Secure your Small Business using Cisco SA 520W Security Appliance


Cisco Small Business Pro SA 520W Security Appliance allows small business employees to securely connect to the Internet and provides the following capabilities:

  • 4 LAN Ports (for connecting computers, printers and network switches in the LAN) and 1 WAN Port (to connect the Internet link – broadband, etc.)
  • 1 Optional Port that can be configured as a LAN Port, a WAN Port (for providing a fail-over Internet connection / load-balancing) or a DMZ Port
  • DMZ Port – For connecting the company's Internet-facing servers (web server, partner portal, mail server, etc.) while keeping them separated from the internal LAN.
  • Built-in DHCP Server in order to provide IP addresses to all the clients (PC, Laptop, Printer, etc.) connecting to it.
  • Firewall for creating Network Access Rules (LAN & WAN) – Example: blocking Internet access for certain computers (by their IP addresses), blocking access to Instant Messenger applications, etc.
  • Virtual Private Network (VPN) – The Cisco Small Business Pro SA 520W has the capability to create both Site to Site VPN and Site to Client VPN using IPSec (50 licenses built in) and SSL (2 licenses built in) VPN.
  • Wireless Network – This security appliance targeted at small business has a Wireless (Wi-Fi) radio built in (with three external antennas) that supports IEEE 802.11 b/g/n and operates in the 2.4 GHz spectrum for maximum throughput and performance.

Apart from the above features that are available out of the box, there are four additional optional features that enhance the security of small businesses and enable them to implement all the security policies that are important for today’s web based enterprises. The optional features are:

Cisco ProtectLink Web/Email Gateway – This module provides all the important security features to be applied to all the users accessing the Internet/ Email through the SA 520W appliance. The security features include anti-spam, anti-virus, anti-spyware, anti-phishing, etc., for all the incoming mails. Further, administrators can control which websites the users can and cannot access, choosing from over 80 categories into which most websites are sorted (for example, access may be denied to sports and movie based websites for all users). Further, web threats and malicious activities such as the injection of spyware, botnets, etc. on employees' computers are monitored for and automatically blocked.

This is an online cloud based service provided by Trend Micro – users/ companies need not invest in centralized servers, etc. on their premises for providing centralized security services; these servers are hosted centrally at various data centers around the world and the service is provided on a subscription basis (per year) to the users. The licenses are available for 25/100 users.

Cisco ProtectLink Endpoint – This module consists of downloadable security software that can be installed on individual Computers/ Laptops, which ensures that these devices remain safe from Internet based threats even when they are used to connect to the Internet at public places/ homes. This is also provided as a cloud based service like the above, and a personal anti-virus module from Trend Micro is included for PCs/Laptops in addition to protection from web based threats. This is also a subscription based model which comes in 5/25 license packs.

Intrusion Prevention System (IPS) – This optional module for the SA 520W Security appliance is helpful in detecting and protecting from harmful web based attacks and hackers. Signatures are available for a number of known attacks, and signatures are being developed for various new attacks as well; the SA 520W Security appliance uses them to detect and prevent unauthorized access by hackers, etc. into the network.

VeriSign Two Factor Authentication – When remote users access the corporate network using the VPN service, they authenticate themselves using user-names and passwords. But what if someone steals these user-names and passwords? What if someone notices them from behind when they are accessing the network from a public hot-spot? To prevent this situation, along with the user-name and password, users must also enter a second, fixed-length numeric secret code in order to access the network. This code changes very frequently, so even if it is noted by a third party, by the time they try to access the network the code would have changed! VeriSign generates these codes and delivers them to users in a number of ways, including their mobile phones, secure tokens, secure cards, etc.

Common Usage Scenario – Architecture Diagram:

[Figure: Small Business Secure Connectivity Architecture using Cisco SA 520W Security Appliance]

In the above diagram, there are two sites (branches) of the same company (enclosed by blue dotted lines) that each have a Cisco Small Business Pro SA 520W Security Appliance. There is also a remote user shown in the top left hand side. Both the branches connect to the Internet through the Internet Modem (broadband) and in the first case, there are two Internet connections terminating on the Cisco SA 520W which can be load balanced/ toggled in case of fail-over. This provides redundancy for Internet connectivity.

There is a DMZ port on the SA 520W appliance to which the Internet facing servers like Web servers, mail servers, etc. are connected. This is necessary to isolate the other internal servers from Internet traffic and hence protect them. One of the LAN ports of the SA 520W appliance is connected to the Network Switch, which is further connected to a number of computers and printers, thereby forming a Local Area Network (LAN). Certain Laptops are connected to the LAN over the Wireless Network (Wi-Fi) through the in-built radio available in the SA 520W appliance. The other branch is similar, except that there is only one Internet Connection. Please note that the one optional port can be configured as an additional WAN port or DMZ port.
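To make the firewall access-rule feature from the capability list and the DMZ isolation just described concrete, here is an added model of a first-match rule set, written for this article and not taken from the appliance's configuration or any Cisco software. The zone subnets, host addresses and rule list are constructed assumptions; the point is the ordering: the Internet may reach only the published ports on the DMZ, nothing from the Internet or the DMZ may initiate connections into the LAN, a single LAN PC is denied Internet access by its IP address, and anything no rule matches is dropped.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the model (assumed, not from the page).
ZONES = {
    "LAN": ipaddress.ip_network("192.168.75.0/24"),
    "DMZ": ipaddress.ip_network("172.16.2.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to LAN or DMZ by subnet; anything else is treated as WAN (Internet)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "WAN"


@dataclass(frozen=True)
class Rule:
    action: str                              # "allow" or "deny"
    src_zone: str
    dst_zone: str
    src_net: Optional[str] = None            # narrow to one host/subnet, e.g. "192.168.75.50/32"
    dst_ports: Optional[frozenset] = None    # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        if zone_of(src_ip) != self.src_zone or zone_of(dst_ip) != self.dst_zone:
            return False
        if self.src_net and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dst_ports is not None and dst_port not in self.dst_ports:
            return False
        return True


# Rules are evaluated top to bottom; the first match decides (constructed policy).
RULES = [
    # One specific PC is blocked from the Internet by its IP address.
    Rule("deny", "LAN", "WAN", src_net="192.168.75.50/32"),
    # Everyone else on the LAN may browse.
    Rule("allow", "LAN", "WAN"),
    # The Internet may reach the DMZ only on the published web and mail ports.
    Rule("allow", "WAN", "DMZ", dst_ports=frozenset({25, 80, 443})),
    # Nothing from the Internet reaches internal hosts directly.
    Rule("deny", "WAN", "LAN"),
    # A compromised DMZ server must not be able to pivot into the LAN.
    Rule("deny", "DMZ", "LAN"),
    # Administrators on the LAN may manage the DMZ servers.
    Rule("allow", "LAN", "DMZ"),
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action of the first matching rule, or the implicit default of deny."""
    for rule in RULES:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows (src -> dst:port).
    for flow in [("192.168.75.10", "198.51.100.7", 443),
                 ("192.168.75.50", "198.51.100.7", 443),
                 ("203.0.113.9", "172.16.2.10", 443),
                 ("203.0.113.9", "172.16.2.10", 22),
                 ("203.0.113.9", "192.168.75.10", 445),
                 ("172.16.2.10", "192.168.75.20", 3306)]:
        print(f"{flow[0]} -> {flow[1]}:{flow[2]}  {evaluate(*flow)}")
```

Because matching stops at the first hit, the order of the two LAN-to-WAN rules matters: swapping them would let the blocked PC out. The explicit WAN-to-LAN and DMZ-to-LAN deny rules could be left to the default, but stating them keeps the isolation intent visible when someone later appends a broad allow rule.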

A Site to Site IPSec Virtual Private Network is formed between the PCs and Laptops in the first location and the PCs and Laptops in the second location through the SA 520W appliances over the Internet. So, all the communications between the two branches pass over secure, encrypted tunnels. Even the remote PC connects to the main branch through a Site to Client VPN (either through a pre-installed IPSec Client or through SSL browser based VPN). All the Internet/ Email traffic coming in to the network is scanned in the cloud based Web/ Email security gateways (Data Centers), shown in the upper right corner, before being sent to the respective users so that users can securely communicate through the Internet.

All the configuration of the Cisco Small Business Pro SA 520W Security appliance can be done easily through the GUI (Graphical User Interface) based web interface, and hence the initial configuration and the ongoing maintenance become easier and faster.

