Best VPN firewalls

I have a corporate HQ and two (more to come) branch offices that I need to tie together. My main objective is to get the servers talking on the same domain/forest. If someone has a secure way to accomplish this without a VPN, I would love to hear it. Otherwise, what is the best firewall/VPN solution? I've looked at WatchGuard and SonicWall. Thoughts?
darthcontra commented:
Personally, I would look at a Cisco ASA or integrated services router for the main office.
For the branch offices it would depend on the number of users, but either a smaller ASA or possibly the Linksys RV042 router.

You are talking 3 sites currently with more to come. Do you have an idea of how many more? This will determine the requirements of the main office device.
One way to connect the offices would be a point-to-point T-1; that's how I have one of mine. The other few are set up on VPN tunnels using a Cisco ASA 5510.
VPN tunnel at the router level is probably the most flexible.

What about dial-in VPN in the future?

I personally prefer the NetScreen (Juniper) routers: reasonably priced and very powerful.
Even an NS 5 GT 201 or similar on eBay can handle 25 simultaneous VPN tunnels, $70 - $170 each.

There are newer models also available as the SSG series if needed.

I hope this helps!

If you don't want to do VPN, use a dedicated Ethernet drop, e.g. MPLS TLS from Verizon. Other providers should have something similar.

For VPN I would go with Cisco ASA, or the cheaper route would be SonicWall.
MPLS or point-to-point T1 will get you the connectivity without the overhead of VPN, at the expense of potentially higher monthly costs. Since it sounds like these are somewhat permanent locations, it might be worth looking into.

If you decide to go the VPN route, SonicWall firewalls are very price competitive and offer a lot of other valuable features.
Have a look at Check Point UTM-1 appliances, especially the smaller Edge boxes,

or the Juniper small SSG/SRX range.

The newer SSGs and SRXs tend to be a bit more expensive than the older NS5GTs mentioned above. The 5GTs are still great little bits of kit, but if official vendor support is a requirement then I would not consider them.

Both of these vendors provide very good enterprise-level solutions with a similar level of performance and feature parity. Each will allow remote access VPNs, i.e. the dial-in VPN for users to connect to the corporate LAN from hotels etc.

Fred Marshall (Principal) commented:
Juniper Networks SSG series are very capable: lots of features and possibilities. Excellent support. Will support plenty of VPNs.

Cisco/Linksys RV042 for VPNs is a simpler approach. I use them standalone for VPN connections.

Using fiber MPLS private connections between sites now. No VPN, but could do if desired.

Either way, all sites are on separate subnets. So you have to decide how to handle that.
I will second the statements that you are best off with a router-based VPN.

The Juniper SSGs are great products with good performance. If you are inexperienced with routers I would recommend something like the ZyXEL ZyWALL USG-100, or maybe the new USG-25 or USG-50.

They are cheaper than Juniper, Check Point, WatchGuard and SonicWall, and you will not have to pay for support and upgrades.
You only pay a regular fee if you want antivirus and intrusion detection.
In my experience most people find them easier to set up, as they have wizards for things like multiple WAN and VPN setup.

But any of the products mentioned will be able to do the trick!

Just be aware of how you set up your DNS structure, and remember that traffic is routed on different subnets. If you need site-to-site traffic and not only site-to-HQ, there are ways to solve that. IMO the Juniper SSGs do this the best way, but that's just my thought.
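The last two replies both come back to the same planning point: every site must sit on its own non-overlapping subnet, and branch-to-branch traffic through HQ only works if the routes and the tunnel selectors on both ends include the other branches' prefixes. The script below is an added example written for this page, not code from the thread or from any of the vendors discussed. The site names and 10.x.0.0/24 prefixes are constructed for illustration; it checks the prefixes for overlap and derives the static routes and policy-based VPN selectors a hub-and-spoke layout needs.

```python
"""Added example: check site prefixes for overlap and derive the routes and
tunnel selectors that a hub-and-spoke site-to-site VPN needs.
Site names and prefixes are constructed for illustration (not from the thread)."""
from ipaddress import ip_network, collapse_addresses

# Constructed example: HQ is the hub; each branch has a tunnel to HQ only.
SITES = {
    "HQ": ["10.0.0.0/24", "10.0.1.0/24"],
    "Branch1": ["10.1.0.0/24"],
    "Branch2": ["10.2.0.0/24"],
}


def find_overlaps(sites):
    """Return (site_a, prefix_a, site_b, prefix_b) for each pair of prefixes at
    different sites that overlap. Any hit means hosts in that range cannot tell
    local from remote: the tunnel is never selected or traffic is blackholed."""
    nets = [(site, ip_network(p)) for site, plist in sites.items() for p in plist]
    hits = []
    for i, (site_a, net_a) in enumerate(nets):
        for site_b, net_b in nets[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                hits.append((site_a, str(net_a), site_b, str(net_b)))
    return hits


def remote_prefixes(sites, site, hub, spoke_to_spoke):
    """Prefixes a site must reach over its tunnel(s), as ip_network objects."""
    if site == hub:
        others = [s for s in sites if s != hub]
    elif spoke_to_spoke:
        others = [s for s in sites if s != site]  # hub plus every other spoke
    else:
        others = [hub]
    return sorted(ip_network(p) for s in others for p in sites[s])


def plan_routes(sites, hub, spoke_to_spoke=True):
    """Map each site to the (destination, next_hop) static routes it needs.
    A spoke sends everything remote into its hub tunnel; the hub has one tunnel
    per spoke. Adjacent prefixes are collapsed into summary routes."""
    plan = {}
    for site in sites:
        routes = []
        if site == hub:
            for spoke in sites:
                if spoke == hub:
                    continue
                for net in collapse_addresses(map(ip_network, sites[spoke])):
                    routes.append((str(net), f"tunnel-to-{spoke}"))
        else:
            remotes = remote_prefixes(sites, site, hub, spoke_to_spoke)
            for net in collapse_addresses(remotes):
                routes.append((str(net), f"tunnel-to-{hub}"))
        plan[site] = sorted(routes)
    return plan


def tunnel_selectors(sites, hub, spoke_to_spoke=True):
    """For each spoke, the (local, remote) prefix pairs that must appear, mirrored,
    in both ends' policy-based VPN selectors (crypto ACL / proxy ID). With
    spoke_to_spoke the remote side includes the other spokes' prefixes, which is
    what lets branch-to-branch traffic ride the hub tunnels."""
    selectors = {}
    for spoke in sites:
        if spoke == hub:
            continue
        remotes = remote_prefixes(sites, spoke, hub, spoke_to_spoke)
        selectors[spoke] = [(str(ip_network(local)), str(remote))
                            for local in sites[spoke] for remote in remotes]
    return selectors


if __name__ == "__main__":
    overlaps = find_overlaps(SITES)
    if overlaps:
        raise SystemExit(f"overlapping prefixes, fix addressing first: {overlaps}")
    for site, routes in plan_routes(SITES, "HQ").items():
        print(site, routes)
    for spoke, pairs in tunnel_selectors(SITES, "HQ").items():
        print(spoke, pairs)
```

The hub entry in `plan_routes` is the minimum; for branch-to-branch traffic the hub must also be willing to forward packets back out of the interface they arrived on. On a Cisco ASA hub that is the `same-security-traffic permit intra-interface` setting, and the hub's crypto ACLs and NAT exemptions must cover the spoke-to-spoke pairs that `tunnel_selectors` lists, not only spoke-to-HQ. Run `find_overlaps` before ordering any circuit or building any tunnel; renumbering a branch after the domain controllers are in place is far more work than picking distinct prefixes up front.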

MasterComputing (Author) commented:
Thanks for all the input. I think I'll go the Cisco ASA route.