|
|
Question : Problem: Security Appliance (Firewall/VPN) Recommendations for a SMB
|
|
Hi All -
I run the IT shop (of one) for a small company - 40 employees. Currently, I have two (2) SonicWall TZ170's deployed. One at my corporate office in Southern CA and the other at a regional office in Norther CA. First, I'm not that pleased with their performance; second I'm deploying share point services to host a collaboration suite and I don't think the TZ170's will be able to handle the increased traffic. So far I've started to evaluate NetScreen products from Juniper Networks and SonicWall's Pro line. My problem has been finding a comprehensive product comparison across vendors. I'm looking for recommendations on alternate devices and hopefully a comparison that has been done by and independent party (vendor comparisons tend to favor their products :-)).
Thanks in advance for your input! Glen
Evaluation Criteria (not in any order): * Hardware Platform (Dedicated crypto processor, memory, etc.) * Firewall and VPN performance. Mbps and how it is measured * Configurability - Object and policy based configuration. FQDN and IP address rules. I won't rule out something that has a less intuitive UI if it has more functionality. * Functionality - What's included standard vs. add-on and what are the performance hits * Cost - Purchase and annual maintenance * Support for non-proprietary VPN client or a thin web VPN client
I Would Like: - Better performance on the Site-to-Site VPN. Currently, I have lousy performance with AD & FRS replication between the sites. Not to mention the users complaints on slow retrieval of data from Exchange. - Better performance for VPN Client connections. Right now, I have a back door into the network for remote admin tasks because using a VPN connection is painfully slow.
Here are some details about my network/systems configuration and connectivity.
Corporate Office: - Windows Server 2003 Standard (4) - These servers run: - MS Exchange 2003 Enterprise with OWA and OMA - MS SQL Server 2000 - MBS Solomon 5.5 - AD (Single domain forest), DC, DHCP, DNS, WINS, DFS, FRS, and File and Print Services - CA e-Trust Enterprise AV - CA ArcServe Backup - WSUS - IIS 6 and SharePoint Services - Windows XP SP2 Clients - 30 - T-1 @ 1.5 Mbps
Regional Office: - Windows Server 2003 Standard (1) - This server runs: - AD (Single domain forest), DC, DHCP, DNS, WINS, DFS, FRS, and File and Print Services - WSUS - Files are replicated to corporate using FRS and backed up from there - Windows XP SP2 Clients - 10 - Business Class Cable Broadband (3.5 Mbps down & 756 Kbps up - I'm trying to put a T-1 in)
VPN Connectivity: - Site-to-Site VPN Tunnel between the two offices, standard encryption scenario using PKI - 25 VPN Client Licenses using SonicWall's Global VPN Client
|
Answer : Problem: Security Appliance (Firewall/VPN) Recommendations for a SMB
|
|
I would highly suggest that you take a look at Cisco's brand new ASA5500. It is the next generation PIX FW + Enhanced VPN support +Intrusion Detection. For your remote office, depending on the size of the office, a PIX 506e or 515e would make an ideal VPN companion, with most of the same functionality.
ASA5500: http://www.cisco.com/en/US/products/ps6120/index.html List pricing: ASA5510-SEC-BUN-K9 ASA 5510 Sec Plus Appl w/ SW, 150 VPN Peers, 5 FE, 3DES/AES B USD 4,495.00
Alternative - PIX 515e + Annual basic smartnet maintenance.. http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html PIX515E-DMZ-CSA-K9 Cisco Security Starter Bundle PIX 515E-R-DMZ, CSA, VMS Basic C USD 5,495.00 CON-SNT-PIX515E 8x5xNBD Svc, PIX 515E Chassis only N/A USD 630.00
PIX506e for remote site PIX-506E-BUN-K9 PIX 506E 3DES/AES Bundle (Chassis, SW, 2 FE Ports, 3DES/AES) C USD 1,395.00 CON-SNT-PIX506E 8x5xNBD Svc, PIX 506E (Chassis, software, two 10BaseT N/A USD 112.00
Your requirements: * Hardware Platform (Dedicated crypto processor, memory, etc.) The Cisco PIX is a dedicated hardware appliance with PIX OS. The "e" in the name represents Enhanced VPN support and includes a VPN accelerator daughter card inside.
* Firewall and VPN performance. Mbps and how it is measured Depends on the models, but Cisco products go through extensive testing. Some product vendors like to compare their own analysis with their own analyis of competing products and post up a chart of feature/performance comparisons, but Cisco does not. It's the best out there and no sense comparing it to anyone.
* Configurability - Object and policy based configuration. FQDN and IP address rules. I won't rule out something that has a less intuitive UI if it has more functionality. Does not do FQDN, but does IP address/subnet. The ASDM GUI is quite nice. Not 100% intuitive, but the old command line is still there anytime you need it.
* Functionality - What's included standard vs. add-on and what are the performance hits No add-ons. Everything you need is included. 3DES feature used to be additional, but not any more. VPN Client is free.
* Cost - Purchase and annual maintenance Provided above - List pricing only, but you should be able to find street prices ~25-30% less
* Support for non-proprietary VPN client or a thin web VPN client Supports MS PPTP VPN, Cisco VPN client, or any other standards-based VPN client. I have a site-site vpn between a PIX506e and a LinksysWRV54G and the performance is outstanding, and the availability is rock solid.
|
|
|
|