The Netscreen 5GT-ADSL can do this.
-alan
An even cheaper solution and better then crappy symantec is sonicwall
One of the cheaper solutions would be a Symantec Gateway Security 320 box. It's $475 from Symantec including a Symantec Antivirus 5-pack (which costs $213 alone), but you can find it a lot cheaper without the AV pack by shopping around. It's basically the old Nexland ISB Pro 400 box with a faster CPU and more RAM, intrusion detection and better VPN capabilities.
Regards,
You may wish to investigate the Cisco Product Advisor.
Brad Reese BradReese.Com Cisco Repair Worldwide United Kingdom: 44-20-70784294 U.S. Toll Free: 877-549-2680 International: 828-277-7272 Fax: 775-254-3558 Website:
Can you please make a hardware recommendation. I'm going to upgrade a network at a small office. The LAN is in place with DSL access.
Current LAN includes the following:
12 desktops and one server. 1 DSL bridge 1 consumer type Linksys router. 16 port 10Mbps hubThe following is the desired LAN:
-Upgrade the LAN from 10 Mbps Ethernet to 100Mpbs Ethernet.
-Provide VPN access. In other words, allow someone from home to connect to this LAN.
-Replace their consumer type Linksys router with a router with VPN included.
-New router to include intrusion detection
Your suggestion will be most appreciated. Thanks, George
While Symantec do have some crappy products, on what, exactly, do you base this statement when talking about the SGS series? Just because the devices got painted yellow when Symantec bought Nexland doesn't instantly make them bad -- especially not since what Symantec has done since then is beefing the boxes up with better CPU's, more RAM, better VPN facilities and IDS.
[chop]A hell of a lot less money? I find the SGS 320 for $304, or $15 more than what you paid for your device.
As for features, it goes both ways. Nexland patented a system for unlimited IPsec pass-through, which you can't find on other devices than Nexland/Symantec. Then there's a backup line that connects automatically over modem or ISDN if your ISP's line goes down. Quite useful. Or the ability to plug in a PC card and get instant secure wireless. Or the ability to enforce VPN on a port by port basis. Most if not all of the other features listed are also provided by the SGS device. I'm sure there's things the Sonicwall does better -- URL filtering, for example, is very rudimentary on the SGS. Other things, I'm sure it doesn't do better.
No, it's far from perfect, but for the money, I'd go with a SGS320 (or better yet, an SGS360, and get load balancing/failover between two WAN lines).
The D-Link DI804HV unit can act as a PPTP endpoint, but you might want to consider using the SERVER as the PPTP End-Point and just passing the PPTP/GRE through to it. If you use the server as the RAS device then your Linksys unit will still work, but it's not a firewall.
The rest is all generic.
Thanks for your feedback. We are currently using our Windows 2000 Server as the PPTP endpoint. Consequently, I opened the port on our existing router to make that possible. But, I believe that making the router the PPTP endpoint is a more secure way of implementing VPN.
What do you think?
I would rather see you get a Firewall as the end-point, then create users for the firewall (PPTP accounts) and then set rules based on the PPTP users that you create groups for in the firewall.
If you are going to allow PPTP to the router, you need to make sure that it permits as many end-point sessions as you think you'll have at any one time. I'm not sure if there is a limit on them on the cheap routers or not.
If you PPTP into the router with a user name and password that doesn't match a user name and password in the domain, then you've got two layers for them to get through, but you have to have users willing to do both.
CISCO 501 Series will provide VPN connectivity as well as firewall protection. Do NOT use PDM to configure... Command line only to truly understand it and config it properly. Sonicwall and others easier to config, but once the Cisco is up and running it is tight.
Are you sure that the 501 is not going to do routing? I think it does.
I've read a lot of GREAT things about the Cisco501. I assume that the 501 is strictly a firewall and VPN appliance and is not a router. Therefore, I would need to install the 501 between my router that is connected to the Internet and the LAN. Is this correct?
I only wish that I was fluent in the command line system of the 501. But I am not and I'm leaning towards a device like the Symantec 300 series appliance. The Symantec appplicance has a GUI interface for administration and it includes an integrated router.
George
My understanding is that the 501 also routes. I just purchased a 501 so I will find out for sure. :)
Umm well unlimited IPSEC passthru is pretty common, as is ISP failover, port VPN enforcement, they're all boring firewall features. IDS? Betcha its some crap DoS stuff - not real IDP.
PC-Card bit is nice.
No, actually, it's not. IPsec is kind of difficult for a NAT router to handle, as it won't know which internal client to send the traffic to. Try connecting two clients on the inside to a single remote VPN server, and most devices can't handle it.
Actually, that's the feature I find the most wasted. In true corporate fashion, Symantec hasn't documented the exact specs for which cards you can use, and insist on selling you their rebranded cards at four times the street price...
Regards,
If you said IDS cus I said it it is IPS. The first time I read or ever heard of intrusion protection service it was named online, IDS. Intrusion Detection service, it was misnamed probably or at least whoever wrote the thing called it that for some reason. But yeah it's IPS and is awesome i think. If you were not talking about anything I said then cool.
For the Symantec devices, they label it IDS/IPS, where pure IDS is protection against attacks like Bonk, Ping of Death, Syndrop and Winnuke (there's a long list), while IPS is IDS plus IP spoof protection and TCP flag validation.
It's actually pretty decent, and allows you to block on both the WAN and WLAN/LAN side if you desire. The only two things I don't like are:
- For the IDS trojan port detection (like Back Orifice and SubSeven) it doesn't tell you the port numbers it blocks -- you have to look that up through other means.
- There's no way to turn off logging of port probes -- they get logged as "Port Scan Attack". This makes the facility to send an email when a detected attack occurs rather pointless, as a typical dual broadband connection would get hundreds of these every day.
But yeah, it's quite nice. Disregarding the thousands of "Port Scan Attacks", here's a few examples of typical logging:
Feb 10 04:30:40 gateway Packet dropped because TCP flag combination 0x21 is invalid Feb 10 08:41:21 gateway Packet dropped because TCP flag combination 0x0 is invalid Feb 10 21:32:59 gateway Client 10.12.14.27 does not comply to antivirus policy Feb 10 22:54:31 gateway AV - Client 10.12.14.27 down: Warn/Deny traffic Feb 12 23:52:51 gateway Blocked - *SubSeven Attack - src_ip=220.75.23.115:2332 - dst_ip=65.75.16.254:27374 - TCP Feb 13 16:44:15 gateway Blocked - Winnuke Attack - src_ip=198.104.144.243:3194 - dst_ip=65.75.16.254:139 - TCP Feb 13 17:56:35 gateway ICMP redirect from 83.35.173.239 to 65.75.16.254 discarded
Regards,
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.