Router/Firewall/VPN Appliance vs. Router and firewall appliances

My company is getting ready to move to a new office where they will have a dedicated T1 for internet access. The company has 20 employees at the moment and might grow larger within the next 2 years. They will need the ability to have site-to-site and mobile VPN access. My question is in regard to the router and firewall hardware. Should we have an all-in-one appliance to serve as the router/firewall/VPN, or should we have them separated? For example, a router to handle the T1 connection and a firewall/VPN appliance. What would be best for performance and security?

Any suggestions, pros & cons, and specific brands/models would be appreciated.

Thanks in advance,

Elguapaul


Doesn't matter. Just buy whatever offers the features you require. There is no inherent better or worse for modular versus combined devices. Just depends on the feature set.

-Frank


I agree and would add that a T1 line isn't very much bandwidth so the throughput of the various devices isn't an issue.

- Rod Engelsman

Thanks all for the input.

Our company is looking to get a Watchguard x700 (because it will be used for the site-to-site VPN). Any recommendations on a router that will connect the T1? I guess what I am saying is that I have seen all kinds of routers that offer connections plus a bunch of other things like voice/VPN/firewall, and so on. Any suggestions on a simple T1-capable router?

Thanks again!!

-= Elguapaul


You should ask your T1 provider about this. You'll need a CSU/DSU unit to interface the T1 signal with your router. Sometimes CSU/DSU devices are separate (depending on your existing network infrastructure). Sometimes a CSU/DSU is an optional module for a router. Sometimes the provider will supply you with a T1-capable router (CSU/DSU built-in) as part of the T1 package. You need to ask your provider.

-Frank


In article , Frankster top-posted [now corrected]:

I would have to disagree and say that there are meaningful differences, at least for some vendors. In particular, with respect to the Cisco product lines:

- The lowest-end model that Cisco still sells with T1 capability and Fast Ethernet is the 1721, which sells for ~US$830, to which you would have to add a firewall and the T1 card. The next range up with T1 capability is the faster 1841, which sells for ~US$965, to which you would have to add the {same} T1 card, but which includes firewall features. Thus combining the two might be less expensive in capital outlay (and a lower number of devices to manage and a lower number of configurations to learn).

- However, if you want the firewall to do more than low-bandwidth LAN/DMZ filtering, you will find that you have to go to at least the upper end of the 3600 series or 3800 series in order to just get the firewall performance of the slowest Cisco PIX firewall sold, the 501 [but with 20 users, you'd be better going with a 506E]. Thus for intranet performance, you would want separate units. {Until, that is, you get into the multi-gigabit-per-second range, in which case you need to jump into the Cisco 6500/7200 with some very expensive cards.}

- The Cisco routers are designed to route -- that is, to get packets from one place to another, changing media and packet formats if need be. Packets get headers rewritten [if need be] and the packets get sent on their way. The Cisco PIX firewalls are designed to secure: packets are received, analyzed, and if they meet the policies then -new- packets are constructed and sent onwards. One must thus decide whether one prefers to "fail open" (like emergency fire doors) or "fail closed" (like railroad lights turning red unless they are positively told there is no incoming traffic on the line.)

- In the security community, one mantra is to leave the routing to the routers, and the security to the firewalls (and to use different passwords on the two!) That way, bugs or misconfigurations of one function do not affect the other.

- Another mantra of the security community is "security in depth" -- use multiple levels with different -kinds- of security wherever practical.

- Walter Roberson
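The fail-open / fail-closed contrast and the "security in depth" point in Walter's post, as an added toy model that is not part of the original thread or any vendor's code. It assumes a Cisco-style first-match access list that ends in an implicit deny, models the router as forwarding whenever no defined ACL is bound to the interface (IOS documents that an interface bound to an undefined access-list name permits all traffic), and models the firewall as dropping anything without an explicit permit. Addresses, rule tables and the misspelt interface binding are constructed for the example.

```python
"""Toy packet-filter model: a router that fails open, a firewall that fails
closed, and the two chained for defence in depth. Constructed example; the
rule tables and addresses are illustrative, not a real configuration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str = "any"    # "any" matches every protocol
    dport: Optional[int] = None   # None matches every port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


def first_match(rules: List[Rule], p: Packet) -> Optional[str]:
    """Cisco-style evaluation: the first matching entry decides; no match
    means the implicit deny at the end of the list applies."""
    for r in rules:
        if r.matches(p):
            return r.action
    return None


def router_decision(acls: Dict[str, List[Rule]], bound_acl: Optional[str],
                    p: Packet) -> str:
    """Router model (fail open). Forwarding is the device's job: with no
    access-group on the interface, or a bound name that was never defined
    (a typo in the binding), every packet is forwarded. Only a defined,
    applied ACL filters, and it ends in an implicit deny."""
    if bound_acl is None or bound_acl not in acls:
        return "forward"
    return "forward" if first_match(acls[bound_acl], p) == "permit" else "drop"


def firewall_decision(policy: Optional[List[Rule]], p: Packet) -> str:
    """Firewall model (fail closed). Nothing passes without an explicit
    permit; a missing policy drops everything."""
    if policy is None:
        return "drop"
    return "forward" if first_match(policy, p) == "permit" else "drop"


def chained_decision(acls: Dict[str, List[Rule]], bound_acl: Optional[str],
                     policy: Optional[List[Rule]], p: Packet) -> str:
    """Security in depth: the packet must clear the router and then the
    firewall, so a misconfiguration on one is caught by the other."""
    if router_decision(acls, bound_acl, p) == "drop":
        return "drop"
    return firewall_decision(policy, p)


# Constructed sample policies: the LAN may reach the DMZ web server on
# port 80 and nothing else (192.0.2.0/24 is a documentation range).
ACLS = {
    "lan-to-dmz": [
        Rule("permit", "192.168.10.0/24", "192.0.2.10/32", "tcp", 80),
    ],
}
FW_POLICY = [
    Rule("permit", "192.168.10.0/24", "192.0.2.10/32", "tcp", 80),
]

WEB = Packet("192.168.10.5", "192.0.2.10", "tcp", 80)
SSH = Packet("192.168.10.5", "192.0.2.10", "tcp", 22)

if __name__ == "__main__":
    # Correct configuration: both devices drop the SSH probe.
    print("router:", router_decision(ACLS, "lan-to-dmz", SSH),
          "firewall:", firewall_decision(FW_POLICY, SSH))
    # Typo in the interface binding: the router now forwards the probe
    # (fail open); the firewall behind it still drops it (fail closed).
    print("router with typo:", router_decision(ACLS, "lan-to-dmz-typo", SSH),
          "chained:", chained_decision(ACLS, "lan-to-dmz-typo", FW_POLICY, SSH))
```

The interesting case is the misspelt binding: the router alone silently forwards everything, which is exactly the "fail open" behaviour the post warns about, while the default-deny firewall downstream turns that mistake into a dropped packet rather than an exposed host.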

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.