jonathanv_00

asked on

Best hardware VPN solution?

Not that this is a hard question . . . We've finally gotten fed up with DSL and are moving to fractional T1 lines.  We have three offices in three cities and two states.  What we have now is a DSL WAN-on-the-cheap; each office sees the other through ATMP tunnels handled by Netopia routers (R7100, R7200, and R9100).  We also have a number of users who occasionally VPN into the routers, usually on "high-speed" connections.  We have three NT 4.0 domains, and about 40 employees all told.  Future expansion might see that number double in two years.

So, here's what I need:
1. Ability to set up WAN-type VPN connections between all three offices, allowing users access to resources in each of the other offices.  
2. Ability to VPN in, preferably using MS PPTP on Windows 98 clients.  I'd like to stay away from 3rd-party VPN clients, just for simplicity and familiarity.
3. Good security, as the fractional T1s will of course have public IP addresses.

Currently, we're generally happy with the Netopias.  One of my questions is whether or not we need to step up our security a notch to something like the SonicWall or WatchGuard products.  Please keep in mind that any solution has to be implemented in three offices.

So, what's your best recommendation for securing small office Internet connections?  Thanks in advance.

Jonathan
mor4eus

Small office - Use cisco pix.  Big range, lots of support and they work.
First off, having good security and using PPTP are mutually exclusive.  Use IPsec.  Also, you'll need  not only a VPN solution but also a firewall solution.  VPN boxes by themselves make poor firewalls.  Going with an integrated VPN/firewall solution will save you money and headaches, so that's clearly the way to go.

So, here's a list of vendors to check out for small office connectivity firewall/VPN solutions:
o WatchGuard
o Netscreen
o Cisco PIX (as mor4eus pointed out)
o Intrusion.com
ASKER CERTIFIED SOLUTION
Housenet
IPSec should do what you need.
A free solution is FreeS/WAN (http://www.freeswan-org) based on a linux 2.4.x kernel.
You just need a Linux box at the sites you want to allow access to. My experience is that a 486 is good enough to handle a few dozen VPN connections simultaneously.
FreeS/WAN also can handle "road warriors" using W9x or NT with PGPNet; W2K also should work directly, 'cause it claims to support IPsec (I personally didn't get it working right now).
FreeS/WAN also supports a shell-based API, meaning that after a connection has been established it starts a user-defined script, for example to set up/manipulate the firewall using iptables (kernel 2.4.x).
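As an added illustration of the hook mechanism described in the post above (example code written for this page, not FreeS/WAN's own _updown script): a script that adds FORWARD rules between the two office subnets when a tunnel comes up and removes them when it goes down. The PLUTO_* variable names, the ipsec0 interface and the subnets are assumptions for the example; the script defaults to printing the iptables commands instead of applying them, so it can be tried without root.

```shell
#!/bin/sh
# Added example (not FreeS/WAN's own _updown script): a hook in the style of the
# FreeS/WAN "updown" script that adds firewall rules when a tunnel comes up and
# removes them when it goes down.
# Assumptions: the IPsec daemon hands the connection details to the script in
# PLUTO_* environment variables (PLUTO_VERB, PLUTO_MY_CLIENT, PLUTO_PEER_CLIENT,
# PLUTO_INTERFACE); decrypted traffic arrives on a KLIPS "ipsec0" interface; the
# FORWARD chain's default policy is DROP; the subnets used when testing below
# are constructed sample values.
# IPTABLES is the command prefix. The default "echo iptables" prints the rules
# instead of applying them, so the script can be dry-run without root; set
# IPTABLES=iptables on the real gateway.

IPTABLES="${IPTABLES:-echo iptables}"

# vpn_rules VERB PEER_SUBNET MY_SUBNET IFACE
# Emit (or apply) the FORWARD rules for one tunnel event. Only traffic that
# came in through the IPsec interface is accepted between the two subnets, so
# a packet arriving on the public interface with a spoofed remote-office source
# address still hits the chain's DROP policy.
vpn_rules() {
    verb="$1"; peer_net="$2"; my_net="$3"; iface="$4"
    case "$verb" in
        up-client)
            $IPTABLES -A FORWARD -i "$iface" -s "$peer_net" -d "$my_net" -j ACCEPT
            $IPTABLES -A FORWARD -o "$iface" -s "$my_net" -d "$peer_net" -j ACCEPT
            ;;
        down-client)
            $IPTABLES -D FORWARD -i "$iface" -s "$peer_net" -d "$my_net" -j ACCEPT
            $IPTABLES -D FORWARD -o "$iface" -s "$my_net" -d "$peer_net" -j ACCEPT
            ;;
        up-host|down-host)
            # host-to-host tunnels carry no subnet, so there is nothing to forward
            ;;
        *)
            echo "vpn_rules: unknown verb '$verb'" >&2
            return 1
            ;;
    esac
}

# Entry point as the IPsec daemon would invoke it: the parameters come from the
# environment rather than the command line.
vpn_updown() {
    vpn_rules "${PLUTO_VERB:?}" "${PLUTO_PEER_CLIENT:?}" "${PLUTO_MY_CLIENT:?}" \
              "${PLUTO_INTERFACE:-ipsec0}"
}

# Act as a hook only when the daemon supplied a verb; sourcing the file by hand
# just defines the functions.
if [ -n "${PLUTO_VERB:-}" ]; then
    vpn_updown
fi
```

The rules are keyed on the interface the packet entered on, not just on source and destination addresses; that is what stops a cleartext packet from the Internet side that merely claims to come from the other office. With a real deployment the mirror of every -A rule must be removed with -D on the down event, as above, or stale rules accumulate across reconnects.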
Yes, there are various ways you can do this with Linux, OpenBSD, Solaris, etc.  But if you have the money doing it with dedicated appliances is going to be easier and more likely to produce a secure solution.
Also, since you guys are happy with Netopia, what about using their firewall/VPN product?  http://www.netopia.com/equipment/security/s9500/
Hey Chris, maybe Netscreen should start paying me for pushing their products all the time, eh? :)
The out-of-the-box solutions from Netopia or Netscreen may be a good idea for people believing in proprietary things.
IMHO security cannot be done by obscurity. So an open source solution using standards like IPsec might be a better solution in the long term. My experience with FreeS/WAN also is that it has a good mailing list with a lot of people helping you solve your problems, and all for free.
I won't say that one is better than the other, just a few thoughts about it.
jonathanv_00 (ASKER)
Boy, lotta stuff here.  Thanks, folks.  

Linux solutions?  I'd like to go that route, but I'm pretty much a one-man IT shop, so learning a new OS to the point where it's secure is a tall order.

Netopia R9500?  That would be my first choice, but unfortunately their agreement with Netscreen expired, and they no longer can support the product.  I suppose I could get one of those and then lean on Netscreen users for support . . . ?

Cisco PIX?  I'm sure it's a rockin' piece of hardware, but $1500 a pop equals almost $5000 for our three offices.  Data's important, but that's overkill for our purposes.  (I know, I know, but we have to make cost/benefit decisions.)

At this point, I'm leaning toward the Netscreen.  Any good word for the Watchguard?
How about Symantec VPN, or Gauntlet by NAI? These are two cheaper solutions which sit on an NT box. They also secure the NT box when installed, so NT insecurity is limited.

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&PID=6747954


http://www.pgp.com/products/gauntlet/default.asp
But this wouldn't provide any protection to desktops, right?  Or are you thinking, mor4eus, that I should run my NT box as a proxy server and use one of these two software firewalls?
Yes, sorry I should have explained a bit better.  Have all clients on a Private Subnet, then use the VPN utilities to connect the sites, you will also be able to issue keys to allow outside access.  Takes a bit of planning, but is easily achievable.
These solutions are relatively difficult to setup and maintain compared to the hardware VPN solutions, and relatively expensive compared to the other software VPN solutions (i.e., free Linux or OpenBSD stuff).  Therefore it is unlikely that they will be the right fit in many organizations.  Both Symantec and NAI sell appliance bundles, but these are more expensive than the other appliances out there for small offices.
If you want real security, I agree hardware is the best bet. You really can't go cheap on security these days. It may cost a little more, but you will save in the future on maintenance and ease of set-up. Cisco offers an upgrade service; Nokia offers the same, but costs a little more. I believe that Netgear may also have a solution. Stick with the big guns, pay a little more but save in the future.
I have a customer using the WatchGuard Firebox IIs to do almost the same thing that you are. We set up one site with 256K FR Internet, and another site with DSL. Two NT domains are connected over the VPN, and Exchange and ERP software is located at the main site. The Fireboxes are fast, reliable, and very easy to set up and manage. They also include WebBlocker (Internet access control), which is a paid add-on to the Cisco and Netscreen solutions. LiveSecurity, which is their notification service, is also a smart choice for smaller companies without a big IT department to monitor security bugs/fixes/hacks/issues. I would avoid the PIX for this project, too much config/maintenance hassle for the VPN. Also, the WG SOHO is not a very good VPN solution, just not enough horsepower for IPsec.

That said, a Netscreen 5XP Elite retails for $995, while the WG Firebox II is about $4K, and the Netscreen has excellent VPN performance.
My opinion after handling lots of WG Fireboxes (I work as tech support at a WG distributor :D). I'll try to keep my opinion objective.
1. It's cheap.
2. It's a firewall with VPN capability included (supports IPsec and PPTP).
3. For office-to-office IPsec it's free, but for mobile-user IPsec you have to add additional cost. You can use Microsoft PPTP instead (free).
4. The updates are quite frequent. The latest would be 4.61.
5. As mentioned by asweinstein, the LiveSecurity feature provides you with monitoring of security bugs/fixes/hacks/issues (even though it is not that complete :D).
6. You are provided with a user login to the customer web site with some features: report and update incidents, download software/patches. As for support I have to give credit, it has had lots of improvement since last year. Salut.
(Personal recommendation: look for Richard Thaves, the answers from him are straight to the point; works the night shift, Seattle time.)
7. In normal conditions I should be able to install this in half an hour.

Some things you have to consider:
1. Try to ping from one point to the other. If the delay is too high, you need to test the VPN carefully. I have encountered some problems.
2. If you are using the NAT functionality, please understand what you really want and whether the box is capable of doing it.
3. The SOHO is not a good device if VPN is a major concern and traffic is quite high; I'd recommend the Firebox II plus Fast VPN. It has a hardware VPN adapter.

As for other VPN solutions, I'm afraid I can't help much.
Thanks again for the comments, folks.  Looking at the prices of everything mentioned here, and the task of learning a new OS and trusting our security to it, I've decided that either the Netscreen 5XP or the Netopia that's based on it are our best options.  And the Netopia will only work if I think I can still get some support for it.  

Now the only problem, it seems, is finding a Netscreen. No one seems to carry them (CDW, CNET had no prices -- ?), and they haven't returned my email inquiry.  Oh, well. Thanks to all for the comments.  

-Which country are you in?
-If you're in Canada, my company can sell them to you. I can even set up the whole thing for you if you like. 3 office WAN connection, right?

-If you're in the U.S
-ConQwest Security is a partner of ours & reseller-NOC..
www.conqwest.com
Tel: 888.234.7404, 508.893.0111, Fax: 508.893.0110

-If you'd like to locate a place within driving distance
http://www.netscreen.com/partners/find_reseller.html