Recommendations for Hardware VPN
Asked by Lee W, MVP
Here's our network configuration:
1.) GTE and SpecNet T1 lines go to a Cisco 7010 Router.
2.) From there, an Ethernet connection is made to a PIX 10000 Firewall.
3.) Two internal connections are made (both via Ethernet): one to a DMZ, where hosts serving web pages and mail WILL eventually reside, and the second to our core campus switch, currently a Bay Accelar 1200 series.
4.) From there, IP is routed to numerous desktop switches (at least one in each building, most being Bay 350's and 450's).
As for the changes currently underway, the plan is to exchange the 350 and 450 desktop switches with Cisco 2900 and 3500 series desktop switches, the 7010 router gets replaced by a newer Cisco 7204VXR Router, and the core campus switch (Accelar) gets replaced by a Cisco Catalyst 6509 switch. Also likely is that the PIX 10000 will be replaced next year by a PIX 540 or newer model.
We want to add a hardware VPN box to this mix that will authenticate with a Windows NT/2000 directory service. The VPN box will probably be used by 20-25 clients at a time (a 50-user-capable box should be more than sufficient). I'm looking for recommendations on what brand to go with. Naturally, as we move towards Cisco (and newer Cisco products) that seems like the logical solution, but I want other opinions and options and specific model recommendations. Further, the device should have client-side software that essentially splits the connection, where data destined for our network goes to our network but other data comes from their standard internet connection (cable modem, DSL, modem, etc.). I'll give 50 points to each person who contributes significantly (separate questions for each person).
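The "split the connection" behaviour the question asks for is usually called split tunnelling: the VPN client installs routes only for the protected campus prefixes, and everything else leaves through the user's own ISP link. The following Python is an added illustration of that policy, written for this page and not code from any vendor mentioned in the thread; the campus prefixes, the tunnel gateway address and the home-LAN overlap check are all assumptions made for the example.

```python
"""Split-tunnel routing policy, illustrated in Python (added example, not vendor code)."""
import ipaddress
from typing import Dict, Iterable, List

# Constructed example values (not taken from the thread): the prefixes a campus VPN
# concentrator would push to the client. 10.0.0.0/8 stands in for the internal campus
# space and the RFC 5737 documentation range 192.0.2.0/24 stands in for the public DMZ.
CAMPUS_NETWORKS = ["10.0.0.0/8", "192.0.2.0/24"]

# Hypothetical address of the VPN box's tunnel-side interface.
TUNNEL_GATEWAY = "10.255.255.1"


def _nets(cidrs: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Parse CIDR strings into network objects once, so callers can pass plain strings."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def via_tunnel(destination: str, protected: Iterable[str] = CAMPUS_NETWORKS) -> bool:
    """True if the destination lies inside a protected prefix and must go through the VPN."""
    addr = ipaddress.ip_address(destination)
    return any(addr in net for net in _nets(protected))


def classify(destinations: Iterable[str], protected: Iterable[str] = CAMPUS_NETWORKS) -> Dict[str, str]:
    """Map each destination to 'tunnel' (campus) or 'direct' (the user's own ISP link)."""
    return {d: ("tunnel" if via_tunnel(d, protected) else "direct") for d in destinations}


def tunnel_routes(protected: Iterable[str] = CAMPUS_NETWORKS, gateway: str = TUNNEL_GATEWAY) -> List[str]:
    """Routes a split-tunnel client installs: only the protected prefixes point at the tunnel.
    The default route is deliberately left untouched, which is what makes it a split tunnel."""
    return [f"{net} via {gateway}" for net in _nets(protected)]


def find_overlaps(protected: Iterable[str], local_lan: str) -> List[str]:
    """Return protected prefixes that collide with the client's home or hotel LAN.
    A collision pulls the user's local subnet into the tunnel (or makes campus hosts
    unreachable); 10.x and 192.168.x home networks are the usual culprits."""
    lan = ipaddress.ip_network(local_lan, strict=False)
    return [str(net) for net in _nets(protected) if net.overlaps(lan)]


def policy_warnings(protected: Iterable[str] = CAMPUS_NETWORKS, local_lan: str = None) -> List[str]:
    """Sanity checks an administrator would want before pushing the policy to clients."""
    warnings = []
    if any(net.prefixlen == 0 for net in _nets(protected)):
        warnings.append("0.0.0.0/0 in protected list: this is a full tunnel, not a split tunnel")
    if local_lan is not None:
        for net in find_overlaps(protected, local_lan):
            warnings.append(f"protected {net} overlaps client LAN {local_lan}")
    return warnings


if __name__ == "__main__":
    # Constructed sample destinations: two campus hosts and one public web server.
    for dest, path in classify(["10.1.2.3", "192.0.2.10", "198.51.100.7"]).items():
        print(f"{dest:>14} -> {path}")
    print("\n".join(tunnel_routes()))
    print(policy_warnings(local_lan="10.0.5.0/24"))
```

The point for whoever administers the box: with split tunnelling the remote machine is attached to both networks at once, so the route list pushed from the concentrator (not whatever the user configures) should be the authority, and the overlap check is worth running against the private ranges that home routers hand out before deciding which campus prefixes to protect.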
Did you check out the VPN products from Shiva? (Or Intel, as they have bought Shiva.) Take a look at www.shiva.com. The client-side functionality you are looking for is available there.
ASKER
I'll take a look at it... but I'm rejecting your answer because I want more than one perspective and with a locked question, people aren't likely to read it.
Another product worth a look is from Modulo at http://www.modulo.com.br/ingles/produto/vpn-over.htm.
Specs:
Throughput: In excess of 7 Mbps
LAN Interface: Two BNC ports, two 10BaseT Ethernet ports
Capacity: 1024 concurrent NetFortress connections
Dimensions: 3" H x 14" D x 14" W
Weight: 9.8 lb./2.4 kg
Power Requirements: 115/230 volts AC, 50-60 Hz
Safety Certification: UL Approved, FCC Class B
Encryption Type: Network Layer
Encryption Algorithms: 128-bit IDEA, 56-bit DES, 168-bit DES3
Key Management: Diffie-Hellman permanent common key with dynamic random key exchange at intervals determined by the customer
Software: Manager 1.0 provides systems administrators with an easy-to-use tool for managing the VPN and remote units in the Virtual Private Network.
Another product, from Extend Systems at http://www.extendsys.com/prodinfo/pdf/vpn_fambrochure.pdf, might be worth a look.
I would suggest first looking into building a PKI infrastructure to hand out the certs. Next you can utilize this infrastructure with many of the VPN / Encrypted tunnel solutions available on the market right now.
We use Entrust PKI to store the certs and then have Shiva Lanrover Gateways load-balanced on either side of our DMZ as we want secure tunnels inbound on either side of the DMZ (an egg-drop can just as easily come from within).
We have sites that have their own 2611 or 4000 series routers using IOS 12.0 crypto keys generated via Entrust, and then create access-lists for pseudo policy-based routing by client IP.
Next we have our home or mobile users that use Shiva client 6.5 on NT or W9x with various profiles based on client needs (some profiles will only allow access to the DMZ for webmasters, while others actually provide access to the entire corporate network).
We have connected 3rd party call-center sites via mobile IP (a Shiva feature) where NAT'd addresses can run a separate client behind a PIX or a router.
Cisco has their own line of VPN access solutions now with the Cisco AS5300 NAS server. Follow this link for more info:
http://www.cisco.com/univercd/cc/td/doc/cisintwk/intsolns/vpn_soln/l2fcase/l2ftask3.htm
Cheers,
Gary
ASKER
Thanks, and I may yet accept your answer, but I still want other people's input; we haven't made the purchase yet!
Check out Altiga, http://www.altiga.com
They have a range of VPN boxes that scale with your requirements, the bottom of the range being upgradable to the top of the range, which is a good idea. This product won Network Computing's editors' choice award, and they verified you can have it up and running in about five minutes, as advertised. They also claim that it will work with the Win2k native IPsec/L2TP VPN client virtually out of the box. The product will also support intranet VPNs. Last but not least, this company have just been bought by Cisco, who will be offering it as one of their front-line VPN products; with the amount of money Cisco have in the bank they could probably have afforded to buy just about any VPN hardware manufacturer they wanted, but they chose Altiga.
ASKER
Thanks, I'll have a look at that company again; I think I already did and even spoke to a salesperson.
Actually, does anyone know if Cisco's PIX firewall, with VPN support, has a client for both the Mac and the PC that will differentiate the network traffic as per my stated needs?