VPN capabilities vary widely across UTM firewall devices

So here's a run-down

Check Point's Integrity Clientless Security, an endpoint-security package, is completely integrated into its IPsec VPN for the network manager who wants to combine IPsec VPN and NAC. Plus, Check Point includes a "visitor mode," which tunnels VPN traffic over TCP Port 443, a nice acknowledgment of the place SSL VPN is taking in the remote access VPN world.

Cisco's VPN capabilities, descended from what must be one of the most popular VPN concentrators ever (the Cisco 3000-series), are as strong in the ASA 5540 as ever. While Check Point edges out Cisco's remote access in a few areas, such as multiple entry-point connectivity and per-user firewalling features, most network managers would be happy with Cisco's remote-access VPN capabilities.

Juniper's ScreenOS remote-access VPN capabilities have long been the weakest link in Juniper's security chain. We hope that Juniper will merge the SSL VPN technology it picked up with its Neoteris purchase into ScreenOS sometime soon, but it isn't in there yet. If you want remote-access VPN from Juniper, don't look for it in ScreenOS.

Three of the devices in our test, the Astaro ASG425a, the FortiGate 3600A and the SonicWall PRO 5060, have added SSL VPN capabilities to their firewalls. With an SMB-ish orientation, they don't have all the controls and configurability of Check Point or Cisco, but they do let you get remote-access VPN up and running fast and efficiently.

The IBM/ISS Proventia MX5010, Secure Computing Sidewinder 2150D and WatchGuard Firebox X8500e are all still sporting 1999-style IPsec VPNs for remote access. No sane network manager would roll out an enterprise-sized VPN based on this type of configuration - something WatchGuard clearly knows, because it allows no more than 50 clients on its device.
