November 09, 2010, 12:00 PM — There are two ways to look at the Cisco SA 520 network security appliance. On one hand, it offers a solid array of features: 65Mbps IPSec VPN throughput, 100Mbps overall throughput, integrated firewall (limited to 100 rules), built-in filtering for common services like IM and P2P networking, SSL VPN, IPS, DDNS, and multi-WAN support. On the other hand, it has nearly no relation to the rest of Cisco's security solutions.
The Cisco SA 520 is physically similar to the old Cisco PIX 501, and it offers similar basic functionality. However, that's where the similarities stop: Whereas the PIX 501 ran PIXOS, the SA 520 runs a Linux-based operating system. Where the PIX 501 was as easy to manage as its bigger brothers, the SA 520 runs a completely different OS, has no console port, and no CLI. It's administered via a somewhat cranky Web-based UI.
From the perspective of a small business looking for a firewall that offers some relatively advanced features, the Cisco SA 520 is suitable. For a network professional looking for a small-site VPN endpoint device, the SA 520 is a mixed bag. It fits the bill in terms of capacity, features, and throughput, but from a management perspective, it promises headaches. Given that scenario, I'm going to address both viewpoints.
Cisco SA 520: Good for small business
The Cisco SA 520 ($419 street) provides a wealth of options as a small-business security appliance. There's a little of everything here, from basic firewalling tasks through SSL VPN features, including SSL VPN portal pages. On the back end, it will integrate with Active Directory or standard LDAP authentication services to allow users to to log into the VPN with their domain credentials.
However, the stock model is outfitted with only two SSL VPN licenses, expandable to 25 by purchasing more. Two might not be the loneliest number, but it certainly seems tiny in this case. Oddly, the SA 520 allows for 50 IPSec tunnels out of the box. It's hard to see anyone in the small-business space needing 50 IPSec tunnels but only two client-based SSL VPN tunnels.
There's also support for multiple WAN interfaces and load balancing, so you can leverage multiple Internet connections within a single device. Further, you can create rules that apply to total traffic passed through each Internet connection to ensure you don't go over ISP-imposed limits, if any should exist.