Earlier this year, ISP-Planet launched a VPN
Appliance Review Series, evaluating IPsec hardware devices suitable
for ISP deployment to broadband-enabled businesses of 10 to 200 employees.
We gathered four responses that appeared, at least on paper, to satisfy
our RFP. Our next step: a lab evaluation. By digging into each vendor's
proposed solution, we hoped to compare and contrast these offerings.
Here, we publish part two of the first set of results, describing
our lab experience with SonicWALL PRO-VX, SOHO2, and TELE2 Internet appliances.
These devices, designed for use in small-to-midsize networks, can be centrally
provisioned through SGMS, SonicWALL's central policy manager. If you need
a brief review of what we've accomplished so far, start with Part
One, or catch up with where we left off in Part
Two.
Our Experience with Tech Support
Every SonicWALL includes standard support, renewable annually.
Standard support provides a one-year warranty and the ability to submit
questions to SonicWALL's website, staffed 6-6 during the business week
with estimated one day turn-around. In addition, per incident phone support
is available with 4-hour response time for $75. Premium support makes
this telephone and web support available under annual contract, with next
business day hardware replacement. 24x7x365 support contracts are available
for other SonicWALL products, but not the units we tested.
Customers receive an account at mysonicwall.com that can be used to view
active and available service upgrades for each registered device. The
searchable on-line knowledgebase is a good source of tech notes. Firmware
updates are freely available there. In our experience, tech support callbacks
were prompt, if not always immediately helpful. By working through the
support chain, we always reached a helpful engineer who could diagnose
our problem.
SonicWALL offers Reseller, Select partner, and Preferred partner programs.
Select Partners get discount pricing, priority access to technical support,
and marketing support. The Preferred Partner program is by invitation
only, for providers with a strategic focus on network security. Preferred
Partners have access to a separate Preferred Partner website, market development
funds, and additional technical training. SonicWALL has a lengthy list
of announced ISP partners, including TDC Internet, Highway One, Epoch
Internet, KDD, and Swisscom.
Customer Feedback
Lab evaluations kick the tires but do not offer real-world
experience. For that insight, we contacted a customer identified by SonicWALL: Michael
Greco of Internet Protocol. This central California network integrator
designs, implements, and maintains a variety of customer networks, including
VPNs for telecommuter / road warrior access and remote office connectivity.
According to Greco, "Our common setup [is] a SonicWALL PRO at the main
office and SOHO2 units at all the remote offices. We usually do [a] full
mesh layout because [most] of our customers want some type of fault tolerance
for services [like] WINS or DNS." Network size varies, but averages 3
to 10 offices. Road warriors are given a SonicWALL VPN Client and a local
Internet connection; Greco has seen 40 simultaneous users connected to
a PRO without noticeable hit on firewall performance.
Device installation depends upon the customer. "We have [sent] an engineer
to each location for the installation, and we have had customers do the
entire setup themselves," said Greco. "We have even pre-configured a group
of appliances with addressing provided by the customer's ISP and shipped
pre-configured [units to] each office for a plug and play VPN."
According to Greco, the average unit requires less than 10 minutes to
provision. Engineers walk customers through common tasks and let them
make simple changes like adding a public web server. "Our customers don't
have policy changes often enough for [maintenance] to be a real problem,"
said Greco. "The majority of our support calls are due to telco circuit
problems, not the appliance."
Over half of Greco's customers manage their own VPNs. For those without
in-house staff, Internet Protocol offers remote management. Internet Protocol
uses the SonicWALL GUI and email-based monitoring of logs and alerts.
"The cost of SGMS was a little high for an office of our size," said Greco.
The price has since dropped, but not enough for Internet Protocol. Central
provisioning offers more to NOCs that must oversee hundreds or thousands
of managed devices.
Greco has been pleased with SonicWALL's pre-sales and training support.
"We send all our technicians to the SonicWALL CFA training course," said
Greco. "It is an excellent way to get our technicians up to speed. When
a new product is being developed, our pre-sales contact is always there
with detailed information." Internet Protocol does not need to call upon
SonicWALL support often. "But if you are in a pinch, they are always there
with the answer," said Greco.
"SonicWALL listens to us and the issues we deal with on a daily basis,"
he said. For example, older firmware required a reboot after many changes;
a free firmware update eliminated 90 percent of these cases. "I haven't
had many bad experiences, but one comes to mind," said Greco. "The initial
release of the Anti-Virus product was extremely buggy, and our customers
had a lot of cleanup work just to get up and going." SonicWALL has since
resolved this problem. What's on Greco's wish list? "Some type of a user
forum to discuss future plans and product releases. Time is important,
and if I can review or post questions on the web, it would be a great
help."
Greco's feedback gives us a feel for the kind of VPN provider satisfied
by SonicWALL. Our own search of industry mailing lists yielded both happy
and unhappy customers, with comments ranging from "We've had wonderful
success with them." to "We used one for about six months and absolutely
hated it." Ideally, prospective buyers should check several references
with business goals that closely mirror their own.
Did SonicWALL Satisfy Our RFP?
Ultimately, our goal was to determine how well SonicWALL's proposed solution
met our RFP's requirements.
After hands-on inspection, we are comfortable that all of our RFP's installation,
remote activation, and software/policy update requirements are satisfied.
These devices are easy to set up manually in small numbers. For midsize
accounts, SGMS 1.x enables central provisioning for tens or hundreds of
devices; with SGMS 2.0, perhaps more. Note: we're talking about an
ISP with small-to-midsize customers, not a large enterprise or carrier
VPN.
We confirmed that our basic requirements for physical, device management,
firewall, and VPN features are met, with a few noteworthy exceptions.
The PRO-VX offers a metal enclosure with a serial port for out-of-band
management, but the SOHO2 and TELE2 do not. We'd like to see a more flexible
DMZ on the PRO-VX, DH Group 2 support, and expanded VPN monitoring/logging.
To better satisfy multi-vendor accounts, we'd like to see broader PKI
support and ICSA VPN certification (now pending).
Functionally, we have just one real concern: support for centralized
network and service monitoring. Our RFP's fictional ISP would need to
build its own managed VPN monitoring system, based on logs gathered by
SGMS and the alerts/traps generated by each SonicWALL.
Finally, we must consider up-front cost and revenue potential for each
of our RFP scenarios:
In the Entry-Level Scenario: The SOHO2 looks inexpensive, until
you add a 50-node upgrade, VPN upgrade, and device/client Authentication
Service upgrades. Nonetheless, SonicWALL's solution still falls under
our $2000 MSRP cap.
In Scenario Two: High-tech office, the PRO or PRO-VX platform
can be used to deliver several value-added services, creating new revenue
opportunities by satisfying broader customer needs. Of course, not every
customer will want their firewall to check A/V compliance, but SonicWALL's
solution makes this possible, and SGMS can be used to activate those
upgrades from the NOC.
In Scenario Three: An expanded version of the network tested,
we'd need to work around DMZ constraints, for example, moving the
customer's mail server from DMZ to LAN so that our VPN Clients can tunnel
to it. Recall this customer had an existing firewall. Might he consider
keeping it, deploying SOHO2's at branch offices? We think not: for
a multitude of reasons, this scenario plays out better with a homogeneous
VPN.
One final caveat: throughout this evaluation, we've cited manufacturer's
suggested retail prices. However, our RFP's fictional ISP would probably
join one of SonicWALL's partner programs to receive discounts.
Stay tuned over the next few weeks as we evaluate other-vendor responses. In
our series closer, we'll compare and contrast all tested products and their
suitability for ISP deployment to broadband-enabled small business customers.
Finally, we will ask you, our readers, to vote on-line for the solution that
you find the most compelling.