<< Back to article Print this page Loading page, please wait...

VPN capabilities vary widely across UTM firewall devices

So here's a run-down

Joel Snyder (Network World)
14 November, 2007 10:34

Despite the fact that VPNs and firewalls have been residing on the same box for over seven years, our testing of both of the site-to-site and remote access VPN capabilities showed an astonishing variation on the quality of VPN implementations.

Site-to-site VPNs are more critical in an enterprise UTM firewall, and we heavily weighted a product's ability to easily create and manage large VPNs. The three vendors standing out for their obviously enterprise-class VPNs were Check Point, Cisco, and Juniper. All three clearly deliver the underlying VPN technology and corresponding centralized management tools that make it easy to build networks of hundreds of nodes in a variety of topologies, ranging from full mesh to hub-and-spoke.

In previous tests, we have had problems with the quality and coverage of VPN-management tools provided by Cisco. With this release of Cisco Security Manager (CSM) tool, it was good to see that the management tools that the company provides have matured to the level where they match the needs of large VPNs. While there is still room for improvement in Cisco's management tool - for example, VPN rules and firewall rules are not linked, which makes policy definition more complex than it needs to be - Cisco is finally making large VPN deployments an easy process.

Good strides

Check Point and Juniper also have outstanding VPN definition and management tools for large site-to-site VPNs. Complex topologies beyond simple hub-and-spoke or full mesh are easy to define with both tools, and many of the difficult parts of handling very large VPNs (such as tunnel authentication using digital certificates) are not only made simple, but made simple in a way that doesn't compromise network security.

Cisco and Juniper also have made good strides in trying to combine site-to-site VPNs with dynamic routing to help reduce the complexity of managing a VPN with a rapidly changing network topology.

While they're not up to the level of leaders such as Check Point and Juniper, SonicWall -- another early innovator in centralized management -- also has made great strides in its VPN configuration and control capabilities. SonicWall's Global Management System lets you draw together groups of firewalls into a VPN, and then automatically configures and pushes the VPN configuration to all devices. As the topology changes and firewalls come and go, Global Management System keeps things up-to-date and fully linked.

WatchGuard, also an early innovator in making it easy to build and monitor your VPN, has not advanced and is limited in its topologies and capabilities. Site-to-site VPN is easy if you want to build single tunnels between a WatchGuard Peak firewall (such as the one we tested) and WatchGuard's branch-office devices, called Edge firewalls. However, there is no true centralized management for Peak firewalls, which means there is really no option to build large site-to-site VPNs. Tunnels have to be constructed one at a time.

Another disappointment came in IBM/ISS' management system referred to as the Site Protector appliance. With this management system, we were rocketed back to early 2001 VPN-management capabilities. Site Protector also doesn't do central management of large VPN topologies, and requires that VPNs be defined using the very traditional model of protected networks and security gateways - terminology straight out of the IPsec standards and distinctly unfriendly to anyone who wants to cleanly merge firewall and VPN policies.

Without centralized management, the Astaro ASG 425a, Fortinet FortiGate 3600A and Secure Computing Sidewinder 2150D all are back in the dark ages of site-to-site VPN capabilities. Secure Computing aims to resolve that issue soon with the release of a new central management tool based on its newly aquired CyberGuard's centralized management system, but was unable to give us even beta code for this test.

Remote-access ties

While it's unlikely that an enterprise would want to run remote access through the same box as the rest of its traffic, it could help reduce the number of systems IT staff would have to learn and control if the company's remote access demands were not too taxing.

Check Point and Cisco once again stepped up to the top of pack with their remote access VPN capabilities. Check Point gets a perfect score here for having a combination of easy configuration and powerful additional features. Setting up remote access VPN with Check Point is simple and fast for the easy case of letting remote access users into networks protected by the Check Point firewall, and if you want to beyond that, there is sufficient well-written documentation to help with all the additional bells and whistles such as split tunneling, split DNS implementation, multifirewall VPN connectivity and NAC integration.

Page Break

Check Point's Integrity Clientless Security, an endpoint-security package, is completely integrated into its IPsec VPN for the network manager who wants to combine IPsec VPN and NAC. Plus, Check Point includes a "visitor mode," which tunnels VPN traffic over TCP Port 443, a nice acknowledgment of the place SSL VPN is taking in the remote access VPN world.

Cisco's VPN capabilities, descended from what must be one of the most popular VPN concentrators ever (the Cisco 3000-series), are as strong in the ASA 5540 as ever. While Check Point edges out Cisco's remote access in a few areas, such as multiple entry-point connectivity and per-user firewalling features, most network managers would be happy with Cisco's remote-access VPN capabilities.

Juniper's ScreenOS remote-access VPN capabilities have long been the weakest link in Juniper's security chain. We hope that Juniper will merge the SSL VPN technology it picked up with its Neoteris purchase into ScreenOS sometime soon, but it isn't in there yet. If you want remote-access VPN from Juniper, don't look for it in ScreenOS.

Three of the devices in our test, the Astaro ASG425a, the FortiGate 3600A and the SonicWall PRO 5060, have added SSL VPN capabilities to their firewalls. However, with a SMB-ish orientation, they don't have all the controls and configurability of Check Point or Cisco, but they do let you get remote access VPN up and running fast and efficiently.

The IBM/ISS Proventia MX5010, Secure Computing Sidewinder 2150D and WatchGuard Firebox X8500e are all still sporting 1999-style IPsec VPNs for remote access. No sane network manager would roll out an enterprise-sized VPN based on this type of configuration - something WatchGuard clearly knows, because it allows no more than 50 clients on their device.