VPN Choices

We are considering implementing VPN at my office. The network is a peer network behind a rather old Sonicwall, SOHO/10. At this point our Sonicwall license does not provide for VPN. As of yet, I have not figured out how much it will cost to add VPN to our license. (Not readily available on the SW website; I think I have to call.) I assume however it will cost at least $100 to $200.

For that kind of money, I could purchase a newer router / firewall with VPN such as the LinkSys RV042. I would have more user capacity. (Sonicwall is limited to 10; sounds like a lot for only five principals and staff, but with network printers, wireless devices and laptops accessing DHCP through that, we could get "full".) It also looks like the LinkSys VPN has a fairly simple to use client that goes with it.

Any thoughts about whether I should stick with the SonicWall or go to some other solution?

Reply to
John Hyde

Yeah, I have since found out that, not only do you have to pay for the VPN server software, you also have to pay for each license, apparently in groups of five for small units. Not cheap. It appears that the Linksys does not limit the number of connections, and the client software comes with. (This from the web, I wonder if that is correct?)

It sort of begs the question, if Sonicwall is so much more expensive, what have they got that LinkSys doesn't? Anyone with experience with these units have an idea?

Reply to
John Hyde

I could be wrong, but it sounds like you want to get out from under the sonicwall "thumb"... so to speak. If so, dump them and upgrade to the Linksys solution... that offers more bang for the buck anyways....

Reply to
Jerry McBride

Linksys boxes are improving but they're still toys compared to Sonicwalls or Fortigates. My ISP has tried again and again with all the Linksys and Dlink boxes to get one that would be consistently reliable as a vpn server and only just recently has blessed one model of LinkSys (I'll have to check with him which) that is stable all the time when doing vpn work. It's in the $300 range IIRC.

Those type of boxes are down on features, performance, and flexibility, but they are ok for small, limited scope deployments in many situations.

-Russ.

Reply to
Somebody.

Is that because the hardware is different? Or is it their OS? Or something else?

> My ISP has tried again and again with all the Linksys and Dlink

I'd be interested in knowing which one, thanks.

Reply to
John Hyde

something in that direction, yes. depends on the number of vpn-licenses you'd like to obtain.

maybe you'll give a try on the fortigate 50a (with dmz fortigate 60). no user limits at all, vpn included. you have to pay for content-filtering, and for the vpn-client. but with 20$ per license (20+ gets cheaper) forticlient is not too expensive. once you've configured one client you may export the policy and import it on every other installation.

sonicwall is rather intuitive, direct export of vpn-policies for the global vpn-client is a neat feature, but the licensing really sucks. so far we haven't had any problems with the fortinet-appliances.

regards

\\cd

Reply to
Draschl Clemens

I'll ask him -- drop me an email....

-Russ.

Reply to
Somebody.

He said it was the rv042.

They seem to be reasonably well featured from the few times I went in the interface.

-Russ.

Reply to
Somebody.

Ok, Great. Thanks a lot.

JH

Reply to
John Hyde

No problem, good luck with your implementation. Let me know what kind of street price you end up getting them for wherever you are. Drop me a line if you ever decide you need some Fortigates instead. :-)

-Russ.

Reply to
Somebody.

Actually, it is a firewall, it can be set to block incoming and /or outgoing ports / protocols in either direction.

-Russ.

Reply to
Somebody.

If using the RV042, it's just a NAT Router with SPI and QOS, it's not a firewall.

Reply to
Leythos

No, it's not a firewall, it can't tell the difference between HTTP and anything else on port 80, and there are many other things it's not capable of doing that every firewall appliance on the market can.

Don't get me wrong, I'm installing a RV042 in a sorority on Monday, but I would never confuse it with a firewall.

Reply to
Leythos

First, your definition of a Firewall is off a bit. Basic firewalls only look at IP address/port combinations. Content firewalls can also look at what is in the traffic, although sometimes they can't (port 443, which is HTTPS and is encrypted, so the content cannot be scanned; also SSH on port 22, etc.). So while it may not do content filtering, it IS a basic firewall.

Personally I use Cisco PIX, however that's a bit pricey for some. I believe routers and firewalls are someplace NOT to be cheap. How much money do you lose when someone hacks into your file servers? Even a few thousand dollars is cheap if it would prevent it. At HOME I have a T1 with a Cisco 4700-M router with the FW feature set doing basic filtering. Then I have a PIX 515-UR firewall and on the other side of that I have a Cisco 2621 doing VLANS to my Cisco 2924EN-XL switch. Here at work I run multiple PIX 520s with multiple router layers each running the FW feature set and even departments are isolated via ACLs. Our DMZ is probably more protected than most corporate internal networks. Network security is nothing to go short on. I have seen people say that they're only a small company and wouldn't be a target... until someone broke in and crashed their server with the accounting information on it. It cost them many thousands of dollars to get back where they were before the break in.

Just something to think about.

Dennis

Reply to
Dennis Willson

> at IP address/port combinations. Content firewalls can
> which is https and is encrypted, the content cannot be
> filtering, it IS a basic firewall.

Sure, and just like using a Usenet client that doesn't understand line wrapping at 72 characters is still considered a proper Usenet client.

Most of the cheap NAT/SOHO solutions are just that, cheap solutions, but, just because they have firewall "like" features does not mean they are all firewalls. Port forwarding does not make something a firewall.

A firewall should know the difference between HTTP on port 80 and SMTP on port 80 and not pass the SMTP.

> routers and firewalls are someplace NOT to be cheap. How
> thousand dollars is cheap if it would prevent it. At
> basic filtering. Then I have a PIX 515-UR firewall and on
> switch. Here at work I run multiple PIX 520s with
> are isolated via ACLs. Our DMZ is probably more
> crashed their server with the accounting information on
> the break in.

I think we're on the same page here, I always recommend a WatchGuard Firebox X series (700 or better) for anyone doing work that has private or business information that needs to be protected, and even internal firewalls to separate defined areas from the rest of the company (like a software development group, accounting, research, etc...).

Oh, I removed the RV042 about 2 hours after installing it - it was completely incapable of doing the job and requires a BS method to set it up as a NAT router with a single fixed IP device inside the LAN. I will be returning the unit.

Reply to
Leythos
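Dennis's and Leythos's posts above turn on the difference between a port-based packet filter and a content-aware firewall (HTTP vs. SMTP on port 80; TLS on 443 where only the handshake framing is visible). The following is an added illustration, not code from this thread or from any product named in it: a toy classifier that looks at the first bytes a client sends on a TCP stream, and a policy that passes traffic only when the application protocol matches the port it is on. The sample payloads and the port policy are constructed for the example.

```python
import re

# Constructed sample streams: (destination port, first bytes sent by the client).
SAMPLES = {
    "http_on_80": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "smtp_on_80": (80, b"EHLO relay.example\r\nMAIL FROM:<a@example>\r\n"),
    "http_on_25": (25, b"POST / HTTP/1.0\r\n\r\n"),
    # TLS record header (handshake, version 3.x); the payload itself is encrypted.
    "tls_on_443": (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
}

HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_CMD = re.compile(rb"^(HELO|EHLO|MAIL FROM:|RCPT TO:)", re.IGNORECASE)


def classify(payload: bytes) -> str:
    """Guess the application protocol from the opening bytes of a stream."""
    if HTTP_REQ.match(payload):
        return "http"
    if SMTP_CMD.match(payload):
        return "smtp"
    if payload[:2] == b"\x16\x03":
        return "tls"          # we can see it is TLS, but not what is inside
    return "unknown"


# Constructed policy: the application protocol each allowed port is meant to carry.
PORT_POLICY = {80: "http", 25: "smtp", 443: "tls"}


def port_filter(port: int, payload: bytes) -> bool:
    """Basic packet filter: decides on the port alone, never reads the payload."""
    return port in PORT_POLICY


def content_filter(port: int, payload: bytes) -> bool:
    """Content-aware filter: port must be allowed AND the stream must look like
    the protocol that port is supposed to carry."""
    return port in PORT_POLICY and classify(payload) == PORT_POLICY[port]


def compare(samples=SAMPLES):
    """Return {name: (port_filter verdict, content_filter verdict)} for each sample."""
    return {name: (port_filter(p, d), content_filter(p, d))
            for name, (p, d) in samples.items()}
```

Running compare() shows the port filter passing all four streams while the content filter rejects SMTP on 80 and HTTP on 25; for 443 it can only confirm the stream is TLS, which is the limit Dennis describes.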

May I jump in here? I am a home user who is investigating firewalls, having become deathly afraid of identity theft (a little paranoia is a good thing, I hope). Presently I have just a router (Netgear RT314) with ZoneAlarm Pro on each of 4 machines. My IT chief at work suggested a Cisco Pix 501. I have no problem with the cost, but I am concerned about having to learn how to install and maintain it, as I get lost reading a lot of the threads just on this newsgroup!

My goals would be: 1, excellent protection of my LAN, and 2, reliable VPN access to my information as I will soon begin a job that may require me to be away from home for long periods of time.

Is there other equipment to consider? One person thinks that the Pix would be like driving a Porsche to work. If there is something reliable and easier to setup and maintain, that would be fine. If a Pix is the way to go, I could conceivably purchase one on eBay; if so, are there "extras" that must be purchased, like a license, software, anything else?

Thanks Ken K

Reply to
Ken

CISCO makes some really nice hardware, but a lot of their products are not easily configured for home/non-technical users, heck, even some non-CISCO people that are very technical have issues with the CISCO hardware.

I personally don't spec PIX unless the customer requests it.

On any SOHO unit, the protection of the lan is more than just a good firewall, it's about how you use the lan and how you interact with the Internet.

A SOHO firewall will not FILTER attachments out of email, so you've got that threat still. Some SOHO firewalls will permit a Web Blocker service (some based on a subscription service) where you can restrict access to websites based on content rules...

I like the WatchGuard line of firewalls, I'm quite biased towards them as I've been using them for more than 6 years, only had one fail in all that time, find them easy to setup and work well with every firewall on the market, and I can explain enough to the end-users that they can at least think they understand it :)

You might want to take a look at the WatchGuard Firebox X5 unit (they have a X5w for wireless needs).

With this type of unit, you would install a VPN Client software application on your laptop and then connect to the Firewall from your remote location - this means you would not have to expose the computer inside your network at home to the Internet in order to VPN into it.

Reply to
Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.