Firewall/VPN recommendation

Posted on 2008-10-10
Last Modified: 2012-05-05
I am looking for a firewall/VPN solution to link up 3 locations (2 in Singapore, 1 in Europe).

Each location has high speed DSL, typically 2Mbps up and 10Mbps down link.
- Each location will have the subnet 10.0.1.x, 10.0.2.x, 10.0.3.x
- Able to set up site-to-site VPN tunnels (3 way/locations)
- We do not need a central Internet access gateway for security control
- Only internal data traffic will traverse the site-to-site VPN tunnel
- Internet traffic will go directly to the Internet (for efficiency purposes)
- For the firewall, we only need basic firewall rules: permit certain destination IPs/ports to be opened, deny all others except traffic originated from internal

Mobile staff (using laptops) should be able to access LAN servers from Internet (from home etc).

We have a total of 26 staff, inclusive of 10 mobile users, distributed across 3 locations.

Any suitable recommendations for firewall and VPN?
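Before picking hardware it helps to write the requirements down as a checkable model. The following is an added example (not from the thread): it encodes the three /24 subnets, the full-mesh tunnel layout, local Internet breakout, and the basic stateful policy the question lists, so each routing and policy decision can be tested; the site names, the published-service list and the test addresses are constructed assumptions.

```python
"""Model of the three-site design from the question: full-mesh tunnels
between 10.0.1.0/24, 10.0.2.0/24 and 10.0.3.0/24, direct Internet breakout
at each site, and a default-deny inbound policy.  Added example, not the
thread's own material; site names and the permit list are constructed."""
from ipaddress import ip_address, ip_network
from itertools import combinations

SITES = {"SG1": ip_network("10.0.1.0/24"),
         "SG2": ip_network("10.0.2.0/24"),
         "EU1": ip_network("10.0.3.0/24")}

# Constructed sample of "permit certain destination IP, ports" for
# Internet-originated traffic; anything else from outside is denied.
INBOUND_PERMITS = {("10.0.1.10", 443), ("10.0.1.10", 1194)}


def mesh_tunnels(sites):
    """Every pair of sites gets its own tunnel: 3 sites -> 3 tunnels, no hub."""
    return sorted(combinations(sorted(sites), 2))


def next_hop(src_site, dst_ip, sites=SITES):
    """Routing decision at a site: local LAN, the tunnel to the site that
    owns the destination, or the local Internet link (no central gateway)."""
    dst = ip_address(dst_ip)
    for name, net in sites.items():
        if dst in net:
            if name == src_site:
                return "lan"
            return "tunnel:" + "-".join(sorted((src_site, name)))
    return "internet"


def policy(src_ip, dst_ip, dst_port, sites=SITES):
    """Basic stateful rule set from the question: internally originated
    traffic is permitted (replies are matched by the state table); traffic
    from outside only to explicitly published destination IP/port pairs."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    if any(src in net for net in sites.values()):
        return "permit"                      # originated inside the company
    if (str(dst), dst_port) in INBOUND_PERMITS:
        return "permit"                      # explicitly opened service
    return "deny"                            # default deny for everything else
```

Running the model against a few constructed flows shows that SG1-to-EU1 traffic takes the direct tunnel rather than a hub, while an unlisted inbound port is dropped.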

Question by: artradis

Assisted Solution

Patricck earned 50 total points
ID: 22685506
I would prefer to make the firewall on a HW basis. You will need 3 routers which provide VPN connections.

Here is an article about it:,289483,sid68_gci1039739,00.html

Assisted Solution

devangshroff earned 50 total points
ID: 22685652
The best way is to buy a VPN cable router, or if at all locations you have Ethernet termination, you can buy a firewall like Cisco, SonicWALL or Fortinet.

Preferably Cisco ASA 5505 for branch and 5510 for HO.

Assisted Solution

SysExpert earned 50 total points
ID: 22687432
Or netscreen 5 GT, which should work nicely in this setup.

I hope this helps!

Accepted Solution

iw0k earned 150 total points
ID: 22688078
I would recommend you use 3 Juniper SSG20.
The public price of one device is around $700.
The advantages of using those 3 routers on your sites:
   - Being able to manage the security efficiently, with scalability allowing you to evolve depending on your needs (5 interfaces, 2 extra card slots) without investing a LOT of money.
   - Having your 3 sites connected to each other by VPN, where each site can connect to another site directly without passing through a "hub" VPN (autoconnect feature for large scale, or 2 manual route-based VPNs on the 3 routers).
   - Keeping the Internet usage on the local WAN without passing through a "main proxy".
   - Being able to allow people to connect remotely to their "LAN" (involving buying the NetScreen Remote VPN software; I don't remember the exact price but I think less than $100 for 20 users).

After that, a lot of hardware can do that (Cisco, Fortigate, etc.), but from my point of view, for this kind of budget, and given the flexibility of ScreenOS with virtual routers, the number of interfaces and the performance, it would be the best choice (and of course, including some time to read the ScreenOS documentation and understand how things work).

If you still have any questions about ScreenOS and how it could suit your needs, you can still ask for more information.

Best Regards,


Assisted Solution

VCBooth earned 200 total points
ID: 22702965
Sorry, but all the above is tried and tested and you are far better off with the new SonicWALL NSA 240 device.  This is a great-costing device that has amazing throughput and is not a Stateful Packet Inspection (SPI) firewall, as the above products are, but a Deep Packet Inspection one.

The SonicWALL NSA Series represents a new level of UTM protection and network control through the RFDPI (Reassembly-Free Deep Packet Inspection) and Application Firewall feature set, delivering a suite of configurable tools to prevent data leakage while providing granular application control. More than simply a security approach, RFDPI incorporates object-based contextual controls over user identity and access, application identity and access, data leakage, network optimization, as well as granular reporting, auditing and forensics.  RFDPI unifies multiple disparate products into a logical solution, without drawing artificial lines between security and productivity, by allowing IT to create reusable and adaptive policy control.

Using this technology, the NSA Series provides both application-level access control and data leakage functionality, as well as the ability to create pure custom signatures, creating a future-proofed solution for administrators.

Take a look at the device; it's amazing!

Assisted Solution

VCBooth earned 200 total points
ID: 22703007
Sorry, I pressed submit by mistake before finishing!

The device itself will allow you to have 25 VPN site-to-site tunnels.  It also comes with unlimited node licences for each site.  Gateway AntiVirus, AntiSpyware and also Intrusion Detection & Prevention.  Oh, and an application firewall and NAT load balancing, should you wish to use it.  ViewPoint reporting is licenced to give you an incredibly detailed view of your firewall's statistics, and you can add NetExtender Client licences to the device for your guys and gals to connect to the network remotely.  Truly amazing and well worth a look.

Assisted Solution

iw0k earned 150 total points
ID: 22703928
Well, nice praise VCBooth, except that among your amazing things you forgot to specify any "public" price? :)
All you said, the NetScreen has... and even more; some are integrated by default, some need a licence to enable the functionality (deep inspection, antispam, etc.).
By the way, I'm not praising any hardware, just the one I know well, have tried, am using, and which works as intended.

Assisted Solution

VCBooth earned 200 total points
ID: 22716696
Sorry, but I don't feel right in recommending any public price; we are from all corners of the world here, so a price of circa £600 sterling may mean nothing to anybody else.  What I do know is that we have a lot of business replacing Cisco, Juniper and Fortigate firewalls with the new SonicWALL NSA 240 device, because it is at least three times more powerful and currently comes with the extra licencing you talk about.

