
Cisco SA 520 firewall disappoints

The Cisco SA 520 network security appliance offers a solid array of features but it has almost no relation to the rest of Cisco's security solutions.

There are two ways to look at the Cisco SA 520 (http://www.cisco.com/en/US/products/ps9932/prod_models_comparison.html) network security appliance. On one hand, it offers a solid array of features: 65Mbps IPSec VPN throughput, 100Mbps overall throughput, integrated firewall (limited to 100 rules), built-in filtering for common services like IM and P2P networking, SSL VPN, IPS, DDNS, and multi-WAN support. On the other hand, it has nearly no relation to the rest of Cisco's security solutions.

The Cisco SA 520 is physically similar to the old Cisco PIX 501, and it offers similar basic functionality. However, that's where the similarities stop: Whereas the PIX 501 ran PIXOS, the SA 520 runs a Linux-based operating system. Where the PIX 501 was as easy to manage as its bigger brothers, the SA 520 runs a completely different OS, has no console port, and no CLI. It's administered via a somewhat cranky Web-based UI.

From the perspective of a small business looking for a firewall that offers some relatively advanced features, the Cisco SA 520 is suitable. For a network professional looking for a small-site VPN endpoint device, the SA 520 is a mixed bag. It fits the bill in terms of capacity, features, and throughput, but from a management perspective, it promises headaches. Given that scenario, I'm going to address both viewpoints.

Cisco SA 520: Good for small business

The Cisco SA 520 ($419 street) provides a wealth of options as a small-business security appliance. There's a little of everything here, from basic firewalling tasks through SSL VPN features, including SSL VPN portal pages. On the back end, it will integrate with Active Directory or standard LDAP authentication services to allow users to log into the VPN with their domain credentials.

However, the stock model is outfitted with only two SSL VPN licenses, expandable to 25 by purchasing more. Two might not be the loneliest number, but it certainly seems tiny in this case. Oddly, the SA 520 allows for 50 IPSec tunnels out of the box. It's hard to see anyone in the small-business space needing 50 IPSec tunnels but only two client-based SSL VPN tunnels.

There's also support for multiple WAN interfaces and load balancing, so you can leverage multiple Internet connections within a single device. Further, you can create rules that apply to total traffic passed through each Internet connection to ensure you don't go over ISP-imposed limits, if any should exist.

Test Center Scorecard: Cisco SA 520 Security Appliance

Criteria weights: 20% / 20% / 20% / 20% / 10% / 10%
Scores: 7 / 9 / 6 / 7 / 7 / 7
Overall: 7.2 (Good)

Coupled with that are basic QoS rules that allow traffic classification based on TCP or UDP port, source addresses, VLAN, or even a physical port. Classified traffic can be assigned high, medium, or low priority. The SA 520 also supports 802.1p traffic prioritization, which adds much more granularity, though you'll need to classify traffic with 802.1p internally for this to function.

You can also use some higher-end features, including URL filtering, traffic allowance based on approved client lists, and malware and spam filtering through licensed Trend Micro technology. Another separately licensed option is the IPS (Intrusion Prevention System) that offers another layer of protection for the internal network by filtering traffic based on signatures downloaded from external resources.

With the built-in four-port switch and support for a single DMZ, I can see the SA 520 fitting in well in a small-business infrastructure.

Cisco SA 520: Bad for the remote office

I don't feel the same way about the use of the Cisco SA 520 for remote office connectivity. While the stats on the SA 520 clearly position it as a viable candidate to link a small remote office back to headquarters via a VPN tunnel, the lack of reasonable remote-management capabilities makes it a hard sell.

For one thing, there's no console port, so there's no way to use a serial terminal server to access the device during a failure. There's also no CLI, so all management must be conducted via the Web GUI, which can be very annoying. While there is the ability to download a configuration file for backup, it's not really viable to modify the file offline, as you can for nearly all other Cisco network devices.

Remote administration is possible but can be granted to only a single source IP address, not a subnet or selection of addresses. Also, the SNMP MIB (management information base) situation with the SA 520 is somewhat perplexing. Certain aspects of the device respond to Cisco's MIBs, while others respond to standard UCD-SNMP MIBs. Even more confusing, the MIB support has changed between firmware releases. The upshot is that you may be able to enumerate interfaces with a UCD MIB, but you won't get any traffic data unless you're using the Cisco MIB, or vice versa. It's a bit of a jumble.

Also disturbing is that the SA 520 appears to have problems retaining its configuration across certain firmware updates. I updated the firmware, only to find the device return to factory settings. Should that happen with an SA 520 at a remote site with no other connectivity and no serial console that could ostensibly be connected to a modem, it would remain offline until someone can reconfigure it from the LAN through a Web browser. That's definitely not a good situation for a remote office firewall.

However, the SA 520 supports up to 50 IPSec 3DES-to-AES256 tunnels, though working with the VPN tunnel management interface and wizard can be frustrating for experienced admins who are used to the ease and simplicity of CLI-based configuration. The IPSec VPNs did function properly with all encryption algorithms, and once I wrapped my head around how the VPN tunnel construction interface was designed, I was able to bring up tunnels to Cisco PIX and ASA firewalls without issue.

In short, the SA 520 can run an AES256 IPSec VPN up to 65Mbps, but it'll make you work harder than you think you should to implement it and maintain proper operation.

A Cisco in name only

The Cisco SA 520 lives up to its Small Business billing, but doesn't meet the requirements for the Pro designation, lacking adequate tools for managing a remote office endpoint for larger infrastructures. Given the specs for the device, that's a shame, because it definitely performs like a higher-end unit, offering advanced features, including 802.1p, CDP (Cisco Discovery Protocol), RADIUS, and syslog support.

If all you're looking for is a small-business firewall, you can get one cheaper than the SA 520, albeit without some of the extended features. If you're looking to terminate a VPN at a remote office, you might find that paying more for another device that has the necessary management capabilities makes sense in the end.

If you're in the middle, needing a small-business firewall with content filtering and dual-WAN capabilities, the SA 520 might be just the ticket, but I'm not sure how many of those businesses exist these days.
