dekroon

Need advice on VPN/Firewall devices

I've already posted this question under routers, and am surprised not to have received any comments yet, so I'm posting here, too. You can pick up some more points for providing any new info at https://www.experts-exchange.com/questions/21339222/Which-firewall-VPN-device-to-meet-my-needs.html


Greetings.

Please advise on the pros/cons of available Firewall/VPN devices for my network.

Here's my current setup for 50 LAN users and 20 VPN users:
- 2 T1 routers with basic firewalls
- Xincom XC-DPG502 Twin-WAN router
- PPTP VPN handled by Windows 2000 Server
- 1 NIC on the server for Internet
- 2nd NIC on the server for LAN
- All LAN and VPN clients getting DHCP config from server


I'd like to have VPN and DHCP handled by a stand-alone device so I can take my server offline without affecting Internet availability for clients. I’d also like VPN authentication to be handled by Active Directory so I don’t have to keep track of users separately on the VPN device. I’ve looked at CyberGuard, WatchGuard and Cisco Pix devices, as well as cheaper devices like the Linksys RV016. I don’t understand how a $400 device like the Linksys RV016 differs from a more expensive device like a Cisco PIX, for which you have to pay additionally for more than 10 VPN clients.

Also, I’m only using one of my public IPs now, though I’ll need to start using more so I can have multiple web servers. How will that affect my choice of devices?

Also, will an IPSec VPN behave any differently than the PPTP I’m using now?

Thanks in advance.

Joe
ccomley

Well, I'd look at SonicWall Pro firewalls; with Enhanced OS on they can handle your dual-WAN config, including allowing the incoming VPN connections to use either, and *comprehensive* firewall rules.

But I'd have thought any firewall worth its name can support the multi-NAT situation.

What the cheap unit probably can't do is

- offer anything *like* the flexibility of the bigger boxes
- cope with more than one or two concurrent VPN sessions

I would look at IPCop (Smoothwall derivative). Free, very cool, well supported. We run roughly the same setup here and it works a treat.

Good luck.

Geoff
dekroon

ASKER

Hmmm. . . IPCop reminds me of the "freesco" project, Geoff. Looks like something I'd use if I had the time to set it up. But time's an issue here.

Joe
dekroon

ASKER

The Linksys RV016 and others in its class seem to have all the features of the more expensive units, at least on paper. The RV016 handles 50 simultaneous VPN connections, whereas more than 10 on the PIX incurs additional cost. What's the difference?

I have a small network and only a few VPN connections being made, usually outside office hours. I spent a lot of time searching for a cost-effective firewall option for us to use with our T1 connection. Our T1 router has no firewall abilities at all.

The biggest difference between the lower- and higher-cost units is performance, and then there are things such as number of users, VPN connections and scalability.

Based on our needs now and a best guess down the road, we went with a lower-end SonicWall TZ170. By the numbers you are showing, I would stay with middle- to upper-level products so your stress point is not in the firewall itself.

As for the DHCP being handled by the firewall or other device, this is where performance is critical. They have a much smaller processor and less memory than your server. I started using the firewall for DHCP and went to the server because of other setup issues and my Active Directory, but I still let it handle the DHCP for only my VPN connections.

Good luck...
Not that I am pushing IPCop or anything, but I have never seen anything easier to implement. It literally took me half an hour at both sites (I have an inter-office VPN) to get it working, and ever since it's been stable as a judge.

Just my two cents....
Check out http://www.winproxy.com

Does virus scanning, content filtering, and spyware/malware scanning before anything hits your network, and acts as a complete firewall. Also has many more features, such as configurable access times and limiting protocols. Has a free full demo for 15 or 30 days. Easy to configure.

Works well as I have been using it for 3 years with 50 computers and 2 WANs.

It works best on a standalone system. I have not set up VPN yet (in 2 months I will), but it does have VPN support.

Check them out, the support pages will help with any configs you may have.
Also, I don't know if you would need another machine with WinProxy or just another NIC for the separate router/T1. I will make a call and let you know.

One of the leading appliances for Firewall/VPN is Proventia M30 by ISS
http://www.iss.net/products_services/enterprise_protection/proventia/m_series.php

For consulting try www.odysseyconsultants.com
With Cisco PIX what you are paying for is the name. They're more or less the standard.

Most hardware VPNs will run slower than the Windows stuff.

PPTP vs IPsec: IPsec can put a heavy load on the CPU.

dekroon

ASKER

Here's what I've learned so far:

- Hardware VPNs are slower than Windows server-based VPNs, and IPSEC is more computationally expensive than PPTP. (Thanks, gjohnson99 and AZweb)
- There are lots of software-based alternatives, though as I indicated in the question, I'm not interested in those. I don't want to run anything else on my server (I want to be able to take my server offline without affecting the rest of the LAN) and I don't have time to set up another computer as a firewall.

Nobody has really answered my question completely about how the devices like the Cisco differ from the devices like the Linksys. The features are the same on paper. And the Cisco and Linksys are both owned by Cisco. Obviously they're targeting different users.

What exactly does "performance" mean, AZweb, when you say that that's the difference between higher and lower-priced units?

The number of clients supported (on paper) is no different for my purposes. Will NAT be slower or something?
This is an example of performance:

Cisco PIX 501 (partial specs)

Performance Summary

Cleartext throughput: Up to 60 Mbps
Concurrent connections: 7,500
56-bit DES IPsec VPN throughput: Up to 6 Mbps
168-bit 3DES IPsec VPN throughput: Up to 3 Mbps
128-bit AES IPsec VPN throughput: Up to 4.5 Mbps
Simultaneous VPN peers: 10*
* Maximum number of simultaneous site-to-site or remote access IKE Security Association (SAs) supported
Technical Specifications

Processor: 133-MHz AMD SC520 Processor
Random access memory: 16 MB of SDRAM
Flash memory: 8 MB
System bus: Single 32-bit, 33-MHz PCI
I can't find detailed specs on a Linksys unit.
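To make the "performance" numbers above concrete, here is an added sizing check (example code, not from the thread or from Cisco) that feeds the PIX 501 data-sheet figures and Joe's stated load (50 LAN users, 20 VPN users, two T1 routers) into a fit/no-fit test. It reports which data-sheet limit binds: the hard IKE SA (peer) cap and the connection table are pass/fail, while cleartext and per-cipher VPN throughput only say whether the firewall or the WAN is the bottleneck. Two assumptions are not from the page and are marked as such: all 20 VPN users are treated as simultaneous (worst case), and each host is assumed to hold about 40 NAT table entries.

```python
from dataclasses import dataclass

T1_MBPS = 1.544  # payload rate of a single T1 circuit


@dataclass(frozen=True)
class FirewallSpec:
    """Vendor data-sheet numbers for a firewall/VPN appliance."""
    name: str
    cleartext_mbps: float
    concurrent_connections: int
    vpn_mbps: dict          # cipher name -> IPsec throughput in Mbps
    max_vpn_peers: int      # simultaneous IKE SAs (site-to-site or remote access)


# Figures copied from the PIX 501 partial spec sheet quoted in the thread.
PIX_501 = FirewallSpec(
    name="Cisco PIX 501",
    cleartext_mbps=60.0,
    concurrent_connections=7500,
    vpn_mbps={"DES": 6.0, "3DES": 3.0, "AES-128": 4.5},
    max_vpn_peers=10,
)


@dataclass(frozen=True)
class SiteLoad:
    """What the network has to carry.

    Assumptions (not from the thread): every VPN user is online at once,
    and each host keeps about 40 NAT/connection-table entries open.
    """
    lan_users: int
    peak_vpn_users: int
    wan_links: int
    wan_link_mbps: float = T1_MBPS
    connections_per_user: int = 40


# Joe's setup from the question: 50 LAN users, 20 VPN users, two T1 routers.
JOES_LOAD = SiteLoad(lan_users=50, peak_vpn_users=20, wan_links=2)


def size_check(spec: FirewallSpec, load: SiteLoad, cipher: str) -> dict:
    """Return which data-sheet limit binds for this load and cipher.

    'fits' is False as soon as a hard limit (peer count, connection table)
    is exceeded; the throughput figures only locate the bottleneck.
    """
    wan_mbps = load.wan_links * load.wan_link_mbps
    findings = []

    if load.peak_vpn_users > spec.max_vpn_peers:
        findings.append(
            f"{load.peak_vpn_users} simultaneous VPN users exceed the "
            f"{spec.max_vpn_peers}-peer IKE SA limit; the rest cannot connect"
        )

    needed_conns = (load.lan_users + load.peak_vpn_users) * load.connections_per_user
    if needed_conns > spec.concurrent_connections:
        findings.append(
            f"~{needed_conns} connections exceed the "
            f"{spec.concurrent_connections}-entry connection table"
        )

    # Aggregate VPN traffic is capped by the slower of the crypto engine and the WAN.
    crypto_mbps = spec.vpn_mbps[cipher]
    vpn_cap_mbps = min(crypto_mbps, wan_mbps)
    vpn_bottleneck = "firewall VPN crypto" if crypto_mbps < wan_mbps else "WAN links"
    connected_peers = min(load.peak_vpn_users, spec.max_vpn_peers)
    per_peer_mbps = vpn_cap_mbps / connected_peers if connected_peers else 0.0

    # Plain NAT/forwarding: same comparison against the WAN.
    lan_bottleneck = "firewall" if spec.cleartext_mbps < wan_mbps else "WAN links"

    return {
        "fits": not findings,
        "findings": findings,
        "wan_mbps": round(wan_mbps, 3),
        "vpn_bottleneck": vpn_bottleneck,
        "per_peer_mbps": round(per_peer_mbps, 3),
        "lan_bottleneck": lan_bottleneck,
    }


if __name__ == "__main__":
    for cipher in ("DES", "3DES", "AES-128"):
        print(cipher, size_check(PIX_501, JOES_LOAD, cipher))
```

Run against Joe's numbers, the check fails on the 10-peer IKE SA cap no matter which cipher is picked, which is the limit the thread keeps circling around; the connection table (7,500 entries) is nowhere near full at this size. The throughput side shows what the spec sheet means by "performance": two T1s total about 3.1 Mbps, so with 3DES the 501's 3 Mbps crypto engine is the bottleneck, while with AES-128 (4.5 Mbps) or DES (6 Mbps) the WAN is. Cleartext forwarding at 60 Mbps is never the constraint on T1 links.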
ASKER CERTIFIED SOLUTION
modulo