Secure VPN hardware options

Posted on 2009-04-10
Medium Priority
Last Modified: 2013-11-16
Secure VPN solution

I have been supporting small local businesses for just over 5 years now in my own business, and prior to that I worked for International Paper as a network analyst. During my time with IPaper I was forced to keep all my certs updated and to continually learn new products. Since going into business for myself I have not done any of that, as most of my client base ranges from 20-40 PCs and most are single-site networks.

The problem:

Although I went through the Cisco Network Academy and passed the CCNA back in 2001, I have not had a need to use the products on a small scale, so I really don't remember the Cisco OS and now find myself with 2 different clients needing greater VPN security.

One client has recently won a new 10-year contract that stipulates a greater degree of security, and the other client is now doing more and more work for the military and has requested greater secure access.

Currently these sites are running the Cisco/Linksys RV042 with every security setting maxed out. I probably have about 38-40 of these routers in the field and they are really easy to work with, and although I have heard nightmares from other techs regarding this line of routers, I myself have had great success and very few returns to Linksys. And for about $145 the price is right in the clients' eyes.

Since receiving this new request today I have been looking around and hoping not to have to break out the Cisco OS books again. One option I wanted to ask you guys about is the Juniper line of routers and specifically the SA2500 SSL VPN Appliance.

Does anyone have experience with Juniper and the SA2500, and if so, how easy is it to manage?

And does anyone have another secure hardware solution that is easily managed without learning a specific OS?

Money is not a problem with both of these clients, but I would also like to have another low-cost alternate to the RV042 option that I have been using for the past 5 years.

As always, I'm indebted to all the Experts who have helped me over the years. I appreciate the effort.

My best and Happy Easter!

Question by: Magothytech1
LVL 72

Accepted Solution

Qlemo earned 1000 total points
ID: 24121471
First of all, SSL VPNs do not allow for site-2-site VPNs. If you are after "dial-in" type VPNs with easy access, it's OK. However, I myself go nuts if a customer mentions he has one of those SSL VPN devices, and we have to use the appropriate "clientless client" - it is a client admin nightmare as it does not work in many cases.

Regarding Juniper SSL I'm on the client side only - and refuse to use it.

I'm a Juniper SSG admin; they allow for IPSec and full security (Deep Inspection, Antivirus, Antispamming, Web filter and so on). Juniper devices in general are not cheap. The WebUI can be used in 99% of the cases; there are some commands which can only be applied via CLI, but they are general configuration commands not needed in most cases.
What might be important in relation to military services is that Juniper ScreenOS allows for a FIPS mode, which restricts the settings to a high-security subset.

However, although you do not have to learn the ScreenOS CLI language, you have to learn something about the concepts it relies on. No big deal.

There are a lot of different opinions about the different devices on the market, as you have seen already with the RV042, and so it is with easy management. Just to recall the "big 5": WatchGuard, SonicWall, Juniper, Cisco (ASA/PIX), FortiGate.
LVL 17

Assisted Solution

ccomley earned 1000 total points
ID: 24122464
Can't vouch for (or against) the Juniper.

The Sonicwall SSL-VPN appliances are pretty straightforward to get to grips with. Nice web based GUI, nothing like Cisco IOS to learn and shudder over.

Not clear what you're trying to do though - you SHOULD be aware of the limitations of SSL-VPN. It's intended for remote users accessing host site services. As such it's a great deal easier than pre-loading the remote users' machines with IPSec client software, configuring that to match the host, etc.

BUT if what you want is full site-to-site VPN so Site A network is fully connected to Site B network, SSL-VPN is not your man. You need to look at IPSec for that.

And I'd still look at Sonicwall, as it's pretty straightforward to both set up and monitor/manage multiple concurrent site to site VPNs.

If you're talking about dozens of remote sites accessing one central site, the central site unit needs to be pretty beefy (NSA240 say) but the remote sites can have units sized appropriately, e.g. a site with only two or three users need only take a TZ150, a site with 50 users still only needs a TZ190 or TZ210 unit.


Author Comment

ID: 24136103
Thank you both... I will look into the Sonicwall line. I had a bad experience long ago with their tech support when dealing with a router issue: we were hung up on, not once but twice!

 Hopefully things have changed and they may be our solution.
LVL 72

Expert Comment

ID: 24163456
If support was a nightmare twice (!), you should honestly consider Juniper. They are helpful, and proud of it. Tech support IS required on complex issues, so this is an important point.

Expert Comment

ID: 24209276
I would like to add in my bad experiences with Sonicwall devices. They are a real pain to use and oftentimes have weird quirks about them. We have 3 of them in a test network here and we get issues with passing traffic across them very often. They are being replaced by Cisco security devices in the near future for this reason. Also, their lack of helpful support hasn't changed much at all.

If you do not want Cisco then I also suggest going with a Juniper solution.  They are pretty robust and not too hard to configure and they do their job well.
LVL 72

Expert Comment

ID: 24212881
Shouldn't you have split points between all contributors?

Author Comment

ID: 24235969
The Sonic Wall answer was what we were looking for. After reviewing your option and then considering the pricing differences, we were about to place an order for Sonic Wall and then received this review. We don't believe that in our network environment Juniper is the solution.

We never received anything we really needed or a viable from the group, and when being pressured to "Close Open Questions" I looked at the only answer that actually helped us in any way.

Now if you are urging me to answer in some other fashion, other than the one that actually helped us, then please let me know how you'd like me to divide and then provide the exact point values to each solution and I'll gladly post accordingly.

Make it a good day!

Question has a verified solution.