Best VPN Appliance

Joel M Snyder Joel.Snyder at Opus1.COM
Thu Mar 18 15:14:25 UTC 2010


> 
> Thank-you all for reply and suggesting the VPN Box.
> I'm in the process of evaluating different boxes and they are;
> 
> SA4500 SSL VPN Appliance
> http://www.juniper.net/us/en/products-services/security/sa-series/sa4500/
> 
> Barracuda SSL VPN
> http://www.barracudanetworks.com/ns/products/sslvpn_overview.php
> 
> F5 FirePass SSL VPN
> http://www.f5.com/products/firepass/
> 
> The problem I'm facing so far is MAC OS X compatibility. The demo box I had for Juniper was not able to run Network Connect on MAC OS 10.5.8.

The Juniper SSL VPN works great with Mac 10.6 (and prior versions going 
back about 5 years).  I'm not sure what issue you might be seeing, but 
Network Connect is very solid in that environment.  Secure Meeting also 
works fine on the Mac.  The place where you will have compatibility 
issues is the end-point security checking, but this is common to all OS 
X.  If you're not doing EPS checking, you don't care.  If you are, you 
already know that Macs have a different set of software & vocabulary 
than Windows platforms.

> From your experience from F5, Juniper and Barracuda, which one will be best in terms of;
> 
> 1) Support
> 2) Resiliency 
> 3) Security
> 4) Scalability
> 5) Manageability

The Barracuda box is very new and I haven't looked at it, but certainly 
the Juniper and F5 boxes are top contenders; you should also be looking 
at SonicWALL (which used to be Aventail).

Your laundry list above is fairly vague, since you don't list YOUR 
requirements.  However, I did a very extensive test of SSL VPN devices a 
few years ago which is still VERY applicable to the products that were 
in it.  This is considered a fairly mature market, and the F5 box of 
today is not very different from the one of three years ago.

You might consider figuring out what you want to do with the box, and 
then measuring the contenders against that, rather than asking "which is 
the most scalable," since in the NANOG context that could mean anything 
from "two-node active/active cluster" to "geographic clustering in 40 
data centers."  (Nick will at this point chime in with his now-famous 
"string analogy")

Try reading this:

http://www.networkworld.com/reviews/2005/121905-ssl-test-intro.html?rl

It's dated 2005, so you can assume that annoying bugs are fixed, but 
product feature sets are very similar.  There's also some more recent 
SSL VPN testing I've done in Network World, such as the Netgear box (not 
designed for the enterprise) and just last week the Microsoft one.

Note that Network World writes for enterprises, and NANOG is a service 
provider mailing list, so depending on why you're asking for this, my 
results may or may not be applicable.   For example, features like 
delegated and partitioned management, which are SP-critical but often 
ignored in the enterprise, weren't really part of my evaluation.

jms

-- 
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One       Phone: +1 520 324 0494
jms at Opus1.COM                http://www.opus1.com/jms



