Despite the fact that VPNs and firewalls have been residing on the same box for over seven years, our testing of both of the site-to-site and remote access VPN capabilities showed an astonishing variation on the quality of VPN implementations.
Site-to-site VPNs are more critical in an enterprise UTM firewall, and we heavily weighted a product's ability to easily create and manage large VPNs. The three vendors standing out for their obviously enterprise-class VPNs were Check Point, Cisco, and Juniper. All three clearly deliver the underlying VPN technology and corresponding centralized management tools that make it easy to build networks of hundreds of nodes in a variety of topologies, ranging from full mesh to hub-and-spoke.
In previous tests, we have had problems with the quality and coverage of VPN-management tools provided by Cisco. With this release of Cisco Security Manager (CSM) tool, it was good to see that the management tools that the company provides have matured to the level where they match the needs of large VPNs. While there is still room for improvement in Cisco's management tool - for example, VPN rules and firewall rules are not linked, which makes policy definition more complex than it needs to be - Cisco is finally making large VPN deployments an easy process.
Good strides
Check Point and Juniper also have outstanding VPN definition and management tools for large site-to-site VPNs. Complex topologies beyond simple hub-and-spoke or full mesh are easy to define with both tools, and many of the difficult parts of handling very large VPNs (such as tunnel authentication using digital certificates) are not only made simple, but made simple in a way that doesn't compromise network security.
Cisco and Juniper also have made good strides in trying to combine site-to-site VPNs with dynamic routing to help reduce the complexity of managing a VPN with a rapidly changing network topology.
While they're not up to the level of leaders such as Check Point and Juniper, SonicWall -- another early innovator in centralized management -- also has made great strides in its VPN configuration and control capabilities. SonicWall's Global Management System lets you draw together groups of firewalls into a VPN, and then automatically configures and pushes the VPN configuration to all devices. As the topology changes and firewalls come and go, Global Management System keeps things up-to-date and fully linked.
WatchGuard, also an early innovator in making it easy to build and monitor your VPN, has not advanced and is limited in its topologies and capabilities. Site-to-site VPN is easy if you want to build single tunnels between a WatchGuard Peak firewall (such as the one we tested) and WatchGuard's branch-office devices, called Edge firewalls. However, there is no true centralized management for Peak firewalls, which means there is really no option to build large site-to-site VPNs. Tunnels have to be constructed one at a time.
Another disappointment came in IBM/ISS' management system referred to as the Site Protector appliance. With this management system, we were rocketed back to early 2001 VPN-management capabilities. Site Protector also doesn't do central management of large VPN topologies, and requires that VPNs be defined using the very traditional model of protected networks and security gateways - terminology straight out of the IPsec standards and distinctly unfriendly to anyone who wants to cleanly merge firewall and VPN policies.
Without centralized management, the Astaro ASG 425a, Fortinet FortiGate 3600A and Secure Computing Sidewinder 2150D all are back in the dark ages of site-to-site VPN capabilities. Secure Computing aims to resolve that issue soon with the release of a new central management tool based on its newly aquired CyberGuard's centralized management system, but was unable to give us even beta code for this test.
Remote-access ties
While it's unlikely that an enterprise would want to run remote access through the same box as the rest of its traffic, it could help reduce the number of systems IT staff would have to learn and control if the company's remote access demands were not too taxing.
Check Point and Cisco once again stepped up to the top of pack with their remote access VPN capabilities. Check Point gets a perfect score here for having a combination of easy configuration and powerful additional features. Setting up remote access VPN with Check Point is simple and fast for the easy case of letting remote access users into networks protected by the Check Point firewall, and if you want to beyond that, there is sufficient well-written documentation to help with all the additional bells and whistles such as split tunneling, split DNS implementation, multifirewall VPN connectivity and NAC integration.