Cisco edges F5 in VPN shootout

The admin interface is easy to navigate and setting up rules and resources is quick and intuitive. However one thing that was a minor irritation was that we kept forgetting to hit the (required) 'pending changes' link to apply our changes. The location of the link is not very intuitive - an 'apply changes' button as you make changes would be more helpful from a usability standpoint.

The Dell SonicWall EX-7000 was a very capable appliance with all the features needed to meet demanding remote connectivity requirements. However, it was hard to avoid noticing the $70,000 price tag on our appliance (configured with all the bells and whistles for 1,000 users with one year of high priority, 24/7 support).

F5 Networks BIG-IP Edge Gateway 3900 Platform

The F5 BIG-IP appliance can be configured either via command line or through a browser based Web admin system. To keep things somewhat consistent with our testing approach for the other appliances, we switched to the Web admin interface after assigning the initial IP address using the front end display and buttons. The admin interface is full-featured, but somewhat imposing for a first time user. We chalk this up to the additional capabilities of this appliance beyond SSL VPN.

Users can be authenticated using a variety of methods such as RADIUS, LDAP, Active Directory and Kerberos. Creating a link to an authentication server was straightforward using a single-screen configuration. The left navigation on the Admin interface is well-engineered, consisting of three tabs, one each for navigation, context sensitive help and about, with the about tab providing access to a variety of resources.

What we found a bit cumbersome with the F5 was making sure we had all the pre-requisites in place in order to create a client resource. However, after a bit of trial and error and with assistance from the help resource and technical support, we were finally able to create the access policies and a public interface from which clients could access the network.

The F5 BIG-IP client is available for Windows, Mac, and Linux in addition to Windows Mobile 5.0 or higher. For iOS and Android devices there are two different apps available, the Edge Portal and the Edge Client. The Edge Portal app provides access to internal Web apps such as intranets and Microsoft SharePoint, the Edge Client app offers the same capabilities with the addition of the ability to create an optimized SSL VPN tunnel to a corporate network.

We installed the Windows desktop version and were impressed with the ease of use and how quickly it allowed us to change our destination point from one server to another. Once connected to the VPN, we were able to access and utilize network resources such as file shares and applications. The client app displays useful information about connection details and compression ratios, which are used to speed up connections.

We especially liked the F5 reporting capabilities. These were the best of all the products tested and include a number of built-in reports, such as ACL summaries, browser distribution and various session reports, to name a few. There is also a report builder that can create custom reports using flexible parameters, operators and constraints. Another great feature is the modern looking dashboard that gives administrators a single-screen view showing multiple values, including the current status with a timeline of current and previous connections by type. Several of the values are displayed in speedometer-style gauges that are sure to appeal to administrators.

F5 Networks says the BIG-IP Edge Gateway 3900 acceleration feature allows remote connections 10x faster than without acceleration, supporting up to 600 logins per second and 600 concurrent users. While we didn't independently verify these impressive-sounding numbers, acceleration sets the BIG-IP Edge Gateway 3900 apart from the other products we tested and may make this product especially appealing in demanding environments requiring very high throughput.

Cisco ASA 5515-X

Like the other appliances we tested, the ASA 5515-X from Cisco is a 1U rack mountable unit with administration options via browser-based or command-line interface. There is a lot to like about the Cisco ASDM interface, with the device dashboard providing a good status overview of parameters such as current VPN sessions, resources and traffic.

One big plus from an admin perspective was the context-sensitive help topics provided throughout as we were creating policies and configuring the appliance. One aspect of the help feature we found beneficial was the available links that allow you to navigate directly to the applicable area from which you can perform certain tasks. There are also a number of helpful wizards available to walk administrators through various tasks and we were able to take advantage of those in configuring the appliance.

The ASA is optimized for use with the Cisco AnyConnect client and although we performed a few client-less (browser only) connections, most of our testing was completed using the AnyConnect client from both stationary and mobile clients. The AnyConnect client is typically installed from a browser session to the ASA or it can be manually installed on the client or using various login scripts.

In addition to running on most desktop operating systems, AnyConnect is available for mobile on iOS and Android, and according to Cisco it will be available for Windows Mobile soon. Data can be protected by using either a SSL or IPSec tunnel, however, the SSL tunnel is only available when using the AnyConnect client.

Authentication can be accomplished against one or more external directories or using a built-in database. Setting up local users is quick through a wizard-like interface that allows you to go with the basics or expand into more advanced settings. All connections are made using client and connection profiles, which can also inherit settings from group policies. This provides for great granularity in how access is provisioned, but can be time-consuming when configuring the unit for the first time.

That being said, many settings use defaults that most users would probably use, and the built-in wizards are a great resource if you need to get something up and running quickly. This is how we created our first few policies and got up and running in a few minutes.

Similar to the other products we tested, the Dynamic Access Policy feature allows administrators to validate end point criteria before access is granted. We especially liked the ability to test a dynamic access policy on the fly before saving it.

Once the client is installed, it can be accessed from a shortcut on the desktop or from a browser window. The client software is available for most operating systems and we tested it both on Windows 7 and an iOS mobile device without any issues.

The logging and reporting capabilities of the ASDM software are very good and the real-time access to the SysLog affords administrators the ability closely observe traffic patterns and take corrective measures as needed. We would not recommend this appliance to newbies, but accomplished system administrators looking for raw power and the ultimate control over remote connections will definitely want to consider the Cisco ASA 5515-X security appliance.

Perschke is CSO for Arc Seven Technology. She is also an experienced technical writer, and has written numerous white papers for a number of organizations, including Fortune 500 companies. Susan can be reached at susan@arcseven.com.