VPN capabilities vary widely across UTM firewall devices

So here's a run-down

Despite the fact that VPNs and firewalls have been residing on the same box for over seven years, our testing of both of the site-to-site and remote access VPN capabilities showed an astonishing variation on the quality of VPN implementations.

Site-to-site VPNs are more critical in an enterprise UTM firewall, and we heavily weighted a product's ability to easily create and manage large VPNs. The three vendors standing out for their obviously enterprise-class VPNs were Check Point, Cisco, and Juniper. All three clearly deliver the underlying VPN technology and corresponding centralized management tools that make it easy to build networks of hundreds of nodes in a variety of topologies, ranging from full mesh to hub-and-spoke.

In previous tests, we have had problems with the quality and coverage of VPN-management tools provided by Cisco. With this release of Cisco Security Manager (CSM) tool, it was good to see that the management tools that the company provides have matured to the level where they match the needs of large VPNs. While there is still room for improvement in Cisco's management tool - for example, VPN rules and firewall rules are not linked, which makes policy definition more complex than it needs to be - Cisco is finally making large VPN deployments an easy process.

Good strides

Check Point and Juniper also have outstanding VPN definition and management tools for large site-to-site VPNs. Complex topologies beyond simple hub-and-spoke or full mesh are easy to define with both tools, and many of the difficult parts of handling very large VPNs (such as tunnel authentication using digital certificates) are not only made simple, but made simple in a way that doesn't compromise network security.

Cisco and Juniper also have made good strides in trying to combine site-to-site VPNs with dynamic routing to help reduce the complexity of managing a VPN with a rapidly changing network topology.

While they're not up to the level of leaders such as Check Point and Juniper, SonicWall -- another early innovator in centralized management -- also has made great strides in its VPN configuration and control capabilities. SonicWall's Global Management System lets you draw together groups of firewalls into a VPN, and then automatically configures and pushes the VPN configuration to all devices. As the topology changes and firewalls come and go, Global Management System keeps things up-to-date and fully linked.

WatchGuard, also an early innovator in making it easy to build and monitor your VPN, has not advanced and is limited in its topologies and capabilities. Site-to-site VPN is easy if you want to build single tunnels between a WatchGuard Peak firewall (such as the one we tested) and WatchGuard's branch-office devices, called Edge firewalls. However, there is no true centralized management for Peak firewalls, which means there is really no option to build large site-to-site VPNs. Tunnels have to be constructed one at a time.

Another disappointment came in IBM/ISS' management system referred to as the Site Protector appliance. With this management system, we were rocketed back to early 2001 VPN-management capabilities. Site Protector also doesn't do central management of large VPN topologies, and requires that VPNs be defined using the very traditional model of protected networks and security gateways - terminology straight out of the IPsec standards and distinctly unfriendly to anyone who wants to cleanly merge firewall and VPN policies.

Without centralized management, the Astaro ASG 425a, Fortinet FortiGate 3600A and Secure Computing Sidewinder 2150D all are back in the dark ages of site-to-site VPN capabilities. Secure Computing aims to resolve that issue soon with the release of a new central management tool based on its newly aquired CyberGuard's centralized management system, but was unable to give us even beta code for this test.

Remote-access ties

While it's unlikely that an enterprise would want to run remote access through the same box as the rest of its traffic, it could help reduce the number of systems IT staff would have to learn and control if the company's remote access demands were not too taxing.

Check Point and Cisco once again stepped up to the top of pack with their remote access VPN capabilities. Check Point gets a perfect score here for having a combination of easy configuration and powerful additional features. Setting up remote access VPN with Check Point is simple and fast for the easy case of letting remote access users into networks protected by the Check Point firewall, and if you want to beyond that, there is sufficient well-written documentation to help with all the additional bells and whistles such as split tunneling, split DNS implementation, multifirewall VPN connectivity and NAC integration.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joel Snyder

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?