Solved

Yet another Firewall/VPN question...

Posted on 2004-09-28
Last Modified: 2013-11-16
Ok I have been reading on here for days and think I have a pretty good idea of what I am looking for and need. To start, I am looking to implement a VPN solution for a Small Business with < 30 users. We have 5 sales people located in 2 different states and will also have at any given time 2-3 users working from remote locations (but not "site-to-site" branch locations). We shouldn't have more than 20 concurrent VPN connections but it is possible we will have more than 10 so the Pix 501 is out. I have been looking at the Pix 506e and have talked to Cisco Pre-Sales and that was their suggestion.

Now to what we need this for...We want our remote users and mobile sales force to have access to our accounting files, sales databases, virus scan management software, etc, all which is located on 2 different "servers".  We are also looking into implementing an Exchange Server.  We are not worried about a "remote desktop" feel to it (we will use XP's built in remote desktop if needed), we just need our mobile/remote users access to the inside of our network and the files which reside there.  

Now after having said that here is my question....is the 506e what I need? I have read a great deal about Watchguard, Netscreen, etc. Our budget is around $1000. What is the benefit of one over the other? What "integrated" services does the 506e offer that the others do not?

Please give me your suggestions or ask me if you need more information.  Thanks to all in advance.

Question by:r270ba
6 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12174887
My opinion, the 506e is a perfect fit for your needs. Security is rock solid, the VPN capabilities are simple to set up, the client is simple to deploy, you have plenty of horsepower. What you don't get is any method of content filtering, URL filtering or in-line anti-virus, or WAN link failover capability.

Compared to the features of the Fortinet Fortigate line, the PIX seems rather limited.
http://www.fortinet.com/products/telesoho.html

The Watchguard Firebox is another one that offers a few more features:
http://www.watchguard.com/products/

Bottom line - go with the features that make you comfortable, at the pricepoint that makes you comfortable, and the skills that you already possess. If you're Cisco all the way, then full steam ahead to the PIX. If not, then you have options to look at before making a final decision.

You might want to look at something like this Linksys that is now owned by Cisco as a compromise. Way under budget at around $350, it will do just what you want:
http://www.linksys.com/products/product.asp?prid=589&scid=29


Author Comment

by:r270ba
ID: 12175528
lrmoore I was hoping you would pick this up (from all the other posts I have read by you) :)....the links were great!!! Couple more questions for you. By content filtering do you mean packet shaping? What is the URL filtering and in-line antivirus? Also, I think for WAN link failover capability you need two separate data lines coming in...am I correct or wrong? I also cannot seem to find anywhere on Cisco whether or not the 506e has a DMZ port...do you know if it does?

Finally, for whichever solution I choose, how do I hook up from the router to the firewall? I think I need a crossover cable....is this correct? I want to eventually implement a DMZ with a web server and possibly Exchange Server. Should the Exchange Server be on a DMZ or inside the firewall? If you want I can add these questions to a new post for more points for you.

Thanks for your help!!!!
LVL 79

Expert Comment

by:lrmoore
ID: 12175702
>By content filtering do you mean packet shaping?
No, I mean scanning the data stream for content, like porn coming through email before it ever gets to the user desktop.

>What is the URL filtering and in-line antivirus?
URL filtering means restricting user access to specific URLs, web site categories (i.e. porn, shopping, sports, etc). In-line AV means scanning the data stream for virus signatures before it ever gets to the user desktop.

>Also, I think for WAN link failover capability you need two separate data lines coming in...am I correct or wrong?
Absolutely correct. Say you start off with a DSL line, and then you decide to add another DSL line, or perhaps a cable link for backup/failover/load sharing. The PIX won't help you out in this case, but some of the other products will.

>whether or not the 506e has a DMZ port
Nope. Only two ports - inside and outside. However, it does VLANs on the inside if you have another Cisco switch that does VLANs and trunking, which can give you several "virtual" interfaces that you can use for DMZs.

>how do I hook up from the router to the firewall?  
Normally a crossover, but that depends on the exact router/broadband modem.

>I want to eventually implement a DMZ with a web server and possibly Exchange Server.
Web server, yes - Exchange server, no.
The Exchange and all the internal users are too dependent on the domain/Active Directory to try to make it work through the firewall. Just keep Exchange on the inside and forward SMTP through port 25 only.

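The layout the expert describes (web server in a VLAN-based DMZ, Exchange kept on the inside with only SMTP forwarded to it) sketched out as a PIX 6.3-style configuration. This is an added example, not configuration posted in the thread; the interface names, VLAN id, security levels and all addresses (203.0.113.x outside, 10.0.0.x inside, 192.168.10.x DMZ) are placeholders I chose, and a real deployment would use its own.

```cisco
! Constructed example: PIX 6.3-style config for a two-port firewall
! that uses an inside VLAN as a DMZ. Addresses are placeholders.
interface ethernet0 auto
interface ethernet1 100full
! Logical VLAN sub-interface on the inside port, trunked to the switch
interface ethernet1 vlan10 logical

nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 dmz security50

ip address outside 203.0.113.2 255.255.255.248
ip address inside 10.0.0.1 255.255.255.0
ip address dmz 192.168.10.1 255.255.255.0

! Inside and DMZ hosts reach the Internet via PAT on the outside address
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Exchange stays on the inside (10.0.0.25, placeholder); only SMTP is exposed
static (inside,outside) 203.0.113.3 10.0.0.25 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.3 eq smtp

! Web server lives in the DMZ VLAN (192.168.10.80, placeholder); only HTTP is exposed
static (dmz,outside) 203.0.113.4 192.168.10.80 netmask 255.255.255.255
access-list outside_in permit tcp any host 203.0.113.4 eq www

! Everything else from the outside is dropped by the implicit deny
access-group outside_in in interface outside
```

Because the DMZ interface has a lower security level than the inside, a compromised web server cannot open connections toward the internal LAN unless an explicit access-list and static are added for it, which is the property that makes the VLAN approach a usable substitute for a physical DMZ port.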
Author Comment

by:r270ba
ID: 12175741
man you are the best!!!  i have been looking around at this firebox and i think i like the looks of it pretty well.  It seems to me that the Firebox has more "integrated" options.  I also like how buying licenses upgrade the product w/out having to buy hardware.  From what I have posted above do you think the Firebox X500 w/ upgraded VPN Mobile Users License will work for me?  I promise this is the last question then I will open up another case so I can give you more points!
Author Comment

by:r270ba
ID: 12175745
Oh and by the way...I just signed up here and this place is awesome!!!  The best place I have found on the net!!!!
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12175807
Watchguard products are rock solid, and their support is pretty good. I, too, like the upgrade path that they provide. I think you'll be happy with the X500 and it should serve you well for several years to come.

Glad you found us, and really glad you like it!