Geekzone: technology news, blogs, forums
Topic # 110881 17-Oct-2012 21:26

Somebody asked me this and I didn't really know how to respond so I thought I would ask the forum.

They are looking to secure an Internet connection to their organisation that will support about 60 users. The connection is to be used for e-mail and Internet. It's a dedicated circuit offering a fixed national traffic speed of about 20Mbps and international up to 2Mbps but burstable up to 5Mbps.

A vendor who would also provide some services was recommending a Fortigate solution that would provide firewall and IDS. They said a Fortigate 100D would be their recommended model (at about $5K) to provide the resiliency and speed required. The connection would also have to support up to say 10 VPN connections (IPsec).

That seemed pretty expensive so I just did a quick look at the Fortigate web site and noticed their 40C model is rated up to 200Mbps and seemed like it would do the job.

Just wondering what forum members think of this and perhaps have any personal recommendations.

Thanks




System One: Popcorn Hour A200,  PS3 (US 60G) dead and now replaced with a PS3 SuperSlim, NPVR running on Sempron 3000 (XP), Sony BDP-S390 BD player, Logitech Revue, Pioneer AVR, JVC 56" D-ILA 720P RP TV

System Two: Popcorn Hour A110 ,  Oppo BDP-80 BluRay Player with hardware mode to be region free, Vivitek HD1080P 1080P DLP projector with 100" screen. Harman Kardon HK AVR 254 7.1 receiver, Toshiba HD-A2 HD-DVD player, Roku XS media player

Check out my blog at lchiu.blogspot.com

Reply # 702711 17-Oct-2012 23:00

Wow, $5k...

I would build a small pfSense solution for a couple of hundred or less and use that. At 25Mbit/s and sixty users you will not come close to stressing this equipment and it has built in options for VPN solutions and even a captive portal if you'd like to provide Wi-Fi for customers or business guests.

http://www.pfsense.org/




Workstation: Intel DH67CL ~ i5-2500 ~ 4GB Corsair RAM (x2) ~ Intel X25-M 80GB SSD

Laptop: Dell Inspiron 1564 ~ i5-520M ~ 4.00GB RAM ~ 500GB SATA HDD ~ Win7 Home Premium x64

Common misconceptions.

Reply # 702712 17-Oct-2012 23:01

Additionally, commercial support options are available from the pfSense guys in case that is a business requirement.





Reply # 702722 17-Oct-2012 23:21

Using pfSense here for 200+ users and up to 150Mbps of IPsec traffic at any time (which is a LOT of encryption). The major advantage of pfSense is that it's only limited by the speed of your hardware, and running on standard x86/x64 you can get pretty damn fast at pretty cheap prices.

Their commercial support is also pretty good. Used about 3 hours over the last few years, and more to do with network issues than pfSense issues.

I've tested it up to around 750Mbps of actual internet throughput on a 1Gbps connection. Only problem is that its IPv6 version is very slow in development :(

No need for all that expensive hardware TBH unless you want the "amazing" feature set.





Reply # 702724 17-Oct-2012 23:33

The 100D is a fairly standard box for an office of this size - RRP is about $4,440 with first year of support. If budget and overall goal weren't really specified then they've probably assumed usual medium business LAN layout (WAN, LAN, Wireless, DMZ and Guest network - with gigabit firewall between them) and also been quoted the standard UTM bundle, which gives you a whole bunch of added features like Web Caching, Web Content Filtering, Application Control, Traffic Shaping, AntiVirus and options for managed wireless and reporting.

If cost is a primary concern and you really don't see any benefit in those added features, they should relay this back to their service provider. They've got plenty of options to quote smaller units (for 60 staff without any UTM I might look at an 80C, although you lose the gigabit ports). Just be wary that the smaller you get, the less functionality and resource is available. Web Caching as an example is only really useful from the 100D up.

Alternatively something like a Juniper SRX210 would be lower cost and can quite happily be licensed for this many "Pulse" IPsec VPN users. It's a little tougher to manage day to day and you lose a bit of the fancy per-user firewall and SSL VPN type of functionality of the FortiGate, but it'd be less expensive than the FortiGate and far less power-hungry than an old beige-box pfSense appliance.




I work for a Hosting Provider - But my opinions are my own.

Reply # 702729 18-Oct-2012 00:24

+1 IMHO to pfSense. If you're running VMware ESXi you can just run your pfSense as a VM and, with proper routing, keep it isolated from your core network.
Then use the Shrew Soft VPN Client on your workstations, and you would be away.




Check out my Mobile Cell Site Google Maps KML Files in my blog.
Now using Google Fusion Tables or Address Lookup or GPS using Smartphone
I update it on a monthly basis automatically from RSM.

Reply # 702796 18-Oct-2012 10:26

100D seems way over-rated for you. I'd go with the 80C or even as low as the 60C if you don't want all the bells and whistles.

BTR

Reply # 702805 18-Oct-2012 10:42

A Sonicwall TZ series box might do the trick. They are the entry level box but do both SPI and DPI as well as support site-to-site and site-to-client VPN. The TZ215 is less than 2K.

Reply # 702879 18-Oct-2012 12:38

Sonicwall or Fortigate are the standard go to options for this sort of thing.

pfSense is a great option though, since you can install it as a VM on commodity hardware; it has most of the features of commercial options but not all, e.g. gateway anti-virus and anti-spam etc.



Reply # 702965 18-Oct-2012 14:20

Thanks for all the replies. I fed them back and received the following clarification.

They want IDS and some basic AV protection. All the servers would have AV as well as the Windows clients.

They also want a VPN solution that has Windows, iOS and Android clients.

They don't need traffic shaping (not a lot of P2P going on and the only non-browser traffic is some Skype).

There will be an ISA server at the back end of the firewall supporting OWA and ActiveSync for phones and tablets.

They would prefer a dedicated box versus a computer type solution (like pfSense) and possibly have two boxes with one in a cold standby mode. If the primary box dies, then they can just swap out the box until a repair or replacement comes along.

I still think that for that the 100D is overkill and the 60C would do. In fact they could purchase two 60Cs.

They also need some assistance with setting up the firewalls (rules etc.) and on demand consulting for regular updates or problems.





BTR

Reply # 702983 18-Oct-2012 14:37

I know with Sonicwall they do a high availability unit (second unit at reduced price) which takes over if the primary unit fails for whatever reason: hardware, link or cable. With the entry level units this does require an additional license, but with the bigger units it comes built in, I'm pretty sure.


Sonicwall also does gateway Antivirus and Client AV enforcement but once again requires a license. I would recommend that your friend talk to their supplier as most firewall companies will offer very competitive pricing.



Reply # 703062 18-Oct-2012 16:42

Who are the NZ agents for Sonicwall?  Thanks




Reply # 703079 18-Oct-2012 16:47

The Fortigates also do HA.






Reply # 703087 18-Oct-2012 16:56

We use these guys' firewall solution, which is a plug and play box. If it breaks they send you a new one and away you go: http://www.makonetworks.com

Reply # 703088 18-Oct-2012 16:59

Still think pfSense is the best option, especially if you have a virtualised environment with spare capacity. Just dedicate a network card to routing out to the internet, and since it sits on your ESX server / SAN, if that blows up you're dead in the water anyway. So no need to purchase new hardware.

Come on Laurence... Pull out the geek card and make it happen :)




BTR

Reply # 703258 18-Oct-2012 22:36

lchiu7: Who are the NZ agents for Sonicwall?  Thanks




Connector systems are the distributor, they should be able to pass on details of a reseller in your area.
