Solved

Router and a firewall in 1 device or 2 separate devices?

Posted on 2013-01-23
452 Views
Last Modified: 2013-01-31
Hi all.

I've read quite a lot from Experts and the net but am still falling short on a little more direction.

Here's the scenario that I've inherited:
There are 3 sites connected with a couple of different broadband providers. There's an installation of ZeroShell software firewall at each location and a couple of Linksys RV082 routers making site-to-site connections.

I want to replace ZeroShell with a hardware firewall solution and replace the Linksys routers. I would like the ability to add 2 connections at each site for redundancy down the road. I need site-to-site vpn and would like to offer my users software vpn connectivity.

Site 1 has about 10 users and I want to plan for that number to double within 2 years.
Site 2 has about 50 users
Site 3 has about 50 users and want to plan for that number to grow by 10 - 20 in the next year or 2
There could be a Site 4 added this year and possibly a site 5.

I've had the thought to throw the Linksys routers in the trash, delete the ZeroShell firewall, and add a hardware router/firewall at each location. Specifically, I was thinking about 1 hardware device that performs both routing and a firewall, such as an ASA.

What do you think about having 1 device as opposed to having a router and firewall separately?

Eddie
Question by: Eddie_1

21 Comments
 
LVL 1

Expert Comment

by:PCS707
ID: 38811616
You could set them up with Cisco PIX 501e Firewalls. We use those for our VPN connection setup. They only support up to 10 or 50 users on those. You can also use the latest technology, which would be Cisco ASAs, but they are much more expensive. I hope this helps.


Ryan Weber
Desktop Support Technician
PC Solutions of Michigan, LLC
1200 S. West Ave.
Jackson, MI 49203
Ph:  517.787.9934
Fax:  517.787.9968
rweber@pcsolutionsnow.com
www.PCSolutionsNow.com
 
LVL 20

Accepted Solution

by:
rauenpc earned 500 total points
ID: 38811843
There are a few things to consider here. How much bandwidth will be going through these devices? The number of users doesn't matter outside of licensing, but throughput does matter. Will all internet connections have static or dynamic IPs? Will these sites use internet locally, or do you plan to backhaul that through a single site?

I wouldn't go with the PIX platform as they are either already unsupported or will be soon. The ASA5505 isn't too bad in price (usually under $1K). The ASA would require all sites to have a static public IP if you plan to have a full mesh of VPN connectivity, but only one site needs a public IP if you'll be going hub-and-spoke (using EzVPN). You could also look into going with a DMVPN solution, which would require routers. The routers can be configured as a firewall at the same time, although they are not nearly as robust as an ASA. Using DMVPN would only require one site to have a static public IP, and the rest can be dynamic. Adding sites is a breeze with DMVPN and it scales very well as long as you do your homework and choose router models appropriately, as it all comes down to throughput.

http://www.experts-exchange.com/blogs/rauenpc/B_7204-DMVPN-configuration-example.html
 

Author Comment

by:Eddie_1
ID: 38812029
I currently have 3 broadband connections providing 20 - 25 megs. I do have static addressing from these providers. I would eventually like to have a mesh, but that's another project 6 - 12 months from now. My priority is to stabilize the existing infrastructure, eliminating sloooow connections.

What does backhaul mean?

Are you saying that an ASA can comfortably handle routing and being a firewall? I've read some suggest having a router connected to the internet and a firewall behind that, as well as vice versa. I want to make the best choice for my company, pulling the biggest bang for the buck. I do have some latitude to work with on my budget.
 
LVL 20

Expert Comment

by:rauenpc
ID: 38813029
Backhauling is when you force Internet-bound traffic through a VPN tunnel to a central site before letting it exit the network to the Internet. This is commonly done to force traffic through a central firewall, Mac, web filter, etc.

An ASA can handle routing, but I wouldn't suggest configuring tons of VLANs on an ASA. Stick to an inside, outside, and dmz/guest interface. The ASA can have hundreds of routes, but try not to go beyond a few interfaces. If you need a bunch of VLANs at any site, use a layer 3 switch as well as a router or firewall.

It's hard to say which will be better for you in the end. Both a router and a firewall will get the job done. The firewall will require more configuration for the full mesh and/or dual connectivity you mentioned when compared to using a router. On the flip side, the ASA can handle more encrypted throughput, which could become very important.
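rauenpc's advice above to keep an ASA to an inside, outside and dmz interface, and his description of backhauling, as an added ASA configuration example for a spoke site. It is not from the thread; it assumes ASA 9.x syntax (post-8.3 NAT) on a 5505, whose Ethernet ports are switch ports assigned to VLAN interfaces, and uses constructed values: 192.168.2.0/24 as the local LAN, 172.16.2.0/24 as the DMZ, 198.51.100.2/29 as the outside address with 198.51.100.1 as the ISP gateway, 203.0.113.10 as the hub site's static public IP, 192.168.1.0/24 as the hub LAN, and placeholder object names and pre-shared key.

```text
! Site 2 ASA 5505 (constructed example; RFC 5737 documentation addresses)
hostname site2-asa
!
! Three roles only. The security level sets the default trust direction:
! higher -> lower is allowed, lower -> higher is denied unless an ACL permits it,
! so the dmz (50) can reach the Internet (0) but not the inside (100) by default.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.2.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.248
interface Vlan3
 nameif dmz
 security-level 50
 ip address 172.16.2.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 3
! Ethernet0/2 - 0/7 remain in VLAN 1 (inside) by default
!
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! NAT exemption: traffic for the hub LAN keeps its private addresses
object network SITE2-LAN
 subnet 192.168.2.0 255.255.255.0
object network SITE1-LAN
 subnet 192.168.1.0 255.255.255.0
nat (inside,outside) source static SITE2-LAN SITE2-LAN destination static SITE1-LAN SITE1-LAN no-proxy-arp route-lookup
! Everything else breaks out locally via PAT on the outside address
object network SITE2-LAN-PAT
 subnet 192.168.2.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! Phase 1 (IKEv1) and Phase 2 (IPsec) for the site-to-site tunnel
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic: only LAN-to-LAN goes through the tunnel
access-list VPN-TO-SITE1 extended permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITE1
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key EXAMPLE_PSK_CHANGE_ME
```

As written, only traffic between the two LANs is encrypted and Internet traffic leaves Site 2 directly. To backhaul instead, the crypto ACL destination becomes `any` (and the NAT exemption destination is widened to match), the local PAT rule is removed, and the hub must accept traffic that enters and leaves on its outside interface with `same-security-traffic permit intra-interface` plus a PAT rule for 192.168.2.0/24 out of its own outside interface; the hub's firewall and web filter then see every spoke user's Internet traffic, which is the point of the design. `show crypto ikev1 sa` and `show crypto ipsec sa` on either side show whether the tunnel is up and which selectors are carrying traffic.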
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38813528
My vote would go to ASAs as well. When setting up fully meshed site2site VPNs, it isn't really routing in the classical meaning that the ASAs do. And, as said, the ASAs are more robust and designed for that usage.
With regards to the second connection at each site: keep in mind that the ASAs can only do failover and no load balancing, so if you want the latter you might need to go with a router or other firewall that supports that option.
 

Author Comment

by:Eddie_1
ID: 38814174
What do you think about using a Netgear ProSecure UTM50 in my headquarters office and a Netgear ProSecure UTM25 in the other 2 sites? I just received this as a suggestion.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38814208
Looks nice :)
Though I don't have any experience with those, it looks like a neat solution. And if you're tied to a budget, I think these come cheaper than a similar ASA.
 

Author Comment

by:Eddie_1
ID: 38814235
My budget allows for more and I want to make certain we spend money wisely for the right solution. It looks like the Netgear ProSecure UTM50 runs about $1500 versus a 5500 series ASA at $3-4k.

My network engineer has made this suggestion and is money conscious despite my telling him to let me worry about the money.

I'm looking over the specs now and it does look like a good device. I have a couple of gig Netgear switches and a couple more to deploy, but have never used Netgear stuff for a router/firewall.

Thanks Erniebeek. I'd like to see if Rauenpc has any insight.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38814369
Let's wait for him then :)

If budget is not an issue I'd personally go with Cisco. Of course also because of the fact that I'm more familiar with it ;) I still tend to think that netgear is more of a consumers brand/very small business brand. But that is just a gut feeling.

Also the question: how is the business support from netgear? With Cisco I'm confident about that (when having a smartnet). With netgear: no personal experience so I can't say.
 

Author Comment

by:Eddie_1
ID: 38814490
I don't know about business support from Netgear. I haven't had a problem with any of their switches. But I do agree with you that their products do carry more of a small business/home office type of feel.

After reviewing the specs for Netgear and cost, I'm not certain that'll be the best solution. I certainly don't want to deal with this being a cheesy solution and end up spending more money later for replacements or an upgrade to another product.

Does Adtran, Juniper, or Barracuda have any comparable solutions? Can you give me any idea about yearly license cost and support for 3 ASAs?
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815015
My company recently sold an ASA 5505 to a customer with an unlimited user license with Security Plus (to allow for dual internet connections). It was marked with a list price of 1695.00, and since we're a Cisco partner we were able to provide a discount to bring the price down to 1100.00. Smartnet was about 167/year as an add-on.

The 5505 can handle up to 100M worth of encrypted throughput, so you won't have any issues there, and can have up to 25 IPSEC VPN connections running simultaneously, so you won't have any issues until you get beyond 7 sites running full mesh.
Specs:
http://www.cisco.com/en/US/products/ps6120/prod_models_home.html

If you work with a Cisco partner to purchase these, you can probably get a similar price (note that all partners have different pricing which is subject to change without notice blah blah blah)
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38815026
LOL@ blah :)

And btw, the license will only cost you once. The smartnet is on a yearly (or 3-yearly (?)) base.
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815157
Yes, Ernie is right. The license is a one-time thing to unlock the features, and the smartnet is an optional extended support contract offered through Cisco that varies in length and response time.

If you'd like my company to create a quote for you for 3 5505's with the licensing and optional smartnet, let me know. At the least, it will give you a solid reference for the price and the type of discount you could get from a Cisco partner.
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38815295
@ rauenpc: be careful with that, not sure if you're allowed to make such offers here.
 
LVL 20

Expert Comment

by:rauenpc
ID: 38815305
I actually checked with the EE admins before making the comment. Since it's a valid solution and it wasn't my first response, they felt it was OK.
 

Author Comment

by:Eddie_1
ID: 38815310
Rauenpc, can you drop me an email at e.norman@allianceengineering.com?
 

Author Comment

by:Eddie_1
ID: 38815314
Ok. Would you do so for 2 - 5510's and 1 - 5505?
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 38815341
Ok, said nothing then :)
 

Author Comment

by:Eddie_1
ID: 38820155
Hey guys.

What does it mean to have a "managed router"?
 
LVL 20

Expert Comment

by:rauenpc
ID: 38820377
In which sense? If you're asking about when an ISP says "managed router", it is usually one of two things:
1. It is a router that will exist on your premises but is under the complete control and policy of the ISP. This usually serves as a media termination point so that the line (T1(s), fiber, coax, wireless) goes to their router and gets handed off to you as Ethernet.
2. It is the same as above, but also comes with a set of services provided to you such as DHCP, VLANs, ACLs, firewalling, and phone services. Each option is based on the ISP's offering.

The first option is nice because you don't need to worry about having all your own T1 cards/controllers, and it is up to the ISP entirely to handle troubleshooting the lines if needed. Having an Ethernet hand-off is very convenient as well.

The second option, I do not care for. I don't like giving the ISP configuration control over my network any further than required. This is a nice option for small companies (<15 users) that have a single site and just need internet access.
 

Author Closing Comment

by:Eddie_1
ID: 38841804
Thanks rauenpc and erniebeeks.