VPN capabilities vary widely across UTM firewall devices

So here's a run-down

Despite the fact that VPNs and firewalls have been residing on the same box for over seven years, our testing of both of the site-to-site and remote access VPN capabilities showed an astonishing variation on the quality of VPN implementations.

Site-to-site VPNs are more critical in an enterprise UTM firewall, and we heavily weighted a product's ability to easily create and manage large VPNs. The three vendors standing out for their obviously enterprise-class VPNs were Check Point, Cisco, and Juniper. All three clearly deliver the underlying VPN technology and corresponding centralized management tools that make it easy to build networks of hundreds of nodes in a variety of topologies, ranging from full mesh to hub-and-spoke.

In previous tests, we have had problems with the quality and coverage of VPN-management tools provided by Cisco. With this release of Cisco Security Manager (CSM) tool, it was good to see that the management tools that the company provides have matured to the level where they match the needs of large VPNs. While there is still room for improvement in Cisco's management tool - for example, VPN rules and firewall rules are not linked, which makes policy definition more complex than it needs to be - Cisco is finally making large VPN deployments an easy process.

Good strides

Check Point and Juniper also have outstanding VPN definition and management tools for large site-to-site VPNs. Complex topologies beyond simple hub-and-spoke or full mesh are easy to define with both tools, and many of the difficult parts of handling very large VPNs (such as tunnel authentication using digital certificates) are not only made simple, but made simple in a way that doesn't compromise network security.

Cisco and Juniper also have made good strides in trying to combine site-to-site VPNs with dynamic routing to help reduce the complexity of managing a VPN with a rapidly changing network topology.

While they're not up to the level of leaders such as Check Point and Juniper, SonicWall -- another early innovator in centralized management -- also has made great strides in its VPN configuration and control capabilities. SonicWall's Global Management System lets you draw together groups of firewalls into a VPN, and then automatically configures and pushes the VPN configuration to all devices. As the topology changes and firewalls come and go, Global Management System keeps things up-to-date and fully linked.

WatchGuard, also an early innovator in making it easy to build and monitor your VPN, has not advanced and is limited in its topologies and capabilities. Site-to-site VPN is easy if you want to build single tunnels between a WatchGuard Peak firewall (such as the one we tested) and WatchGuard's branch-office devices, called Edge firewalls. However, there is no true centralized management for Peak firewalls, which means there is really no option to build large site-to-site VPNs. Tunnels have to be constructed one at a time.

Another disappointment came in IBM/ISS' management system referred to as the Site Protector appliance. With this management system, we were rocketed back to early 2001 VPN-management capabilities. Site Protector also doesn't do central management of large VPN topologies, and requires that VPNs be defined using the very traditional model of protected networks and security gateways - terminology straight out of the IPsec standards and distinctly unfriendly to anyone who wants to cleanly merge firewall and VPN policies.

Without centralized management, the Astaro ASG 425a, Fortinet FortiGate 3600A and Secure Computing Sidewinder 2150D all are back in the dark ages of site-to-site VPN capabilities. Secure Computing aims to resolve that issue soon with the release of a new central management tool based on its newly aquired CyberGuard's centralized management system, but was unable to give us even beta code for this test.

Remote-access ties

While it's unlikely that an enterprise would want to run remote access through the same box as the rest of its traffic, it could help reduce the number of systems IT staff would have to learn and control if the company's remote access demands were not too taxing.

Check Point and Cisco once again stepped up to the top of pack with their remote access VPN capabilities. Check Point gets a perfect score here for having a combination of easy configuration and powerful additional features. Setting up remote access VPN with Check Point is simple and fast for the easy case of letting remote access users into networks protected by the Check Point firewall, and if you want to beyond that, there is sufficient well-written documentation to help with all the additional bells and whistles such as split tunneling, split DNS implementation, multifirewall VPN connectivity and NAC integration.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joel Snyder

Network World

Comments

Comments are now closed.

Latest News Articles

Most Popular Articles

Follow Us

GGG Evaluation Team

Kathy Cassidy

STYLISTIC Q702

First impression on unpacking the Q702 test unit was the solid feel and clean, minimalist styling.

Anthony Grifoni

STYLISTIC Q572

For work use, Microsoft Word and Excel programs pre-installed on the device are adequate for preparing short documents.

Steph Mundell

LIFEBOOK UH574

The Fujitsu LifeBook UH574 allowed for great mobility without being obnoxiously heavy or clunky. Its twelve hours of battery life did not disappoint.

Andrew Mitsi

STYLISTIC Q702

The screen was particularly good. It is bright and visible from most angles, however heat is an issue, particularly around the Windows button on the front, and on the back where the battery housing is located.

Simon Harriott

STYLISTIC Q702

My first impression after unboxing the Q702 is that it is a nice looking unit. Styling is somewhat minimalist but very effective. The tablet part, once detached, has a nice weight, and no buttons or switches are located in awkward or intrusive positions.

Resources

Best Deals on GoodGearGuide

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?