Best hardware VPN solution?

Posted on 2001-07-02
Last Modified: 2013-11-16
Not that this is a hard question . . . We've finally gotten fed up with DSL and are moving to fractional T1 lines.  We have three offices in three cities and two states.  What we have now is a DSL WAN-on-the-cheap; each office sees the other through ATMP tunnels handled by Netopia routers (R7100, R7200, and R9100).  We also have a number of users who occasionally VPN into the routers, usually on "high-speed" connections.  We have three NT 4.0 domains, and about 40 employees all told.  Future expansion might see that number double in two years.

So, here's what I need:
1. Ability to set up WAN-type VPN connections between all three offices, allowing users access to resources in each of the other offices.  
2. Ability to VPN in, preferably using MS PPTP on Windows 98 clients.  I'd like to stay away from 3rd-party VPN clients, just for simplicity and familiarity.
3. Good security, as the fractional T1s will of course have public IP addresses.

Currently, we're generally happy with the Netopias.  One of my questions is whether or not we need to step up our security a notch to something like the SonicWall or WatchGuard products.  Please keep in mind that any solution has to be implemented in three offices.

So, what's your best recommendation for securing small office Internet connections?  Thanks in advance.

Jonathan
Question by:jonathanv_00
 
LVL 1

Expert Comment

by:mor4eus
ID: 6247060
Small office - use Cisco PIX. Big range, lots of support, and they work.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6249091
First off, having good security and using PPTP are mutually exclusive. Use IPsec. Also, you'll need not only a VPN solution but also a firewall solution. VPN boxes by themselves make poor firewalls. Going with an integrated VPN/firewall solution will save you money and headaches, so that's clearly the way to go.

So, here's a list of vendors to check out for small office connectivity firewall/VPN solutions:
o WatchGuard
o Netscreen
o Cisco PIX (as mor4eus pointed out)
o Intrusion.com
0
 
LVL 12

Accepted Solution

by:
Housenet earned 200 total points
ID: 6249159
- Three NetScreen 5 Elites will give you the security you need to protect the offices, using IPsec 3DES rotating-key encryption tunnels between all three offices. Remote VPN users using the same IPsec protocols can gain access to 1, 2 or all remote networks.
- People who are security conscious use these protocols to create WAN connections on the net. PIX and other hardware firewalls can do this as well. The advantages of using NetScreens are: fastest throughput using 168-bit encryption, easiest configuration (very simple), low price, and a remote IPsec client that works with OSes that Cisco's version of the same client does not, like Windows 2000. NetScreen also does not charge you more for the highest levels of encryption (3DES) like Cisco does.
- I'm telling you this because I've installed many PIXes and NetScreens, and the NetScreens are a pleasure to work with.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6249919
IPsec should do what you need.
A free solution is FreeS/WAN (http://www.freeswan-org) based on a Linux 2.4.x kernel.
You just need a Linux box at the sites you want to allow access to. My experience is that an x486 is good enough to handle a few dozen VPN connections simultaneously.
FreeS/WAN also can handle "road warriors" using W9x, NT with PGPNet; W2K also should work directly, 'cause it claims to support IPsec (I personally didn't get it working so far).
FreeS/WAN also supports a shell-based API, meaning that after a connection has been established it starts a user-defined script, for example to set up/manipulate the firewall using iptables (kernel 2.4.x).
0
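As an added example that is not part of the original thread or of the FreeS/WAN distribution, this is what the three-office site-to-site mesh ahoffmann describes looks like in a FreeS/WAN 1.9x ipsec.conf. The public addresses, LAN ranges, next-hop routers and connection names are assumptions made up for the example. FreeS/WAN of this era negotiates 3DES and refuses single DES, so no cipher setting appears. Each gateway keeps the same file but loads only the two tunnels it terminates; shown here is the office A box:

```conf
# /etc/ipsec.conf on the office A gateway (FreeS/WAN 1.9x syntax).
# Added example for this thread, not from the post or the FreeS/WAN docs.
# Addresses are constructed: offices A/B/C use the public addresses
# 192.0.2.1, 198.51.100.1 and 203.0.113.1 and the LANs 10.1/10.2/10.3.0.0/24.
config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        # Only the two tunnels this gateway terminates; the same file,
        # with these two lines changed, goes on the B and C gateways.
        plutoload="office-a-b office-a-c"
        plutostart="office-a-b office-a-c"
        uniqueids=yes

conn %default
        keyexchange=ike
        # Pre-shared keys live in /etc/ipsec.secrets, one per pair of
        # public addresses, e.g.
        #   192.0.2.1 198.51.100.1: PSK "<long random string>"
        authby=secret
        auth=esp
        # Fresh Diffie-Hellman on every rekey, and rekey often: this is
        # the "rotating key" behaviour mentioned earlier in the thread.
        pfs=yes
        keylife=8h
        ikelifetime=1h
        # 0 = never give up renegotiating when a link flaps.
        keyingtries=0
        auto=start

conn office-a-b
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftnexthop=192.0.2.254
        right=198.51.100.1
        rightsubnet=10.2.0.0/24
        rightnexthop=198.51.100.254

conn office-a-c
        left=192.0.2.1
        leftsubnet=10.1.0.0/24
        leftnexthop=192.0.2.254
        right=203.0.113.1
        rightsubnet=10.3.0.0/24
        rightnexthop=203.0.113.254

conn office-b-c
        left=198.51.100.1
        leftsubnet=10.2.0.0/24
        leftnexthop=198.51.100.254
        right=203.0.113.1
        rightsubnet=10.3.0.0/24
        rightnexthop=203.0.113.254
```

Two caveats a practitioner will want. First, the tunnels carry only the listed subnet pairs; everything else arriving on the public interface is still subject to whatever iptables policy the box has, which is the point chris_calabrese makes about needing a firewall and not just a VPN. Second, authby=secret is fine between three fixed addresses, but a road-warrior section (right=%any) under the same setting would force every remote user onto one shared secret, which is why the FreeS/WAN documentation steers road warriors to RSA keys (authby=rsasig).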
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6249954
Yes, there are various ways you can do this with Linux, OpenBSD, Solaris, etc.  But if you have the money doing it with dedicated appliances is going to be easier and more likely to produce a secure solution.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6249959
Also, since you guys are happy with Netopia, what about using their firewall/VPN product?  http://www.netopia.com/equipment/security/s9500/
0
 
LVL 12

Expert Comment

by:Housenet
ID: 6249977
Hey Chris, maybe NetScreen should start paying me for pushing their products all the time, eh? :)
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 6250012
The out-of-the-box solutions from Netopia or NetScreen may be a good idea for people believing in proprietary things.
IMHO security cannot be done by obscurity. So an open source solution using standards like IPsec might be a better solution in the long term. My experience with FreeS/WAN also is that it has a good mailing list with a lot of people helping you solve your problems, and all for free.
I won't say that one is better than the other, just a few thoughts about it.
0
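The shell-based API ahoffmann mentioned earlier is FreeS/WAN's "updown" hook: Pluto runs the script named by leftupdown= in ipsec.conf every time a tunnel changes state, exporting PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and PLUTO_PEER_CLIENT (documented in ipsec_pluto(8)). The script below is an added example for this thread, not FreeS/WAN's stock _updown, and shows the check a firewall/VPN box should make: the FORWARD chain is opened for a subnet pair only while its tunnel is up, and only on the ipsecN interface, so the same subnets can never pass in the clear on the public interface. The install path of the stock script and the IPTABLES override are assumptions:

```shell
#!/bin/sh
# vpn-updown.sh: a FreeS/WAN "updown" hook (installed with leftupdown= in
# ipsec.conf) that opens the FORWARD chain only while a tunnel is up.
# Added example for this thread, not FreeS/WAN's stock _updown script.
# Pluto exports PLUTO_VERB, PLUTO_INTERFACE, PLUTO_MY_CLIENT and
# PLUTO_PEER_CLIENT to the hook (see ipsec_pluto(8)).

IPTABLES="${IPTABLES:-iptables}"                  # "echo iptables" gives a dry run
STOCK_UPDOWN="${STOCK_UPDOWN:-/usr/local/lib/ipsec/_updown}"   # assumed install path

# vpn_rule_cmds VERB IFACE MY_SUBNET PEER_SUBNET
# Prints one iptables command per line for the given tunnel event.
# Only up-client/down-client (a subnet-to-subnet SA coming up or going
# down) produce rules; the prepare/route/unroute verbs print nothing.
vpn_rule_cmds() {
    vr_verb="$1"; vr_iface="$2"; vr_mine="$3"; vr_peer="$4"
    case "$vr_verb" in
        up-client)   vr_action="-I FORWARD 1" ;;   # insert at top, ahead of any DROP
        down-client) vr_action="-D FORWARD" ;;     # delete the matching rule
        *)           return 0 ;;
    esac
    # With KLIPS, packets about to be encrypted leave on ipsecN and packets
    # just decrypted arrive on ipsecN, so matching the interface guarantees
    # the rule never admits the same subnets unencrypted on eth0.
    printf '%s %s -o %s -s %s -d %s -j ACCEPT\n' \
        "$IPTABLES" "$vr_action" "$vr_iface" "$vr_mine" "$vr_peer"
    printf '%s %s -i %s -s %s -d %s -j ACCEPT\n' \
        "$IPTABLES" "$vr_action" "$vr_iface" "$vr_peer" "$vr_mine"
}

# vpn_apply VERB IFACE MY_SUBNET PEER_SUBNET
# Runs the commands printed by vpn_rule_cmds; returns 1 if any of them fails.
vpn_apply() {
    vpn_rule_cmds "$@" | while IFS= read -r va_cmd; do
        $va_cmd || exit 1      # unquoted on purpose: split into command + args
    done
}

# When called by Pluto, act on its environment, then hand the routing work
# to the stock script so routes are still installed and removed.
if [ -n "$PLUTO_VERB" ]; then
    vpn_apply "$PLUTO_VERB" "$PLUTO_INTERFACE" "$PLUTO_MY_CLIENT" "$PLUTO_PEER_CLIENT" || exit 1
    if [ -x "$STOCK_UPDOWN" ]; then
        exec "$STOCK_UPDOWN" "$@"
    fi
fi
```

To see what the hook would do without touching the firewall, run it the way Pluto would but with the dry-run override: `PLUTO_VERB=up-client PLUTO_INTERFACE=ipsec0 PLUTO_MY_CLIENT=10.1.0.0/24 PLUTO_PEER_CLIENT=10.2.0.0/24 IPTABLES="echo iptables" sh vpn-updown.sh`. This only makes sense with a FORWARD default policy of DROP; with ACCEPT the rules add nothing. Pluto may invoke up-client more than once over the life of a connection (rekeying), so if duplicate ACCEPT rules appear, have the up-client branch delete the rule before inserting it.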
 

Author Comment

by:jonathanv_00
ID: 6250099
Boy, lotta stuff here.  Thanks, folks.  

Linux solutions?  I'd like to go that route, but I'm pretty much a one-man IT shop, so learning a new OS to the point where it's secure is a tall order.

Netopia R9500?  That would be my first choice, but unfortunately their agreement with Netscreen expired, and they no longer can support the product.  I suppose I could get one of those and then lean on Netscreen users for support . . . ?

Cisco PIX?  I'm sure it's a rockin' piece of hardware, but $1500 a pop equals almost $5000 for our three offices.  Data's important, but that's overkill for our purposes.  (I know, I know, but we have to make cost/benefit decisions.)

At this point, I'm leaning toward the Netscreen.  Any good word for the Watchguard?
0
 
LVL 1

Expert Comment

by:mor4eus
ID: 6250727
How about Symantec VPN, or Gauntlet by NAI? These are two cheaper solutions which sit on an NT box. They also secure the NT box when installed, so NT insecurity is limited.

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=6747954


http://www.pgp.com/products/gauntlet/default.asp
0
 

Author Comment

by:jonathanv_00
ID: 6250789
But this wouldn't provide any protection to desktops, right?  Or are you thinking, mor4eus, that I should run my NT box as a proxy server and use one of these two software firewalls?
0
 
LVL 1

Expert Comment

by:mor4eus
ID: 6250810
Yes, sorry, I should have explained a bit better. Have all clients on a private subnet, then use the VPN utilities to connect the sites; you will also be able to issue keys to allow outside access. Takes a bit of planning, but is easily achievable.
0
 
LVL 14

Expert Comment

by:chris_calabrese
ID: 6255475
These solutions are relatively difficult to setup and maintain compared to the hardware VPN solutions, and relatively expensive compared to the other software VPN solutions (i.e., free Linux or OpenBSD stuff).  Therefore it is unlikely that they will be the right fit in many organizations.  Both Symantec and NAI sell appliance bundles, but these are more expensive than the other appliances out there for small offices.
0
 
LVL 1

Expert Comment

by:mor4eus
ID: 6257790
If you want real security, I agree hardware is the best bet. You really can't go cheap on security these days. It may cost a little more, but you will save in the future on maintenance and ease of set-up. Cisco offers an upgrade service; Nokia offers the same, but costs a little more. I believe that Netgear may also have a solution. Stick with the big guns, pay a little more, but save in the future.
0
 
LVL 1

Expert Comment

by:asweinstein
ID: 6260385
I have a customer using the Watchguard Firebox II's to do almost the same thing that you are. We setup 1 site with 256K FR Internet, and another site with DSL. Two NT domains are connected over the VPN, and Exchange and ERP software is located at the main site. The Fireboxes are fast, reliable, and very easy to setup and manage. They also include WebBlocker (Internet access control) which is a paid add-on to the Cisco and Netscreen solutions. LiveSecurity, which is their notification service, is also a smart choice for smaller companies without a big IT department to monitor security bugs/fixes/hacks/issues. I would avoid the PIX for this project, too much config/maintenance hassle for the VPN. Also, the WG SOHO is not a very good VPN solution, just not enough horsepower for IPSec.

That said, a Netscreen 5XP Elite retails for $995, while the WG Firebox II is about $4K, and the Netscreen has excellent VPN performance.
0
 

Expert Comment

by:goenw
ID: 6262966
My opinion after handling lots of WG Fireboxes (I work in tech support at a WG distributor :D); I'll try to keep my opinion objective.
1. It's cheap.
2. It's a firewall with VPN capability included (supports IPsec and PPTP).
3. Office-to-office IPsec is free, but for mobile-user IPsec you have to pay an additional cost; you can use Microsoft PPTP instead (free).
4. Updates are quite frequent; the latest would be 4.61.
5. As mentioned by asweinstein, the LiveSecurity feature provides you with monitoring of security bugs/fixes/hacks/issues (even though it is not that complete :D).
6. You are provided with a customer web login with features such as reporting and updating incidents and downloading software/patches. As for support, I have to give credit: it has improved a lot since last year. Salut.
(Personal recommendation: look for Richard Thaves; his answers are straight to the point. He works the night shift, Seattle time.)
7. Under normal conditions I should be able to install this in half an hour.

Some things you have to consider:
1. Try to ping from one point to the other. If the delay is too high, you need to test the VPN carefully; I have encountered some problems.
2. If you are using the NAT functionality, please understand what you really want and whether the box is capable of doing it.
3. The SOHO is not a good device if VPN is a major concern; if traffic is quite high I'd recommend the Firebox II plus Fast VPN, which has a hardware VPN adapter.

As for other VPN solutions, I'm afraid I can't help much.
0
 

Author Comment

by:jonathanv_00
ID: 6267060
Thanks again for the comments, folks.  Looking at the prices of everything mentioned here, and the task of learning a new OS and trusting our security to it, I've decided that either the Netscreen 5XP or the Netopia that's based on it are our best options.  And the Netopia will only work if I think I can still get some support for it.  

Now the only problem, it seems, is finding a Netscreen. No one seems to carry them (CDW, CNET had no prices -- ?), and they haven't returned my email inquiry.  Oh, well. Thanks to all for the comments.  

0
 
LVL 12

Expert Comment

by:Housenet
ID: 6267386
- Which country are you in?
- If you're in Canada, my company can sell them to you. I can even set up the whole thing for you if you like. 3-office WAN connection, right?

- If you're in the U.S.:
- ConQwest Security is a partner of ours & reseller/NOC.
www.conqwest.com
Tel: 888.234.7404, 508.893.0111, Fax: 508.893.0110

- If you'd like to locate a place within driving distance:
http://www.netscreen.com/partners/find_reseller.html
0
