Solved

Need advice on VPN/Firewall devices

Posted on 2005-03-09
Last Modified: 2008-01-09
I've already posted this question under routers, and am surprised not to have received any comments yet, so I'm posting here, too. You can pick up some more points for providing any new info at http://www.experts-exchange.com/Hardware/Routers/Q_21339222.html


Greetings.

Please advise on the pros/cons of available Firewall/VPN devices for my network.

Here's my current setup for 50 LAN users and 20 VPN users:
- 2 T1 routers with basic firewalls
- Xincom XC-DPG502 Twin-WAN router
- PPTP VPN handled by Windows 2000 Server
- 1 NIC on the server for Internet
- 2nd NIC on the server for LAN
- All LAN and VPN clients getting DHCP config from server


I'd like to have VPN and DHCP handled by a stand-alone device so I can take my server offline without affecting Internet availability for clients. I’d also like VPN authentication to be handled by Active Directory so I don’t have to keep track of users separately on the VPN device. I’ve looked at CyberGuard, WatchGuard and Cisco Pix devices, as well as cheaper devices like the Linksys RV016. I don’t understand how a $400 device like the Linksys RV016 differs from a more expensive device like a Cisco PIX, for which you have to pay additionally for more than 10 VPN clients.

Also, I’m only using one of my public IPs now, though I’ll need to start using more so I can have multiple web servers. How will that affect my choice of devices?

Also, will an IPSec VPN behave any differently than the PPTP I’m using now?

Thanks in advance.

Joe
Question by:dekroon
15 Comments
 

Expert Comment

by:ccomley
ID: 13499774
Well, I'd look at Sonicwall Pro firewalls; with Enhanced OS on they can handle your dual-WAN config, including allowing the incoming VPN connections to use either, and *comprehensive* firewall rules.

But I'd have thought any firewall worth its name can support the multi-NAT situation.

What the cheap unit probably can't do is

- offer anything *like* the flexibility of the bigger boxes
- cope with more than one or two concurrent VPN sessions

 

Expert Comment

by:gdrnec
ID: 13500311
I would look at IpCop (Smoothwall derivative). Free, very cool, well supported. We run roughly the same setup here and it works a treat.

Good luck.

Geoff
 

Author Comment

by:dekroon
ID: 13500506
Hmmm. . . IPCop reminds me of the "freesco" project, Geoff. Looks like something I'd use if I had the time to set it up. But time's an issue here.

Joe

 

Author Comment

by:dekroon
ID: 13500560
The Linksys RV016 and others in its class seem to have all the features of the more expensive units, at least on paper. The RV016 handles 50 simultaneous VPN connections, whereas more than 10 on the Pix incurs additional cost. What's the difference?
 

Expert Comment

by:AZweb
ID: 13501737
I have a small network and only a few VPN connections, usually made outside office hours. I spent a lot of time searching for a cost-effective firewall option to use with our T1 connection. Our T1 router has no firewall abilities at all.

The biggest difference between the lower and higher cost units is performance, and then there are things such as number of users, VPN connections and scalability.

Based on our needs now and a best guess down the road we went with a lower end Sonicwall TZ170. By the numbers you are showing I would stay with middle to upper level products so your stress point is not in the firewall itself.

As for the DHCP being handled by the firewall or other device, this is where performance is critical. They have a much smaller processor and less memory than your server. I started using the firewall for DHCP and went to the server because of other setup issues and my Active Directory, but still let it handle the DHCP for only my VPN connections.

Good luck...
 

Expert Comment

by:gdrnec
ID: 13506122
Not that I am pushing IpCop or anything, but I have never seen anything easier to implement. It literally took me half an hour at both sites (I have an inter-office VPN) to get it working, and ever since it's been stable as a judge.

Just my two cents....
 

Expert Comment

by:joe-quick
ID: 13506460
Check out http://www.winproxy.com

Does virus scanning, content filtering, spyware/malware scanning before anything hits your network and acts as a complete firewall. Also has many more features such as configurable access times and limiting protocols. Has a free full demo for 15 or 30 days. Easy to configure.

Works well as I have been using it for 3 years with 50 computers and 2 WANs.

It works best on a standalone system. I have not set up VPN yet (in 2 months I will), but it does have VPN support.

Check them out, the support pages will help with any configs you may have.
 

Expert Comment

by:joe-quick
ID: 13506515
Also, I don't know if you would need another machine with WinProxy or just another NIC for the separate router/T1. I will make a call and let you know.



 

Expert Comment

by:pentiumDB
ID: 13507435
One of the leading appliances for Firewall/VPN is Proventia M30 by ISS
http://www.iss.net/products_services/enterprise_protection/proventia/m_series.php

For consulting try www.odysseyconsultants.com
 

Expert Comment

by:gjohnson99
ID: 13508071
With Cisco PIX what you are paying for is the name. They're more or less the standard.


Most hardware VPNs will run slower than the Windows stuff.

PPTP vs IPSEC. IPSEC can put a heavy load on the cpu.


 

Author Comment

by:dekroon
ID: 13570621
Here's what I've learned so far:

- Hardware VPNs are slower than Windows server-based VPNs, and IPSEC is more computationally expensive than PPTP. (Thanks, gjohnson99 and AZweb)
- There are lots of software-based alternatives, though as I indicated in the question, I'm not interested in those. I don't want to run anything else on my server (I want to be able to take my server offline without affecting the rest of the LAN) and I don't have time to set up another computer as a firewall.

Nobody has really answered my question completely about how the devices like the Cisco differ from the devices like the Linksys. The features are the same on paper. And the Cisco and Linksys are both owned by Cisco. Obviously they're targeting different users.

What exactly does "performance" mean, AZweb, when you say that that's the difference between higher and lower-priced units?

The number of clients supported (on paper) is no different for my purposes. Will NAT be slower or something?
 

Expert Comment

by:AZweb
ID: 13570868
This is an example of performance:

Cisco PIX 501  (partial specs)

Performance Summary

Cleartext throughput: Up to 60 Mbps
Concurrent connections: 7,500
56-bit DES IPsec VPN throughput: Up to 6 Mbps
168-bit 3DES IPsec VPN throughput: Up to 3 Mbps
128-bit AES IPsec VPN throughput: Up to 4.5 Mbps
Simultaneous VPN peers: 10*
* Maximum number of simultaneous site-to-site or remote access IKE Security Association (SAs) supported
Technical Specifications

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI
Environmental Operating Ranges


I can't find detailed specs on a Linksys unit.
 

Accepted Solution

by:
modulo earned 0 total points
ID: 14251056
PAQed with no points refunded (of 500)

modulo
Community Support Moderator
