Wednesday 28 July 2010

Cisco Small Business Pro SA 500 Series Security Appliances

We have been looking around for a security appliance to replace our SBS 2003 Premium ISA installs for a while now.

We have looked at a number of different vendors, with none really standing out as the right product for our clients’ needs.

Cisco, however, has a relatively new product line in the Cisco Small Business Pro series. This series was born out of an initiative created when Linksys was brought on board with them.

When it comes to features needed with regards to replacing ISA we are looking for the ability to assign multiple static IPs to the WAN port on the appliance.

Having multiple public IPs on the WAN port allows us to publish multiple servers or backend systems that the client may have that require a dedicated SSL/HTTPS connection.

We found out today that the Cisco 500 Series Security Appliances (Cisco product comparison page) have the ability to bind multiple public static IPs to the WAN port, which allows us to set up rules to publish any needed internal services.

As a result, we are in the process of acquiring an SA520-K9 security appliance from one of our suppliers. Once it arrives we will evaluate the product to see if it really can meet our clients’ needs and our own.

If it does, our search for a reasonably priced and fully featured gateway appliance product has ended.

The bonus in all of this is that the Cisco name sells itself.

Philip Elder
MPECS Inc.
Microsoft Small Business Specialists
Co-Author: SBS 2008 Blueprint Book

*Our original iMac was stolen (previous blog post). We now have a new MacBook Pro courtesy of Vlad Mazek, owner of OWN.

5 comments:

Anonymous said...

Have you looked at the Sonicwall NSA series?

We use these for larger sites and TZ210 for remote / home users.

Good support, CGSS pack is also very useful.

Phil said...

Check out this newegg review. Lots of pros and cons in this review. RADIUS apparently is bugged without a fix yet.

http://www.newegg.com/Product/Product.aspx?Item=N82E16833150073&Tpk=cisco%20sa%20520w

Philip Elder Cluster MVP said...

A,

Yes, we looked at SonicWall. The problem was getting a straight answer on which products supported multiple IP addresses on the WAN port and how to work the rules.

Search was not necessarily the easiest way to come up with the needed answers either since each manufacturer seems to call the ability to bind multiple IPs to the WAN port something different.

Phil,

The reviews are okay.

As far as RADIUS is concerned, we would be looking at an alternative setup as most of our gateway devices will be sitting inside of a locked rack mount enclosure (Faraday Cage) which would sufficiently kill the wireless.

Thanks for the pointers.

Philip

ChrisB said...

With the SonicWall TZ/NSA models, you don't specifically bind them to a WAN port.

When we install them for our customers, we'll use one IP from their allocated public range for a WAN port. We can then use any of the other IPs in their allocation in NAT / firewall rules to provide services on those IPs.

Keith said...

For smaller sites, Draytek router/firewalls are a brilliantly simple option. http://www.draytek.co.uk/

Dead easy to configure and support a lot of advanced functionality. We use them either on their own or in tandem with a SonicWall.

We also use Checkpoint UTM-Edge firewalls. The X model has ADSL modem built in and is very neat.