Solved

Need a VPN capable Firewall/Router

Posted on 2004-10-20
Last Modified: 2010-04-12
Okay, here goes (first time posting a question)

I need to purchase a Firewall/Router that will allow multiple concurrent VPN connections from different locations.  I have employees that travel and need access to the Office LAN.  As of now I have a Netgear FVS318 ProSafe Firewall/Router, but it only supports 8 IPSEC connections.  I want to put the new Firewall/Router "behind" the FVS318 (supports 100 IPSEC connections) to create a sort of DMZ and forward all VPN connections to the new Firewall/Router.

My questions are:

- What are some recommendations for the new Firewall/Router that I need?  I have looked into Netgear FVL328, and my boss loves it because it is cheap, but I'm not sure how well it will perform or how easy it is to set up/use.  I've also looked briefly at a CISCO PIX 501, but the price tag is a little high and I've heard that CISCO products are tough to configure and use.

- As far as VPN protocols, I hear that IPSEC is very secure but difficult to set up and use, while PPTP is less secure but easier to use.  Any advice on which protocol to use would be helpful.  Do the security benefits of IPSEC over PPTP outweigh the ease of use benefits of PPTP?

- What else should I look for in a new Firewall/Router?  My company is not very big, but we are growing rapidly.  Do some solutions scale better than others?

Thanks in advance.
Question by:naj2576
4 Comments
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12363647
As for the PIX, the 501 only supports 10 simultaneous VPN connections, but it is easy to set up and configure. New GUI wizards make it easy. The 506e would be more adequate for your needs and scales much higher.

IPSEC is much more secure, and very easy to configure as long as you use an easy client. Cisco VPN client (used with PIX) is extremely easy to set up and client config can be pushed with a pre-configured ini file for clients.

I would seriously consider replacing the FVS318 with something with more horsepower. If you already have some expertise with its little brother and the clients, that has value in itself. I've just never had good luck with Netgear products (I think I'm allergic to Nortel - <8-} )

You might want to consider capability to provide redundant WAN links sometime in the future. Some words of advice:
- With the prices as low as they are, get what you need now with some wiggle room. Don't spend much on extra features that you might need a year or two from now. A year or two from now when you need that function, the products will have evolved and prices lowered enough that it may save money to wait.
- Spend money relative to what you are protecting. If you can go to jail for compromising a client's personal information, then spend appropriately and wisely. If the worst that can happen does not cost you anything, then spend accordingly.

Here are some low-end firewall products that you can look into:
My personal recommendation would be the PIX506e
Second on the list would be the Linksys RV082

Linksys RV082:
http://www.linksys.com/products/product.asp?prid=589&scid=29

Fortinet:
http://www.fortinet.com/products/telesoho.html

Adtran Netvanta
https://www.adtran.com/adtranpx/Rooms/DisplayPages/LayoutInitial?Product=com.webridge.entity.Entity%5BOID%5B27100B71B4B3E44D84DCAE487414CD69%5D%5D&Container=com.webridge.entity.Entity%5BOID%5B54C70AA0A26ED711A78500D0B72032D8%5D%5D&ProductCategory=com.webridge.entity.Entity%5BOID%5BCB5C5CB7C4419B4AA04F9CE1AEDD8CE7%5D%5D

Netscreen
http://www.juniper.net/products/integrated/dsheet/ds_5gt_xt.pdf

Watchguard Firebox
http://www.watchguard.com/products/

PIX 501
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

D-LINK w/DMZ port
http://www.dlink.com/products/?pid=66

Symantec:
http://www.symantec.com/smallbiz/gtw/

SNAP:
http://www.clearpathnet.com/snap/default.asp

LVL 23

Expert Comment

by:Tim Holman
ID: 12369316
I would also recommend upgrading your existing box - it will be a lot easier to support in the long run.
Is there a bigger Netgear box you can upgrade to ?

Author Comment

by:naj2576
ID: 12371284
lrmoore,

Thank you for all the helpful advice.  I've convinced my boss to up my budget a little so that I can get a firewall with a little more horsepower behind it, but I still have to keep things under $1K.

I was almost ready to go with the PIX 506e after looking at it, but now another person I've talked to is pushing SonicWall's TZ170 or PRO 2040.  He believes they are far easier to maintain (for someone not familiar with Cisco IOS) and are more scalable than the PIX.

Any thoughts on these firewalls or SonicWall in general?
LVL 79

Expert Comment

by:lrmoore
ID: 12371417
According to SonicWall's own product chart, the TZ170 is targeted for 10 VPN connections, the 2040 at 50. In that case, I'd have to recommend the 2040.
http://www.sonicwall.com/products/vpnapp.html

However, I've tried several times to find documentation on Sonicwall's web site and it is very difficult to find anything other than the quick setup guides. Get into the documentation for the actual SonicOS, and I've found it quite overwhelming...
I'll take the PIX any day...

You'll have to make your own decision based on your own comfort level and skill sets..