Review: Cisco SA 520 firewall disappoints

By Paul Venezia, InfoWorld |  Security, Cisco, firewall


Coupled with that are basic QoS rules that allow traffic classification based on TCP or UDP port, source addresses, VLAN, or even a physical port. This traffic can be prioritized into high, medium, or low priorities. The SA 520 also supports 802.1p traffic prioritization that adds much more granularity, though you'll need to classify traffic with 802.1p internally for this to function.
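To make the classification model described above concrete, here is an added example of a first-match QoS classifier: rules match on TCP/UDP destination port, source address or prefix, VLAN id, ingress physical port, or an 802.1p priority code point, and map traffic into the three classes (high, medium, low). This is illustrative code written for this review, not Cisco firmware or configuration; the policy rules and sample packets are constructed, and the handling of untagged frames shows the caveat that 802.1p rules can only act on traffic that already carries a priority tag.

```python
"""First-match QoS traffic classifier (constructed example, not the SA 520's code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

PRIORITIES = ("high", "medium", "low")


@dataclass
class Packet:
    proto: str                       # "tcp" or "udp"
    dst_port: int
    src: str                         # source address as text
    vlan: Optional[int] = None       # 802.1Q VLAN id, if tagged
    phys_port: Optional[int] = None  # ingress switch port number
    pcp: Optional[int] = None        # 802.1p priority code point (0-7), if tagged


@dataclass
class Rule:
    priority: str
    proto: Optional[str] = None      # restrict to "tcp"/"udp"; None = either
    port: Optional[int] = None       # destination port
    src: Optional[str] = None        # source address or CIDR prefix
    vlan: Optional[int] = None
    phys_port: Optional[int] = None
    pcp: Optional[int] = None        # 802.1p value; only matches tagged frames
    src_net: object = field(init=False, default=None, repr=False)

    def __post_init__(self):
        # Validate the rule once, so a typo in the policy fails loudly
        if self.priority not in PRIORITIES:
            raise ValueError(f"unknown priority {self.priority!r}")
        if self.pcp is not None and not 0 <= self.pcp <= 7:
            raise ValueError("802.1p PCP must be in the range 0..7")
        if self.proto is not None:
            self.proto = self.proto.lower()
        if self.src is not None:
            self.src_net = ip_network(self.src, strict=False)

    def matches(self, pkt: Packet) -> bool:
        # Every field that is set on the rule must match; unset fields are wildcards
        if self.proto is not None and pkt.proto.lower() != self.proto:
            return False
        if self.port is not None and pkt.dst_port != self.port:
            return False
        if self.src is not None and ip_address(pkt.src) not in self.src_net:
            return False
        if self.vlan is not None and pkt.vlan != self.vlan:
            return False
        if self.phys_port is not None and pkt.phys_port != self.phys_port:
            return False
        # An 802.1p rule cannot match a frame that carries no PCP tag (pkt.pcp is None)
        if self.pcp is not None and pkt.pcp != self.pcp:
            return False
        return True


def classify(pkt: Packet, rules: List[Rule], default: str = "low") -> str:
    """First matching rule wins; traffic matching no rule falls into the default class."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.priority
    return default


# Constructed policy for the example; not taken from the review or the device
POLICY = [
    Rule("high", proto="udp", port=5060),   # VoIP signalling by UDP port
    Rule("high", src="10.0.5.0/24"),        # a management subnet by source prefix
    Rule("high", pcp=6),                    # frames already tagged 802.1p PCP 6
    Rule("medium", vlan=20),                # an office VLAN
    Rule("low", phys_port=4),               # a guest switch port
]

if __name__ == "__main__":
    samples = [
        Packet("udp", 5060, "192.168.1.10"),
        Packet("tcp", 443, "10.0.5.7"),
        Packet("tcp", 80, "192.168.1.10", vlan=20),            # untagged: 802.1p rule skipped
        Packet("tcp", 80, "192.168.1.10", vlan=20, pcp=6),     # tagged: 802.1p rule applies
        Packet("tcp", 80, "192.168.2.1", phys_port=4),
        Packet("tcp", 80, "192.168.1.10"),                     # matches nothing -> default
    ]
    for pkt in samples:
        print(f"{pkt.proto}/{pkt.dst_port} from {pkt.src} -> {classify(pkt, POLICY)}")
```

Rule order matters: the classifier stops at the first match, so a broad rule placed early (such as the source-prefix rule above) shadows anything narrower that follows it, which is the usual way to review a QoS policy for unintended precedence.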

You can also use some higher-end features, including URL filtering, traffic allowance based on approved client lists, and malware and spam filtering through licensed Trend Micro technology. Another separately licensed option is the IPS (Intrusion Prevention System) that offers another layer of protection for the internal network by filtering traffic based on signatures downloaded from external resources.

With the built-in four-port switch and support for a single DMZ, I can see the SA 520 fitting in well in a small-business infrastructure.

Cisco SA 520: Bad for the remote office

I don't feel the same way about the use of the Cisco SA 520 for remote office connectivity. While the stats on the SA 520 clearly position it as a viable candidate to link a small remote office back to headquarters via a VPN tunnel, the lack of reasonable remote-management capabilities makes it a hard sell.

For one thing, there's no console port, so there's no way to use a serial terminal server to access the device during a failure. There's also no CLI, so all management must be conducted via the Web GUI, which can be very annoying. While there is the ability to download a configuration file for backup, it's not really viable to modify the file offline, as you can for nearly all other Cisco network devices.

Remote administration is possible but can be granted to only a single source IP address, not a subnet or selection of addresses. Also, the SNMP MIB (management information base) situation with the SA 520 is somewhat perplexing. Certain aspects of the device respond to Cisco's MIBs, while others respond to standard UCD-SNMP MIBs. Even more confusing, the MIB support has changed between firmware releases. The upshot is that you may be able to enumerate interfaces with a UCD MIB, but you won't get any traffic data unless you're using the Cisco MIB, or vice versa. It's a bit of a jumble.

Originally published on InfoWorld.