Solved

Creating a brand new VPN environment

Posted on 2012-04-09
Last Modified: 2012-05-01
Hello,
I need to create a VPN environment for my company. Employees want to access the network from home. I don't know where to start or what I need for it.
Please give me some hints on how to do this.
Thanks,
Question by:dongocdung

17 Comments
LVL 6

Assisted Solution

by:jacobstewart
jacobstewart earned 56 total points
What type of firewall do you have for your company? Will you be looking to utilize server VPN or firewall VPN?

For basic client-based VPN, SonicWall firewalls have the Global VPN Client or the NetExtender option, which is SSL based. You can use LDAP authentication with them as well.

LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
Is this a large or small business? How many users?

I always recommend hardware VPN as it is less hassle in the long run.

I use Juniper Netscreen (very good) and Cisco Linksys (lower cost) for my clients. Juniper Netscreen are very good for small businesses and work reliably for years.

With any of these and newer Windows 7 64-bit, NCP Secure Entry (ncp-e.com) is an excellent client application. Shrew Soft is free, but has a few limitations. You have choice here.

.... Thinkpads_User
 

Author Comment

by:dongocdung
I will create two different VPNs. One for production and one for the test environment. The production environment uses Juniper and the test environment uses an ASA 5520. My company is small. It has around 50-60 people.
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
Juniper has the market leading product for SSL VPN, which is the most flexible type of VPN.

You would be looking at adding the Junos Pulse Gateway base system (MAG2600) which hardware is about $1,000.

Then you need licenses for the number of concurrent users that will be logged in. With about 50 employees, I suspect not more than 10 will be using it at the same time. Total cost about $2,000.

Generally, it is probably a good idea to have the same type of solution for both production and testing... simplifies support, etc.

The solution above will preferably use the Junos Pulse software on the laptops, phones, iPads, etc., that will use the VPN. With that you will be able to deny them access in case their antivirus is not up to date, etc.
 

Author Comment

by:dongocdung
Thanks for your input. I have two firewalls. Do I need to create two VPNs on these firewalls (Juniper and ASA)?
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
You need a tunnel at each firewall if a remote site or client wishes to access that firewall. At one location it is sometimes useful to have just one active firewall.
 

Author Comment

by:dongocdung
The firewall we have at the lab is used for developers only and the firewall at production is used for everyone in my office. This is the first time I am doing this, so I don't have any idea. However, there should be two different VPNs.
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
If you have a separate IP address for the developers, with a separate firewall, that is, all separate from the production end which has a different IP address, then there should be two different VPNs because each IP goes to a different end.

If you want all the traffic coming into one IP and distributed after (LAN segments) then you only need one VPN.

... Thinkpads_User
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
With your Juniper boxes, the firewall has nothing to do with the SSL VPN itself.

You place the MAG device in a DMZ/zone of the firewall, and create a firewall rule/policy that allows SSL traffic from the Internet to the MAG. Then you have another rule/policy that allows traffic from the "inside" of the MAG to whatever internal zones you want to give each user access to.

If you have an SRX, then you can also implement automatic updates of the firewall rules based on the remote users identity and status (like antivirus status). However, I believe you need to get someone in to set that up - it is a bit complicated.
 
LVL 17

Expert Comment

by:pergr
Without knowing your complete network topology, it is not necessary to have two MAG devices, but you need to connect the two firewalls and do some routing somewhere.
 

Author Comment

by:dongocdung
We will replace the Juniper with a Cisco ASA 5520. Is it still a good idea to have two different VPNs?
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
If you have two firewalls of the same type, it should make sense to create a cluster and get redundancy. You could still make a virtual firewall for the test environment, in case it is necessary to separate more.

For VPN, if you have a single device, you can create a policy per user; maybe some should have access to both environments in one connection.

The Cisco cluster can perhaps handle a few SSL connections by itself.
 

Author Comment

by:dongocdung
Now, I am setting up the firewall in the test environment first and implementing the VPN. What do I need to do first? What are the requirements?
Thanks,
 
LVL 17

Assisted Solution

by:pergr
pergr earned 277 total points
First you need to make sure the Cisco has the AnyConnect license.
 

Author Comment

by:dongocdung
I just checked it. We have such a license.
 
LVL 17

Accepted Solution

by:pergr
pergr earned 277 total points
Then just follow the manual (config guide) and set it up...
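As an added example, not taken from this thread, from pergr, or from Cisco's documentation: the minimal configuration pieces for the AnyConnect setup the accepted answer points to, including the per-user policy pergr mentioned earlier (a developer group that reaches both the production and test networks through one connection, while other employees reach production only, and anyone outside those groups is refused). It assumes an ASA 5520 on 8.4 or later software with an AnyConnect license, an Active Directory server reachable over LDAPS, and the constructed addresses, object names, group names and DNs shown.

```cisco
! Added example (not from the thread or from Cisco): a minimal AnyConnect SSL VPN
! on an ASA 5520 running 8.4+ software, with per-user access decided by LDAP
! group membership. All networks, hostnames, DNs and names are constructed.

! Internal networks behind the ASA: production LAN and the developer test LAN
object network NET_PROD
 subnet 10.10.0.0 255.255.0.0
object network NET_TEST
 subnet 10.20.0.0 255.255.0.0

! Addresses handed out to connected AnyConnect clients
ip local pool POOL_ANYCONNECT 10.99.0.10-10.99.0.60 mask 255.255.255.0
object network NET_VPN_CLIENTS
 subnet 10.99.0.0 255.255.255.0

! Identity NAT so client traffic to the internal networks is not translated
nat (inside,outside) source static NET_PROD NET_PROD destination static NET_VPN_CLIENTS NET_VPN_CLIENTS no-proxy-arp route-lookup
nat (inside,outside) source static NET_TEST NET_TEST destination static NET_VPN_CLIENTS NET_VPN_CLIENTS no-proxy-arp route-lookup

! Only the corporate prefixes go through the tunnel (split tunnelling)
access-list ACL_SPLIT standard permit 10.10.0.0 255.255.0.0
access-list ACL_SPLIT standard permit 10.20.0.0 255.255.0.0

! Per-user filters: source is the VPN client pool, destination the internal
! network. Anything a user's filter does not permit is dropped.
access-list ACL_VPN_PROD_ONLY extended permit ip 10.99.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list ACL_VPN_PROD_AND_TEST extended permit ip 10.99.0.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list ACL_VPN_PROD_AND_TEST extended permit ip 10.99.0.0 255.255.255.0 10.20.0.0 255.255.0.0

! Group policies. GP_NOACCESS is the default for anyone whose LDAP groups
! map to nothing: zero simultaneous logins means the login is refused.
group-policy GP_NOACCESS internal
group-policy GP_NOACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP_EMPLOYEES internal
group-policy GP_EMPLOYEES attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT
 vpn-filter value ACL_VPN_PROD_ONLY
 dns-server value 10.10.0.53
 default-domain value corp.example
 vpn-idle-timeout 30
group-policy GP_DEVELOPERS internal
group-policy GP_DEVELOPERS attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value ACL_SPLIT
 vpn-filter value ACL_VPN_PROD_AND_TEST
 dns-server value 10.10.0.53
 default-domain value corp.example
 vpn-idle-timeout 30

! LDAP (Active Directory) authentication; memberOf selects the group policy
ldap attribute-map MAP_AD_GROUPS
 map-name memberOf Group-Policy
 map-value memberOf "CN=VPN-Employees,OU=Groups,DC=corp,DC=example" GP_EMPLOYEES
 map-value memberOf "CN=VPN-Developers,OU=Groups,DC=corp,DC=example" GP_DEVELOPERS
aaa-server AD_LDAP protocol ldap
aaa-server AD_LDAP (inside) host 10.10.0.10
 ldap-base-dn DC=corp,DC=example
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=corp,DC=example
 ldap-login-password REPLACE_WITH_SERVICE_ACCOUNT_PASSWORD
 server-type microsoft
 ldap-over-ssl enable
 server-port 636
 ldap-attribute-map MAP_AD_GROUPS

! SSL VPN listener on the outside interface. The client package must already
! be on flash; VERSION is a placeholder for the package you downloaded.
! Bind a CA-signed certificate first:  ssl trust-point <trustpoint-name> outside
webvpn
 enable outside
 anyconnect image disk0:/anyconnect-win-VERSION-k9.pkg 1
 anyconnect enable
 tunnel-group-list enable

! Connection profile the users pick from the client's drop-down list
tunnel-group TG_CORP type remote-access
tunnel-group TG_CORP general-attributes
 address-pool POOL_ANYCONNECT
 authentication-server-group AD_LDAP
 default-group-policy GP_NOACCESS
tunnel-group TG_CORP webvpn-attributes
 group-alias Corporate enable
```

Enter the lines from configuration mode, then check the LDAP binding with `test aaa-server authentication AD_LDAP host 10.10.0.10 username <user> password <password>` before exposing the listener, and confirm the policy a connected user actually received with `show vpn-sessiondb anyconnect`. The `vpn-filter` ACLs are what keep a single device serving both environments safe: a developer's session is permitted to both networks, an ordinary employee's only to production, regardless of what split tunnelling lets the client route.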
 

Author Comment

by:dongocdung
I found this article for Cisco. Is it useful for me to start?
https://learningnetwork.cisco.com/docs/DOC-8414