Eddie_1 asked:
Router and a firewall in 1 device or 2 separate devices?

Hi all.

I've read quite a lot from Experts and the net but am still falling short on a little more direction.

Here's the scenario that I've inherited:
There are 3 sites connected with a couple of different broadband providers. There's an installation of ZeroShell software firewall at each location and a couple of Linksys RV082 routers making site-to-site connections.

I want to replace ZeroShell with a hardware firewall solution and replace the Linksys routers. I would like the ability to add 2 connections at each site for redundancy down the road. I need site-to-site vpn and would like to offer my users software vpn connectivity.

Site 1 has about 10 users and I want to plan for that number to double within 2 years.
Site 2 has about 50 users
Site 3 has about 50 users and want to plan for that number to grow by 10 - 20 in the next year or 2
There could be a Site 4 added this year and possibly a site 5.

I've had the thought to throw the Linksys routers in the trash, delete the ZeroShell firewall, and add a hardware router/firewall at each location. Specifically, I was thinking about 1 hardware device that performs both routing and a firewall, such as an ASA.

What do you think about having 1 device as opposed to having a router and firewall separately?

Eddie
PCS707:

You could set them up with Cisco PIX 501e Firewalls. We use those for our VPN connection setup. They only support up to 10 or 50 users on those. You can also use the latest technology, which would be Cisco ASAs, but they are much more expensive. I hope this helps.


Ryan Weber
Desktop Support Technician
PC Solutions of Michigan, LLC
1200 S. West Ave.
Jackson, MI 49203
Ph:  517.787.9934
Fax:  517.787.9968
rweber@pcsolutionsnow.com
www.PCSolutionsNow.com
ASKER CERTIFIED SOLUTION
rauenpc
Eddie_1 (ASKER):
I currently have 3 broadband connections providing 20 - 25 megs. I do have static addressing from these providers. I would eventually like to have a mesh, but that's another project 6 - 12 months from now. My priority is to stabilize the existing infrastructure, eliminating sloooow connections.

What does backhaul mean?

Are you saying that an ASA can comfortably handle routing and being a firewall? I've read some suggest having a router connected to the internet and a firewall behind that, as well as vice versa. I want to make the best choice for my company, pulling the biggest bang for the buck. I do have some latitude to work with on my budget.
Backhauling is when you force Internet-bound traffic through a VPN tunnel to a central site before letting it exit the network to the Internet. This is commonly done to force traffic through a central firewall, Mac, web filter, etc.

An ASA can handle routing, but I wouldn't suggest configuring tons of VLANs on an ASA. Stick to an inside, outside, and DMZ/guest interface. The ASA can have hundreds of routes, but try not to go beyond a few interfaces. If you need a bunch of VLANs at any site, use a layer 3 switch as well as a router or firewall.

It's hard to say which will be better for you in the end. Both a router and a firewall will get the job done. The firewall will require more configuration for the full mesh and/or dual connectivity you mentioned when compared to using a router. On the flip side, the ASA can handle more encrypted throughput, which could become very important.
My vote would go to ASAs as well. When setting up fully meshed site2site VPNs it isn't really routing in the classical meaning that the ASAs do. And, as said, the ASAs are more robust and designed for that usage.
With regards to the second connection at each site: keep in mind that the ASAs only can do failover and no load balancing so if you want the latter you might need to go with a router or other firewall that supports that option.
Eddie_1 (ASKER):
What do you think about using a Netgear ProSecure UTM50 in my headquarters office and a Netgear ProSecure UTM25 in the other 2 sites? I just received this as a suggestion.
Looks nice :)
Though I don't have any experience with those, it looks like a neat solution. And if you're tied to a budget, I think these come cheaper than a similar ASA.
Eddie_1 (ASKER):
My budget allows for more and I want to make certain we spend money wisely for the right solution. It looks like the Netgear ProSecure UTM50 runs about $1500 versus a 5500 series ASA at $3-4k.

My network engineer has made this suggestion and is money conscious despite my telling him to let me worry about the money.

I'm looking over the specs now and it does look like a good device. I have a couple of gig Netgear switches and a couple more to deploy, but have never used Netgear stuff for a router/firewall.

Thanks Erniebeek. I'd like to see if Rauenpc has any insight.
Let's wait for him then :)

If budget is not an issue I'd personally go with Cisco. Of course also because of the fact that I'm more familiar with it ;) I still tend to think that Netgear is more of a consumer brand/very small business brand. But that is just a gut feeling.

Also the question: how is the business support from Netgear? With Cisco I'm confident about that (when having a SmartNet). With Netgear: no personal experience, so I can't say.
Eddie_1 (ASKER):
I don't know about business support from Netgear. I haven't had a problem with any of their switches. But I do agree with you that their products do carry more of a small business/home office type of feel.

After reviewing the specs for Netgear and cost, I'm not certain that'll be the best solution. I certainly don't want to deal with this being a cheesy solution and end up spending more money later for replacements or upgrade to another product.

Does Adtran, Juniper, or Barracuda have any comparable solutions? Can you give me any idea about yearly license cost and support for 3 ASAs?
My company recently sold an ASA 5505 to a customer with an unlimited user license with Security Plus (to allow for dual internet connections). It was marked with a list price of 1695.00, and since we're a Cisco partner we were able to provide a discount to bring the price down to 1100.00. SmartNet was about 167/year as an add-on.

The 5505 can handle up to 100M worth of encrypted throughput, so you won't have any issues there, and can have up to 25 IPsec VPN connections running simultaneously, so you won't have any issues until you get beyond 7 sites running full mesh.
Specs:
http://www.cisco.com/en/US/products/ps6120/prod_models_home.html

If you work with a Cisco partner to purchase these, you can probably get a similar price (note that all partners have different pricing which is subject to change without notice blah blah blah).
LOL@ blah :)

And btw, the license will only cost you once. The SmartNet is on a yearly (or 3-yearly (?)) basis.
Yes, Ernie is right. The license is a one-time thing to unlock the features, and the SmartNet is an optional extended support contract offered through Cisco that varies in length and response time.

If you'd like my company to create a quote for you for 3 5505's with the licensing and optional SmartNet, let me know. At the least, it will give you a solid reference for the price and the type of discount you could get from a Cisco partner.
@ rauenpc: be careful with that, not sure if you're allowed to make such offers here.
I actually checked with the EE admins before making the comment. Since it's a valid solution and it wasn't my first response, they felt it was OK.
Eddie_1 (ASKER):
Rauenpc, can you drop me an email at e.norman@allianceengineering.com?
Eddie_1 (ASKER):
Ok. Would you do so for 2 - 5510's and 1 - 5505?
Ok, said nothing then :)
Eddie_1 (ASKER):
Hey guys.

What does it mean to have a "managed router"?
In which sense? If you're asking about when an ISP says managed router, it is usually one of two things:
1. It is a router that will exist on your premises but is under complete control and policy of the ISP. This usually serves as a media termination point so that the line (T1(s), fiber, coax, wireless) goes to their router and gets handed off to you as Ethernet.
2. It is the same as above, but also comes with a set of services provided to you such as DHCP, VLANs, ACLs, firewalling, and phone services. Each option is based on the ISP's offering.

The first option is nice because you don't need to worry about having all your own T1 cards/controllers, and it is up to the ISP entirely to handle troubleshooting the lines if needed. Having an Ethernet hand-off is very convenient as well.

The second option, I do not care for. I don't like giving the ISP configuration control over my network any further than required. This is a nice option for small companies (<15 users) that have a single site and just need internet access.
Eddie_1 (ASKER):
Thanks rauenpc and erniebeeks.