SSL VPN

Jamsan

Senior member
Sep 21, 2003
795
0
71
I'm curious as to who runs SSL VPN devices, and if you do, what type of hardware you decided to go with and why. We're coming down to the final selection of a hardware SSL VPN solution and I'm curious as to what you guys use/have used.

If anyone has any recommendations, we've narrowed the choices down to the F5 FirePass, Juniper SA 2500, and ASA 5510 VPN Edition. I can provide more details if required, but bare minimum, we're looking for an SSL solution that can provide full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows.

Thanks!
 

RadiclDreamer

Diamond Member
Aug 8, 2004
8,622
40
91
So what's the deal with these things? We are looking to buy one soon as well. Do they basically work as a website that, when you log in, creates an SSL tunnel to pass the data that would have normally been passed by a VPN client?
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
Originally posted by: RadiclDreamer
So what's the deal with these things? We are looking to buy one soon as well. Do they basically work as a website that, when you log in, creates an SSL tunnel to pass the data that would have normally been passed by a VPN client?

For the most part, yes. If you want to do full network tunneling for client/server apps, there's usually some sort of ActiveX or other type of client that gets installed when logging in through the website.

Originally posted by: spidey07
Juniper, easiest to use.
I had a feeling someone would choose that one. Is there anything else besides ease of use that makes it a better product? The 100 concurrent SSL license + hardware comes to $16k or so. The ASA solution for 100 concurrent (plus it has IPSec if need be, SA is add-on) is only about $7k. Still awaiting pricing on the FirePass.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Jamsan, don't look at the cost of the gear so much - it's the lesser of what it will cost you over the long run. People and operational expense to administer that gear are very expensive and are the bulk of the overall cost of ownership. I am a hardcore Cisco fanboi, but in this arena NetScreen (purchased by Juniper) is the clear winner; they practically invented the SSL VPN.

You can't choose network gear on specs; you must deal with total cost of ownership - this is where Cisco excels in many areas and totally fails at others. Where Cisco fails is administration of security gear.

A single problem and spending a few hours clunking through a poor user interface of the ASA vs. the NetScreen more than pays for itself.
 

Boscoh

Senior member
Jan 23, 2002
501
0
0
Narrow it down to Juniper and Cisco. Contact account teams from both companies and request a demo box to play with.

We used Juniper (Netscreen/Neoteris) where I worked before joining Cisco and it was great. 3 years ago, Juniper owned Cisco on SSL VPN...now they don't. ASA 8.0 has very easy to use SSL VPN wizards in the ASDM GUI, and offers a ton of customization.

Are you looking at the box as only an SSL VPN appliance? As you noted, you also get IPSec with the ASA in addition to firewalling and the ability to add IPS.

As far as administration, Juniper really isn't any better. Especially if you're adding SSL appliances to the mix - completely different interface from ScreenOS, and not manageable by any tools that can also manage a ScreenOS or JunOS device.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
This box would primarily be an SSL VPN device. We're getting an SSG 350 for the firewall/IPS/content filtering portion, and didn't want to add VPN on top of it. If the Cisco can do a lot of the stuff we need it for via the SSL VPN (as mentioned in my previous post), it might be the better option for us right now.

I'll take your suggestion of getting some test boxes out to play with.
 

booya_donka

Junior Member
Jan 21, 2013
1
0
0
Sorry for replying to such a long-untouched post, but I think F5 is the best SSL VPN on the market for now. And for those that just need a simple GUI such as ASDM (no offense Boscoh :colbert:), then try F5.
You will be amazed by the beauty of F5's visual policy editor, which could give you the greatest granular control over your company policy. All the features you ask for,
"full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows."
are just sitting right there.

We have one and I think it's very beautiful. Moreover, you can combine so many things inside a single box.
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
Been using SonicWall's NSA 3500 for the past 2 years. It is pretty straightforward and capable. Though I am not sure it would meet your requirements.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
I've only used ASA and AnyConnect, and I thought it was pretty easy to set up and use. Agree with Boscoh that new wizards in ASDM make a world of difference. Maybe also look at performance - how many concurrent users? How much throughput? If either of those is very high then consider the 5512-X, which is the newer appliance and has better scalability #'s for nearly the same price as 5010.

Also agree with Spidey that the main factor is ease of use - if you pick a solution based on cheaper hardware cost, you may regret it some Sunday at 2am when you're trying to fix something and don't fully understand the interface. I find the ASDM to be easy to use, but to each his own. If you do the demo like someone else said and find the more expensive box to make a lot more sense, then it's worth the $$$ IMHO.
 

Jamsan

Senior member
Sep 21, 2003
795
0
71
Holy bumpage - figured I'd reply since someone took the time to bring this back from the past.

We ended up going with the ASA way back then. It's honestly been very easy to use and would recommend them hands down. The AnyConnect is a breeze and the SSL VPN portal meets the needs for our basic requirements (File sharing, internal web sites, some CIFS, RDP, etc.).

We're looking to get a 2nd (finally) for HA.
 

m1ldslide1

Platinum Member
Feb 20, 2006
2,321
0
0
Ha! I didn't even see the original posting date. Looks like a Junior Member with a post count of 1 brought it back to spam about F5. Probably should be deleted on those grounds alone.

Glad it worked out either way.