Which site-to-site VPN is best?

I have a small company with no more than 40 people in two locations.  I want to enable a persistent VPN tunnel to join the LANs together.

I see my options as:
1. Windows 2003 Server persistent site-to-site VPN solution.
2. Windows ISA Server Gateway-to-Gateway VPN
3. Some third party VPN hardware like Sonicwall or Netscreen.

Which is best for a small company?

I would recommend going with Windows 2003 VPN; once set up correctly and secured correctly it provides the same security as a PIX, the same encryption and authentication methods, and you can even use certs with 16k-bit keys, which the PIX can't do.
It takes some research to disable all unnecessary services and implement proper policies, but it pays off, because you will not have any compatibility issues with other MS software like Outlook, Exchange and many others. Plus you will save quite a bit of money. Use ISA if both networks need firewalls, but do not use ISA just for your VPN project because you will not get more out of it.
Hi avsc,
My recommendation is always a hardware VPN as it provides you greater security.  The Cisco PIX 501s ($700 AU, 10-user VPN bundle) are cheaper than the SonicWALLs and more secure (IMO). The site-to-site VPN can be performed via a GUI wizard, so they are a piece of cake to set up.  You will need to have at least one site with a static IP address.
It is preferable for your users to access the internet via ISA as a proxy server, else you may need more than a 10-user license.  You can run 10 VPN tunnels concurrently regardless.

I would also recommend terminating the VPN to a secondary network card on the ISA box & reconfiguring it to provide some filtering & protection for VPN users terminated within the tunnel.

>Windows 2003 VPN, once setup correctly and secured correctly provides same security as PIX

LOL!  Sounds like a Microsoft press release - Windows should never be exposed to the public internet (in other words, a Windows box should always be behind a firewall).  I agree with a 3rd-party hardware solution - I think SonicWALLs are junk, and the PIX is not that much better (but it *is* better).  If you can afford Astaro, I'd go with that.

>A. but it pays off, because you will not have any compatibility issues with other MS software like Outlook, Exchange and many
>B. Plus you will save quite a bit of money

Assertion A is incongruent with assertion B - if you cannot make your network interoperate with anything other than Microsoft, you will always be trapped into purchasing their products, regardless of what they decide to make you pay (and historically, they have made folks pay out the wazoo).

>you can even use Certs with 16k bits keys, PIX can’t do that

Do you have a link for that?  I'm having trouble finding those specific specs...

>Which is best for a small company?
That's the key question. Setting up two Microsoft servers with licensing fees, hardware, etc., is quite expensive. And I have to agree with Jon -- with the hundreds of vulnerabilities already published about MS Server products, I would never recommend using it as the underlying OS for any security product.
What is best is what you can afford - spending the least amount of money to protect your systems to the necessary level. What kind of data are you passing around? Health care information? Financial information? Proprietary product information? Are there any laws/regulations that hold you accountable for compromise of your data? (i.e. HIPAA, SBO, GLB). Spend the money that is relative to the threat and requirements.
You could easily use two Linksys VPN endpoints (like the RV042) and have everything you need for a fraction of the cost of setting up two servers or even two PIXs.
It also depends on what you already have in place. What kind of connections and equipment do you already have?
You  may already have the capability and not even know it..

If you are looking for an inexpensive alternative... go with the Netgear FVS318 router (around $120 each; Netgear is part of Nortel Networks). It allows you to have up to 8 locations connected at one time.  Right now I have 7 locations connected to my location using the Netgear FVS318, small business, about 50 users.  If you were interested in people connecting from home, get the Netgear FVS328 (around $180 each); software is available for users to VPN into the Netgear FVS328 from home.
Everybody has a right to their own opinion. Windows is as safe as other OSes if you know what you are doing; there were almost 120 vulnerabilities found in Windows that were fixed within 15 days. Compare that with Red Hat: over 200 holes that on average took over 30 days to fix, but nobody jumps on the *nix world because it is open source and there is no one company you can blame.

If you look at TCO, the MS solution is still cheaper, and there are more documents explaining how to do it. Try to learn how to configure a PIX so that it really does its job; good luck, there are not a lot of documents. Everything is money; it will take you quite a few days/weeks to learn the PIX, and if you charge $50 per hour it will come to a nice amount.

Go with PIX if the company you are setting the network up for is loaded and can afford it, but for a 40-user network a regular RRAS tunnel is more than you need.
I saw networks with PIX that had all outbound ports open, because the admin didn't know how to properly publish RPC. What is the PIX good for in that situation?

I would go with two small Cisco routers running an IPsec/GRE tunnel for a more robust solution. Two Linksys VPN routers would certainly do the job (for about $300) BUT they are not "industrial grade" by any means. Here is a possible scenario using two small Cisco routers and two PIX 501s (acting as stateful firewalls, not VPN devices):

LAN > PIX > Router > Internet < Router < PIX < LAN

The problems with a Linksys:

1. They have a factory reset button. I repeat, they have a factory reset button!
2. No way to remotely reload.
3. Diagnostics are poor.

Don't get me wrong - Linksys offers a great device for the money - but it's "plug and play and PRAY". I'm not sure how far apart your locations are, and whether you have a technical contact at the remote site; this should all be taken into consideration.

The above solution gives you the ultimate in control, for around $3500. I bet if you looked on Ebay, you could find a great deal.
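The IPsec/GRE tunnel in the layout above (LAN > PIX > Router > Internet < Router < PIX < LAN), written out as an added example of what the Site A router would carry. This is not configuration from any poster; it assumes static public addresses at both ends (198.51.100.2 for Site A, 203.0.113.2 for Site B, both from the RFC 5737 documentation ranges), LANs 192.168.1.0/24 and 192.168.2.0/24, a /30 for the GRE link, a pre-shared key shown as a placeholder, and AES/SHA where a 2005-era box would more likely have used 3DES. Interface names, ACL names and the `SITE-B` crypto map name are chosen here. Site B is the mirror image with the addresses swapped.

```cisco
! Site A router. Addresses, names and PRE-SHARED-KEY are placeholders for this example.
!
! Phase 1 (IKEv1/ISAKMP): how the two routers authenticate and key the control channel.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key PRE-SHARED-KEY address 203.0.113.2
!
! Phase 2 (IPsec): protect only the GRE packets exchanged between the two public addresses.
! Transport mode is enough because GRE already supplies the outer IP header.
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha-hmac
 mode transport
!
ip access-list extended GRE-TO-SITE-B
 permit gre host 198.51.100.2 host 203.0.113.2
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set GRE-TS
 set pfs group2
 match address GRE-TO-SITE-B
!
! GRE tunnel carrying the inter-site routes; keepalives bring the interface down if the far end dies,
! so the static route below stops attracting traffic into a dead tunnel.
interface Tunnel0
 description GRE to Site B (encrypted by crypto map SITE-B)
 ip address 10.255.0.1 255.255.255.252
 tunnel source 198.51.100.2
 tunnel destination 203.0.113.2
 keepalive 10 3
!
! WAN side: the crypto map attaches here, and the inbound ACL admits only what the tunnel needs
! (IKE on UDP/500, ESP, and the GRE that appears after decryption). Everything else is logged and dropped.
ip access-list extended FROM-INTERNET
 permit udp host 203.0.113.2 host 198.51.100.2 eq isakmp
 permit esp host 203.0.113.2 host 198.51.100.2
 permit gre host 203.0.113.2 host 198.51.100.2
 deny   ip any any log
!
interface FastEthernet0/0
 description Internet
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-INTERNET in
 crypto map SITE-B
!
! LAN side faces the PIX outside interface, so traffic is decrypted here and still filtered
! by the PIX before it reaches the LAN.
interface FastEthernet0/1
 description To PIX outside
 ip address 192.168.100.1 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 192.168.1.0 255.255.255.0 192.168.100.2
```

After both ends are configured and traffic is sent across, `show crypto isakmp sa` should list the peer in state QM_IDLE and `show crypto ipsec sa` should show the encaps/decaps counters climbing; `show interfaces Tunnel0` staying up/up confirms the keepalives are passing. If the PIX also has to pass tunnel traffic (for example a PIX placed outside the router instead of inside as drawn), it needs to permit UDP/500 and ESP between the two public addresses.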
More .02c... Due to the dizzying number of responses, I would like to expand my opinion for your (and possibly others) benefit.

1) I have recommended against ISA. The main reason is the consequences of compromise on a non-dedicated box. If you are able to have ISA on a dedicated box (i.e. one that is not running file or print sharing, or domain authentication, or any other important service), depending on the attack types run against the box (and lots of things), you are generally in a slightly better situation, especially if the ISA server is in a DMZ and you still have some filtering for packets from the DMZ to the LAN.

Also, as noted, I agree with the patching issue and I'd like to add that M$ seems to have the miraculous propensity for almost every single vulnerability to end up with the tag "who successfully exploited this vulnerability could gain complete control over a remote computer" LOL.
NB. I have personally set up many PIXs with networks that use Exchange & Outlook and never had issues with 'incompatibilities'.

2) Why PIXs. Truth is, IPsec VPNs are an industry standard.  So you can use most any device that supports IPsec VPNs, and if you've got the same brand at either end it will probably be fairly easy to set up. If you end up needing to establish a VPN with another device, that can get trickier, and poor diagnostics or debugging (such as the SonicWALL provides) makes life a lot harder.
I like the PIXs because they're a true hardware firewall.  Cisco's support is unmatched in my experience (I did forget to mention that you should get a SmartNet contract to access their support), and most vulnerabilities go no further than a DoS, which means your data is still safe (if unavailable). Using the CLI with the PIX is tricky... it's a little like using DOS for a Windows user; however, it is usually not necessary, as the PDM (GUI) can do pretty much everything.  Contrary to some people's belief, there is plenty of documentation available to assist in setting PIXs up if you want to.  There is certainly no NEED to go with the PIXs, but the money vs. benefits makes them a great deal IMO.

I agree with Jons (The Captain) comments, though I have never used the Astaro.
I agree with lrmoore and wmilligia, both are great perspectives. Sebo also has a good point (or maybe two).
If your question had been about using Red Hat instead of Windows, I would have provided the same answer.
avscCEO (Author) commented:
Thank you everyone for your most insightful input and opinions. ;-)

In this particular case I am going to use a persistent site-to-site connection between two Windows 2003 servers.  I think the Windows servers can be secured; however, they will also be placed behind a cheaper hardware firewall passing the VPN to the server.  I think this was the best choice in this situation because we already have this equipment and can implement it without any additional cost.

I took a look at the Astaro firewall and was impressed with its features, however I thought it was rather expensive.  

Thanks again for all the input!!  CHEERS!