Cisco edges F5 in VPN shootout

All five reviewed products deliver impressive SSL VPN features

Connecting remotely to network servers is a fact of life for millions of end users. Whether working from a PC or a mobile device, users rely on secure, reliable remote connections to maintain their productivity.

We tested five products that deliver remote SSL VPN connectivity: WatchGuard SSL 560, Barracuda SSL VPN 380, Dell SonicWall EX-7000, F5 Networks BIG-IP Edge Gateway 3900 Platform and Cisco's ASA 5515-X security appliance.

We found each of these products to be capable, fully mature and established in the marketplace, which made it a bit of a challenge to choose a winner. Our top pick, the Cisco ASA 5515-X security appliance, narrowly edged out the competition. While it didn't dominate in every category, the Cisco ASA 5515-X won top billing due to its rich feature set, powerful and granular configuration options and overall balance of capacity and features.

The other four products were essentially all runners-up, each with unique features that make them suitable for implementation, depending upon individual remote connectivity requirements. The SonicWall EX-7000 and F5 BIG-IP appliances are higher-capacity units that can handle up to 5,000 and 60,000 concurrent users respectively.

The Barracuda SSL VPN 380 and WatchGuard SSL 560 fall more into the mid-range with the ability to handle concurrent users in the hundreds. Beyond capacity, which may narrow the field for organizations needing to support large numbers of users in a high throughput environment, choosing an SSL VPN solution is largely a matter of matching features to remote connectivity requirements.


The SonicWall EX-7000 maintained a slight edge in endpoint control and logging features, while the Barracuda SSL VPN 380 proved to be more capable in creating resources and displaying system status. Both products offer an efficient web admin interface that streamlines administration tasks.

The WatchGuard SSL 560 had a somewhat dated interface and lacked the ability to dynamically link to external directories such as Active Directory and LDAP. On the other hand, setup and deployment were a breeze with this unit compared to all the other products we tested. The WatchGuard SSL 560 is truly a 'no fuss' solution that is ready to roll right out of the box, very appealing for any shop needing to get up and running quickly.

The F5 has a lot of firepower and features, but we found configuration to be an arduous task compared to the competition. Configuring the F5 unit was time-consuming and sometimes cumbersome, even with the use of built-in wizards. On the plus side, the F5 appliance has an impressive client interface and excellent reporting capabilities. Did we mention mind-boggling capacity and throughput?

How we did it

We set out to test several scenarios: access to a remote LAN including file shares, remote desktop, internal Web resources and applications, as well as the basic mobile capabilities of each product. Some of the appliances tested were primarily SSL VPN solutions, whereas others include additional features such as firewall, anti-virus and network accelerators, to name a few. Generally speaking, the more features, the steeper the learning curve, but this is only logical.

Our main focus was remote connectivity for end users. We were able to successfully create client connections to remote networks and network resources using the access methods provided with each product. Product differences came down to features, such as the granularity and flexibility of access control, together with administration capabilities and ease-of-use/deployment.

We did not evaluate performance as this involves too many parameters that can vary widely in production environments. However, we found performance acceptable and consistent across the products tested in our lab.


Here are the individual reviews:

WatchGuard SSL 560

We hooked this unit up to a server via Ethernet ports and performed the basic set up in just a few minutes using the quick start guide. The Web admin interface is not the most sophisticated, but navigation is intuitive and relies on simple wizards to perform common tasks such as adding users and creating resource access rules.

Users are authenticated against a built-in database, as the WatchGuard SSL 560 does not have the ability to dynamically link to an external directory. However, you can use an external directory such as Active Directory, OpenLDAP or Novell eDirectory to create users, or you can import a file containing user names. When linking to an external directory, you will need to synchronize changes made to the external directory by using a refresh tool.

Using the aforementioned wizards we quickly and easily created users and configured network resources. Next we checked out the client interface. After logging in, the remote user is presented with a choice of authentication methods: SSL password, SSL challenge, mobile text, SSL Synchronized or SSL Web.

Resources can be accessed via tunnel or Web resource -- the tunnel resource can be a full tunnel to a local network or one with more limited access, such as a home directory, file share or Outlook Client.

Examples of available Web resources are Microsoft SharePoint, Outlook Web Access, ActiveSync or any other internal Web resources such as a website. Once a type of resource has been selected, a built-in wizard can be used to configure the details and to set up rules to determine who has access to that resource.

We also tested access from an iOS device and found the mobile app easy to navigate: it relies on vertical scrolling only and uses mobile-appropriate fonts and buttons.

This appliance does provide some endpoint control for Windows clients by ensuring that certain criteria are met before access is allowed. The WatchGuard SSL 560 doesn't provide any built-in rules, but rules can be created to enforce access prerequisites, such as the presence of an application (e.g. anti-virus software), a registry key or a file.

The reporting and logging capabilities of the WatchGuard SSL 560 are adequate with several built-in reports and some customization options such as date range and basic filtering. Reports can be exported to PDF and we discovered a useful 'Complete Report' that creates a PDF with nicely formatted data filtered by date/time.

The Web admin interface displays system overview information similar to the other products we tested, although not as well-organized or graphically appealing. On the plus side, the SSL 560 is a very easy system to manage, both from an admin standpoint and from the client standpoint. We referred to the context-sensitive help section only once or twice and, unlike our experience with a couple of other products, we did not need to contact technical support to clear hurdles.

Barracuda SSL VPN 380

The initial configuration of the Barracuda SSL VPN 380 can be completed directly from a console on the appliance or through a Web interface. We elected to use the console to initially configure the IP settings and then switched over to the Web admin interface. The appliance has a built-in user database, which we used for testing, but the Barracuda SSL VPN 380 can also link dynamically to external user directories such as LDAP, OpenLDAP and Active Directory. The ability to utilize external user directories is important in production environments, especially those with large numbers of end users.

The Barracuda SSL VPN 380 Web admin interface has an appealing look and the status screen displays a number of useful parameters ranging from CPU fan speed and temperature to the number of users and session types. Most of the functionality is easy to locate using helpful tabs for each category.

There are also sub-tabs that quickly point you in the correct direction when configuring the appliance. Another handy feature is the messaging at the top of each screen that alerts users to items that need attention, such as unsaved settings. The same message area also alerts administrators each time an item is changed and saved.

As previously noted, users can be authenticated against a built-in database or an external directory. Creating user accounts is a straightforward process using a single-screen dialog with just a few parameters, such as user name, password and email address. You can also optionally assign users to groups.

After creating test users we configured several common network resources that could be remotely accessed from the client portal. The Barracuda SSL VPN 380 offers a number of choices for resource types, ranging from Web forwards and network places to applications and tunnel resources. Each resource can be configured from a single screen.

While wizards are always a nice touch for beginners, a single-screen configuration is an important feature for busy administrators. At the bottom of each configuration screen is a list of existing resources for that category. One change we would find helpful would be to color-code the active tabs in a way that would easily identify the task at hand, vs. shades of blue that were sometimes a bit confusing.

We created and configured several resources (SSL tunnel, RDP and a Web application) on the Barracuda SSL VPN 380 before switching to the Web client portal where, after logging in, our previously configured resources were displayed as icons. The client portal is basic with no frills, consisting of the login screen, a help section and the ability for the client to update some system information.

For mobile access, the Barracuda SSL VPN allows devices secure access to the network by using the VPN protocol native to the device (iOS, Android, Windows Mobile).

We found the logging capability of the Barracuda SSL VPN 380 to be adequate, but not as full-featured as some of the other products we tested. The Barracuda SSL VPN 380 does have a very good reporting module with the ability to add parameters and export capabilities to multiple formats such as PDF, XML, HTML and CSV.

The unit also ships with built-in endpoint controls that can validate against certain criteria before allowing the connection. Items that can be evaluated include OS and browser versions, anti-virus capability and whether an OS is up to date with all hot fixes (Windows only).

Dell SonicWall EX-7000

SonicWall was acquired by Dell in 2012, and Dell is now in the process of becoming a privately held entity, but at least for now it appears the company is keeping the SonicWall name for this line of Internet appliances. Our test appliance was a Dell SonicWall EX-7000.

The initial setup of IP and DNS settings was done using the display and buttons found on the front of the appliance. After the initial setup, we connected the appliance to the test network and completed the remaining configuration tasks from the Web admin interface. The Aventail Management Console is efficient and easy to navigate, with the initial dashboard displaying key information in an easy-to-read format. We liked the checklist that shows any pending items needing attention, with the ability to drill down for details.

There are three main client access methods available: Network tunnel client, Web proxy agent and client/server proxy agent. End users can connect remotely using methods such as a connect tunnel client, connect mobile client and on-demand tunnel agent.

However, the main access point is the Aventail WorkPlace portal, which provides access to Web-based resources. We especially liked the ability to customize the portal for different audiences, such as associates or customers. The Dell SonicWall EX-7000 supports the Mobile Connect client on iOS and Android devices, as well as most mobile browsers.

Users can be authenticated against network repositories such as Active Directory, LDAP and RADIUS, through a single sign-on server or using a local database. The SonicWall appliance uses 'realms' to tie together authentication, resource access, user management and endpoint control. Realms are presented in a flow-chart-like display in the admin interface, making it easy to see what is currently configured, with the option of managing each item from one location.

Similar to other appliances we tested, the Dell SonicWall EX-7000 uses rules for access control. We liked the way rules are enforced -- once a client requests access, the rules are evaluated in order of precedence, and once a matching rule is found, the appropriate action is applied. If no matching rule is found, access is denied. Access rules are tied to configured resources such as file shares, RDP access, applications, Web resources or hosts.
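To make the first-match, default-deny evaluation described above concrete, here is an added Python illustration (example code written for this page, not SonicWall's implementation); the rule fields, group names, resource names and the endpoint-control flag are all constructed. It also shows why precedence matters: the same request is allowed or denied depending only on the order of the rules.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One access rule; precedence is its position in the rule list."""
    name: str
    action: str                      # "allow" or "deny"
    resource: str                    # "file-share", "rdp", ... or "*" for any
    groups: frozenset = frozenset()  # empty = applies to every group
    require_av: bool = False         # constructed endpoint-control prerequisite

@dataclass
class Request:
    user: str
    groups: frozenset
    resource: str
    av_running: bool   # result reported by the endpoint check

def matches(rule: Rule, req: Request) -> bool:
    """A rule matches only if every one of its conditions holds."""
    if rule.resource != "*" and rule.resource != req.resource:
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    if rule.require_av and not req.av_running:
        return False
    return True

def evaluate(rules, req: Request) -> tuple[str, Optional[str]]:
    """First matching rule decides; no match at all means access is denied."""
    for rule in rules:
        if matches(rule, req):
            return rule.action, rule.name
    return "deny", None

# Constructed sample policy, listed in precedence order.
RULES = [
    Rule("block-contractor-shares", "deny", "file-share", frozenset({"contractors"})),
    Rule("staff-shares", "allow", "file-share", frozenset({"staff"}), require_av=True),
    Rule("staff-rdp", "allow", "rdp", frozenset({"staff"}), require_av=True),
]

if __name__ == "__main__":
    alice = Request("alice", frozenset({"staff"}), "file-share", av_running=True)
    bob = Request("bob", frozenset({"staff", "contractors"}), "file-share", True)
    print(evaluate(RULES, alice))        # allow via staff-shares
    print(evaluate(RULES, bob))          # deny: the contractor rule matches first
    print(evaluate(RULES[::-1], bob))    # allow: reversed order lets staff-shares win
```

A user who belongs to both groups is denied only while the deny rule sits above the allow rule; a review of rule order is therefore part of reviewing the policy.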

We found that the Dell SonicWall EX-7000 had robust endpoint configuration capabilities, allowing us to ensure that clients connecting to the network met our configuration prerequisites, such as operating system and anti-virus protection, or even more granular requirements such as matching equipment IDs or client certificates.

Although the SonicWall does not offer direct reporting from the admin interface, the logging features of the appliance are robust and they can be offloaded to a separate application called Aventail Advanced Reporting (AAR), which is built on the Sawmill log parsing/analysis application. The AAR allows administrators to drill down and query the logs to show specific user and application access information over any date/time range.
