Solved

Need a VPN capable Firewall/Router

Posted on 2004-10-20
Last Modified: 2010-04-12
Okay, here goes (first time posting a question)

I need to purchase a Firewall/Router that will allow multiple concurrent VPN connections from different locations.  I have employees that travel and need access to the Office LAN.  As of now I have a Netgear FVS318 ProSafe Firewall/Router, but it only supports 8 IPSEC connections.  I want to put the new Firewall/Router "behind" the FVS318 (supports 100 IPSEC connections) to create a sort of DMZ and forward all VPN connections to the new Firewall/Router.

My questions are:

- What are some recommendations for the new Firewall/Router that I need?  I have looked into Netgear FVL328, and my boss loves it because it is cheap, but I'm not sure how well it will perform or how easy it is to setup/use.  I've also looked briefly at a CISCO PIX 501, but the price tag is a little high and I've heard that CISCO products are tough to configure and use.

- As far as VPN protocols, I hear that IPSEC is very secure but difficult to setup and use, while PPTP is less secure but easier to use.  Any advice on which protocol to use would be helpful.  Do the security benefits of IPSEC over PPTP outweigh the ease of use benefits of PPTP?

- What else should I look for in a new Firewall/Router?  My company is not very big, but we are growing rapidly.  Do some solutions scale better than others?

Thanks in advance.

Question by: naj2576
Accepted Solution by: lrmoore (LVL 79, earned 500 total points)
ID: 12363647
As for the PIX, the 501 only supports 10 simultaneous VPN connections, but it is easy to set up and configure. New GUI wizards make it easy. The 506e would be more adequate for your needs and scales much higher.

IPSEC is much more secure, and very easy to configure as long as you use an easy client. Cisco VPN client (used with PIX) is extremely easy to set up and client config can be pushed with a pre-configured ini file for clients.

I would seriously consider replacing the FVS318 with something with more horsepower. If you already have some expertise with its little brother and the clients, that has value in itself. I've just never had good luck with Netgear products (I think I'm allergic to Nortel - <8-} )

You might want to consider the capability to provide redundant WAN links sometime in the future. Some words of advice:
- With the prices as low as they are, get what you need now with some wiggle room. Don't spend much on extra features that you might need a year or two from now. A year or two from now when you need that function, the products will have evolved and prices will be low enough that it may save money to wait.
- Spend money relative to what you are protecting. If you can go to jail for compromising a client's personal information, then spend appropriately and wisely. If the worst that can happen does not cost you anything, then spend accordingly.

Here are some low-end firewall products that you can look into:
My personal recommendation would be the PIX 506e
Second on the list would be the Linksys RV082

Linksys RV082:
http://www.linksys.com/products/product.asp?prid=589&scid=29

Fortinet:
http://www.fortinet.com/products/telesoho.html

Adtran Netvanta:
https://www.adtran.com/adtranpx/Rooms/DisplayPages/LayoutInitial?Product=com.webridge.entity.Entity%5BOID%5B27100B71B4B3E44D84DCAE487414CD69%5D%5D&Container=com.webridge.entity.Entity%5BOID%5B54C70AA0A26ED711A78500D0B72032D8%5D%5D&ProductCategory=com.webridge.entity.Entity%5BOID%5BCB5C5CB7C4419B4AA04F9CE1AEDD8CE7%5D%5D

Netscreen:
http://www.juniper.net/products/integrated/dsheet/ds_5gt_xt.pdf

Watchguard Firebox:
http://www.watchguard.com/products/

PIX 501:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

D-LINK w/DMZ port:
http://www.dlink.com/products/?pid=66

Symantec:
http://www.symantec.com/smallbiz/gtw/

SNAP:
http://www.clearpathnet.com/snap/default.asp

Expert Comment by: Tim Holman (LVL 23)
ID: 12369316
I would also recommend upgrading your existing box - it will be a lot easier to support in the long run.
Is there a bigger Netgear box you can upgrade to?

Author Comment by: naj2576
ID: 12371284
lrmoore,

Thank you for all the helpful advice.  I've convinced my boss to up my budget a little so that I can get a firewall with a little more horsepower behind it, but I still have to keep things under $1K.

I was almost ready to go with the PIX 506e after looking at it, but now another person I've talked to is pushing SonicWall's TZ170 or PRO 2040.  He believes they are far easier to maintain (for someone not familiar with Cisco IOS) and are more scalable than the PIX.

Any thoughts on these firewalls or SonicWall in general?
Expert Comment by: lrmoore (LVL 79)
ID: 12371417
According to SonicWall's own product chart, the TZ170 is targeted for 10 VPN connections, the 2040 at 50. In that case, I'd have to recommend the 2040.
http://www.sonicwall.com/products/vpnapp.html

However, I've tried several times to find documentation on Sonicwall's web site and it is very difficult to find anything other than the quick setup guides. Get into the documentation for the actual SonicOS, and I've found it quite overwhelming...
I'll take the PIX any day...

You'll have to make your own decision based on your own comfort level and skill sets.