• Status: Solved
  • Priority: Medium
  • Security: Public

What is the best router/firewall based on use and cost?

Hello Experts,

I am hoping you can help us with improving our WAN network, keeping in mind that cost is of importance to this project.

This is what we have at the present time. At the main office we have a PIX 501 and a Cisco concentrator. At the remote locations we are running Linksys BEFVP41s.

This is what we are looking for:

At the main location:

We want to keep the Cisco concentrator, so we are all set there.

We would like to replace the PIX with something that is easier to configure and has the following features:

Can do IPsec VPN 3DES tunnels, maybe up to ten of them (this is just in case we have problems with the Cisco concentrator; a backup).

Can do 1-to-1 NAT.

Can do port forwarding, but in this case we would like to be able to limit the public IP addresses that are allowed to access the port; actually we would like to limit it by the subdomain address.

And would be able to handle multiple public IP addresses (on the outside interface).

We would like to keep the cost of this unit to around $500.00.

At the remote locations:

We would like to replace the BEFVP41 with something that is more reliable and does not drop the VPN tunnel.

Can do IPsec VPN 3DES tunnels and communicates well with the Cisco concentrator.

Can do one-to-one NAT.

Can do port forwarding, but in this case we would like to be able to limit the public IP addresses that are allowed to access the port; actually we would like to limit it by the subdomain address.

We would like to keep the cost of this unit to $300.00 or less.

I think I should also mention that the remote locations do not have static IPs.

I've done a lot of reading on this forum and others concerning Cisco, SonicWALL and Netgear. Each one seems to have its own things you need to watch out for.

With Cisco, of course, there is price, complexity to set up, and making sure you order the correct unit (i.e. VPN licensing, number of users).

With SonicWALL the pricing does not seem to be as much of an issue and you do not seem to see the comments about complexity of setup, but there still seem to be issues with making sure to order the correct unit with VPN licensing, number of users, etc.

With Netgear the question seems to be ordering the correct unit for quality and to achieve what you want to do.

Any input that you can give us as to what equipment to use, where you suggest ordering it and what exactly to order would be greatly appreciated.

Thank you for your time; I really appreciate it.

 

Asked by DvppVanDine

4 Solutions
 
donmanrobb Commented:
It's a tad bit out of your price range, but you can try a Vyatta box; their entry level runs at $800, or there is also a subscription version for $800 as well. The interesting thing is they offer a free community version for testing, so you can see if it's worth it for you or not. The command line is similar to a Juniper NetScreen, but they are releasing a GUI for it in a couple of weeks.
 
Maeros Commented:
A SonicWALL TZ-190 might fit for you. As far as configuring and managing them goes, they are easier to configure than a Cisco by an order of magnitude. The web interface is intuitive, the units are reliable, and the security provided is solid. It supports up to 15 VPN tunnels with a VPN throughput of 30 Mbps in either 3DES or AES. The warranty is also great: if for whatever reason the unit quits on you, SonicWALL will ship you a replacement RMA unit in just a couple of days. Definitely the best bang for your buck when it comes to choices.

http://www.sonicwall.com/us/products/TZ_Series.html
http://www.sonicwall.com/us/products/TZ_190.html
 
Maeros Commented:
On a more personal note, I've worked with them and have had no regrets. The web interface makes the Cisco SDM look like basement programming, and you get significantly more functionality and capability out of them than you would expect for the prices they go for.
 
DvppVanDine (Author) Commented:
Thank you both for your quick replies.

I got on the website for Vyatta; donmanrobb, you are correct, they are a bit pricey for what I am looking for, especially for the remote locations.

Maeros, I looked at SonicWALL; the links you gave were very helpful in understanding the different levels of the SonicWALLs. I do have a couple of questions for you, I hope you do not mind.

The TZ-190 looks to be a great fit for the main location. Here are my questions.
With that (the TZ-190) can I do 1-to-1 NAT and, if I want, can I do controlled port forwarding? What I mean by that is: can I open port 80 to 192.168.1.1 (for example) and restrict access to that open port to certain domains or subdomains, for example mydomain.com or *.mydomain.com or remote1.mydomain.com and remote2.mydomain.com?

Would it be possible to not use the TZ-190 but rather use the TZ-150 or the TZ-180 for the remote locations? They appear to have the same abilities as the 190, with the only restrictions being the number of tunnels and the number of nodes. Our remote locations only have two to three nodes and we do not expect that to go above five.

Thank you again for your quick response.
 
donmanrobb Commented:
I have a couple of SonicWALL TZs at home (TZ 170, I think). As far as I know you can do the NAT and the restrictions (might require the Enhanced SonicOS), but I can play around with them later and get back to you if you don't get an answer beforehand.
 
DvppVanDine (Author) Commented:
Thanks donmanrobb,

That would be awesome.

My big reason for asking is that I do not want to leave the port open to just anyone, and also some of the places that would be accessing the port do not have a static IP; that's why I want to use the domain name.

You said that you have a couple of SonicWALLs at home; how do you like them?

Thanks again for the quick reply; I really do appreciate it.
 
donmanrobb Commented:
I've used SonicWALLs off and on for various different deployments (mostly VPN related). They generally work well and the GUI is easy enough to use.
 
Maeros Commented:
You will need the Enhanced version of SonicOS if you wish to use the more advanced filtering options such as domain filtering. SonicOS Enhanced has, among many things, domain access control to services. What you would do is create an "Address Object Group" where you define the IPs/domains and a "Service Group" where you define services. From there you would create a firewall rule using an address object and a group to either allow or deny.

As for your question regarding the various models at the various branch locations, the answer is absolutely. Setting something up such as a TZ-190 at the main office and "smaller" TZ-150s/180s (there's also a TZ-170, which seems to have been missing from the table I gave you, my apologies) at the branch offices will definitely work. Just keep in mind the scope you will need for the branch offices and you should be golden. The various TZ-series appliances are fully interoperable.
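The mechanism described in the comment above (an address object group holding FQDNs, a service group holding ports, and an allow/deny rule joining them) reduces on any firewall to periodic DNS resolution plus source-IP matching. The following Python is an added example written for this page; it is not code from the thread, from SonicWALL, or from any product. The host names, the RFC 5737 test addresses, the TTLs and the "honour the TTL, then re-resolve" refresh behaviour are all constructed assumptions. It shows the rule admitting the remote offices and refusing everyone else, and the failure mode the asker should expect with remotes on dynamic IPs: after the remote's address changes, the cached DNS answer keeps the old address until its TTL expires, and the remote is locked out in the meantime.

```python
"""Added example, not code from the thread or from SonicWALL: how a
firewall compiles an FQDN-based address object group plus a service group
into per-connection allow/deny decisions, and why a remote office on a
dynamic IP can be locked out while the cached DNS answer is still valid."""
import ipaddress
import time
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed, offline stand-in for DNS: name -> (address list, TTL seconds).
# A real firewall queries its configured DNS servers instead.
SAMPLE_DNS = {
    "remote1.example.com": (["203.0.113.10"], 300),
    "remote2.example.com": (["203.0.113.20", "203.0.113.21"], 300),
}


def make_resolver(table):
    """Wrap a name -> (addrs, ttl) table as a resolver; unknown names raise KeyError."""
    return lambda name: table[name]


@dataclass
class AddressGroup:
    """Address object group: literal networks and/or FQDNs. The TTL-driven
    refresh below is an assumption about how such products behave."""
    name: str
    members: List[str]
    _cache: dict = field(default_factory=dict)   # fqdn -> (networks, expiry)

    def networks(self, resolve, now):
        nets = set()
        for m in self.members:
            try:                                   # literal IP or CIDR member
                nets.add(ipaddress.ip_network(m, strict=False))
                continue
            except ValueError:
                pass
            cached = self._cache.get(m)            # FQDN member: honour the TTL
            if cached is None or cached[1] <= now:
                try:
                    addrs, ttl = resolve(m)
                except KeyError:                   # NXDOMAIN: matches nothing
                    addrs, ttl = [], 60
                cached = ({ipaddress.ip_network(a) for a in addrs}, now + ttl)
                self._cache[m] = cached
            nets |= cached[0]
        return nets


@dataclass
class Rule:
    action: str                        # "allow" or "deny"
    source: Optional[AddressGroup]     # None means any source
    ports: Set[int]                    # the "service group" (TCP ports)


def evaluate(rules, src_ip, dst_port, resolve, now=None):
    """First matching rule wins; no match falls through to an implicit deny."""
    now = time.time() if now is None else now
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if dst_port not in r.ports:
            continue
        if r.source is not None and not any(ip in n for n in r.source.networks(resolve, now)):
            continue
        return r.action
    return "deny"


def build_policy():
    """Allow the web ports from the remote offices only; deny them from anyone else."""
    remotes = AddressGroup("Remote Offices",
                           ["remote1.example.com", "remote2.example.com", "198.51.100.0/24"])
    web = {80, 443}
    return [Rule("allow", remotes, web), Rule("deny", None, web)]


def demo():
    """Run constructed connection attempts through the policy at fixed timestamps."""
    table = dict(SAMPLE_DNS)
    resolve = make_resolver(table)
    rules = build_policy()
    t0 = 1_000_000
    out = {
        "remote1 on port 80": evaluate(rules, "203.0.113.10", 80, resolve, now=t0),
        "stranger on port 80": evaluate(rules, "192.0.2.5", 80, resolve, now=t0),
        "remote1 on port 22": evaluate(rules, "203.0.113.10", 22, resolve, now=t0),
        "literal /24 on port 443": evaluate(rules, "198.51.100.7", 443, resolve, now=t0),
    }
    # remote2's ISP hands it a new address and its dynamic-DNS record updates,
    # but the firewall keeps using the cached answer until the TTL runs out.
    table["remote2.example.com"] = (["203.0.113.99"], 300)
    out["remote2 new IP, 60s later"] = evaluate(rules, "203.0.113.99", 80, resolve, now=t0 + 60)
    out["remote2 new IP, after TTL"] = evaluate(rules, "203.0.113.99", 80, resolve, now=t0 + 301)
    return out


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Two practical consequences follow from this model. The allow list is only as trustworthy as the DNS answers the firewall receives and the dynamic-DNS updater at each remote, so the DNS path deserves the same care as the rule itself. And an FQDN entry can only match addresses a lookup actually returned; a single query cannot enumerate a wildcard such as *.mydomain.com, so listing each remote's host name individually is the form that maps cleanly onto this kind of rule.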
 
donmanrobb Commented:
As Maeros said, you need the Enhanced OS upgrade.
 
DvppVanDine (Author) Commented:
Thanks a bunch, Maeros and donmanrobb; just a few last questions to clarify:

I could use the 150 or 180 (or 170, which is not in the diagram), but really I cannot because of my need for the Enhanced OS (which appears to start with the 190); correct?

Would either of you entertain using the Netgear FVX538 or any other router based on my price range and needs, or do you feel that the SonicWALL is the best choice?

The SonicWALL is in our price range for what we wanted to spend on the main office; however, it's about $200.00 more than we wanted to spend at remote offices. But we have certain needs, and there does not look to be a better choice at a lower price, or even as good a choice.

I cannot tell you how much I appreciate all of your help and information; I look forward to your final response.

Thank you very much!
 
Maeros Commented:
Actually, the TZ-170 and TZ-180 do support SonicOS Enhanced; it just doesn't come with it by default (you'd just have to swipe the upgrade package to install the Enhanced firmware/OS).

As for Netgear, while they make decent economy-class networking equipment, they are not very good when it comes to security (firewall, VPN, content filtering, intrusion prevention, etc.).
 
DvppVanDine (Author) Commented:
Maeros and donmanrobb, I want to thank you both for your help with my question. I have been a member of EE for about half a year, but I have never posted a question, meaning that I have not done the points either.

I felt that you both were a help to the answer, so I wanted to award points to each of you; I hope you both agree.

One last question, but I did not want to ask it publicly: how do you "swipe" the OS? If I bought a 190, would I be able to "swipe" it over to the 170 or 180? Is that what you meant?

My email is vandine@thebettertan.com if you want to reply that way, or if you are OK posting it publicly to this forum, that would be great too.

Again, thank you very much; I am very grateful for all of your help and input.
