Solved

What's your VPN dream setup?

Posted on 2006-11-23
Last Modified: 2010-04-12
Hi,

So we may have some money to spend at the end of the year on some new equipment. Right now we just have a win2k3 server behind a Linksys router. Our current setup is pretty simple. Just have the VPN/DHCP role in win2k3 running, and users connect through the "network connection" wizard on their laptops (winxp). Does anyone have any tips about the VPN hardware available? So far I've looked at HotBrick, SonicWall, Netgear and Cisco ... but I'm not too sure what I should be looking for ... or if we really even need to change our current setup.

What are your thoughts or personal experiences with VPN setups?
Question by:jGams
18 Comments
 

Assisted Solution

by:Rob Williams
Rob Williams earned 71 total points
ID: 18005056
If you are using the "network connection", does that mean you have Small Business Server? If so you may also want to look at the built-in features with Remote Web Workplace and Outlook Web Access.

Using the Windows VPN works great and no real need to switch. However moving to a hardware based VPN router should give you a little more security and slightly better performance. Security is enhanced as there is no need to open/forward ports and it will use the IPSec protocol rather than PPTP. Performance is improved by off-loading the encryption to a dedicated device.

There are dozens of VPN routers available, and most very good. However, Cisco make the best units, have the most versatility, and by far the best support. The model you require will depend on the number of on site Internet users, and the number of simultaneous VPN connections you will require. Cisco's PIX 501 is a great unit starting at about $375 US with 50 users and 10 simultaneous VPN tunnels, either site to site, or client to site.
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.

Expert Comment

by:Rob Williams
ID: 18005059

Assisted Solution

by:jasonpaine
jasonpaine earned 71 total points
ID: 18005263
Have used the SonicWall TZ170 and 2040 for small networks and they work great for the site-to-site and global VPN client; however, I would go with the suggestion RobWill has.
We currently use the PIX501 and it is a great firewall. We have 2 site-to-sites up and running, very stable and secure...

Assisted Solution

by:rsivanandan
rsivanandan earned 71 total points
ID: 18005671
Have you looked at products from Juniper? www.juniper.net

Invariably all the models support additional features like 'deep inspection', URL filtering etc... and the performance is far better.

Cheers,
Rajesh

Accepted Solution

by:calvinetter
calvinetter earned 74 total points
ID: 18006300
 Cisco is definitely 1st choice, followed by SonicWall.  For a business firewall, stay away from the SOHO brands like Netgear, D-Link, etc.

Advantages of Cisco:
- Absolutely rock-solid VPN
- Licensing for VPN is much more open/flexible; out of the box Cisco PIX is fully functional for the max # of client or site VPNs that a model supports; low-end ASA's have a "Security Plus" model that adds to # of licensed VPNs, etc.
- Cisco VPN client software is a free download (when you've purchased "SmartNet" support on the appliance)
- Cisco VPN client is *easy* to install, configure & use; so is SonicWall, but the GUI on the Cisco is easier to understand for a novice user.
- Options for 24/7 SmartNet support with platform-specific experts waiting to help.  Cisco also offers a "4-hr response" flavor of 24/7 SmartNet support, something that SonicWall doesn't offer.

  Which model to get?  Depends on: current # of hosts (PCs + servers) behind your Linksys, max # of simultaneous VPN users, max # of site-to-site VPNs you might want, & expected growth for all the above in the next 2 yr.  For Cisco, 1st choice would be the new ASA security appliances (sort of the next-generation PIX), closely followed by PIX.   ASA adds lots of new features beyond what the PIX provides.
  I strongly suggest you get a better box than you think you need now, since networks never stay the same but only grow & require better performance, & the more features used on a single box will require a better model.  Some general guidelines:

   For networks with <40 local hosts + up to 10 VPNs (client & site-site):
PIX 501, ASA 5505, SonicWall TZ-170   <- roughly equivalent models
   For networks with 50-100 hosts + up to 25 VPNs:
PIX 506E, ASA 5505 Security Plus (possibly ASA 5510), SonicWall 2040

   Cisco ASA series:
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
   Cisco PIX firewalls:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html
   SonicWall 2040:
http://www.sonicwall.com/products/pro2040_details.html

cheers

Assisted Solution

by:lrmoore
lrmoore earned 71 total points
ID: 18007287
Cisco ASA 5505 - hands down. No contest.
PIX is being phased out but is good 2nd choice

Assisted Solution

by:tim1731
tim1731 earned 71 total points
ID: 18010872
Depending on what you want to spend and what you want it to do

1. Failover

SME = Draytek 3000, Corp = Stonegate

Firewall SME = Draytek, Sonicwall, Netscreen 5gt, Corp, Netscreen, Cisco, Checkpoint

Need to look at SSL VPN behind your own firewall

SME = Sonicwall 200 or 2000, Corp Netscreen (Neoteris), F5
http://www.securecomputing.com/pdf/GartnerMagicQuadrantFirewalls1H06.pdf

Assisted Solution

by:charan_jeetsingh
charan_jeetsingh earned 71 total points
ID: 18010983
Juniper & Checkpoint are good, but Cisco is my choice for all times due to the ease of use, the ease of migration... everything is awesome with Cisco. The rest all depends on what exactly your requirements are, depending on which you can decide on the best product for yourself.

Expert Comment

by:charan_jeetsingh
ID: 18010984
And not to forget Nokia VPN boxes... they are also state of the art... just a bit overcomplicated.

Expert Comment

by:calvinetter
ID: 18011532
 Failover? Cisco's got it:
- Failover to a secondary box? Cisco PIX 7.x or Cisco ASA
- Dual-ISP failover links?  Cisco PIX 7.x or Cisco ASA

  SSL VPN? - Cisco ASA

Bottom line is, if you want the best, go with Cisco.  They've been around a long time, they invest a couple of billion $ each yr in R&D for improvements & new technology, you'll get great support, their hardware is bullet-proof, their firewalls have proven they're stable & secure, & the company will be around for years to come.

cheers

Expert Comment

by:tim1731
ID: 18011611
Most enterprise class have failover to another box; I meant failover to a separate VPN link, as in

http://www.stonesoft.com/en/products_and_solutions/products/vpn/index.html

Cisco SSL VPN  or Neoteris  http://www.juniper.net/company/presscenter/pr/2006/pr-060306.html

Cisco isn't the best at anything

Firewall better than Cisco = Netscreen (firewall around longer than PIX)
Switch better than Cisco = Extreme, Foundry (far better product)
Routers = Juniper
SSL VPN = Any other make apart from Whale



Author Comment

by:jGams
ID: 18011919
Wow, Thanks for the replies everyone!

Looks like Cisco seems to be the fav so far. One question about the Cisco box ... Do you have to use the actual Cisco VPN client to connect to the VPN? Or can you just use a regular winxp VPN connection?

The reason I ask is because I know of some people who have to connect to multiple clients, each with their own weird VPN setup that uses different software. I had a few buddies who had to use the Cisco client, and once installed, they were no longer able to connect with any of the other clients' software. It was like the Cisco client had blocked all other VPN usage ... Would this be an isolated problem, or could this potentially happen to us if we set up shop with a Cisco box?

Any thoughts?

Expert Comment

by:Rob Williams
ID: 18011936
Cisco can be configured to use IPSec and their client, or PPTP and the Windows client if you prefer. I haven't had problems with the Cisco client conflicting, but I agree many VPN clients do not play well together.

Expert Comment

by:lrmoore
ID: 18012019
The Cisco ASA can be an endpoint for either Cisco's IPSEC VPN client, or Microsoft PPTP VPN client, or both simultaneously. Either can also be supported from an inside client going to an external vpn server.
The Cisco VPN client is preferred because YOU control all client behavior, whereas the USER controls all client behavior of the Microsoft client.

Many VPN clients do not play well together. Nortel and Cisco don't play nice on the same PC. Many IPSEC clients don't play nice with XP's built in IPSEC capabilities.
I've never had a problem using both Cisco VPN and Microsoft VPN on the same laptop.

Expert Comment

by:calvinetter
ID: 18012659
Yep, the Cisco VPN client won't conflict at all with Windows' built-in PPTP VPN. Agree that most 3rd-party vendors' VPN clients don't coexist well or at all on the same PC, such as Cisco & SonicWall. Sometimes you can work around this by temporarily disabling 1 of the 3rd-party clients while you use the other, e.g. stopping the Cisco VPN service daemon or disabling the vendor-specific VPN virtual interface.

cheers

Author Comment

by:jGams
ID: 18013252
Thanks for the help everyone.  This information has given me a good stepping stone in my search.

Cheers.

Expert Comment

by:Rob Williams
ID: 18013279
Thanks jGams, good luck with your decision.
--rob