Old 07-29-2008, 08:10 PM   #1
Jamsan
Senior Member
 
Join Date: Sep 2003
Posts: 789
Default SSL VPN

I'm curious as to who runs SSL VPN devices, and if you do, what type of hardware you decided to go with and why. We're coming down to the final selection of a hardware SSL VPN solution and I'm curious as to what you guys use/have used.

If anyone has any recommendations, we've narrowed the choices down to the F5 FirePass, Juniper SA 2500, and ASA 5510 VPN Edition. I can provide more details if required, but at a bare minimum, we're looking for an SSL solution that can provide full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows.

Thanks!
__________________
My Heat
My Ebay
Old 07-29-2008, 08:14 PM   #2
spidey07
No Lifer
 
Join Date: Aug 2000
Posts: 65,450
Default SSL VPN

Juniper, easiest to use.
__________________
___
(\__/)
(='.'=)
(")_(")
Old 07-29-2008, 08:42 PM   #3
RadiclDreamer
Diamond Member
 
Join Date: Aug 2004
Posts: 8,108
Default SSL VPN

So what's the deal with these things? We are looking to buy one soon as well. Do they basically work as a website that, when you log in, creates an SSL tunnel to pass the data that would have normally been passed by a VPN client?
__________________
CCENT, CCNA, A+, Net+
Old 07-29-2008, 10:12 PM   #4
Jamsan
Senior Member
 
Join Date: Sep 2003
Posts: 789
Default SSL VPN

Quote:
Originally posted by: RadiclDreamer
So what's the deal with these things? We are looking to buy one soon as well. Do they basically work as a website that, when you log in, creates an SSL tunnel to pass the data that would have normally been passed by a VPN client?

For the most part, yes. If you want to do full network tunneling for client/server apps, there's usually some sort of ActiveX or other type of client that gets installed when logging in through the website.

Quote:
Originally posted by: spidey07
Juniper, easiest to use.

I had a feeling someone would choose that one. Is there anything else besides ease of use that makes it a better product? The 100 concurrent SSL license + hardware comes to $16k or so. The ASA solution for 100 concurrent (plus it has IPSec if need be, SA is add-on) is only about $7k. Still awaiting pricing on the FirePass.
__________________
My Heat
My Ebay
Old 07-29-2008, 11:02 PM   #5
spidey07
No Lifer
 
Join Date: Aug 2000
Posts: 65,450
Default SSL VPN

Jamsan, don't look at the cost of the gear so much - it's the lesser of what it will cost you over the long run. People and operational expense to administer that gear are very expensive and are the bulk of the overall cost of ownership. I am a hardcore Cisco fanboi, but in this arena NetScreen (purchased by Juniper) are the clear winner; they practically invented the SSL VPN.

You can't choose network gear on specs, you must deal with total cost of ownership - this is where Cisco excels in many areas and totally fails at others. Where Cisco fails is administration of security gear.

A single problem and spending a few hours clunking through a poor user interface of the ASA vs. the NetScreen more than pays for itself.
__________________
___
(\__/)
(='.'=)
(")_(")
Old 07-30-2008, 09:12 PM   #6
Boscoh
Senior Member
 
Join Date: Jan 2002
Posts: 501
Default SSL VPN

Narrow it down to Juniper and Cisco. Contact account teams from both companies and request a demo box to play with.

We used Juniper (Netscreen/Neoteris) where I worked before joining Cisco and it was great. 3 years ago, Juniper owned Cisco on SSL VPN...now they don't. ASA 8.0 has very easy to use SSL VPN wizards in the ASDM GUI, and offers a ton of customization.

Are you looking at the box as only an SSL VPN appliance? As you noted, you also get IPSec with the ASA in addition to firewalling and the ability to add IPS.

As far as administration, Juniper really isn't any better. Especially if you're adding SSL appliances to the mix - completely different interface from ScreenOS, and not manageable by any tools that can also manage a ScreenOS or JunOS device.
Old 07-30-2008, 09:31 PM   #7
Jamsan
Senior Member
 
Join Date: Sep 2003
Posts: 789
Default SSL VPN

This box would primarily be an SSL VPN device. We're getting an SSG 350 for the firewall/IPS/content filtering portion, and didn't want to add VPN on top of it. If the Cisco can do a lot of the stuff we need it for via the SSL VPN (as mentioned in my previous post), it might be the better option for us right now.

I'll take your suggestion of getting some test boxes out to play with.
__________________
My Heat
My Ebay
Old 07-31-2008, 09:41 PM   #8
Cable God
Diamond Member
 
Join Date: Jun 2000
Location: Not far from Atlanta
Posts: 3,250
Default SSL VPN

We use a couple of Juniper SA SSL VPNs and they perform very well.
__________________
"Truth is treason in the empire of lies."
Old 01-21-2013, 01:13 AM   #9
booya_donka
Junior Member
 
Join Date: Jan 2013
Posts: 1
Default

Sorry for replying to such a long-untouched post. But I think F5 is the best SSL VPN in the market for now. And for those that just need a simple GUI such as ASDM (no offense, Boscoh), then try F5.
You will be amazed by the beauty of F5's visual policy editor that could give you the greatest granular control over your company policy. All the features you ask for,
"full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows,"
are just sitting right there.

We have 1 and I think it's very beautiful. Moreover, you can combine so many things inside a single box.

Quote:
Originally Posted by Boscoh View Post
Narrow it down to Juniper and Cisco. Contact account teams from both companies and request a demo box to play with.

We used Juniper (Netscreen/Neoteris) where I worked before joining Cisco and it was great. 3 years ago, Juniper owned Cisco on SSL VPN...now they don't. ASA 8.0 has very easy to use SSL VPN wizards in the ASDM GUI, and offers a ton of customization.

Are you looking at the box as only an SSL VPN appliance? As you noted, you also get IPSec with the ASA in addition to firewalling and the ability to add IPS.

As far as administration, Juniper really isn't any better. Especially if you're adding SSL appliances to the mix - completely different interface from ScreenOS, and not manageable by any tools that can also manage a ScreenOS or JunOS device.
Old 01-21-2013, 07:40 AM   #10
Genx87
Lifer
 
Join Date: Apr 2002
Location: Earth
Posts: 36,193
Default

Been using SonicWall's NSA 3500 for the past 2 years. It is pretty straightforward and capable. Though I am not sure it would meet your requirements.
__________________
"Communism can be defined as the longest route from capitalism to capitalism."
"Capitalism is the unequal distribution of wealth. Socialism is the equal distribution of poverty"
"Because you can trust freedom when it is not in your hand. When everybody is fighting for their promised land"

Last edited by Genx87; 01-21-2013 at 07:43 AM.
Old 01-21-2013, 07:46 AM   #11
Railgun
Senior Member
 
Join Date: Mar 2010
Location: ORD-->LHR
Posts: 986
Default

Juniper here as well.
Old 01-21-2013, 05:34 PM   #12
m1ldslide1
Platinum Member
 
Join Date: Feb 2006
Location: PDX
Posts: 2,322
Default

I've only used ASA and AnyConnect, and I thought it was pretty easy to set up and use. Agree with Boscoh that new wizards in ASDM make a world of difference. Maybe also look at performance - how many concurrent users? How much throughput? If either of those is very high then consider the 5512-X, which is the newer appliance and has better scalability #'s for nearly the same price as 5010.

Also agree with Spidey that the main factor is ease of use - if you pick a solution based on cheaper hardware cost, you may regret it some Sunday at 2am when you're trying to fix something and don't fully understand the interface. I find the ASDM to be easy to use, but to each his own. If you do the demo like someone else said and find the more expensive box to make a lot more sense, then it's worth the $$$ IMHO.
__________________
One's mind, once stretched by a new idea, never regains its original dimensions.
--Oliver Wendell Holmes

Crunching for Team AnandTech!
Old 01-21-2013, 07:07 PM   #13
Jamsan
Senior Member
 
Join Date: Sep 2003
Posts: 789
Default

Holy bumpage - figured I'd reply since someone took the time to bring this back from the past.

We ended up going with the ASA way back then. It's honestly been very easy to use and would recommend them hands down. The AnyConnect is a breeze and the SSL VPN portal meets the needs for our basic requirements (File sharing, internal web sites, some CIFS, RDP, etc.).

We're looking to get a 2nd (finally) for HA.
__________________
My Heat
My Ebay
Old 01-22-2013, 11:39 AM   #14
m1ldslide1
Platinum Member
 
Join Date: Feb 2006
Location: PDX
Posts: 2,322
Default

Quote:
Originally Posted by Jamsan View Post
Holy bumpage - figured I'd reply since someone took the time to bring this back from the past.

We ended up going with the ASA way back then. It's honestly been very easy to use and would recommend them hands down. The AnyConnect is a breeze and the SSL VPN portal meets the needs for our basic requirements (File sharing, internal web sites, some CIFS, RDP, etc.).

We're looking to get a 2nd (finally) for HA.
Ha! I didn't even see the original posting date. Looks like a Junior Member with a post count of 1 brought it back to spam about F5. Probably should be deleted on those grounds alone.

Glad it worked out either way.
__________________
One's mind, once stretched by a new idea, never regains its original dimensions.
--Oliver Wendell Holmes

Crunching for Team AnandTech!
Old 01-25-2013, 10:04 AM   #15
GobBluth
Senior Member
 
Join Date: Sep 2012
Posts: 373
Default

Using Cisco AnyConnect here.
__________________
"The last time a Russian hit a Brother that hard,
Ivan Drago killed Apollo Creed!" Fedor v. Rogers