There are two ways to look at the Cisco SA 520 network security appliance. On one hand, it offers a solid array of features: 65Mbps IPSec VPN throughput, 100Mbps overall throughput, integrated firewall (limited to 100 rules), built-in filtering for common services like IM and P2P networking, SSL VPN, IPS, DDNS and multi-WAN support. On the other hand, it has nearly no relation to the rest of Cisco's security solutions.

The Cisco SA 520 is physically similar to the old Cisco PIX 501 and it offers similar basic functionality. However, that's where the similarities stop: Whereas the PIX 501 ran PIXOS, the SA 520 runs a Linux-based operating system. Where the PIX 501 was as easy to manage as its bigger brothers, the SA 520 runs a completely different OS, has no console port and no CLI. It's administered via a somewhat cranky web-based UI.

From the perspective of a small business looking for a firewall that offers some relatively advanced features, the Cisco SA 520 is suitable. For a network professional looking for a small site VPN endpoint device, the SA 520 is a mixed bag. It fits the bill in terms of capacity, features and throughput, but from a management perspective it promises headaches. Given that scenario, I'm going to address both viewpoints.

The Cisco SA 520 provides a wealth of options as a small business security appliance. There's a little of everything here, from basic firewalling tasks through SSL VPN features, including SSL VPN portal pages. On the back end, it will integrate with Active Directory or standard LDAP authentication services to allow users to to log into the VPN with their domain credentials.

However, the stock model is outfitted with only two SSL VPN licences, expandable to 25 by purchasing more. Two might not be the loneliest number, but it certainly seems tiny in this case. Oddly, the SA 520 allows for 50 IPSec tunnels out of the box. It's hard to see anyone in the small business space needing 50 IPSec tunnels but only two client-based SSL VPN tunnels.

There's also support for multiple WAN interfaces and load balancing, so you can leverage multiple Internet connections within a single device. Further, you can create rules that apply to total traffic passed through each Internet connection to ensure you don't go over ISP-imposed limits if any should exist.

Coupled with that are basic QoS rules that allow traffic classification based on TCP or UDP port, source addresses, VLAN or even a physical port. This traffic can be prioritised into high, medium or low priorities. The SA 520 also supports 802.1p traffic prioritisation that adds much more granularity, though you'll need to classify traffic with 802.1p internally for this to function.