
VPN firewall recommendations


SQLScholar
Aug 21, 2002
Hey all,

I am looking for a hardware firewall with VPN technologies.

Any good reviews/companies to look at/models to consider???

Must not cost the earth!

Many thanks

Dan

----------------------------------------
There are 2 types of computer, the prototype and the obsolete!!
----------------------------------------
No D, just plank - and its not my fault
 
Take a look at the Cisco 1800 or 2800 series ISR (Integrated Services Routers). These are a little pricey but are great routers with VPN capabilities.
 
For most people, unless there is a specific requirement that is proprietary to their office, I would suggest a Cisco PIX firewall. Very stable, secure, and easy to work with. If you have an average size small business then a PIX is perfect. The advantage of the PIX in comparison to Watchguards is that with PIX models like the 506 and 515 you do not have to mess with user license counts and VPN licenses. It is all built in. The PIX 506E runs about $1000, whereas the 515E Restricted model is about $2200. Also, take a look at the PIX 520 models. They have been retired but they are still very good devices. A PIX 520 should run about $1000 for an unrestricted model. The CPU is an Intel 350 MHz, and the device allows 6 interfaces.

I know a lot of people who have purchased devices such as the Watchguard SOHOs and such thinking they were saving a lot compared to other firewalls. In fact, as their requirements grew for more users and VPN they found that they ended up paying a lot more. I have one client that has now spent as much on his Watchguard SOHO as he could have spent on a PIX 515R, and would have had a much better device. Not to mention the fact that this SOHO requires proprietary software for the VPN.

Take that into consideration as well: each MFR may claim that 'their' software is much better than basic IPsec, PPTP, or L2TP. In fact I have found a lot of this software to be less than desirable. The most common problem is that it either does not install, crashes the system completely, or conflicts with other software.

One client tried out Securepoint's firewall solution only to find that when he installed the VPN client software on several laptops the systems crashed completely.
 
I disagree... The reason Cisco PIX is so simple to set up is because it isn't very secure at all.
I just had to rip out Cisco PIX and Cisco VPN concentrators from a subsidiary because of this problem. They had trojans on their machines connecting through VPN and out through the PIX.
Cisco has useless logging and everyone seems to set up VPN as an open tunnel; as well, the default for PIX is allow everything out, nothing in. Great for a home internet router, but this is supposed to be a real firewall (PIX is not).
It is better to learn than to pick the "simple" device.
VPN clients need firewalls..
VPN tunnels should only allow traffic you define.
Firewalls should do more than simple allow or deny.. find something that looks into what it allows.

Checkpoint comes to mind.

John

Also don't trust any device.. always use an IDS if you want to know what is happening. As a second layer at least.
 
It sounds like they did not configure the firewall properly. You can define traffic out of the firewall through the ACL. Trojans connecting through the VPN sounds to me as if they did not 'secure' the firewall at all. That should never happen to any firewall. As I said the PIX is simple to set up, but that does not mean you can 'skip' securing the firewall. What I meant was that a beginner can, using the PDM, get the firewall up and going easily without having to know how to 'program' through the CLI.

Also, I have found the PIX syslog server to be just as detailed as any other firewall solution. Instead what we use is AdventNet's Firewall Analyzer to give us a graphical display of the syslog.

Also, if everyone is configuring for an open tunnel, that is not the fault of the firewall, that is the fault of lazy admins configuration.

Another option is to look at Linux solutions. Take a look at IPCop or Endian. It has, as John suggests, an IDS, QoS/traffic shaping, IPsec VPN, and a host of other features. Plus, it is free. Just take an old PC, slap in 2 NIC cards and you are good to go.

We have several Endian and m0n0walls connecting to our office and have never had a problem. The plus side to the Endian is the web caching, which allowed us to throw out our old cache engines. I started using Endian at home and am very pleased; in fact it replaced a Cisco PIX.
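One way to apply what this reply describes (define outbound traffic through the ACL, restrict what crosses the tunnel, and feed the syslog to a collector), as an added illustration that is not from any post in the thread: a PIX 6.x-style configuration fragment. All hostnames and addresses are constructed, and the crypto map, ISAKMP policy and pre-shared key needed to actually bring the tunnel up are omitted so that only the traffic policy and logging are shown.

```text
! Added illustration, not from the thread. PIX 6.x-style syntax; addresses are
! constructed (RFC 5737 / RFC 1918). Crypto map, ISAKMP policy and pre-shared
! keys are omitted; this fragment shows only the traffic policy and logging.
hostname pix-branch
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.1.1.1 255.255.255.0

! Branch LAN <-> HQ LAN is the only traffic allowed into the site-to-site tunnel.
access-list vpn_to_hq permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
nat (inside) 0 access-list vpn_to_hq
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Outbound policy applied on the inside interface. Without an access-group here
! the PIX permits all outbound traffic, which is the "home router" default the
! thread complains about. Entries are matched top-down; the final deny logs.
access-list inside_out permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 80
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 any eq 443
access-list inside_out permit udp 10.1.1.0 255.255.255.0 host 10.2.2.53 eq 53
access-list inside_out deny ip any any log
access-group inside_out in interface inside

! Inbound policy on the outside interface: only the HQ LAN over the tunnel.
! Removing the sysopt exemption makes tunnel traffic subject to this ACL
! rather than trusted simply because it arrived over IPsec.
access-list outside_in permit ip 10.2.2.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list outside_in deny ip any any log
access-group outside_in in interface outside
no sysopt connection permit-ipsec

! Send every event at informational level or above to a syslog collector so
! the denies above (and VPN negotiations) are visible.
logging on
logging timestamp
logging trap informational
logging host inside 10.1.1.50
```

The logged denies from the two `deny ip any any log` entries are what a syslog viewer such as the one mentioned above would chart; a host repeatedly hitting the outbound deny is the kind of thing the earlier post's trojan scenario would have shown up as.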
 
Yes, but my point was that out of the box the Cisco is configured like a home firewall = all out allowed.. all in denied. That is just bad; they should configure all denied and at least force the person to know about allowing things specifically.

That PIX and VPN concentrator was configured by a supposedly good consulting firm.... and that network person (who hired them) doesn't work for that sub anymore.

Again... Cisco logging stinks... hence why you have to use another product to allow you to view it in a useful manner.

If you have never seen the Checkpoint side you should at least look.. very complete. Also, the higher end stuff is very pricey. You do get what you pay for. Syslog just doesn't compare.

Linux is a great tool... but learn how to do it right or you're just placing another box you will find someone has taken over, and you won't know it until too late.

Never place anything on each side of the firewall... (meaning the IDS.. use a separate one inside and outside). I have seen too many Linux boxes that are compromised.

 
You can also consider the Netscreen firewalls. They are very robust and have excellent debugging tools. VPNs are stable and they have good performance. The model depends on your budget and your networking needs. The Netscreen NS-5GT is a good choice for your branch offices. The NS-50 or NS-204 is good for your central office again depending on your needs and budget. If your budget allows you can even move up to the ISG series. They have excellent performance and are very scalable. Plus they will soon have IDP blades for built-in intrusion detection.

Just throwing other options on the table.
 