
service management, lower cost
RDP, OpenView
and many more
7
F5s FirePass eliminates the need for IPSec VPNs
for secure remote access.
8
Whats Being Said

• Enterprises that want easier and more flexible
  ways to deploy secure remote access should
  consider SSL VPNs for new investments, and as
  upgrades for legacy VPNs. John Girard, Gartner
• SSL VPNs not only offer better security than
  IPSec VPNs, they can offer substantial savings -
  Dana Hendrickson, Breakaway Marketing
• We expect SSL-based solutions to eventually be
  the dominant security protocol for user and
  application level remote access
• Zeus Karavalla, Yankee Group
• SSL Based VPNs are likely to replace IPSec VPNs
  for secure remote access - Tolly Group, January
  2003
• We believe by 2005/06 SSL-based solutions will be
  the dominant method for remote access, with 80
  of users utilizing SSL. - David Thompson, Meta
  Group 11/02
• SSL remote access is 45 less expensive than
  IPSec solutions and 72 cheaper than dial-up (not
  including toll costs)
• Yankee Viewpoint - 10/02

9
SSL VPN Market Forecast
10
Industry Breakdown
11
Drivers of Secure Remote Access
Growth of Mobile Device Applications
Partner, Supplier, Customer, Channel Access
Disaster Planning and Recovery
Reliable Access
Teleworkers
Mobile Workforce
12
Remote Access Business Goals
TCO
Policy-Based Control
Availability
Security
13
Remote Access Alternatives
RAS
IPsec
Many
Application Support
Terminal Services
Basic SSL VPN Solution
Few
Web Enabled Applications
Security
Coarse
Fine
14
New Threats to the EnterpriseApplication
Security Risk
Current network Security devices DO NOT PREVENT
application attacks!
Unauthorized User From A Valid Terminal
Partner
Employee
Customer
Corporate IP Network
Corporate Apps Data
Invalid Transaction From A Valid System
Current Network Perimeter Security (Firewall,
Virus Scan, IDS, etc.)
15
New Threats to the EnterpriseApplication
Security Risk
Securing user or transaction access to
applications and data is critical to completely
securing enterprise IT
Unauthorized User From A Valid Terminal
F5 Application Security Gateway User/transaction
validity App data access auth.
Partner
Employee
Customer
Corporate IP Network
Corporate Apps Data
Invalid Transaction From A Valid System
Network Perimeter Security (Firewall, Virus
Scan, IDS, etc.)
16
How does IPSec compare?
Any User
Employee Partner Supplier
Any Application
Any Location
Hotel Kiosk Hot Spot
Web Client/Server Legacy Desktop
Any Devices
Highly Available
Laptop Kiosk Home PC PDA/Cell Phone
Global LB Stateful Failover Disaster Recovery
Secure
Ease of Integration
Data Privacy Device Protection Network
Protection Granular App Access
AAA Servers Directories Instant Access
Ease of Use
Clientless Simple GUI Detailed Audit Trail
17
Why SSL VPN Over IPSec for Remote Access?

• Reduced support costs and increased productivity
• Works everywhere
• Impervious to network hurdles
• Easy to administer
• Lower TCO with SSL VPNs
• 80,000 to 260,000 savings over 3 years compared
  to IPSec
• Breakaway Marketing Group August 2003
• Rich client activity logging auditing
• Superior security
• Precise appropriate access
• IPSec was the best alternative at the time
• Times have changed

18
F5 VPN Deployment FirePass vs. CheckPoint
Note 300 End Users High-Availability
Configuration
19
Firepass - the best remote solution for you
20
Competitive ChallengeClientless Application
Access
Provide Secure remote access from a home computer
to enterprise applications
Home Computer
Corporate Network
Corporate Desktop
UNIX/Linux System
Email / Terminal Server
Mainframe
Web Server
21
F5 SSL VPN Value Proposition

• F5s SSL VPN solution offers
• The most comprehensive application access to
  enhance workforce and business partner
  productivity
• Dynamic policy-based access for greater security
  and network control
• Complete application security for internal and
  external users

22
F5 FirePass SSL VPN Solution
Dynamic Policies
Any Application
Ubiquitous Delivery
Secured by SSL
Laptop
Mainframe
Internet
Kiosk
Server
Mobile Device
Desktop
Partner
23
Adaptive Client Security
Laptop
Kiosk
PDA
C/S Application Full Network
Terminal Servers
Files
Intranet
Email
24
Management - User Authentication

• External Server
• RADIUS Server (Win2K, other)
• LDAP (e.g Active Directory)
• WinNT (NTLM) Server (V4.0)
• HTTP basic login (V4.0)
• HTTP forms-based login (V4.0)

• Flexible server support
• External AAA server
• Internal database
• RADIUS server is the most common solution
• Available with Win2K
• Other vendors solutions available

SSL Connection
FirePass Internal Database
SSL Connection
25
Management - 2-Factor Authentication

• 2-Factor Authentication
• Something you have
• Token card
• Something you know
• PIN Code
• RSA SecurID
• Via RADIUS
• Vasco
• Integrated server
• No external Vasco server required
• Client-side certificate
• Validate for user access

RSA SecurID
ACE/Server RADIUS
SSL Connection
Vasco Security
SSL Connection
26
Dynamic Policy Engine

• User / Device Security
• Dynamically adapt user policy based on device
  used
• Seamless Integration
• Utilize existing AAA servers
• Automatic user mapping from directory
• Detailed audit trail
• Application level visibility

Dynamic Policy Engine
Application Access
Mobile Device Policy
Kiosk Policy
Default Policy
Laptop Policy
FirePass
Authentication LDAP RADIUS WIN NT/2K Web-Based
Group Sales Financial Auditors etc.
Access Rights Intranet SAP Siebel File Shares
Audit Usage Reporting Who accessed What was
accessed From Where
27
FirePass Controller Architecture
Secure Sockets Layer (SSL)
Dynamic PolicyEngine
28
Full Network Access - F5 IPSec Replacement
Corporate Network

• Full network access
• Access to any IP application (TCP, UDP)
• Application transparent
• Split tunneling option
• Data Privacy
• SSL encryption with selectable crypto levels
• Enterprise Protection
• Group-based ACLs
• Client-side cert validation

Corporate Laptop
Browser
FirePass
29
Client Integrity Checking

• Client security
• Check for required processes
• e.g. personal firewall
• Check for undesired processes
• e.g. key logger
• Disconnect on Windows routing table changes
• Validate client certificate before connecting
• Group-based address pools
• Enforce IP-based restrictions internally

• VPN Connector
• Active process check
• Routing table disconnect
• Client-side certificate

Corporate Network
FirePass
Group 1 - IP Pool 1 Group 2 IP Pool 2 Group 3
IP Pool 3
30
F5 Application Connector
Corporate Network

• Access to client/server applications
• Administrator can restrict access
• Audit trail of application access
• Application layer security prevents intrusions

Partner PC
Browser
Client/Server Applications
Client- Server
FirePass
31
Application Connector

• Access to select client-server applications
• CRM (SAP, Oracle)
• Client-based email (Outlook, Notes)
• FTP, HTTP, HTTPS
• Custom (static TCP port)
• Client requirement
• ActiveX / Plugin
• Simple GUI
• Simplified troubleshooting
• Multiple AppTunnels in a single browser window

32
F5 Intranet/Extranet Access

• Web adapter
• Access to HTTP/HTTPS applications
• Enterprise protection
• Group-based controls
• Session timeout / limits
• Cookie management

Corporate Network
Kiosk/Home PC
Browser
Web Servers
Web Adapter
FirePass
33
Web Adapter Traffic Inspection
Cross Site Scripting User-Defined
Policy Engine Scan value(s) in a TCP/IP header or
payload.
Dynamic Policy Engine
Web Adapter
Internet
FirePass Server
Intranet

• Cross-site scripting attack prevention
• FirePass scans for suspicious characters and
  strings
• Content inspection and transformation
• FirePass can patch and clean web content

34
F5 Remote Control

• Terminal server adapter
• Secure access to Windows XP remote desktop
• Desktop adapter
• Secure access to Windows desktop systems
• Enterprise protection
• Centralized provisioning of desktop access
• Data privacy
• Optional end to end SSL security

Corporate Network
Kiosk/Home PC
Desktops WinXP Win32 Desktop
Browser
Desktop Adapter
FirePass
35
Feature - Host Adapter

• Legacy host access
• 3270 mainframe (Java)
• 5250 AS/400 (ActiveX)
• VTxxx (Java)
• VT320 (HTML)
• SSH (Java)
• Client requirements
• Automatic download of required applet for end
  user operation

36
Feature - UNIX System Adapter

• X Window access
• FirePass connects to UNIX system via command line
  interface
• X Windows application is re-directed to FirePass
• Flexible client support
• Java / ActiveX plugins supported
• NO X Windows software
• Increased productivity
• Access UNIX servers from any browser

37
Terminal Server Adapter

• System support
• Citrix Metaframe
• Windows XP Remote Desktop
• Win2k Terminal Server
• VNC
• Features
• Option to run in separate window or full screen
• Ability to launch applications print
• Optional hard drive mapping
• Automatic logon
• Client requirements
• Automatic download and seamless install of
  terminal server client (ActiveX)

38
Feature - Email Adapter

• Email access
• Web view of email on standard POP / IMAP servers
• Webmail not required
• Standard email features send, receive, reply,
  etc.
• Client requirements
• No download required
• Mobile device access
• Automatic formatting for mobile devices (PDA,
  cell phone)

39
F5 Remote Desktop Access
Corporate Network

• Secure access to Windows XP remote desktop or X
  Window (UNIX / Linux) hosts
• Secure access and collaboration on Windows
  desktop systems
• Centralized provisioning of desktop access

Kiosk/Home PC
Desktops WinXP Win32 Desktop
Browser
UNIX / Linux
Desktop Adapter
FirePass
40
Feature - Desktop Adapter

• Remote control
• WIN32 systems
• Remote printing
• Java / ActiveX access from standard browser
• Guest access / collaboration
• Invite up to 10 guests
• Desktop access
• Email / file access
• Seat license
• Desktop software install required

41
Raising the Bar

• Disaster Recovery
• Link Load Balancing
• High Availability

Corporate Headquarters
SSL
SSL-VPN
Corporate Desktop
UNIX/Linux Desktop
Email / Terminal Server
Mainframe
Web Server
42
Why F5?

• Most Comprehensive Product
• Best High Availability Solution
• Financially Sound
• Profitable
• Publicly traded on NASDAQ FFIV
• Under 90 days from acquisition to product

• SSL Traffic Management Leadership
• F5 world wide market share leader
• Global Presence
• Support locations in NA, Asia EMEA
• FirePass Market Experience

43
Looking to the Future
Additional Functionality
Time
44
Firepass Demonstration
Bill Whitson Professional Service Director, APAC
Slides are available at
http//f5hkpartner.lesliebilly.net/www/temp/firepa
ssmedia.ppt