VPN capabilities vary widely across UTM firewall devices

So here's a run-down

Despite the fact that VPNs and firewalls have been residing on the same box for over seven years, our testing of both of the site-to-site and remote access VPN capabilities showed an astonishing variation on the quality of VPN implementations.

Site-to-site VPNs are more critical in an enterprise UTM firewall, and we heavily weighted a product's ability to easily create and manage large VPNs. The three vendors standing out for their obviously enterprise-class VPNs were Check Point, Cisco, and Juniper. All three clearly deliver the underlying VPN technology and corresponding centralized management tools that make it easy to build networks of hundreds of nodes in a variety of topologies, ranging from full mesh to hub-and-spoke.

In previous tests, we have had problems with the quality and coverage of VPN-management tools provided by Cisco. With this release of Cisco Security Manager (CSM) tool, it was good to see that the management tools that the company provides have matured to the level where they match the needs of large VPNs. While there is still room for improvement in Cisco's management tool - for example, VPN rules and firewall rules are not linked, which makes policy definition more complex than it needs to be - Cisco is finally making large VPN deployments an easy process.

Good strides

Check Point and Juniper also have outstanding VPN definition and management tools for large site-to-site VPNs. Complex topologies beyond simple hub-and-spoke or full mesh are easy to define with both tools, and many of the difficult parts of handling very large VPNs (such as tunnel authentication using digital certificates) are not only made simple, but made simple in a way that doesn't compromise network security.

Cisco and Juniper also have made good strides in trying to combine site-to-site VPNs with dynamic routing to help reduce the complexity of managing a VPN with a rapidly changing network topology.

While they're not up to the level of leaders such as Check Point and Juniper, SonicWall -- another early innovator in centralized management -- also has made great strides in its VPN configuration and control capabilities. SonicWall's Global Management System lets you draw together groups of firewalls into a VPN, and then automatically configures and pushes the VPN configuration to all devices. As the topology changes and firewalls come and go, Global Management System keeps things up-to-date and fully linked.

WatchGuard, also an early innovator in making it easy to build and monitor your VPN, has not advanced and is limited in its topologies and capabilities. Site-to-site VPN is easy if you want to build single tunnels between a WatchGuard Peak firewall (such as the one we tested) and WatchGuard's branch-office devices, called Edge firewalls. However, there is no true centralized management for Peak firewalls, which means there is really no option to build large site-to-site VPNs. Tunnels have to be constructed one at a time.

Another disappointment came in IBM/ISS' management system referred to as the Site Protector appliance. With this management system, we were rocketed back to early 2001 VPN-management capabilities. Site Protector also doesn't do central management of large VPN topologies, and requires that VPNs be defined using the very traditional model of protected networks and security gateways - terminology straight out of the IPsec standards and distinctly unfriendly to anyone who wants to cleanly merge firewall and VPN policies.

Without centralized management, the Astaro ASG 425a, Fortinet FortiGate 3600A and Secure Computing Sidewinder 2150D all are back in the dark ages of site-to-site VPN capabilities. Secure Computing aims to resolve that issue soon with the release of a new central management tool based on its newly aquired CyberGuard's centralized management system, but was unable to give us even beta code for this test.

Remote-access ties

While it's unlikely that an enterprise would want to run remote access through the same box as the rest of its traffic, it could help reduce the number of systems IT staff would have to learn and control if the company's remote access demands were not too taxing.

Check Point and Cisco once again stepped up to the top of pack with their remote access VPN capabilities. Check Point gets a perfect score here for having a combination of easy configuration and powerful additional features. Setting up remote access VPN with Check Point is simple and fast for the easy case of letting remote access users into networks protected by the Check Point firewall, and if you want to beyond that, there is sufficient well-written documentation to help with all the additional bells and whistles such as split tunneling, split DNS implementation, multifirewall VPN connectivity and NAC integration.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joel Snyder

Network World
Show Comments

Essentials

Mobile

Exec

Budget

TerraCycle Zero Waste Box Pens and Markers Small

Learn more >

Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Cathy Giles

Brother MFC-L8900CDW

The Brother MFC-L8900CDW is an absolute stand out. I struggle to fault it.

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?