Best VPN firewalls

Posted on 2010-08-23
Last Modified: 2012-05-10
I have a corporate HQ and two (more to come) branch offices that I need to tie together.  My main objective is to get the servers talking on the same domain/forest.  If someone has a secure way to accomplish this without a VPN, I would love to hear it.  Otherwise, what is the best firewall/VPN solution?  I've looked at WatchGuard and SonicWall. Thoughts?
Question by:MasterComputing
Expert Comment

ID: 33501829
One way to connect the offices would be a Point-to-Point T-1. That's how I have one of mine. The other few are set up on VPN tunnels using a Cisco ASA 5510.

Expert Comment

ID: 33501921
VPN tunnel at the router level is probably the most flexible.

What about Dial in VPN in the future ?

I personally prefer the Netscreen (Juniper) routers, reasonably priced and very powerful.
Even an NS 5 GT 201 or similar on eBay can handle 25 simultaneous VPN tunnels - $70 - $170 each.

There are newer models also available as the SSG series if needed.

I hope this helps !

Accepted Solution

darthcontra earned 250 total points
ID: 33502015
Personally, I would look at a Cisco ASA or integrated services router for the main office.
For the branch offices it would depend on the number of users, but either a smaller ASA or possibly the Linksys RV042 router.

You are talking 3 sites currently with more to come.  Do you have an idea for how many more?  This will determine the requirements of the main office device.

Expert Comment

ID: 33502032
If you don't want to do VPN, use a dedicated Ethernet drop: MPLS TLS from Verizon. Other providers should have something similar.

For VPN I would go with Cisco ASA, or the cheaper route would be SonicWall.

Expert Comment

ID: 33502091
MPLS or Point-to-Point T1 will get you the connectivity without the overhead of VPN, at the expense of potentially higher monthly costs.  Since it sounds like these are somewhat permanent locations, it might be worth looking into.

If you decide to go the VPN route, SonicWall firewalls are very price competitive and offer a lot of other valuable features.

Expert Comment

ID: 33502158
Have a look at Check Point UTM-1 appliances, especially the smaller Edge boxes,

or the Juniper small SSG/SRX range.

The newer SSGs and SRX tend to be a bit more expensive than the older NS5GTs as mentioned above.  The 5GTs are still great little bits of kit, but if official vendor support is a requirement then I would not consider them.

Both of these vendors provide very good enterprise-level solutions with a similar level of performance and feature parity.  Each will allow remote access VPNs, i.e. the dial-in VPN for users to connect to the corporate LAN from hotels etc.


Expert Comment

by:Fred Marshall
ID: 33503464
Juniper Networks SSG series are very capable - lots of features and possibilities.  Excellent support.  Will support plenty of VPNs.

Cisco/Linksys RV042 for VPNs is a simpler approach.  I use them standalone for VPN connections.

Using fiber MPLS private connections between sites now.  No VPN but could do if desired.

Either way, all sites are on separate subnets.  So you have to decide how to handle that.

Expert Comment

ID: 33509002
I will second the statements that you are best off with a router-based VPN.

The Juniper SSGs are great products with good performance. If you are inexperienced with routers I would recommend something like the ZyXEL ZyWALL USG-100 or maybe the new USG-25 or USG-50.

They are cheaper than Juniper, Check Point, WatchGuard and SonicWall, and you will not have to pay for support and upgrades.
You only pay a regular fee if you want antivirus and intrusion detection.
In my experience most people find them easier to set up as they have wizards for stuff like multiple WAN and for VPN setup.

But any of the products mentioned will be able to do the trick!

Just be aware of how you set up your DNS structure, and remember that traffic is routed on different subnets. If you need site-to-site traffic and not only site-to-HQ there are ways to solve that. IMO the Juniper SSGs do this the best way, but that's just my thought.


Author Closing Comment

ID: 33521583
Thanks for all the input.  I think I'll go the Cisco ASA route.
