
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 237

T1 to Firewall with VPN. Help me understand better.

Ok I'm a little bit confused.

T1 is 1.54Mbps a sec. (Capital Mbps is what? MegaBits per sec?)  So technically if I purchase a Firewall with 1.54Mbps max throughput it should handle a T1 connection fine. No?

So what I'm trying to figure out, is when do I need to go to a bigger firewall.


Client of mine has a firewall with max 150MBps, well if a T1 is 1.54, then 150 seems a lot.  Why would they need to go up to say, 200, or 275MBps.  Or why even 1.54Gbps, which I've seen on some high end ones.

Is there a way I can determine easily?

Then there is the matter of VPN.

This client example has one main location with a T1, that firewall is only 150Mbps Max Throughput and 40MBps for VPN.  So I'm thinking, ok 150 Max for the T1, that's good, and all 8 locations can get 40Mbps max.  Of course now I'm thinking that adds up to 320Mbps, but they don't need all 40Mbps, if a T1 again is 1.54Mbps.    So if all 8 locations are using the firewall evenly plus the main office that's 17.11kbps each?

I'm just a bit confused.

So how do I properly determine what throughput a client needs if they are on a T1?

What would you recommend for 8 locations and a main office to be on VPN.  All internet, email, domain login goes through main office out T1.

Even now the VPN site takes like 8min to logon to the domain, it's awful.
1 Solution
It's not always just a question of throughput. It's a matter of CPU and memory on the firewalls, and licensing issues, and other capabilities.
Another consideration, especially for larger companies, is the use of DMZs, or protected networks that are semi-publicly accessible. Perhaps a web server farm that needs high-speed access to back-end database servers. Even though they may have an egress port only capable of 1.5Mbps, the interaction between multiple LAN interfaces may require Gigabit capabilities through the firewall. (Yes, that is Megabits per second, not MegaBytes)

Take for argument example, the Cisco PIX series. Starting with the paperback book sized little 501, the tech specs say it will handle 60Mbps cleartext throughput, 7500 concurrent connections, and 4.5 Mbps throughput over VPN with 128-bit AES encryption. Quite impressive for a box designed for SOHO (Small Office, Home Office) <10 users. Licensing is in three modes - 10, 50 or unlimited users. Limitation: no capability for DMZ interfaces. It has inside and outside only. No failover capability. Limited VPN connections (10).

Next, the big boy Enterprise version of the PIX line is the 535 with up to 1.7Gbps, 500,000 connections, 256-bit AES VPN throughput up to 425Mbps, and 2000 simultaneous VPN tunnels. When you need multiple DMZ interfaces all at gigabit speed, this is the workhorse.

Many firewalls try to combine the firewall functions with packet filtering, or AntiVirus, web content control, VPN, etc. The bottom line is to look for the features that you need, at the price point that you can afford.
fredmastro (Author) Commented:

So then..

A firewall with a max 150Mbps (40Mbps VPN) at a main location with a T1 connection, and say 9 remote sites with Cable/DSL connection wanting to use VPN for Internet and Network Filesharing.

Or your opinion would be or not be sufficient?

How should I properly figure out the proper Mbps I'm going to need at the main location?
Do I need to go up to a 250Mbps and 95Mbps VPN?  I don't know.

I'll give you the points, let's just talk over this a little bit.  I really would like to know if it's not adequate.
If they're being restricted by their connection and are looking at upping the speed to accommodate the overload, a better solution might be (for a Windows enviro) to put DCs into each branch office. This will alleviate the logon problem, and reduce the congestion over the links. It would also likely work out to be cheaper than getting faster lines in.
For filesharing a local file server with replication might be more beneficial as well.
This can still be managed centrally at the main office.

The other question is how much traffic will there be?  Will all the offices be transmitting/receiving constantly at the same time?

You're still getting wrapped up trying to find some magic mathematic formula and there isn't one.
Defining what is sufficient depends on defining too many other factors.
Are you still working on this? Can we be of any more assistance?
Can you close out this question?
As an interested observer and subscriber to this thread, I believe lrmoore answered it quite thoroughly...  Just an observation..