Not everything made by Cisco is made of gold

March 8th, 2010

The scenario:  You’ve found yourself working at a company that is experiencing phenomenal growth.  The headcount has actually decupled in the past year and shows no sign of slowing in the near future (on this note, when was the last time you saw the word “decupled” in print?).  You have inherited a network that is truly a Frankensteinian creation that not even the original architects understand any more.  You have noticed that you have neither a working firewall nor a decent VPN system, though the Cisco VPN client is used by a handful of key employees to connect to a Cisco 1800 series router.  The IP scheme for the organization, which spans three sites, uses the 192.x.x.x address space.  You wish to straighten everything out with a minimum of downtime and as seamlessly as possible for the end users.  What do you do?

Well, instead of telling you what to do, allow me to tell you what not to do.  Not just that, let me drill into your collective skulls what not to do.  Are you ready?  Here it comes:

Do not, and this is key, so write it down… do not buy a Cisco SA 500 series device.

Did you get all that down?  Now, I know some of you are thinking, “Wait a minute there, sir!  Cisco makes excellent business systems!  I am shocked at your lack of understanding!”  For those of you saying that, you have probably used something like the Cisco ASA 5505 to wrangle your network and think Cisco walks on water.  It’s okay… until recently I was one of you.  I’m here to tell you that putting the SA 500 in the same category as the ASA 5505 is akin to putting your child’s refrigerator “art” in the same category as the Mona Lisa (sorry, moms).

Here’s the lowdown on this “Security Appliance” that will be the bane of your existence.   First, the unit is essentially an enhanced, rebranded Linksys product meant for small businesses.  Now, I like that Cisco bought Linksys when it comes to home and small business products, and up until meeting this hardware from hell I had thought the acquisition would never go wrong.  So what is so wrong with something like this?  Well, if you like certain features such as a command-line interface, support for any VPN client other than the Linksys (whoops, I mean “Cisco”) QuickVPN, and the other things you’ve come to expect from a Cisco device, then you’ll understand the issue I have with this product.

Second, the price points for these units are right up there with the vastly superior ASA 5505.  You’re paying the same price for this Yugo of a device as you would for one that is a Camaro.  Why would someone in their right mind do something like this?  Let me tell you how someone could be misguided into purchasing this unit.  Unlike the ASA 5505, the SA 500 allows you to integrate VeriSign’s Identity Protection (VIP) one-time-password service for VPN access.  Now, I understand how OTP is a good thing, but for a medium-sized company I’ve found that tying VPN access to Active Directory authentication over RADIUS (using Microsoft IAS) is not a bad alternative, especially if you’re following security best practices and giving users least-privilege accounts.

So, let’s say you are okay with the lack of Cisco VPN client support and you’re young, so you love purely web-based GUI interfaces (this is you if you’ve ever thought “Command line… what is this, 1985?”).  What other issues would you run into?  Well, for one, the SA 500 doesn’t allow you to activate support for QuickVPN unless you’re on a 10.x.x.x network.  So, you know, you would have to redo your entire corporate IP scheme.  If that isn’t doing it for you, keep in mind that there is a big difference between the Cisco VPN client and Linksys/Cisco QuickVPN:

Cisco VPN: the client creates a virtual network interface on your computer and is assigned an IP address by the head end.  Traffic for the remote networks is routed into the tunnel, which also allows name resolution via the internal DNS servers and other features, as if you were on site.

QuickVPN: the client only encrypts the traffic to the other end.  It does not create a virtual interface, so you keep only your local IP address when connected (this means that if a user’s home LAN happens to use the same IP scheme as the office, they can’t reach it).  Also, QuickVPN tunnels do not pass NetBIOS broadcast packets, meaning there is no name resolution without editing the hosts file.
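The overlap problem above is worth checking before anyone tries to connect.  When the client keeps only its local address and gets no tunnel interface, the operating system treats any office subnet that matches the user’s home LAN as directly connected and never sends that traffic into the tunnel.  The following is an added example (not from the original post, and not Cisco or Linksys code) that checks a list of remote users’ LANs against the office subnets and reports the collisions; the three site ranges and the home LANs are constructed for illustration.

```python
"""Find remote-user LANs that collide with the office subnets.

Added example, not from the original post. With a VPN client that creates no
virtual interface and assigns no tunnel address (the QuickVPN behaviour
described above), a client whose local LAN overlaps a site network cannot
reach that site at all. All address ranges here are constructed/assumed.
"""
import ipaddress
from typing import Dict, Iterable, List

# Constructed example: three office sites on a 192.168.x.x scheme, standing in
# for the post's "192.x.x.x address space" (the exact ranges are assumed).
SITE_NETWORKS = {
    "HQ": ipaddress.ip_network("192.168.1.0/24"),
    "Site B": ipaddress.ip_network("192.168.10.0/24"),
    "Site C": ipaddress.ip_network("192.168.20.0/24"),
}


def overlapping_sites(client_lan: str, sites=SITE_NETWORKS) -> List[str]:
    """Return the names of office networks that overlap the client's local LAN.

    client_lan may be given as a network ("192.168.1.0/24") or as a host with
    its mask ("192.168.1.37/24"); strict=False normalises the latter.
    An empty list means a routeless client can address every site.
    """
    lan = ipaddress.ip_network(client_lan, strict=False)
    return [name for name, net in sites.items() if net.overlaps(lan)]


def clients_needing_renumber(client_lans: Iterable[str], sites=SITE_NETWORKS) -> Dict[str, List[str]]:
    """Map each remote LAN to the sites it collides with (collisions only)."""
    report: Dict[str, List[str]] = {}
    for lan in client_lans:
        hits = overlapping_sites(lan, sites)
        if hits:
            report[lan] = hits
    return report


if __name__ == "__main__":
    # Constructed sample of home/hotel LANs for a handful of remote employees.
    remote_lans = ["192.168.1.0/24", "192.168.0.0/24", "10.0.0.0/24", "192.168.10.0/24"]
    for lan, hits in clients_needing_renumber(remote_lans).items():
        print(f"{lan}: collides with {', '.join(hits)}")
```

A client that creates a virtual interface and receives a tunnel address (the Cisco VPN client behaviour described above) still has to deal with an overlapping subnet, but at the routing level, where a more specific route into the tunnel can win; with the routeless client there is nothing to adjust on the user’s side except their LAN addressing.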

The SA 500 still looking that great to you?  Remember that since there is no CLI, you’ll be unable to simply copy the config from your old Cisco router over to the new box, so there will be considerable downtime.  This will be far from seamless and, I would expect, will cause a great many user headaches.

So, if you’re going to be buying a new Cisco device and your company has more than 10 – 20 users, do everyone a favor and purchase a Cisco ASA 5505; everyone will thank you.  Now then, I need to get back to trying to hammer this square peg into this round hole here.