SSL VPN

Discussion in 'Networking' started by Jamsan, Jul 29, 2008.

  1. Jamsan

    Jamsan Senior member

    I'm curious as to who runs SSL VPN devices, and if you do, what type of hardware you decided to go with and why. We're coming down to the final selection of a hardware SSL VPN solution and I'm curious as to what you guys use/have used.

    If anyone has any recommendations, we've narrowed the choices down to the F5 FirePass, Juniper SA 2500, and ASA 5510 VPN Edition. I can provide more details if required, but bare minimum, we're looking for an SSL solution that can provide full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows.

    Thanks!
     
  2. spidey07

    spidey07 No Lifer

    Juniper, easiest to use.
     
  3. RadiclDreamer

    RadiclDreamer Diamond Member

    So what's the deal with these things, we are looking to buy one soon as well. Do they basically work as a website that when you login it creates an SSL tunnel to pass the data that would have normally been passed by a VPN client?
     
  4. Jamsan

    Jamsan Senior member

    For the most part, yes. If you want to do full network tunneling for client/server apps, there's usually some sort of ActiveX or other type of client that gets installed when logging in through the website.

    I had a feeling someone would choose that one. Is there anything else besides ease of use that makes it a better product? The 100 concurrent SSL license + hardware comes to $16k or so. The ASA solution for 100 concurrent (plus it has IPSec if need be, SA is add-on) is only about $7k. Still awaiting pricing on the firepass.
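    As an added illustration (not from any poster in this thread, and not the code of any of the products named), here is a toy version of the access-policy step an SSL VPN portal performs after the user has authenticated over HTTPS: for each published resource it checks the user's group membership and the endpoint's host-check posture, and the tunnel then default-denies anything not on that per-session list. This is the mechanism behind "limit what resources are applicable" and "end-point security" from the original requirements. All user names, groups, hostnames and posture attributes are constructed for the example.

```python
"""Toy SSL VPN resource-access policy (constructed example, not vendor code).

After portal login, the appliance builds a per-session list of resources the
user may reach, combining group-based authorization with an endpoint posture
(host check) result. The tunnel component then allows only those destinations.
"""
from dataclasses import dataclass
from typing import FrozenSet, List


@dataclass(frozen=True)
class Resource:
    name: str
    host: str
    port: int
    proto: str                    # "https", "cifs", "rdp" (labels only)
    groups: FrozenSet[str]        # groups allowed to reach this resource
    requires_posture: bool = False  # True: endpoint must pass the host check


@dataclass(frozen=True)
class Endpoint:
    antivirus_running: bool
    os_patched: bool
    managed_device: bool


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    endpoint: Endpoint


# Constructed policy table; a real appliance keeps this in its configuration.
RESOURCES: List[Resource] = [
    Resource("intranet", "intranet.corp.example", 443, "https",
             frozenset({"staff", "admins"})),
    Resource("fileshare", "files.corp.example", 445, "cifs",
             frozenset({"staff", "admins"}), requires_posture=True),
    Resource("jump-rdp", "jump.corp.example", 3389, "rdp",
             frozenset({"admins"}), requires_posture=True),
]


def posture_ok(ep: Endpoint) -> bool:
    """Host check: every posture attribute must be satisfied."""
    return ep.antivirus_running and ep.os_patched and ep.managed_device


def allowed_resources(session: Session) -> List[str]:
    """Names of resources this session may tunnel to, in policy order."""
    allowed = []
    for r in RESOURCES:
        if not (r.groups & session.groups):        # no matching group
            continue
        if r.requires_posture and not posture_ok(session.endpoint):
            continue                                 # failed host check
        allowed.append(r.name)
    return allowed


def tunnel_decision(session: Session, host: str, port: int) -> str:
    """Default deny: only a published, permitted resource is reachable."""
    permitted = set(allowed_resources(session))
    for r in RESOURCES:
        if r.host == host and r.port == port and r.name in permitted:
            return "allow"
    return "deny"


def audit_line(session: Session, host: str, port: int) -> str:
    """One log line per decision, useful for detection and troubleshooting."""
    verdict = tunnel_decision(session, host, port)
    return (f"user={session.user} dst={host}:{port} verdict={verdict} "
            f"posture={'ok' if posture_ok(session.endpoint) else 'fail'}")


if __name__ == "__main__":
    clean = Endpoint(antivirus_running=True, os_patched=True, managed_device=True)
    alice = Session("alice", frozenset({"staff"}), clean)
    print(allowed_resources(alice))
    print(audit_line(alice, "jump.corp.example", 3389))
```

    The point a practitioner should take from it: the host check gates only the resources marked as requiring it, and any destination not in the published list is denied regardless of group, so the tunnel never becomes a flat route into the internal network.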
     
  5. spidey07

    spidey07 No Lifer

    Jamsan, don't look at the cost of the gear so much - it's the lesser of what it will cost you over the long run. People and operational expense to administer that gear are very expensive and are the bulk of the overall cost of ownership. I am a hardcore cisco fanboi, but in this arena netscreen (purchased by juniper) are the clear winner, they practically invented the SSL vpn.

    You can't choose network gear on specs, you must deal with total cost of ownership - this is where cisco excels in many areas and totally fails at others. Where Cisco fails is administration of security gear.

    A single problem and spending a few hours clunking through a poor user interface of the ASA vs. the netscreen more than pays for itself.
     
  6. Boscoh

    Boscoh Senior member

    Narrow it down to Juniper and Cisco. Contact account teams from both companies and request a demo box to play with.

    We used Juniper (Netscreen/Neoteris) where I worked before joining Cisco and it was great. 3 years ago, Juniper owned Cisco on SSL VPN...now they don't. ASA 8.0 has very easy to use SSL VPN wizards in the ASDM GUI, and offers a ton of customization.

    Are you looking at the box as only an SSL VPN appliance? As you noted, you also get IPSec with the ASA in addition to firewalling and the ability to add IPS.

    As far as administration, Juniper really isn't any better. Especially if you're adding SSL appliances to the mix - completely different interface from ScreenOS, and not manageable by any tools that can also manage a ScreenOS or JunOS device.
     
  7. Jamsan

    Jamsan Senior member

    This box would primarily be an SSL VPN device. We're getting an SSG 350 for the firewall/IPS/content filtering portion, and didn't want to add VPN on top of it. If the Cisco can do a lot of the stuff we need it for via the SSL VPN (as mentioned in my previous post), it might be the better option for us right now.

    I'll take your suggestion of getting some test boxes out to play with.
     
  8. Cable God

    Cable God Diamond Member

    We use a couple of Juniper SA SSL VPNs and they perform very well.
     
  9. booya_donka

    booya_donka Junior Member

    Sorry for replying to such a long untouched post. But I think F5 is the best SSL VPN in the market for now. And for those that just need a simple GUI such as ASDM (no offense Boscoh :colbert:), then try F5.
    You will be amazed by the beauty of F5's visual policy editor that could give you the greatest granular control over your company policy. All the features you ask for
    "full application tunneling, the ability to limit what resources are applicable, end-point security, and lastly, the ability to establish the connection prior to logging into Windows."
    are just sitting right there.

    We have 1 and I think it's very beautiful. Moreover you can combine so many things inside a single box.

     
  10. Genx87

    Genx87 Lifer

    Been using SonicWall's NSA 3500 for the past 2 years. It is pretty straightforward and capable. Though I am not sure it would meet your requirements.
     
    #10 Genx87, Jan 21, 2013
    Last edited: Jan 21, 2013
  11. Railgun

    Railgun Golden Member

    Juniper here as well.
     
  12. m1ldslide1

    m1ldslide1 Platinum Member

    I've only used ASA and Anyconnect, and I thought it was pretty easy to set up and use. Agree with Boscoh that new wizards in ASDM make a world of difference. Maybe also look at performance - how many concurrent users? How much throughput? If either of those are very high then consider the 5512-X, which is the newer appliance and has better scalability #'s for nearly the same price as 5010.

    Also agree with Spidey that the main factor is ease of use - if you pick a solution based on cheaper hardware cost, you may regret it some Sunday at 2am when you're trying to fix something and don't fully understand the interface. I find the ASDM to be easy to use, but to each his own. If you do the demo like someone else said and find the more expensive box to make a lot more sense, then it's worth the $$$ IMHO.
     
  13. Jamsan

    Jamsan Senior member

    Holy bumpage - figured I'd reply since someone took the time to bring this back from the past.

    We ended up going with the ASA way back then. It's honestly been very easy to use and would recommend them hands down. The AnyConnect is a breeze and the SSL VPN portal meets the needs for our basic requirements (File sharing, internal web sites, some CIFS, RDP, etc.).

    We're looking to get a 2nd (finally) for HA.
     
  14. m1ldslide1

    m1ldslide1 Platinum Member

    Ha! I didn't even see the original posting date. Looks like a Junior Member with a post count of 1 brought it back to spam about F5. Probably should be deleted on those grounds alone.

    Glad it worked out either way.
     
  15. GobBluth

    GobBluth Senior member

    Using Cisco AnyConnect here.