Solved

Secure VPN hardware options

Posted on 2009-04-10
Last Modified: 2013-11-16
Secure VPN solution

I have been supporting small local businesses for just over 5 years now in my own business, and prior to that I worked for International Paper as a network analyst. During my time with IPaper I was forced to keep all my certs updated and to continually learn new products. Since going into business for myself I have not done any of that, as most of my client base ranges from 20-40 PCs and most are single-site networks.

The problem:

Although I went through the Cisco Network Academy and passed the CCNA back in 2001, I have not had a need to use the products on a small scale, so I really don't remember the Cisco OS and now find myself with 2 different clients needing greater VPN security.

One client has recently won a new 10-year contract that stipulates a greater degree of security, and the other client is now doing more and more work for the military and has requested greater secure access.

Currently these sites are running the Cisco/Linksys RV042 with every security setting maxed out. I probably have about 38-40 of these routers in the field and they are really easy to work with, and although I have heard nightmares from other techs regarding this line of routers, I myself have had great success and very few returns to Linksys. And for about $145 the price is right in the clients' eyes.

Since receiving this new request today I have been looking around and hoping not to have to break out the Cisco OS books again. One option I wanted to ask you guys about is the Juniper line of routers and specifically the SA2500 SSL VPN Appliance.

Does anyone have experience with Juniper and the SA2500, and if so, how easy is it to manage?

And does anyone have another secure hardware solution that is easily managed without learning a specific OS?

Money is not a problem with both these clients, but I would also like to have another low-cost alternative to the RV042 option that I have been using for the past 5 years.

As always, I'm indebted to all the Experts who have helped me over the years, I appreciate the effort.

My best and Happy Easter!


Question by: Magothytech1
11 Comments

Accepted Solution by: Qlemo (earned 250 total points)

First of all, SSL VPNs do not allow for site-to-site VPNs. If you are after "dial-in" type VPNs with easy access, it's OK. However, I for myself get nuts if a customer mentions he has one of those SSL VPN devices and we have to use the appropriate "clientless client" - it is a client admin nightmare as it does not work in many cases.

Regarding Juniper SSL, I'm on the client side only - and refuse to use it.

I'm a Juniper SSG admin; they allow for IPSec and full security (Deep Inspection, Antivirus, Antispam, Web filter and so on). Juniper devices in general are not cheap. The WebUI can be used in 99% of the cases; there are some commands which can only be applied via CLI, but they are general configuration commands not needed in most cases.
What might be important related to military services is that Juniper ScreenOS allows for a FIPS mode, which restricts the settings to a high-security subset.

However, while you do not have to learn the ScreenOS CLI language, you do have to learn something about the concepts it relies on. No big deal.

There are a lot of different opinions about the different devices on the market, as you have seen already with the RV042, and so it is with easy management. Just to recall the "big 5": WatchGuard, SonicWall, Juniper, Cisco (ASA/PIX), FortiGate.
Assisted Solution by: ccomley (earned 250 total points)

Can't vouch for (or against) the Juniper.

The SonicWall SSL-VPN appliances are pretty straightforward to get to grips with. Nice web-based GUI, nothing like Cisco IOS to learn and shudder over.

Not clear what you're trying to do though - you SHOULD be aware of the limitations of SSL-VPN. It's intended for remote users accessing host site services. As such it's a great deal easier than pre-loading the remote users' machines with IPSec client software, configuring that to match the host, etc.

BUT if what you want is full site-to-site VPN so Site A network is fully connected to Site B network, SSL-VPN is not your man. You need to look at IPSec for that.

And I'd still look at SonicWall, as it's pretty straightforward to both set up and monitor/manage multiple concurrent site-to-site VPNs.

If you're talking about dozens of remote sites accessing one central site, the central site unit needs to be pretty beefy (NSA240, say), but the remote sites can have units sized appropriately, e.g. a site with only two or three users need only take a TZ150, and a site with 50 users still only needs a TZ190 or TZ210 unit.
Author Comment by: Magothytech1

Thank you both... I will look into the SonicWall line. I had a bad experience long ago with their tech support when dealing with a router issue we were hung up on, not once but twice!

Hopefully things have changed and they may be our solution.
Expert Comment by: Qlemo

If support was a nightmare twice (!), you should honestly consider Juniper. They are helpful, and proud of it. Tech support IS required on complex issues, so this is an important point.

Expert Comment by: Hotwaffles

I would like to add in my bad experiences with SonicWall devices. They are a real pain to use and oftentimes have weird quirks about them. We have 3 of them in a test network here and we get issues with passing traffic across them very often. They are being replaced by Cisco security devices in the near future for this reason. Also, their lack of helpful support hasn't changed much at all.

If you do not want Cisco then I also suggest going with a Juniper solution. They are pretty robust and not too hard to configure, and they do their job well.

Expert Comment by: Qlemo

Shouldn't you have split points between all contributors?

Author Comment by: Magothytech1

The SonicWall answer was what we were looking for. After reviewing your options and then considering the pricing differences, we were about to place an order for SonicWall and then received this review. We don't believe that in our network environment Juniper is the solution.

We never received anything we really needed or anything viable from the group, and when being pressured to "Close Open Questions" I looked at the only answer that actually helped us in any way.

Now if you are urging me to answer in some other fashion, other than the one that actually helped us, then please let me know how you'd like me to divide it and then provide the exact point values for each solution and I'll gladly post accordingly.

Make it a good day!