Firewall/VPN recommendation

Posted on 2008-10-10
Medium Priority
Last Modified: 2012-05-05
I am looking for a firewall/VPN solution to link up 3 locations (2 in Singapore, 1 in Europe).

Each location has high speed DSL, typically 2Mbps up and 10Mbps down link.
- Each location will have the subnet 10.0.1.x, 10.0.2.x, 10.0.3.x
- Able to setup site-to-site VPN tunnels (3 way/locations),
- We do not need a central Internet access gateway for security control,
- Only internal data traffic will traverse the site-to-site VPN tunnel,
- Internet traffic will go directly to Internet (for efficiency purpose),
- For firewall, we only need basic firewall rules - permit certain destination IP, ports to be opened, deny all others except traffic originated from internal,

Mobile staff (using laptops) should be able to access LAN servers from Internet (from home etc).

We have a total of 26 staff inclusive of 10 mobile users distributed across 3 locations.

Any suitable recommendations for firewall and VPN?

Question by: artradis
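The requirements above describe two things that every answer in this thread has to deliver: split-tunnel routing (only 10.0.x.0/24 traffic crosses a direct site-to-site tunnel, everything else leaves via the local DSL link) and a basic stateful policy (internal-originated traffic allowed, inbound allowed only to named destination IP/port pairs, everything else denied). The following is an added example, not code from the thread or from any vendor named in it; it models those two decisions in plain Python so the behaviour can be checked before it is typed into a real appliance. The site labels, the published service and all sample addresses are constructed.

```python
"""Toy model of the three-site design in the question: a full mesh of
site-to-site tunnels that carry only 10.0.x.0/24 traffic (all other traffic
leaves via the local DSL link) and a basic stateful policy that permits
internal-originated traffic, permits inbound only to listed destination
IP/port pairs, and denies everything else.
Added example, not from the thread; site names, the permitted-service list
and all sample addresses are constructed."""
import ipaddress
from dataclasses import dataclass

# One /24 per site, as in the question (the site labels are assumed).
SITES = {
    "SG1": ipaddress.ip_network("10.0.1.0/24"),
    "SG2": ipaddress.ip_network("10.0.2.0/24"),
    "EU1": ipaddress.ip_network("10.0.3.0/24"),
}


def next_hop(site: str, dst: str) -> str:
    """Split-tunnel routing decision at `site` for a packet to `dst`.
    Remote subnets are reached over a direct tunnel (no hub site);
    anything that is not an internal subnet goes straight to the Internet."""
    addr = ipaddress.ip_address(dst)
    for name, net in SITES.items():
        if addr in net:
            return "local" if name == site else f"tunnel:{site}->{name}"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    new: bool = True  # True = opens a connection, False = belongs to an existing flow


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SITES.values())


class StatefulPolicy:
    """Permit listed destination IP/ports inbound, permit anything originated
    internally (and remember it so replies are let back in), deny the rest."""

    def __init__(self, permitted_inbound):
        self.permitted = set(permitted_inbound)  # {(dst_ip, dport, proto)}
        self.flows = set()                        # 5-tuples of internal-originated flows

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        if is_internal(pkt.src):
            self.flows.add(key)
            return "allow"  # "deny all others except traffic originated from internal"
        # Return traffic: the reverse 5-tuple of a flow an internal host opened.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.new and reverse in self.flows:
            return "allow"
        if pkt.new and (pkt.dst, pkt.dport, pkt.proto) in self.permitted:
            return "allow"  # explicitly published service
        return "deny"


def demo():
    """Runs the scenario the question describes and returns the decisions."""
    policy = StatefulPolicy({("10.0.1.10", 443, "tcp")})  # one published HTTPS server
    return {
        "sg1_to_eu1": next_hop("SG1", "10.0.3.25"),
        "sg1_to_web": next_hop("SG1", "203.0.113.5"),
        "outbound": policy.evaluate(Packet("10.0.1.20", 50000, "203.0.113.5", 80)),
        "reply": policy.evaluate(Packet("203.0.113.5", 80, "10.0.1.20", 50000, new=False)),
        "published": policy.evaluate(Packet("198.51.100.9", 40000, "10.0.1.10", 443)),
        "ssh_probe": policy.evaluate(Packet("198.51.100.9", 40001, "10.0.1.10", 22)),
        "untracked_reply": policy.evaluate(Packet("203.0.113.5", 80, "10.0.1.20", 50001, new=False)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:16} {decision}")
```

The point the model makes explicit is that "deny all others except traffic originated from internal" only works if the device keeps connection state: the reply on port 80 is accepted because the matching outbound 5-tuple was recorded, while an otherwise identical packet for a flow nobody opened is dropped. The routing function shows the full-mesh requirement as a routing decision rather than a product feature: each site needs a route for the two remote /24s pointing at its direct tunnel and a default route pointing at the local Internet link.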

Assisted Solution

Patricck earned 150 total points
ID: 22685506
I would prefer to make the firewall on HW basis. You will need 3 routers which provide VPN connections.

Here is an article about it:

Assisted Solution

devangshroff earned 150 total points
ID: 22685652
Best way is to buy a VPN cable router, or if at all locations you have Ethernet termination, you can buy a firewall like Cisco, SonicWALL or Fortinet.

Preferably Cisco ASA 5505 for branch and 5510 for HO.

Assisted Solution

SysExpert earned 150 total points
ID: 22687432
Or netscreen 5 GT, which should work nicely in this setup.

I hope this helps!
Accepted Solution

iw0k earned 450 total points
ID: 22688078
I would recommend you to use 3 Juniper SSG20. (http://www.juniper.net/products/integrated/dsheet/100176.pdf)
The public price of one device is around 700$.
The advantage of using those 3 routers on your sites:
   - Being able to manage the security efficiently, with scalability allowing you to evolve depending on your needs (5 interfaces... 2 extra card slots) without investing a LOT of money.
   - Having your 3 sites connected to each other by VPN, where each site can connect to another site directly without passing through a "hub" VPN (autoconnect feature for large scale, or 2 manual route-based VPNs on the 3 routers).
   - Keeping the Internet usage on the local WAN without passing through a "main proxy".
   - Being able to allow people to connect remotely to their "LAN" (involving the buying of the NetScreen Remote VPN software / I don't remember the exact price but I think less than 100$ for 20 users).

After, a lot of hardware can do that, Cisco, Fortigate, etc... but from my point of view, for this kind of budget and the flexibility of ScreenOS with virtual routers, number of interfaces and performance, it would be the best choice (and of course, including some time to read the documentation of ScreenOS and understand how things work).

If you still have any questions about ScreenOS and how it could suit your needs, you can still ask for more information.

Best Regards,


Assisted Solution

VCBooth earned 600 total points
ID: 22702965
Sorry but all the above is tried and tested and you are far better off with the new SonicWALL NSA 240 device.  This is a great costing device that has amazing throughput and is not a Stateful Packet Inspection (SPI) firewall as the above products are, but a Deep Packet Inspection one.

The SonicWALL NSA Series represents a new level of UTM protection and network control through the RFDPI (Reassembly-free Deep Packet Inspection ) and Application Firewall feature set, delivering a suite of configurable tools to prevent data leakage while providing granular application control. More than simply a security approach, RFDPI incorporates object-based contextual controls over user identity and access, application identity and access, data leakage, network optimization, as well as granular reporting, auditing and forensics.  RFDPI unifies multiple disparate products into a logical solution, without drawing artificial lines between security and productivity by allowing IT to create reusable and adaptive policy control.

Using this technology, the NSA Series provides both application-level access control and data leakage functionality, as well as the ability to create pure custom signatures, creating a future-proofed solution for administrators.

Take a look at the device - it's amazing!

Assisted Solution

VCBooth earned 600 total points
ID: 22703007
Sorry, I pressed submit by mistake before finishing!

The device itself will allow you to have 25 VPN site-to-site tunnels.  It also comes with Unlimited node licences for each site.  Gateway AntiVirus, AntiSpyware and also Intrusion Detection & Prevention.  Oh, an application firewall and NAT load balancing should you wish to use it.  ViewPoint reporting is licenced to give you an incredibly detailed view of your firewalls statistics and you can add NetExtender Client licences to the device for you guys and gals to connect to the network remotely.  Truly amazing and well worth a look.

Assisted Solution

iw0k earned 450 total points
ID: 22703928
Well, nice praise VCBooth, except between your amazing things you forgot to specify any "public" price? :)
All you said, the NetScreen has... and even more; some are integrated by default, some need a licence to enable the functionality (deep inspection, antispam, etc...).
By the way, I'm not praising any hardware, just the one I know well, have tried, am using, and which works as intended.

Assisted Solution

VCBooth earned 600 total points
ID: 22716696
Sorry but I don't feel right in recommending any public price - we are from all corners of the world here so a price of circa £600 sterling may mean nothing to anybody else.  What I do know is that we have a lot of business replacing Cisco, Juniper and Fortigate firewalls with the new SonicWALL NSA 240 device because it is at least three times more powerful and currently comes with the extra licencing you talk about.

