r270ba

asked on

Yet another Firewall/VPN question...

OK, I have been reading on here for days and think I have a pretty good idea of what I am looking for and need. To start, I am looking to implement a VPN solution for a small business with < 30 users. We have 5 sales people located in 2 different states and will also have at any given time 2-3 users working from remote locations (but not "site-to-site" branch locations). We shouldn't have more than 20 concurrent VPN connections, but it is possible we will have more than 10, so the PIX 501 is out. I have been looking at the PIX 506e and have talked to Cisco Pre-Sales, and that was their suggestion.

Now to what we need this for... We want our remote users and mobile sales force to have access to our accounting files, sales databases, virus scan management software, etc., all of which is located on 2 different "servers". We are also looking into implementing an Exchange Server. We are not worried about a "remote desktop" feel to it (we will use XP's built-in Remote Desktop if needed); we just need our mobile/remote users to have access to the inside of our network and the files which reside there.

Now, having said that, here is my question... is the 506e what I need? I have read a great deal about WatchGuard, NetScreen, etc. Our budget is around $1000. What is the benefit of one over the other? What "integrated" services does the 506e offer that the others do not?

Please give me your suggestions or ask me if you need more information. Thanks to all in advance.

Les Moore

In my opinion, the 506e is a perfect fit for your needs. Security is rock solid, the VPN capabilities are simple to set up, the client is simple to deploy, and you have plenty of horsepower. What you don't get is any method of content filtering, URL filtering or in-line anti-virus, or WAN link failover capability.

Compared to the features of the Fortinet Fortigate line, the PIX seems rather limited.
http://www.fortinet.com/products/telesoho.html

The Watchguard Firebox is another one that offers a few more features:
http://www.watchguard.com/products/

Bottom line - go with the features that make you comfortable, at the price point that makes you comfortable, and the skills that you already possess. If you're Cisco all the way, then full steam ahead to the PIX. If not, then you have options to look at before making a final decision.

You might want to look at something like this Linksys, which is now owned by Cisco, as a compromise. Way under budget at around $350, it will do just what you want:
http://www.linksys.com/products/product.asp?prid=589&scid=29


r270ba

ASKER

lrmoore, I was hoping you would pick this up (from all the other posts I have read by you) :)... the links were great!!! Couple more questions for you. By content filtering do you mean packet shaping? What is the URL filtering and in-line antivirus? Also, I think for WAN link failover capability you need two separate data lines coming in... am I correct or wrong? I also cannot seem to find anywhere on Cisco whether or not the 506e has a DMZ port... do you know if it does?

Finally, for whichever solution I choose, how do I hook up from the router to the firewall? I think I need a crossover cable... is this correct? I want to eventually implement a DMZ with a web server and possibly Exchange Server. Should the Exchange Server be on a DMZ or inside the firewall? If you want I can add these questions to a new post for more points for you.

Thanks for your help!!!!

Les Moore

>By content filtering do you mean packet shaping?
No, I mean scanning the data stream for content, like porn coming through email before it ever gets to the user desktop.

>What is the URL filtering and in-line antivirus?
URL filtering means restricting user access to specific URLs or web site categories (i.e. porn, shopping, sports, etc.). In-line AV means scanning the data stream for virus signatures before it ever gets to the user desktop.

>Also, I think for WAN link failover capability you need two separate data lines coming in... am I correct or wrong?
Absolutely correct. Say you start off with a DSL line, and then you decide to add another DSL line, or perhaps a cable link for backup/failover/load sharing. The PIX won't help you out in this case, but some of the other products will.

>whether or not the 506e has a DMZ port
Nope. Only two ports: inside and outside. However, it does VLANs on the inside if you have another Cisco switch that does VLANs and trunking, which can give you several "virtual" interfaces that you can use for DMZs.

>how do I hook up from the router to the firewall?  
Normally a crossover, but that depends on the exact router/broadband modem.

>I want to eventually implement a DMZ with a web server and possibly Exchange Server.
Web server, yes - Exchange server, no.
The Exchange and all the internal users are too dependent on the domain/Active Directory to try to make it work through the firewall. Just keep Exchange on the inside and forward SMTP through port 25 only.
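As an added illustration (not from the thread, and not lifted from Cisco's own documentation), the fragment below shows what the two points above look like in PIX 6.3-style configuration on a two-port box: a logical VLAN interface on the inside port used as a DMZ for the web server, and Exchange kept on the inside with only SMTP (TCP/25) forwarded to it. All addresses, VLAN numbers, interface names and access-list names are constructed placeholders; the command syntax is given as I recall it for PIX 6.3 and should be checked against the release's configuration guide before use.

```cisco
! Added example, not part of the original thread. Addresses use documentation
! ranges (203.0.113.0/24, 10.0.0.0/8, 172.16.0.0/12); names are placeholders.

! --- Logical VLAN interface on the inside port, used as a DMZ (PIX 6.3) ---
! ethernet1 (inside) is trunked to a Cisco switch; VLAN 10 becomes "dmz" with a
! security level between outside (0) and inside (100).
interface ethernet1 100full
interface ethernet1 vlan10 logical
nameif vlan10 dmz security50
ip address dmz 172.16.10.1 255.255.255.0

! Web server in the DMZ: publish it and allow only HTTP in from the outside.
static (dmz,outside) 203.0.113.20 172.16.10.20 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.20 eq www

! --- Exchange stays on the inside; only SMTP is forwarded to it ---
! Exchange and the domain users share the inside network, so Active Directory
! traffic never crosses the firewall; the outside world sees only TCP/25.
static (inside,outside) 203.0.113.25 10.0.0.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.25 eq smtp

! Everything not permitted above is dropped by the implicit deny.
access-group outside_in in interface outside

! Mail Guard: inspect the forwarded SMTP stream and restrict it to the basic
! command set (on by default in PIX 6.x; stated here so the intent is explicit).
fixup protocol smtp 25

! Inside and DMZ hosts reach the Internet through PAT on the outside address.
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (dmz) 1 0.0.0.0 0.0.0.0 0 0
global (outside) 1 interface
```

Two things worth checking after applying something like this: `show access-list outside_in` should show hit counts only on the two permit lines, and nothing on the inside network other than the Exchange host should have a `static` mapping, so a compromise of the DMZ web server still faces the dmz-to-inside policy rather than flat access to the domain.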


r270ba

ASKER

Man, you are the best!!! I have been looking around at this Firebox and I think I like the looks of it pretty well. It seems to me that the Firebox has more "integrated" options. I also like how buying licenses upgrades the product without having to buy hardware. From what I have posted above, do you think the Firebox X500 with the upgraded VPN Mobile Users License will work for me? I promise this is the last question, then I will open up another case so I can give you more points!
r270ba

ASKER

Oh and by the way...I just signed up here and this place is awesome!!!  The best place I have found on the net!!!!
ASKER CERTIFIED SOLUTION
Les Moore