Cisco SA 520 review
By Paul Venezia | InfoWorld | Published: 13:30, 10 November 2010
You can also use some higher end features, including URL filtering, traffic allowance based on approved client lists and malware and spam filtering through licensed Trend Micro technology. Another separately licensed option is the IPS (Intrusion Prevention System) that offers another layer of protection for the internal network by filtering traffic based on signatures downloaded from external resources.
With the built-in four port switch and support for a single DMZ, I can see the SA 520 fitting in well in a small business infrastructure.
I don't feel the same way about the use of the Cisco SA 520 for remote office connectivity. While the stats on the SA 520 clearly position it as a viable candidate to link a small remote office back to headquarters via a VPN tunnel, the lack of reasonable remote management capabilities makes it a hard sell.
For one thing there's no console port, so there's no way to use a serial terminal server to access the device during a failure. There's also no CLI, so all management must be conducted via the web GUI, which can be very annoying. While there is the ability to download a configuration file for backup, it's not really viable to modify the file offline, as you can for nearly all other Cisco network devices.
Remote administration is possible but can be granted to only a single source IP address, not a subnet or selection of addresses. Also, the SNMP MIB (management information base) situation with the SA 520 is somewhat perplexing. Certain aspects of the device respond to Cisco's MIBs, while others respond to standard UCD-SNMP MIBs. Even more confusing, the MIB support has changed between firmware releases. The upshot is that you may be able to enumerate interfaces with a UCD MIB, but you won't get any traffic data unless you're using the Cisco MIB, or vice versa. It's a bit of a jumble.
Also disturbing is that the SA 520 appears to have problems retaining its configuration across certain firmware updates. I updated the firmware, only to find the device return to factory settings. Should that happen with an SA 520 at a remote site with no other connectivity and no serial console that could ostensibly be connected to a modem, it would remain offline until someone can reconfigure it from the LAN through a web browser. That's definitely not a good situation for a remote office firewall.
However, the SA 520 supports up to 50 IPSec 3DES-to-AES256 tunnels, though working with the VPN tunnel management interface and wizard can be frustrating for experienced admins who are used to the ease and simplicity of CLI-based configuration.
The IPSec VPNs did function properly with all encryption algorithms and once I wrapped my head around how the VPN tunnel construction interface was designed, I was able to bring up tunnels to Cisco PIX and ASA firewalls without issue.
In short, the SA 520 can run an AES256 IPSec VPN up to 65Mbps, but it'll make you work harder than you think you should to implement it and maintain proper operation.