Small business firewall/VPN device [closed]
What's a good small business (<50 users at a location) firewall and VPN device? Wireless would be a nice addition, and I'm thinking of something in the $1,000 range. This would be for businesses with 0-2 IT employees. Quality support and the usability of the device count. SSL VPN would be nice, and if it's client-based, a VPN client that works on 64-bit Windows is important.
At work I recently installed a Cisco ASA 5505, in the role of small office firewall, site-to-site VPN endpoint and roadwarrior VPN endpoint. It is solid and dependable. Cisco's web GUI is limited; knowing your way around the Cisco command line is practically required.
Cisco is splitting up their VPN client software: the old IPsec-based client is slowly being faded out, and the new SSL-based one is gaining momentum. One example of this is that no 64-bit version is planned for the old IPsec client. Bad news for you: SSL is licensed separately, and is much more expensive.
Should I set up 'roadwarrior' VPN again, I would insist on Active Directory integration. Our users are constantly forgetting the VPN passwords, since it's separate from AD which they use daily in the office. Changing the passwords is not much of a hassle, but a good deal of productivity is lost. Our users often try their VPN from home the night before a deadline...
UPnP would be surprisingly nice. Many of our users make use of Skype or something else that needs traffic passed through the firewall to work optimally. Yes, there is a strong security argument to be made against UPnP; the choice is yours to make.
And last - statistics. The Cisco ASA has a good stats section, and it can actually help you troubleshoot certain types of network issues. I would not want a firewall (or much IT gear in general) that cannot provide me with a view into what's happening, for those rare days when there is an elusive problem on the network.
Kerio Winroute Firewall has AD integration, UPnP if you want it, and a very solid-looking statistics section. Kerio has a good track record in firewalls; their workstation firewall was a market leader for years until they sold it off. I have not worked with Kerio Winroute, but should I set up a small-biz firewall again, I would pick Kerio Winroute or Windows 2008 R2.
2008 R2 has a really solid-looking VPN implementation, and it seamlessly integrates with Windows 7. The very noticeable downside is that Windows 7 is required on the client PCs. We could accept this; I doubt many others can right now.
I know of pfSense and many other open-source firewall distros. They are very, very nice. For my small-office needs the additional performance of pfSense on PC-class hardware doesn't matter, since we are on a 10/10 Mbit line. And the price of a small ASA or Juniper SSG is not prohibitive. So pfSense ends up mostly competing against the ASA or Juniper SSG, and I just prefer the simplicity and short time to implementation of the ready-made version. But pfSense is very nice; for other needs it can be great.
So for me it would be either:
- A two-firewall "DMZ" config, with a fairly simple firewall appliance out front, and a PC based software firewall (Kerio, Windows 2008 R2) behind it for roadwarrior VPNs with AD integration.
- A one-firewall setup, with a PC based (Kerio, Win 2008 R2) firewall with 2 NICs (arguably slightly less secure, but I doubt it is much of a problem nowadays).
Right now, I would buy Kerio Winroute (again, only looking at their website, I have not personally worked with Kerio Winroute yet). A year from now I would go for Windows 2008 R2, if you're a Windows only shop.
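The answer above names two things it wants from a roadwarrior VPN on the ASA: IPsec client access and Active Directory integration so users do not carry a second password. The following ASA configuration fragment is an added example, not taken from the original post or from Cisco documentation; it binds a remote-access IPsec tunnel group to an LDAP server so that the domain controller, not the ASA's local database, authenticates VPN users. Every hostname, address, DN, pool and group name here is an assumed placeholder, and the syntax is that of the ASA 8.x command line the answer says you will need anyway.

```text
! --- Assumed AD domain controller reachable on the inside interface ---
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=local
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ! Dedicated, low-privilege bind account (assumed name); it only needs read access
 ldap-login-dn CN=svc-vpn,OU=Service Accounts,DC=example,DC=local
 ldap-login-password <bind-password>
 server-type microsoft
 ! Protect the bind credentials and user passwords in transit to the DC
 ldap-over-ssl enable
 server-port 636

! --- Address pool handed to remote clients (assumed range) ---
ip local pool VPN-POOL 10.0.99.10-10.0.99.100 mask 255.255.255.0

! --- Group policy: IPsec only, split tunnel disabled so all client traffic is inspected ---
group-policy ROADWARRIOR-GP internal
group-policy ROADWARRIOR-GP attributes
 vpn-tunnel-protocol ipsec
 split-tunnel-policy tunnelall
 dns-server value 10.0.0.10
 default-domain value example.local

! --- Remote-access tunnel group: authenticate against AD, fall back to nothing ---
tunnel-group ROADWARRIOR type remote-access
tunnel-group ROADWARRIOR general-attributes
 address-pool VPN-POOL
 authentication-server-group AD-LDAP
 default-group-policy ROADWARRIOR-GP
tunnel-group ROADWARRIOR ipsec-attributes
 pre-shared-key <group-pre-shared-key>
```

After writing this, `test aaa-server authentication AD-LDAP host 10.0.0.10 username <user> password <password>` from the ASA CLI checks the LDAP bind and user lookup before any client is involved; a failure there is an LDAP or firewall-path problem, not a VPN problem. The two lines worth keeping regardless of your exact setup are `ldap-over-ssl enable` (plain LDAP on port 389 sends the bind password and every user password in clear text across the LAN) and a separate service account for the bind, so that a compromised firewall config does not yield an administrator's credentials.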
May I recommend you take a look at pfSense? I find it to be capable on a 40-user network and easy to manage. The web interface makes management of OpenVPN an easy task.
You won't lose anything by trying it.
I've had nice luck with the Cisco ASA 5505. It's a bit pricey, but it's nice gear to configure and has been reliable. You can terminate a variety of VPN protocols on it, including PPTP, IPsec, and L2TP. There is SSL VPN functionality, but I believe it's licensed separately from the unit.
We've had great luck with the FortiGate appliances. For the money they have more features than the Cisco ASAs and are easier to configure.
For around $1,000 I would use a Draytek 2950 or 3300. Actually, both of these should give you plenty of change. I've used many of these routers and they're very good, easy to configure, and offer advanced features like load balancing. They both do LAN-to-LAN IPsec VPNs and they support PPTP dial-in VPNs for individual users. The PPTP dial-in uses the VPN support built into Windows and needs no extra software. In your place I would select the 2950, as the 3300 probably offers stuff you won't need (like load balancing over up to 4 WAN ports!).
The Draytek 2910 is a lot less than $1,000 but doesn't have the horsepower to support more than two or three simultaneous VPN sessions.
JR