avsc (United States of America) asked:
Which site-to-site VPN is best?

I have a small company with no more than 40 people in two locations.  I want to enable a persistent VPN tunnel to join the LANs together.

I see my options as:
1. Windows 2003 Server persistent site-to-site VPN solution.
2. Windows ISA Server Gateway-to-Gateway VPN
3. Some third party VPN hardware like Sonicwall or Netscreen.

Which is best for a small company?

Thanks
jasef:
Hi avsc,
My recommendation is always a hardware VPN as it provides you greater security.  The Cisco PIX 501s ($700Au 10 User VPN Bundle) are cheaper than the Sonics and more secure (IMO). The site-to-site VPN can be performed via a GUI wizard, so it is a piece of cake to set up.  You will need to have at least one site with a static IP address.
It is preferable for your users to access the internet via ISA as a proxy server, else you may need more than a 10 user license.  You can run 10 VPN tunnels concurrently regardless.

Cheers!
I would also recommend terminating the VPN to a secondary network card on the ISA box & reconfiguring it to provide some filtering & protection for VPN users terminated within the tunnel.
ASKER CERTIFIED SOLUTION by Sebo2000 (text only available to Experts Exchange members)
The--Captain:
>Windows 2003 VPN, once setup correctly and secured correctly provides same security as PIX

LOL!  Sounds like a Microsoft press release - Windows should never be exposed to the public internet (in other words, a Windows box should always be behind a firewall).  I agree with a 3rd party hardware solution - I think Sonicwalls are junk, and the PIX is not that much better (but it *is* better).  If you can afford Astaro, I'd go with that.

>A. but it pays off, because you will not have any capability issues with other MS software like Outlook, Exchange and many
>others.
>B. Plus you will save quite a bit of money

Assertion A is incongruent with assertion B - if you cannot make your network interoperate with anything other than Microsoft, you will always be trapped into purchasing their products, regardless of what they decide to make you pay (and historically, they have made folks pay out the wazoo).

>you can even use Certs with 16k bits keys, PIX can’t do that

Do you have a link for that?  I'm having trouble finding those specific specs...

Cheers,
-Jon
SOLUTION (text only available to Experts Exchange members)
If you are looking for an inexpensive alternative, go with the Netgear FVS318 router (around $120 each, Netgear part of Nortel Networks). It allows you to have up to 8 locations connected at one time.  Right now I have 7 locations connected to my location using the Netgear FVS318, small business, about 50 users.  If you were interested in people connecting from home, get the Netgear FVS328 (around $180 each); software is available for users to VPN into the Netgear FVS328 from home.
Hi,
Everybody has a right to their own opinion. Windows is as safe as other OSes if you know what you are doing; there were almost 120 vulnerabilities found in Windows that were fixed within 15 days. Compare that with RedHat: over 200 holes that on average took over 30 days to fix, but nobody jumps on the Nix world because it is open source and there is no one company you can blame.

If you look at TCO, the MS solution is still cheaper, and there are more documents explaining how to do it. Try to learn how to configure PIX the way that really does its job; good luck, there are not a lot of documents. Everything is money; it will take you quite a few days/weeks to learn PIX, and if you charge $50 per hour it will come up to a nice amount.

Go with PIX if the company that you are setting the network up for is loaded and can afford that, but for a 40 user network a regular RRAS tunnel is more than you need.
I saw networks with PIX that have all outbound ports open because the admin didn't know how to publish RPC properly; what is the PIX good for in that situation?


I would go with two small Cisco routers, running an IPSec/GRE tunnel for a more robust solution. Two Linksys VPN Routers would certainly do the job (for about $300) BUT they are not "industrial grade" by any means. Here is a possible scenario using two small Cisco routers, and two PIX 501s ( acting as stateful firewalls, not VPN devices):


LAN > PIX > Router > Internet < Router < PIX < LAN

The problems with a Linksys:

1. They have a factory reset button. I repeat, they have a factory reset button!
2. No way to remotely reload.
3. Diagnostics are poor.

Don't get me wrong, Linksys offers a great device for the money, but it's "plug and play and PRAY". I'm not sure how far apart your locations are, and whether you have a technical contact at the remote site; this should all be taken into consideration.

The above solution gives you the ultimate in control, for around $3500. I bet if you looked on Ebay, you could find a great deal.
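As an added illustration of the GRE-over-IPsec router-to-router design sketched above (this is not part of the original thread and not any poster's configuration), here is what the site A router's Cisco IOS configuration could look like. The public addresses, the tunnel addressing, the interface names, the remote LAN prefix and the IKE/IPsec parameters are all constructed assumptions, and the pre-shared key is a placeholder; site B mirrors this with the addresses swapped. The PIX in the poster's diagram sits between the LAN and this router, so it still filters what the LAN is allowed to send into and receive from the tunnel.

```cisco
! Site A router (added example, not from the thread).
! Constructed addresses: 203.0.113.1 = site A public, 198.51.100.1 = site B public,
! 192.168.1.0/24 = site A LAN, 192.168.2.0/24 = site B LAN.

! Phase 1 (IKE): both routers must agree on these settings.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Pre-shared key bound to the peer's public address; replace the placeholder.
crypto isakmp key REPLACE_WITH_LONG_RANDOM_PSK address 198.51.100.1

! Phase 2 (IPsec): transport mode is enough because GRE already encapsulates.
crypto ipsec transform-set TS-AES-SHA esp-aes 256 esp-sha-hmac
 mode transport

! Profile applied directly to the tunnel interface.
crypto ipsec profile GRE-PROTECT
 set transform-set TS-AES-SHA

! Internet-facing interface.
interface FastEthernet0
 description Internet uplink (site A public address)
 ip address 203.0.113.1 255.255.255.252

! GRE tunnel to site B, encrypted by the IPsec profile.
interface Tunnel0
 description GRE over IPsec to site B
 ip address 10.255.0.1 255.255.255.252
 ip tcp adjust-mss 1360
 tunnel source FastEthernet0
 tunnel destination 198.51.100.1
 tunnel protection ipsec profile GRE-PROTECT

! Send the remote LAN through the tunnel; default route goes to the ISP.
ip route 192.168.2.0 255.255.255.0 Tunnel0
ip route 0.0.0.0 0.0.0.0 203.0.113.2
```

After both sides are up, `show crypto isakmp sa` and `show crypto ipsec sa` on either router show whether the IKE and IPsec security associations formed and whether encrypted packet counters increase; the `ip tcp adjust-mss` line avoids the fragmentation problems that GRE plus ESP overhead otherwise causes for TCP sessions through the tunnel. Diffie-Hellman group 14 is assumed here; older IOS images on small routers of that era may only offer lower groups.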
SOLUTION (text only available to Experts Exchange members)

avsc (asker):
Thank you everyone for your most insightful input and opinions. ;-)

In this particular case I am going to use a persistent site-to-site connection between two Windows 2003 servers.  I think the Windows servers can be secured; however, they will also be placed behind a cheaper hardware firewall passing the VPN to the server.  I think this was the best choice in this situation because we already have this equipment and can implement it without any additional cost.

I took a look at the Astaro firewall and was impressed with its features, however I thought it was rather expensive.

Thanks again for all the input!!  CHEERS!