

Need advice on VPN/Firewall devices

Posted on 2005-03-09
Medium Priority
Last Modified: 2008-01-09
I've already posted this question under routers, and am surprised not to have received any comments yet, so I'm posting here, too. You can pick up some more points for providing any new info at http://www.experts-exchange.com/Hardware/Routers/Q_21339222.html


Please advise on the pros/cons of available Firewall/VPN devices for my network.

Here's my current setup for 50 LAN users and 20 VPN users:
- 2 T1 routers with basic firewalls
- Xincom XC-DPG502 Twin-WAN router
- PPTP VPN handled by Windows 2000 Server
- 1 NIC on the server for Internet
- 2nd NIC on the server for LAN
- All LAN and VPN clients getting DHCP config from server

I'd like to have VPN and DHCP handled by a stand-alone device so I can take my server offline without affecting Internet availability for clients. I’d also like VPN authentication to be handled by Active Directory so I don’t have to keep track of users separately on the VPN device. I’ve looked at CyberGuard, WatchGuard and Cisco Pix devices, as well as cheaper devices like the Linksys RV016. I don’t understand how a $400 device like the Linksys RV016 differs from a more expensive device like a Cisco PIX, for which you have to pay additionally for more than 10 VPN clients.

Also, I’m only using one of my public IPs now, though I’ll need to start using more so I can have multiple web servers. How will that affect my choice of devices?

Also, will an IPSec VPN behave any differently than the PPTP I’m using now?

Thanks in advance.

Question by:dekroon

Expert Comment

ID: 13499774
Well, I'd look at Sonicwall Pro firewalls. With Enhanced OS on, they can handle your dual-WAN config, including allowing the incoming VPN connections to use either, and *comprehensive* firewall rules.

But I'd have thought any firewall worth its name can support the multi-NAT situation.

What the cheap unit probably can't do is

- offer anything *like* the flexibility of the bigger boxes
- cope with more than one or two concurrent VPN sessions


Expert Comment

ID: 13500311
I would look at IpCop (Smoothwall derivative). Free, very cool, well supported. We run roughly the same setup here and it works a treat.

Good luck.


Author Comment

ID: 13500506
Hmmm. . . IPCop reminds me of the "freesco" project, Geoff. Looks like something I'd use if I had the time to set it up. But time's an issue here.



Author Comment

ID: 13500560
The Linksys RV016 and others in its class seem to have all the features of the more expensive units, at least on paper. The RV016 handles 50 simultaneous VPN connections, whereas more than 10 on the Pix incurs additional cost. What's the difference?

Expert Comment

ID: 13501737
I have a small network and only a few VPN connections, usually made outside office hours. I spent a lot of time searching for a cost-effective firewall option to use with our T1 connection. Our T1 router has no firewall abilities at all.

The biggest difference between the lower and higher cost units is performance, and then there are things such as number of users, VPN connections and scalability.

Based on our needs now and a best guess down the road we went with a lower end Sonicwall TZ170. By the numbers you are showing I would stay with middle to upper level products so your stress point is not in the firewall itself.

As for the DHCP being handled by the firewall or other device, this is where performance is critical. They have a much smaller processor and less memory than your server. I started using the firewall for DHCP and went to the server because of other setup issues and my Active Directory, but I still let it handle the DHCP for only my VPN connections.

Good luck...

Expert Comment

ID: 13506122
Not that I am pushing IpCop or anything, but I have never seen anything easier to implement. It literally took me half an hour at both sites (I have an inter-office VPN) to get it working, and ever since it's been stable as a judge.

Just my two cents....

Expert Comment

ID: 13506460
Check out http://www.winproxy.com

Does virus scanning, content filtering, spyware/malware scanning before anything hits your network and acts as a complete firewall. Also has many more features, such as configurable access times and limiting protocols. Has a free full demo for 15 or 30 days. Easy to configure.

Works well as I have been using it for 3 years with 50 computers and 2 WANs.

It works best on a standalone system. I have not set up VPN yet (in 2 months I will), but it does have VPN support.

Check them out, the support pages will help with any configs you may have.

Expert Comment

ID: 13506515
Also, I don't know if you would need another machine with WinProxy or just another NIC for the separate router/T1. I will make a call and let you know.


Expert Comment

ID: 13507435
One of the leading appliances for Firewall/VPN is Proventia M30 by ISS

For consulting try www.odysseyconsultants.com

Expert Comment

ID: 13508071
With Cisco PIX, what you are paying for is the name; they're more or less the standard.

Most hardware VPNs will run slower than the Windows stuff.

PPTP vs IPSEC: IPSEC can put a heavy load on the CPU.


Author Comment

ID: 13570621
Here's what I've learned so far:

- Hardware VPNs are slower than Windows server-based VPNs, and IPSEC is more computationally expensive than PPTP. (Thanks, gjohnson99 and AZweb)
- There are lots of software-based alternatives, though as I indicated in the question, I'm not interested in those. I don't want to run anything else on my server (I want to be able to take my server offline without affecting the rest of the LAN) and I don't have time to set up another computer as a firewall.

Nobody has really answered my question completely about how the devices like the Cisco differ from the devices like the Linksys. The features are the same on paper. And the Cisco and Linksys are both owned by Cisco. Obviously they're targeting different users.

What exactly does "performance" mean, AZweb, when you say that that's the difference between higher and lower-priced units?

The number of clients supported (on paper) is no different for my purposes. Will NAT be slower or something?

Expert Comment

ID: 13570868
This is an example of performance:

Cisco PIX 501  (partial specs)

Performance Summary

Cleartext throughput: Up to 60 Mbps
Concurrent connections: 7,500
56-bit DES IPsec VPN throughput: Up to 6 Mbps
168-bit 3DES IPsec VPN throughput: Up to 3 Mbps
128-bit AES IPsec VPN throughput: Up to 4.5 Mbps
Simultaneous VPN peers: 10*
* Maximum number of simultaneous site-to-site or remote access IKE Security Association (SAs) supported
Technical Specifications

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI
Environmental Operating Ranges

I can't find detailed specs on a Linksys unit.
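As an added illustration (not part of the thread), the datasheet figures quoted above can be checked mechanically against the asker's stated environment (50 LAN users, 20 VPN users, two T1 links). The per-host session count, the 3DES cipher choice and the assumption that all 20 VPN users connect at once are mine, not the thread's.

```python
# Added illustration (not from the thread): check an appliance datasheet
# against the asker's site. PIX 501 figures are those quoted above; the
# per-host session count, cipher and "all 20 VPN users at once" are assumed.

T1_MBPS = 1.544  # line rate of one T1 circuit

PIX_501 = {  # partial specs as quoted in the thread
    "cleartext_mbps": 60.0,
    "concurrent_connections": 7500,
    "vpn_mbps": {"DES": 6.0, "3DES": 3.0, "AES-128": 4.5},
    "vpn_peers": 10,  # simultaneous IKE SAs
}

SITE = {  # asker's environment
    "lan_hosts": 50,
    "vpn_users": 20,             # assumption: all connected at once (worst case)
    "wan_mbps": 2 * T1_MBPS,     # two T1 routers
    "connections_per_host": 50,  # assumption: typical desktop session count
    "cipher": "3DES",            # assumption: the usual choice in 2005
}


def evaluate(spec, site):
    """Per-constraint findings: whether it binds, and the headroom or shortfall."""
    f = {}
    # The firewall path should not be slower than the WAN links feeding it.
    f["cleartext"] = {"binds": spec["cleartext_mbps"] < site["wan_mbps"],
                      "headroom_mbps": round(spec["cleartext_mbps"] - site["wan_mbps"], 3)}
    # The state table must hold every LAN host's sessions.
    needed = site["lan_hosts"] * site["connections_per_host"]
    f["connections"] = {"binds": needed > spec["concurrent_connections"],
                        "headroom": spec["concurrent_connections"] - needed}
    # Peer (licence) limit versus users who may connect at the same time.
    f["vpn_peers"] = {"binds": site["vpn_users"] > spec["vpn_peers"],
                      "shortfall": max(0, site["vpn_users"] - spec["vpn_peers"])}
    # Crypto throughput is shared by the peers the box actually admits.
    admitted = min(site["vpn_users"], spec["vpn_peers"])
    vpn_mbps = spec["vpn_mbps"][site["cipher"]]
    f["vpn_throughput"] = {"binds": vpn_mbps < site["wan_mbps"],
                           "per_peer_kbps": round(vpn_mbps * 1000 / admitted, 1)}
    return f


def binding_constraints(spec, site):
    """Sorted names of the constraints that make this device too small."""
    return sorted(k for k, v in evaluate(spec, site).items() if v["binds"])


if __name__ == "__main__":
    print("binding:", binding_constraints(PIX_501, SITE))
```

For this site the cleartext and state-table figures leave ample headroom, while the 10-peer IKE limit and the 3 Mbps 3DES figure (below the 3.088 Mbps of two T1s) are the constraints that bind, which is what "performance" comes down to here.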

Accepted Solution

modulo earned 0 total points
ID: 14251056
PAQed with no points refunded (of 500)

Community Support Moderator

