Solved

Firewall/VPN recommendation

Posted on 2008-10-10
Last Modified: 2012-05-05
I am looking for a firewall/VPN solution to link up 3 locations (2 in Singapore, 1 in Europe).

Each location has high speed DSL, typically 2Mbps up and 10Mbps down link.
- Each location will have the subnet 10.0.1.x , 10.0.2.x, 10.0.3.x
- Able to setup site-to-site VPN tunnels (3 way/locations),
- We do not need a central Internet access gateway for security control,
- Only internal data traffic will traverse the site-to-site VPN tunnel,
- Internet traffic will go directly to Internet (for efficiency purpose),
- For firewall, we only need basic firewall rules - permit certain destination IP, ports to be opened, deny all others except traffic originated from internal,

Mobile staff (using laptops) should be able to access LAN servers from Internet (from home etc).

We have a total of 26 staff, inclusive of 10 mobile users, distributed across 3 locations.

Any suitable recommendations for firewall and VPN?

Thanks.
Question by:artradis
8 Comments
LVL 3

Assisted Solution

by:Patricck
Patricck earned 50 total points
I would prefer to make the firewall on a HW basis. You will need 3 routers which provide VPN connections.

Here is an article about it:
http://searchwindowsserver.techtarget.com/tip/0,289483,sid68_gci1039739,00.html
LVL 5

Assisted Solution

by:devangshroff
devangshroff earned 50 total points
The best way is to buy a VPN cable router, or if at all locations you have Ethernet termination, you can buy a firewall like Cisco, SonicWALL or Fortinet.

Preferably Cisco ASA 5505 for branch and 5510 for HO.
LVL 63

Assisted Solution

by:SysExpert
SysExpert earned 50 total points
Or a NetScreen 5 GT, which should work nicely in this setup.

I hope this helps!
LVL 2

Accepted Solution

by:iw0k
iw0k earned 150 total points
I would recommend you to use 3 Juniper SSG20. (http://www.juniper.net/products/integrated/dsheet/100176.pdf)
The public price of one device is around 700$.
The advantages of using those 3 routers on your sites:
   - Being able to manage the security efficiently, with scalability allowing you to evolve depending on your needs (5 interfaces... 2 extra card slots) without investing a LOT of money.
   - Having your 3 sites connected to each other by VPN, where each site can connect to another site directly without passing through a "hub" VPN (autoconnect feature for large scale, or 2 manual route-based VPNs on the 3 routers).
   - Keeping the Internet usage on the local WAN without passing through a "main proxy".
   - Being able to allow people to connect remotely to their "LAN" (involving the buying of the NetScreen Remote VPN software / I don't remember the exact price but I think less than 100$ for 20 users).

After, a lot of hardware can do that, Cisco, Fortigate, etc... but from my point of view, for this kind of budget and the flexibility of ScreenOS with virtual routers, number of interfaces and performance, it would be the best choice (and of course, including some time to read the documentation of ScreenOS and understand how things work).

If you still have any question towards ScreenOS and how it could suit your needs, you can still ask for more information.

Best Regards,

iw0k
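As an added illustration (not code from the question or from any of the answers), the following Python models the design the question asks for and the route-based full mesh iw0k describes: three tunnels with no hub site, per-router route tables that keep Internet traffic on the local WAN, and the question's firewall policy (internal-originated traffic permitted, Internet-originated traffic denied unless the destination IP and port are published). The site names, tunnel naming and the published servers in INBOUND_ALLOW are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed from the question: one /24 per site, one router per site.
SITES = {
    "sg1": ip_network("10.0.1.0/24"),
    "sg2": ip_network("10.0.2.0/24"),
    "eu1": ip_network("10.0.3.0/24"),
}

# Hypothetical published servers: (destination IP, port) pairs the firewall
# lets in from the Internet; every other inbound connection is denied.
INBOUND_ALLOW = {("10.0.1.10", 443), ("10.0.3.20", 25)}

def tunnel_name(a, b):
    """Same name at both ends of a tunnel regardless of argument order."""
    return "tunnel-" + "-".join(sorted((a, b)))

def mesh_tunnels(sites):
    """Full mesh: one tunnel per site pair, so no site acts as a hub."""
    names = sorted(sites)
    return [tunnel_name(a, b) for i, a in enumerate(names) for b in names[i + 1:]]

def route_table(site, sites=SITES):
    """Route-based VPN: each remote LAN is reached via its tunnel interface;
    the default route stays on the local WAN (split tunnel, no central gateway)."""
    routes = {str(net): tunnel_name(site, other)
              for other, net in sites.items() if other != site}
    routes["0.0.0.0/0"] = "wan"
    return routes

def site_of(ip, sites):
    """Name of the site whose LAN contains ip, or None for Internet addresses."""
    return next((name for name, net in sites.items() if ip in net), None)

def classify(site, src, dst, dport, sites=SITES, inbound=INBOUND_ALLOW):
    """What the router at `site` does with a packet, per the question's rules."""
    src_site = site_of(ip_address(src), sites)
    dst_ip = ip_address(dst)
    dst_site = site_of(dst_ip, sites)
    if src_site is None:                      # originated on the Internet
        if dst_site == site and (str(dst_ip), dport) in inbound:
            return "permit inbound"
        return "deny"                         # default deny for external sources
    if site not in (src_site, dst_site):      # no transit: this router is not a hub
        return "deny"
    if dst_site == site:                      # local LAN, or arrived over a tunnel
        return "permit to lan"
    if dst_site is not None:                  # internal -> another site
        return "permit via " + tunnel_name(site, dst_site)
    return "permit via wan"                   # local LAN -> Internet, off the VPN
```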
LVL 7

Assisted Solution

by:VCBooth
VCBooth earned 200 total points
Sorry but all the above is tried and tested and you are far better off with the new SonicWALL NSA 240 device.  This is a great costing device that has amazing throughput and is not a Stateful Inspection Firewall (SPI) as the above products are, but a Deep Packet Inspection.

The SonicWALL NSA Series represents a new level of UTM protection and network control through the RFDPI (Reassembly-free Deep Packet Inspection ) and Application Firewall feature set, delivering a suite of configurable tools to prevent data leakage while providing granular application control. More than simply a security approach, RFDPI incorporates object-based contextual controls over user identity and access, application identity and access, data leakage, network optimization, as well as granular reporting, auditing and forensics.  RFDPI unifies multiple disparate products into a logical solution, without drawing artificial lines between security and productivity by allowing IT to create reusable and adaptive policy control.

Using this technology, the NSA Series provide both application level access control and data leakage functionality, as well as the ability to create pure custom signatures, creating a future proofed solution for administrators.

Take a look at the device - it's amazing!
LVL 7

Assisted Solution

by:VCBooth
VCBooth earned 200 total points
Sorry, I pressed submit by mistake before finishing!

The device itself will allow you to have 25 VPN site-to-site tunnels.  It also comes with Unlimited node licences for each site.  Gateway AntiVirus, AntiSpyware and also Intrusion Detection & Prevention.  Oh, an application firewall and NAT load balancing should you wish to use it.  ViewPoint reporting is licenced to give you an incredibly detailed view of your firewalls statistics and you can add NetExtender Client licences to the device for you guys and gals to connect to the network remotely.  Truly amazing and well worth a look.
LVL 2

Assisted Solution

by:iw0k
iw0k earned 150 total points
Well, nice praise VCBooth, except between your amazing things you forgot to specify any "public" price? :)
All you said, the NetScreen has... and even more, some are integrated by default, some need a licence to enable the functionality (deep inspection, antispam, etc...).
By the way, I'm not praising any hardware, just the one I know well, have tried, use, and which works as intended.
LVL 7

Assisted Solution

by:VCBooth
VCBooth earned 200 total points
Sorry but I don't feel right in recommending any public price - we are from all corners of the world here so a price of circa £600 sterling may mean nothing to anybody else.  What I do know is that we have a lot of business replacing Cisco, Juniper and Fortigate firewalls with the new SonicWALL NSA 240 device because it is at least three times more powerful and currently comes with the extra licencing you talk about.

:-)