Need to pick a VPN/Firewall appliance for a small business

I just wanted to know what you guys think of the VPN/Firewall appliances out there, and if you have any recommendations or suggestions.

I'm trying to set up a network for a small company (5 users) - would a Linksys or Netgear router/VPN box work well? One of our competitors picked the SonicWALL TZ170 for $500...but I'm not sure if that's overkill or overpriced. The office is not very tech savvy, so easier is better, as long as it works. Or would even using the VPN and firewall built into Server 2003 work?

Any comments or questions are welcome.
 
Blue Knight said:
Any comments or questions are welcome.

That depends on what you are trying to protect and what you are trying to protect against. Firewalls are only one of many layers of security a business may need. But again it depends on the business security needs.

Give us some more info on the type of business, perceived "threats", and possible budget so that we can help you make an intelligent decision. ;)
 
This is a small family office so it needs to be fairly secure - A family office is an office dedicated to managing the finances and assets of a wealthy individual/individuals (Example: The Disney Family).

Regular internet/email access going out, and only terminal services coming in for remote access to an accounting program. VPN on occasion for access to the network.

No real threats....except the occasional hacker, script kiddie, trojan/worm.

I'd say under $1k for budget, but saving money for the same performance is always good. I just want to know if spending $500 is overkill when I can do it for under $100.
 
Blue Knight said:
This is a small family office so it needs to be fairly secure - A family office is an office dedicated to managing the finances and assets of a wealthy individual/individuals (Example: The Disney Family).

Regular internet/email access going out, and only terminal services coming in for remote access to an accounting program. VPN on occasion for access to the network.

No real threats....except the occasional hacker, script kiddie, trojan/worm.

I'd say under $1k for budget, but saving money for the same performance is always good. I just want to know if spending $500 is overkill when I can do it for under $100.

If your budget is $1K and under, I'd be researching additional appliances that combine the firewall functionality along with AV scanning and perhaps content filtering. I'd also look at a hardware level device instead of using 2K3 with NAT as there is a less likely chance of the security "perimeter" being infiltrated.

You may want to also ask opinions on this board about the different devices since many IT professionals here have vast and wide experiences with the various vendors' equipment and can tell you more about the pros and cons of the devices.

Security is not an area where you want to compare a Sonicwall to a Linksys nor do you want to "skimp" because of price. The benefits will far outweigh the "costs" if the network was ever breached.
 
Agreed.

I am in the process of finding a replacement for our ISA server. (Microsoft products should not be guarding your network against hackers). Our office is also small ~15 people, I'll report back with my research.
 
booyaa said:
I am in the process of finding a replacement for our ISA server. (Microsoft products should not be guarding your network against hackers). Our office is also small ~15 people, I'll report back with my research.

Well, ISA is one area that I would disagree since it's the mainstay of what most of my business clients use (medical, manufacturing, and financial) with no problems (knock on wood). But since it is outside the budget of the OP, we'll debate this in a different thread ;-).
 
ISA is a great product, IF you have trained people to manage and configure it. It is certainly not suitable for the casual in-house admin, IMO. I think small offices are better suited for dedicated appliances, such as SonicWALLs. I've deployed a lot of them, and use them exclusively when I need to maintain a VPN tunnel for administrative access.

All SonicWalls offer subscription based content filtering and anti-virus as options, and I guess I would consider their pricing as average for these services, but I don't think you need to control content in a small office, and I personally prefer to have a more configurable anti-virus solution.

But, they are a superb firewall with an easy to use interface. Their VPNs are great, and the software client is easy to set up and use. They don't utilize the same VPN licensing method that they used to- now, ALL SW's are VPN enabled, up to the limitations of the device (listed in the specs). You download the client (free) and install on as many pcs as you wish, but purchase Client Access licenses for concurrent connections (about $45ea.). So if you purchase a couple of them, you can have the client installed on 30 pcs if you wish, but only 2 at a time can connect, since you've only licensed 2. This differs from the old way where you had to buy total VPN client access in advance, or pay through the nose to add it later.

Also, the client and resulting licensing does not pertain to device-to-device tunnels. For instance, if you have a TZ-170/25, it supports 10 tunnels, in addition to whatever (if any) VPN clients you've licensed. So if you want to link 2 sites together, and don't need remote road warrior access, you don't need to buy any VPN client licenses at all.

That's my take- been using them for a long time.
 
Without reading the rest of the thread, I'd suggest a PIX 501.

For a 5 user network that wants something that "just works", the PIX is your man. Once its configured, you can damn near file it away forever (until vulnerabilities need fixing).
 
BobSutan said:
Without reading the rest of the thread, I'd suggest a PIX 501.

For a 5 user network that wants something that "just works", the PIX is your man. Once its configured, you can damn near file it away forever (until vulnerabilities need fixing).

Ditto.
 
Another vote for the Pix 501. I've used them in 5 locations and they are rock solid :D
 
Thanks for the posts guys. I'll still have to do more research, but the sonicwall and pix501 seem like good solutions at the moment. I think either one would work for them, though I don't think the content subscriptions for the sonicwalls are exactly what they need, but it's a good option to have if they choose to go that route.

As a sidenote, how do these dedicated boxes compare to a Linux machine? I've set up an IPCop box in front of our network (recycled a machine) but now I'm wondering if that was a good call.
 
Too many variables to say what's good and what's not. Things like support contracts and whatnot make a big difference. For example, look at how much a SmartNet contract from Cisco costs. Is that something you think they'll want or need, or will you be happy to support them if their Linux/BSD box dies at 2AM? Those are some of the things you need to consider.
 
Cisco PIX 501 with a smartnet contract is what I would go with... If that is the way you decide to go let me know and I will see what kind of pricing I can get for you...
 
That's an old pix which probably wouldn't allow you to get any manufacturer support. It's possible that it might run pretty steep as well.

If you're looking at the sonicwall type solution, I'd also recommend Fortinet or Watchguard. They both make good firewalls with VPN/AV and other modules built-in.

Like someone said before, these can't really be compared to other SOHO (D-Link/Netgear/Linksys) firewalls.. Because most of those only do a SPI fw and NAT. They usually don't provide anything else, like VPN.
 
PS! said:
That's an old pix which probably wouldn't allow you to get any manufacturer support. It's possible that it might run pretty steep as well.

If you're looking at the sonicwall type solution, I'd also recommend Fortinet or Watchguard. They both make good firewalls with VPN/AV and other modules built-in.

Like someone said before, these can't really be compared to other SOHO (D-Link/Netgear/Linksys) firewalls.. Because most of those only do a SPI fw and NAT. They usually don't provide anything else, like VPN.

The PIX 501 is a current model which has not reached EOS/EOL therefore support would not be a problem...
 
I have about 8 Sonicwall TZ-170s out at remote sites that VPN back to my corporate office. Typically after I install them I have no issues. The issues I have experienced usually relate to the DSL circuit going down and a user trying to troubleshoot on their own and messing with the cables on my Sonicwall.

The Pix 501 is a good product as well. I haven't programmed one in several years but I wouldn't recommend it to someone without Cisco experience (unless they have a GUI interface now).

Both of these products should be able to grow with you as the business changes.
 
Figuring out the Pix firewall rules isn't too hard - there's plenty of documentation for it - or he can always just ask here ;)

I've used Pix firewalls extensively and highly recommend them - they should do the job quite adequately for you.
 
UMCPWintermute said:
Figuring out the Pix firewall rules isn't too hard - there's plenty of documentation for it - or he can always just ask here ;)

I've used Pix firewalls extensively and highly recommend them - they should do the job quite adequately for you.

Quite true. As long as you understand basic network principles, you will be able to understand the documentation. And all you would have to do is give us a little information and there would be plenty of us that could paste an entire working configuration for you :D

As for the person who questioned the existence of the PIX GUI, they've been around since about the introduction of the PIX. They haven't always been exactly perfect, but became more than adequate for joe user about four years ago (since they went to PDM)... Personally I hate it, but then again, managing networks is my job.
 
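A worked example of the kind of configuration the posters above are offering, added here and not written by anyone in this thread: a skeleton PIX 501 configuration (PIX 6.3-era CLI syntax) for the requirements the original poster described, i.e. outbound internet/e-mail for the inside network, inbound Terminal Services (TCP 3389) to a single accounting server, and occasional IPsec remote-access VPN using the Cisco VPN client. Every address, hostname, user name and the remote admin's source address (198.51.100.7) is an assumption chosen from the RFC 5737 documentation ranges; the passwords are placeholders. Lines beginning with a colon are PIX comments. The 3DES/SHA-1 pre-shared-key VPN settings are what the platform supported at the time and would not be chosen for a new deployment today.

```cisco
: ---- Interfaces and addressing (all addresses are assumptions) ----
hostname pixfw
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.248
ip address inside 192.168.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

: ---- Outbound: everything inside gets PAT'd to the outside address ----
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0

: ---- Inbound: only TCP 3389 to the accounting server, and only from the
: known remote admin address. The implicit deny drops everything else;
: the explicit deny at the end exists so that blocked hits are logged.
static (inside,outside) tcp 203.0.113.2 3389 192.168.1.10 3389 netmask 255.255.255.255 0 0
access-list outside_in permit tcp host 198.51.100.7 host 203.0.113.2 eq 3389
access-list outside_in deny ip any any log
access-group outside_in in interface outside

: ---- Remote-access IPsec VPN for the Cisco VPN client ----
: Traffic between the LAN and the VPN pool must bypass NAT.
access-list nonat permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
nat (inside) 0 access-list nonat
ip local pool vpnpool 192.168.2.1-192.168.2.5
sysopt connection permit-ipsec
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map vpnmap 10 ipsec-isakmp dynamic dynmap
crypto map vpnmap client authentication LOCAL
crypto map vpnmap interface outside
isakmp enable outside
isakmp nat-traversal 20
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
vpngroup office address-pool vpnpool
vpngroup office dns-server 192.168.1.2
vpngroup office default-domain office.example
vpngroup office idle-time 1800
vpngroup office password CHANGE-ME-GROUP-SECRET
username jdoe password CHANGE-ME-USER-PASSWORD

: ---- Management only from the inside network (SSH and PDM) ----
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 10
http server enable
http 192.168.1.0 255.255.255.0 inside
logging on
logging buffered warnings
```

Two checks worth doing after pasting something like this: `show access-list outside_in` should show hit counts climbing on the deny line (unsolicited probes being dropped) and on the permit line only when the admin actually connects, and `show xlate` should show only the one static translation for 192.168.1.10 plus the dynamic PAT entries for outbound traffic. If the remote admin does not have a fixed address, the source in the permit line has to be widened to `any`, which is exactly the point where exposing RDP directly becomes worth reconsidering in favour of making people come in over the VPN first.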
RokleM said:
Quite true. As long as you understand basic network principles, you will be able to understand the documentation. And all you would have to do is give us a little information and there would be plenty of us that could paste an entire working configuration for you :D

As for the person who questioned the existence of the PIX GUI, they've been around since about the introduction of the PIX. They haven't always been exactly perfect, but became more than adequate for joe user about four years ago (since they went to PDM)... Personally I hate it, but then again, managing networks is my job.

Ditto on all accounts.
 
RokleM said:
Personally I hate it, but then again, managing networks is my job.

I'm not a big fan of that GUI either, I have been using the CLI for so long I get lost when I try to update a configuration through the GUI... :)
 