
Firewall/VPN recommendation

I am looking for a firewall/VPN solution to link up 3 locations (2 in Singapore, 1 in Europe).

Each location has high speed DSL, typically 2Mbps up and 10Mbps down link.
- Each location will have the subnet 10.0.1.x , 10.0.2.x, 10.0.3.x
- Able to setup site-to-site VPN tunnels (3 way/locations),
- We do not need a central Internet access gateway for security control,
- Only internal data traffic will traverse the site-to-site VPN tunnel,
- Internet traffic will go directly to the Internet (for efficiency purposes),
- For the firewall, we only need basic firewall rules - permit certain destination IPs and ports to be opened, deny all others except traffic originating from internal,

Mobile staff (using laptops) should be able to access LAN servers from Internet (from home etc).

We have a total of 26 staff, inclusive of 10 mobile users, distributed across 3 locations.

Any suitable recommendations for firewall and VPN?
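The policy the question describes (three /24 subnets in a full mesh, Internet traffic leaving locally, a default-deny inbound rule with a few published services) can be modelled before buying any appliance. The following is an added example, not code from the thread or from any vendor: the subnets are the question's own, the site names and the published service 10.0.1.10:443 (assumed to be the remote-access VPN endpoint for the mobile staff) are constructed.

```python
import ipaddress

# Constructed values: the question's three /24 subnets; the site names are assumed labels.
SITES = {
    "sg1": ipaddress.ip_network("10.0.1.0/24"),
    "sg2": ipaddress.ip_network("10.0.2.0/24"),
    "eu1": ipaddress.ip_network("10.0.3.0/24"),
}

def site_of(ip):
    """Name of the site whose subnet holds ip, or None for a non-internal address."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in SITES.items() if addr in net), None)

def next_hop(src, dst):
    """Full-mesh routing: inter-site traffic takes the direct tunnel (no hub site),
    Internet-bound traffic leaves via the local WAN (split tunnel)."""
    s, d = site_of(src), site_of(dst)
    if d is None:
        return "internet"
    if s is None or s == d:
        return "lan"            # arriving from the WAN, or staying on the local LAN
    return f"tunnel:{s}->{d}"

class Firewall:
    """The basic rule set from the question: permit anything originated internally
    and its replies, permit listed published services, deny all other inbound traffic."""
    def __init__(self, inbound_allow):
        self.inbound_allow = set(inbound_allow)   # {(dest_ip, dest_port)} reachable from outside
        self.flows = set()                        # (src, sport, dst, dport) of permitted outbound flows

    def check(self, src, sport, dst, dport):
        """Return (verdict, path) for one packet."""
        path = next_hop(src, dst)
        if site_of(src) is not None:                # internal origin: permit and remember the flow
            self.flows.add((src, sport, dst, dport))
            return "permit", path
        if (dst, dport, src, sport) in self.flows:  # reply to a flow an internal host opened
            return "permit", path
        if (dst, dport) in self.inbound_allow:      # explicitly published destination IP:port
            return "permit", path
        return "deny", path                         # default deny for everything else from outside
```

Any inbound packet that is neither a reply to an internal connection nor aimed at a published IP:port is dropped, which is the "deny all others" rule the question asks for.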

8 Solutions
I would prefer to make the firewall on HW basis. You will need 3 routers which provide VPN connections.

Here is an article about it:
best way is to buy a VPN cable router, or if at all locations you have ethernet termination, you can buy a firewall like Cisco, SonicWALL or Fortinet.

preferably Cisco ASA 5505 for branch and 5510 for HO
Or netscreen 5 GT, which should work nicely in this setup.

I hope this helps !

I would recommend you to use 3 Juniper SSG20. (http://www.juniper.net/products/integrated/dsheet/100176.pdf)
The public price of one device is around 700$.
The advantage of using those 3 routers on your sites :
   - Being able to manage the security efficiently, with scalability allowing you to evolve depending on your needs (5 interfaces... 2 extra card slots) without investing a LOT of money.
   - Having your 3 sites connected to each other by VPN, where each site can connect to another site directly without passing through a "hub" VPN (autoconnect feature for large scale, or 2 manual route-based VPNs on the 3 routers).
   - Keeping the internet usage on the local WAN without passing through a "main proxy".
   - Being able to allow people to connect remotely to their "LAN" (involving the buying of the NetScreen Remote VPN software / I don't remember the exact price but I think less than 100$ for 20 users).

After that, a lot of hardware can do that, Cisco, Fortigate, etc... but from my point of view, for this kind of budget and the flexibility of the ScreenOS with virtual routers, number of interfaces and performance, it would be the best choice (and of course, including some time to read the documentation of the ScreenOS and understand how things work).

If you still have any question about the ScreenOS and how it could suit your needs, you can still ask for more information.

Best Regards,

Sorry but all the above is tried and tested and you are far better off with the new SonicWALL NSA 240 device.  This is a great costing device that has amazing throughput and is not a Stateful Inspection Firewall (SPI) as the above products are, but a Deep Packet Inspection firewall.

The SonicWALL NSA Series represents a new level of UTM protection and network control through the RFDPI (Reassembly-free Deep Packet Inspection ) and Application Firewall feature set, delivering a suite of configurable tools to prevent data leakage while providing granular application control. More than simply a security approach, RFDPI incorporates object-based contextual controls over user identity and access, application identity and access, data leakage, network optimization, as well as granular reporting, auditing and forensics.  RFDPI unifies multiple disparate products into a logical solution, without drawing artificial lines between security and productivity by allowing IT to create reusable and adaptive policy control.

Using this technology, the NSA Series provides both application-level access control and data leakage functionality, as well as the ability to create pure custom signatures, creating a future-proofed solution for administrators.

Take a look at the device - it's amazing!
Sorry, I pressed submit by mistake before finishing!

The device itself will allow you to have 25 VPN site-to-site tunnels.  It also comes with Unlimited node licences for each site.  Gateway AntiVirus, AntiSpyware and also Intrusion Detection & Prevention.  Oh, an application firewall and NAT load balancing should you wish to use it.  ViewPoint reporting is licenced to give you an incredibly detailed view of your firewalls statistics and you can add NetExtender Client licences to the device for you guys and gals to connect to the network remotely.  Truly amazing and well worth a look.
Well nice praise VCBooth, except between your amazing things you forgot to specify any "public" price ? :)
All you said, the NetScreen has... and even more, some are integrated by default, some need a licence to enable the functionality (deep inspection, antispam, etc...).
By the way, I'm not praising any hardware, just the one I know well, have tried, use, and which works as intended.
Sorry but I don't feel right in recommending any public price - we are from all corners of the world here so a price of circa £600 sterling may mean nothing to anybody else.  What I do know is that we have a lot of business replacing Cisco, Juniper and Fortigate firewalls with the new SonicWALL NSA 240 device because it is at least three times more powerful and currently comes with the extra licencing you talk about.
