G L

asked:
Best firewall for multi-site connectivity?

I need a firewall for a branch office with 8 users, which may go up to 12 in the next year or two. Most of the resources are in the Head Office (HO), which has a Sophos XG firewall. Remote users currently use the Sophos SSL VPN client individually on their computers and RDP to connect to HO. Now the requirement is to replace the SSL VPN client, establish a site-to-site VPN and join all the remote computers to the DC in HO. I was looking at the Sophos XG 115 for the branch office.

Would like to get some expert advice on the Sophos XG 115 device for the branch office, or whether there is any better alternative available for site-to-site VPN. Also trying to keep the cost to a minimum.
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer

I think you would be fine with the Sophos. It runs neck and neck with the SonicWALLs out there, and they are very good. What I want you to look at, though, is to plan for those 12 users and more. Also, look at the amount of traffic you might be passing between the sites.

Finally, look at your throughput on the firewall. They show the throughput at its best, but do not always tell you how much of a slowdown you get as you add functionality. For example, when you add deep packet inspection, antivirus, anti-spam, etc., you can lose your maximum throughput. On the XG 115 your VPN throughput is 350 Mbps. Start adding extras and you could find yourself with a bottleneck.

Just something to look at.

This is a really nice box and if you already have experience with them, then go with what you are comfortable with.
For my customers, I just buy a cheap Cisco off eBay and use it to do a site-to-site IPsec to the Sophos at the HO.

I use WatchGuards at customer sites, but for satellite offices I just put in a Cisco.

Which one depends upon your connectivity.  

For a leased line, you want an Ethernet router.
The C1841 has 2 Ethernet ports and is £30-40 on eBay. At this price you can afford to have a spare.

For DSL, you can sometimes put an 1841 behind your current router, or replace it.
The C867VAE does ADSL and VDSL and is about £100 on eBay.

If it is only ADSL (instead of VDSL - FTTC), you can get away with an 877 or 867 for a similar price to the 1841 above.

This works well for me and I can monitor them dead easily with PRTG.

Because I do this a lot, I have a few spares sitting on the shelf.

Customers are sometimes wary: "what if it breaks, because isn't refurb less reliable?" The answer is no, and I have spares just in case, so I can turn up with a pre-configured device.
In my experience Cisco, while having great equipment, has always been overpriced and IMHO a pain in the butt. This is from someone trained in Cisco. I don't know if it has changed, but years ago, if you did not purchase your Cisco device from an authorized reseller, you got no warranty or support. That was their policy.

When I went to set up client sites at one customer, the Cisco licensing was a pain and nothing as simple as a Sophos, SonicWALL or WatchGuard, and in some cases it was limiting. If you do want to keep your Cisco device up to date and get support, you have to keep your maintenance current. Now, others also do this with some of their equipment, but when I just changed out $100,000 of networking equipment at another customer, the Cisco TCO would have been astronomical when you added in the support costs. In that instance, we went with HP with lifetime warranties out of the box.

You already have Sophos, so stick with that, just make sure it can handle your existing and expected load for up to say, 5 years.
I think that in this case Cisco is a valid suggestion.  

It is easy to buy IT for the sake of buying IT.

There is no Cisco licensing in this scenario and you don't have any recurring costs once installed (you would with a second Sophos device).

As explained, a refurb router can be cheap as chips.

Set the VPN up (copy a config off the net) and it will keep running. No support needed, no licensing. Monitor it with PRTG (free for 100 sensors).

The Cisco does no application-level firewalling, as it is simply for VPN connectivity (maybe with a few ACLs to prevent unwanted traffic types), and your main Sophos will firewall everything.

If you had bought a second Sophos device, I would suggest staying with it, but in this case the TCO of a Cisco VPN is tiny and it will last for years.

No need for a warranty as you could buy two and have a spare and still save a ton of money.  


It comes down to what your priorities are.  You can have a great solution using cheap Cisco gear, you could have a great solution spending extra for support, maintenance etc with Sophos or you could buy something else.

If you are expecting to deploy a lot more stuff at your branch office in the near future, perhaps the extra features a Sophos device would provide will be attractive. If not, then you could go for the less costly option, which will have rock-solid reliability with no running costs, and maybe 'upgrade' to another Sophos device in a couple of years if and when it is needed.

In the old days you never got fired for buying IBM. Many people turn their nose up at cheaper solutions and want to use what they have always used. There is some merit in this approach, but sometimes benefits can be had by remaining neutral and judging a solution based upon its merits.
SOLUTION
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer

This solution is only available to members.
I use only Cisco for routers and WAPs.

Steve, I have only ever had a single DSL router fail.

I use WatchGuard for firewalls. Not every situation needs a firewall. These guys do (evidenced by the fact that they have one). They don't necessarily need another based upon the requirements set out.

The lack of warranty and support is irrelevant in this case. I provide support to my customers and if one were to fail, it would be a quick swap-out. However, almost every support call is a change request or a query over bandwidth or actual connectivity, not a fault with the platform.

Malware wouldn't get through any easier in the solution I suggested, which was to use a Cisco to VPN to the current Sophos firewall to allow computers to log on via RDP. All other external traffic comes through the current Sophos firewall, so no increased exposure there. No second firewall required. Ransomware won't get through a NAT with a few ACLs; it comes through web downloads or email attachments.

Once a VPN is working, it doesn't need changing, pre-paid support is irrelevant.  

If the OP has to call someone like me or you to help with an issue at some point in the future, it would still cost way less than a new Sophos with support and maintenance.

So I would stick to my recommendation based upon the criteria laid out in the original question.  

Don't get me wrong, I do supply new stuff to people and sometimes buy support/maintenance as a bit of a safety net 'just in case', but in this scenario it's simply not worth spending the money if the OP is comfortable installing it to start with - and the tone of the question implies to me that he is capable.
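What the "cheap Cisco doing site-to-site IPsec to the Sophos, with a few ACLs, monitored by PRTG" suggestion looks like on the branch router, written out as an added example; this is not a config from any of the posters, and it has not been taken from the thread's "copy a config off the net". It assumes a Cisco ISR (an 1841-class box running a 15.x IOS image) with the branch LAN on FastEthernet0/1 and the WAN on FastEthernet0/0; every address, hostname, ACL name and the pre-shared key are placeholders (RFC 5737 documentation ranges), and the hypothetical HO side is a Sophos XG at 203.0.113.1 fronting 10.0.0.0/24, with a PRTG probe at 10.0.0.50.

```cisco
! Added example (not from the thread): branch-office Cisco ISR terminating a
! site-to-site IPsec tunnel to the Sophos XG at HO. All values are placeholders.
!
! Assumed topology:
!   Branch LAN  192.168.10.0/24  on FastEthernet0/1
!   Branch WAN  198.51.100.2/30  on FastEthernet0/0 (ISP gateway 198.51.100.1)
!   HO LAN      10.0.0.0/24      behind the Sophos XG public address 203.0.113.1
!   PRTG probe  10.0.0.50        in the HO LAN, polling the router over the tunnel
hostname BRANCH-RTR
ip domain-name example.com
!
! Phase 1 (IKEv1). Define the policy explicitly: the IOS default policy is
! DES/MD5/group 1. Older images may reject sha256 or group 14; confirm with
! "show crypto isakmp policy" and use the same proposal on the Sophos side.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.1
!
! Phase 2 (IPsec) proposal; must match the Sophos XG IPsec policy.
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting traffic": only branch LAN <-> HO LAN is sent into the tunnel.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map CM-HO 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! NAT for local Internet breakout. The deny line is the classic mistake:
! without it LAN->HO traffic is NATed to the WAN address and never matches
! VPN-TRAFFIC, so the tunnel "comes up but nothing passes".
ip access-list extended NAT-SOURCE
 deny   ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
ip nat inside source list NAT-SOURCE interface FastEthernet0/0 overload
!
! Inbound WAN ACL (the "few ACLs"): only IKE/ESP from the HO peer is accepted
! from the Internet. IOS re-evaluates this ACL on the decrypted packets, so the
! HO-LAN -> branch-LAN permit is also required. CBAC inspection (below) lets
! replies to locally initiated Internet sessions back in; all else is dropped.
ip access-list extended WAN-IN
 permit udp host 203.0.113.1 host 198.51.100.2 eq isakmp
 permit udp host 203.0.113.1 host 198.51.100.2 eq non500-isakmp
 permit esp host 203.0.113.1 host 198.51.100.2
 permit ip 10.0.0.0 0.0.0.255 192.168.10.0 0.0.0.255
 deny   ip any any log
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
ip inspect name OUTBOUND icmp
!
interface FastEthernet0/0
 description WAN
 ip address 198.51.100.2 255.255.255.252
 ip nat outside
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
 crypto map CM-HO
!
interface FastEthernet0/1
 description Branch LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
ip route 0.0.0.0 0.0.0.0 198.51.100.1
!
! Read-only SNMP for PRTG, limited to the probe address; no RW community.
ip access-list standard SNMP-HOSTS
 permit 10.0.0.50
snmp-server community REPLACE-WITH-RO-STRING RO SNMP-HOSTS
!
! Management only from the HO LAN over the tunnel, SSH only
! (run "crypto key generate rsa" first).
ip access-list standard MGMT-HOSTS
 permit 10.0.0.0 0.0.0.255
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
```

The Sophos XG side needs a mirror-image IPsec connection (same IKE and ESP proposals, PFS group, local subnet 10.0.0.0/24, remote subnet 192.168.10.0/24, the same PSK) and a firewall rule from the VPN zone that allows only what the branch actually needs from HO (RDP plus the AD/DNS ports for domain-joined machines), which is where the "main Sophos firewalls everything" part of the argument actually happens. After bringing the tunnel up, `show crypto isakmp sa` should show the peer in QM_IDLE and `show crypto ipsec sa` should show encaps/decaps counters climbing; if Phase 1 never completes, a proposal mismatch with the Sophos policy is the usual cause.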
ASKER CERTIFIED SOLUTION

This solution is only available to members.
G L

ASKER

Thanks guys. I got the information I was looking for. I am a big fan of Cisco devices personally but did not get a chance to use them at work. I have used a Cisco RV215W for one of the remote offices, which required a basic setup, and it is working well.
Benjamin Van Ditmars
I would go for a 5506-X with Firepower for small offices, the new 5508-X for some bigger ones.
I think we covered the main points.