ITBusiness.ca

Cisco firewall hits small business sweet spot

There are two ways to look at the Cisco SA 520 network security appliance.

On one hand, it offers a solid array of features: 65Mbps IPSec VPN throughput, 100Mbps overall throughput, integrated firewall (limited to 100 rules), built-in filtering for common services like IM and P2P networking, SSL VPN, IPS, DDNS, and multi-WAN support. On the other hand, it has nearly no relation to the rest of Cisco’s security solutions.

The Cisco SA 520 is physically similar to the old Cisco PIX 501, and it offers similar basic functionality. However, that’s where the similarities stop: Whereas the PIX 501 ran PIXOS, the SA 520 runs a Linux-based operating system. Where the PIX 501 was as easy to manage as its bigger brothers, the SA 520 runs a completely different OS, has no console port, and no CLI. It’s administered via a somewhat cranky Web-based UI.

Related Story: Four steps to better network and infrastructure security

From the perspective of a small business looking for a firewall that offers some relatively advanced features, the Cisco SA 520 is suitable. For a network professional looking for a small-site VPN endpoint device, the SA 520 is a mixed bag. It fits the bill in terms of capacity, features, and throughput, but from a management perspective, it promises headaches. Given that scenario, I’m going to address both viewpoints.

Cisco SA 520: Good for small business

The Cisco SA 520 ($419 street) provides a wealth of options as a small-business security appliance. There’s a little of everything here, from basic firewalling tasks through SSL VPN features, including SSL VPN portal pages. On the back end, it will integrate with Active Directory or standard LDAP authentication services to allow users to to log into the VPN with their domain credentials.

However, the stock model is outfitted with only two SSL VPN licenses, expandable to 25 by purchasing more. Two might not be the loneliest number, but it certainly seems tiny in this case. Oddly, the SA 520 allows for 50 IPSec tunnels out of the box. It’s hard to see anyone in the small-business space needing 50 IPSec tunnels but only two client-based SSL VPN tunnels.

There’s also support for multiple WAN interfaces and load balancing, so you can leverage multiple Internet connections within a single device. Further, you can create rules that apply to total traffic passed through each Internet connection to ensure you don’t go over ISP-imposed limits, if any should exist.

Coupled with that are basic QoS rules that allow traffic classification based on TCP or UDP port, source addresses, VLAN, or even a physical port. This traffic can be prioritized into high, medium, or low priorities. The SA 520 also supports 802.1p traffic prioritization that adds much more granularity, though you’ll need to classify traffic with 802.1p internally for this to function.

You can also use some higher-end features, including URL filtering, traffic allowance based on approved client lists, and malware and spam filtering through licensed Trend Micro technology. Another separately licensed option is the IPS (Intrusion Prevention System) that offers another layer of protection for the internal network by filtering traffic based on signatures downloaded from external resources.

With the built-in four-port switch and support for a single DMZ, I can see the SA 520 fitting in well in a small-business infrastructure.

Cisco SA 520: Bad for the remote office

I don’t feel the same way about the use of the Cisco SA 520 for remote office connectivity. While the stats on the SA 520 clearly position it as a viable candidate to link a small remote office back to headquarters via a VPN tunnel, the lack of reasonable remote-management capabilities makes it a hard sell.

For one thing, there’s no console port, so there’s no way to use a serial terminal server to access the device during a failure. There’s also no CLI, so all management must be conducted via the Web GUI, which can be very annoying. While there is the ability to download a configuration file for backup, it’s not really viable to modify the file offline, as you can for nearly all other Cisco network devices.

Remote administration is possible but can be granted to only a single source IP address, not a subnet or selection of addresses. Also, the SNMP MIB (management information base) situation with the SA 520 is somewhat perplexing. Certain aspects of the device respond to Cisco’s MIBs, while others respond to standard UCD-SNMP MIBs. Even more confusing, the MIB support has changed between firmware releases. The upshot is that you may be able to enumerate interfaces with a UCD MIB, but you won’t get any traffic data unless you’re using the Cisco MIB, or vice versa. It’s a bit of a jumble.

Also disturbing is that the SA 520 appears to have problems retaining its configuration across certain firmware updates. I updated the firmware, only to find the device return to factory settings. Should that happen with an SA 520 at a remote site with no other connectivity and no serial console that could ostensibly be connected to a modem, it would remain offline until someone can reconfigure it from the LAN through a Web browser. That’s definitely not a good situation for a remote office firewall.

However, the SA 520 supports up to 50 IPSec 3DES-to-AES256 tunnels, though working with the VPN tunnel management interface and wizard can be frustrating for experienced admins who are used to the ease and simplicity of CLI-based configuration. The IPSec VPNs did function properly with all encryption algorithms, and once I wrapped my head around how the VPN tunnel construction interface was designed, I was able to bring up tunnels to Cisco PIX and ASA firewalls without issue.

In short, the SA 520 can run an AES256 IPSec VPN up to 65Mbps, but it’ll make you work harder than you think you should to implement it and maintain proper operation.

A Cisco in name only

The Cisco SA 520 lives up to its Small Business billing, but doesn’t meet the requirements for the Pro designation, lacking adequate tools for managing a remote office endpoint for larger infrastructures. Given the specs for the device, that’s a shame, because it definitely performs like a higher-end unit, offering advanced features, including 802.1p, CDP (Cisco Discovery Protocol) RADIUS, and syslog support.

If all you’re looking for is a small-business firewall, you can get one cheaper than the SA 520, albeit without some of the extended features. If you’re looking to terminate a VPN at a remote office, you might find that paying more for another device that has the necessary management capabilities makes sense in the end.

If you’re in the middle, needing a small-business firewall with content filtering and dual-WAN capabilities, the SA 520 might be just the ticket, but I’m not sure how many of those businesses exist these days.

Exit mobile version