[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 128
  • Last Modified:

VPN protocal

I am looking at setting up a VPN, speed it a big factor. I am looking at SSL VPN or Open VPN (not supported by many routers). Putting security aside which do you recommend? For instance, the Barracuda X200 has SSL VPN only most of the Cisco routers do not support OpenVPN also.
I'm open to other protocols also please let me know what you think is the best VPN for EU to US connections.
0
ido90
Asked:
ido90
  • 10
  • 4
  • 3
  • +1
1 Solution
 
Erik BjersPrincipal Systems AdministratorCommented:
is this for site to site VPN, client access VPN, or both?

If site to site VPN you need an appliance that can handle the amount of traffic that will pass between sites
If client access you need one that will handle the most concurrent user sessions you can imagine

You can install OpenWRT on a variety of SOHO routers but if you are doing site to site and have more than 10 people per location I would avoid this

For larger implementations you should look at the firewalls offered by; Meraki, SonicWALL, FortiNet, Cisco, NetGear, etc

My choice would be Meraki but you want to have the same device type at each end.

Remember though no matter what brand you go with you will likely need to license multiple remote access clients to get everything working.

If you give me an idea of size, traffic expectations, and connection types I can advise specific models.
0
 
J SpoorTMECommented:
meraki doesn't offer any really security... so if you are looking for a firewall with VPN capability, with the ever emerging threats and malware out there, look into a UTM or NGFW that can do all.

For client access, I suggest SSL-VPN, with IPsec you sometimes run into the limitations that for example in hotels they won't support IPsec. SSL-VPN has however a larger overhead.

For site-to-site indeed look into a IPsec VPN capable unit.

Specially in a link with high latency, US-EMEA you should also look in WAN acceleration, as laency is a big impact in throughput speeds.

the SonicWALL offers all of the above



View example configurations and the SonicWALL webui and features on http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
0
 
ido90Author Commented:
I am trying to setup a Client->site VPN. Most of the time there will be four users at most, and those need to have low latency speeds.

Also with OpenVPN, there is usually the option of split VPN so you don't loose the local connectivity. Is that available in any other protocol that is good?

I tried with an old Cisco Router (RV220W) PPTP connection. Europe to US client (100/2) site (10/10) what I get is (1/1) ping 230ms.

Do you think there is a router or another protocol that would improve that?
0
VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

 
J SpoorTMECommented:
It's the latency that kills you.
Both with IPsec Client to Site and SSL-VPN you can do split tunneling.

if speed is the main concern, you need WAN optimization.
0
 
ido90Author Commented:
who in your opinion has a good WAN optimization feature? for client-site
0
 
SIM50Commented:
I would look into Cisco ASA. If it is only for 4 users, 5506-X should be enough. The main reason for suggesting is DTLS. DTLS is a variant of SSL which uses UDP and was designed for time sensitive apps. Anyconnect uses DTLS as primary protocol with fall back to TLS.
0
 
J SpoorTMECommented:
SonicWALL, firewall as SSL-VPN and a WXA on top (managed from the firewall)
0
 
Erik BjersPrincipal Systems AdministratorCommented:
JSpoor,

I would like to know why you think Meraki does not provide any real security.
0
 
J SpoorTMECommented:
Coz I just did a full analysis of it.

It has huge limitations on the AV engine and only inspects HTTP, can't do SSL inspection, nor does it inspect anything else then HTTP traffic.

IPS seems ok as it's snort based.

App control is very limited.

It's practically a home router functionality wise with 0 enterprise features, even missing proper networking features.
0
 
Erik BjersPrincipal Systems AdministratorCommented:
Thanks JSpoor,

My team recently decided to switch to Meraki for our field sites but I was not involved in the selection so did not really look much into them.

Have you looked at them since Cisco bought the company?  I know they have made some improvements.
0
 
J SpoorTMECommented:
This review was done just a few weeks ago.

The only recent addition is AMP sandboxing, but again only for HTTP downloads.

For any other competitive data feel free to PM me.
Reviewed PAN, Fortinet, Check Point, Meraki, WatchGuard and Sophos (Sophos and Cyberoam)
0
 
J SpoorTMECommented:
In the mean feel free to view the SonicWALL features and UI here

http://livedemo.sonicwall.com or http://ngfw-demo.com

Multiply the effectiveness of your APT Sandbox, stop unknown and zero-day attacks at the gateway. See a demo on http://apt-demo.com or http://atp.demo.com

You can also view the Next-Generation Firewalls via
http://next-generation-firewall.com or http://next-generation-firewall-demo.com
0
 
ido90Author Commented:
I'm still with a big ??? on the VPN situation. For now, I installed a CISCO RV325. I tried various protocols, seems PPTP is the only one that actually gives be some speed on this router. The Linksys LRT224 I has before actually did give good speed with OpenVPN UDP but it was no reliable. I read on WAN acceleration and from what I can see it will not help me. I need real-time speed, it's not about the files, I need to read and write directly to PLC units onsite.  It seems what I need is UDP type of protocol, One option, is the CISCO ASA5506-K9 with DTLS as suggested and the other option seems to be setting up an OpenVPN server on one PC machine on site. I could not find any good OpenVPN routers for commercial use, Any suggestions on which direction I should go?
0
 
J SpoorTMECommented:
don't think the CISCO RV325 has hardware crypto for IPsec, hence the low perfromance

I personally have a Site-to-site IPSec from Netherlands to California using SonicWALLs on both ends, and have good transfer. Even without WAN acceleration.

If it's speed and security you need, don't look at rotuers that are not designed for IPsec :)
0
 
ido90Author Commented:
I just talked to SonicWall they suggested the TZ400 but they said they are "only the manufacturer" and they don't know about IPsec and all that... they also do not have technical people... does the TZ400 have the capabilities you are talking about?
0
 
J SpoorTMECommented:
TZ400 is a full IPsec Concentrator :) I use a TZ600 myself at home
0
 
J SpoorTMECommented:
c'rection, TZ500, still have to unbox the TZ600 :)
0
 
J SpoorTMECommented:
all the TZs and NSAs are available to review on http://livedemo.sonicwall.com
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 10
  • 4
  • 3
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now