Solved

Suggestions needed for a budget Firewall and VPN infrastructure with Cisco and Sonicwall equipment

Posted on 2008-06-15
11
581 Views
Last Modified: 2010-05-18
Hello Everyone,

The company where I work is very budget conscientious, except with regards to the IT department,  where funds are almost impossible to obtain.  Please keep in mind that when answering this question, all the hardware will be bought off Ebay.  Also, I am  very familiar with SonicOS and fairly familiar with IOS (studying for my CCNP)

We now have a requirement to establish a VPN with a dozen or so warehouses in the US.  Traffic over this Site-to-Site VPN will be Active Directory, DNS, Exchange, file sharing and possibly VoIP.

The current infrastructure is as follows:  The head office has two internet connections, 5mbit ADSL and 100mbit Fiber which are connected to the WAN and OPT interfaces on a Sonicwall TZ170 with Enhanced firmware.  Each of the warehouses have a T1, Cable or DSL and a TZ170 Standard.  Most of the warehouses are currently participating in a VPN for VoIP.

I'm concerned that the TZ170 at the head office will not be able to handle all of the traffic from the VPN.  Also, the TZ170 has the ability for 10 VPN Site-to-Site connections in the SonicOS (not sure if more can be purchased or not).  

I'm thinking that a PIX Firewall of some kind and a 3640 (is a PIX required if the IOS has FW capabilities?), but I'm not sure what exactly to get to ensure the best security, as well as top reliability and performance.

What would you do on a shoe string budget sticking to used Sonicwall and Cisco equipment?

Thanks!
0
Comment
Question by:encoad
  • 4
  • 3
  • 2
  • +2
11 Comments
 
LVL 57

Expert Comment

by:giltjr
ID: 21790623
If I was on a shoe string budget, I would use Linux and iptables and a spare PC.

Instead of a PIX I would see if you could get a ASA box on e-bay.  If you really want a PIX, what class are you looking at?  If you think a TZ170 can't handle it, then you would need a PIX 525 or 535.

If you have a router with FW options, then you would not really need another firewall, unless you wanted to offload the overhead of doing firewall functions.

0
 
LVL 13

Expert Comment

by:kdearing
ID: 21790723
Take a look at smoothwall, an open-source hardened Linux solution. There are also commercial versions that are more powerful and fairly inexpensive.
http://www.smoothwall.org

If you want to go with Cisco, I would choose the ASA 5500 series. You can pick up a basic 5505 bundle solution for about $400 on ebay.
0
 
LVL 7

Expert Comment

by:naughton
ID: 21791327
I'd choose a CISCO 1800 series router.  they are better suited to site-to-site vpn's.

the firewall feature set will cover most events, and unless you went with an ASA 5510 or similar, the elements that would be missed are failover / traffic management.  If you're on a shoestring budget, then i'm unsure if these are important criteria.

an ASA 5505 does not have a DMZ capability, and the vpn capabilities are better with the 5510.

0
 
LVL 6

Assisted Solution

by:raptorjb007
raptorjb007 earned 50 total points
ID: 21793831
The ASA5505 does have a DMZ capability, however with he base license it is restricted to 3 VLANS, one of which is restricted to communicating with only one other VLAN. You can purchase the Security+ License for the ASA5505 which will unlock the ability for active/passive fail over and additional VLANS, however this will double the cost of the firewall.

Regarding which ASA is the best model for this purpose, the ASA5510 would be the better choice, the ASA5505 may run into a CPU bottleneck with the kind of traffic you will be pushing on the VPN's, not to mention a base license limit of 10 above which you would require the Security+ License.

As for a budget is concerned, you may be able to purchase a used Pix model on EBay, just get a model 525 or higher.

I have not used a smoothwall so I am unable to speak for its performance and/or capabilities.

Cisco ASA 5500 Series Adaptive Security Appliances Models Comparison
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
0
 

Author Comment

by:encoad
ID: 21793904
Thanks to all who have responded thus far.  

I've considered the Linux option, but I don't think it's feasible.  I've found Cisco products to be essentially flawless (almost flawless for the sonicwall), but once I start running a server to handle the internet traffic I've got to worry about dead CPU fans, corrupted hard drives, flaky memory and toasted power supplies.  Also, the Cisco support base is alot larger then Smoothwall or the other linux options.  (don't get me wrong, I'm a Linux fan, using Ubuntu right now).

The ASA5510 looks great, but its also pretty expensive, especially once you license it up.

Any reason why I couldn't use a 3640?  Any features it would be lacking?

Thanks
0
VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

 

Author Comment

by:encoad
ID: 21794972
Or perhaps a 3745?
0
 
LVL 6

Expert Comment

by:raptorjb007
ID: 21824953
I'm not familiar enough with using the routers hardware to answer that question for you.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 75 total points
ID: 21825272
Well I would choose the 3745 over the 3640.  Just for the reason that the 3640 is no longer supported, so if you wanted to get support your out of luck.

As for the ASA vs. 3745.  What is the pricing for a 3745 with the IOS Firewall Module?


Cisco has a FAQ on the IOS Firewall:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5710/ps1018/prod_qas09186a008010a40e.html

0
 

Author Comment

by:encoad
ID: 21825341
Hello,

Yeah clearly the 3745 is a better choice.

I found a 3745 with the advanced Enterprise IOS for 900 on ebay.  I'm assuming that's the right IOS to get.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 21825912
Should be a good starting point.  Then you have to buy the IOS Firewall.
0
 

Author Closing Comment

by:encoad
ID: 31467454
Thanks for the information, you guys have clarified things for me.  I think that the 3745 with IOS fw will be best.  The links were very helpful.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Tired of waiting for your show or movie to load?  Are buffering issues a constant problem with your internet connection?  Check this article out to see if these simple adjustments are the solution for you.
Shadow IT is coming out of the shadows as more businesses are choosing cloud-based applications. It is now a multi-cloud world for most organizations. Simultaneously, most businesses have yet to consolidate with one cloud provider or define an offic…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now