Geekzone: technology news, blogs, forums


lchiu7
#110881 17-Oct-2012 21:26

Somebody asked me this and I didn't really know how to respond so I thought I would ask the forum.

They are looking to secure an Internet connection to their organisation that will support about 60 users. The connection is to be used for e-mail and Internet. It's a dedicated circuit offering fixed national traffic speed of about 20Mbs and international up to 2Mbs but burstable up to 5Mbs.

A vendor who would also provide some services was recommending a Fortigate solution that would provide firewall and IDS. They said a Fortigate 100D would be their recommended model (at about $5K) to provide the resiliency and speed required. The connection would also have to support up to say 10 VPN connections (IPSEC).

That seemed pretty expensive so I just did a quick look at the Fortigate web site and noticed their 40C model is rated up to 200Mbs and seemed like it would do the job.

Just wondering what forum members think of this and perhaps have any personal recommendations.

Thanks

1080p
#702711 17-Oct-2012 23:00

Wow, $5k...

I would build a small pfSense solution for a couple of hundred or less and use that. At 25Mbit/s and sixty users you will not come close to stressing this equipment and it has built in options for VPN solutions and even a captive portal if you'd like to provide Wi-Fi for customers or business guests.

http://www.pfsense.org/
1080p
#702712 17-Oct-2012 23:01

Additionally, commercial support options are available from the pfSense guys in case that is a business requirement.

Zeon
#702722 17-Oct-2012 23:21

Using pfSense here for 200+ users and up to 150mbps of IPSEC traffic at any time (which is a LOT of encryption). The major advantage of pfSense is that it's only limited by the speed of your hardware, and running on standard x86/x64 you can get pretty damn fast at pretty cheap prices.

Their commercial support is also pretty good. Used about 3 hours over the last few years, and more to do with network issues than pfSense issues.

I've tested it up to around 750mbps of actual internet throughput on a 1gbps connection. Only problem is that its IPv6 support is very slow in development :(

No need for all that expensive hardware TBH unless you want the "amazing" feature set.
Chippo
#702724 17-Oct-2012 23:33

The 100D is a fairly standard box for an office of this size - RRP is about $4,440 with first year of support. If budget and overall goal weren't really specified then they've probably assumed usual medium business LAN layout (WAN, LAN, Wireless, DMZ and Guest network - with gigabit firewall between them) and also been quoted the standard UTM bundle, which gives you a whole bunch of added features like Web Caching, Web Content Filtering, Application Control, Traffic Shaping, AntiVirus and options for managed wireless and reporting.

If cost is a primary concern and you really don't see any benefit in those added features, they should relay this back to their service provider. They've got plenty of options to quote smaller units (for 60 staff without any UTM I might look at an 80C, although you lose the gigabit ports). Just be wary that the smaller you get, the less functionality and resource is available. Web Caching, as an example, is only really useful from the 100D up.

Alternatively something like a Juniper SRX210 would be lower cost and can quite happily be licensed for this many "Pulse" IPSec VPN users. It's a little tougher to manage day to day and you lose a bit of the fancy per-user firewall and SSLVPN type of functionality of the FortiGate, but it'd be less expensive than the FortiGate and far less power-hungry than an old beige-box pfSense appliance.

BarTender
#702729 18-Oct-2012 00:24

+1 IMHO to pfSense. If you're running VMware ESXi you can just run your pfSense as a VM and, with proper routing, keep it isolated from your core network.
Then use the Shrew Soft VPN Client on your workstations, and you would be away.

Jeeves
#702796 18-Oct-2012 10:26

100D seems way overrated for you. I'd go with the 80C or even as low as the 60C if you don't want all the bells and whistles.

BTR
#702805 18-Oct-2012 10:42

A Sonicwall TZ series box might do the trick. They are the entry level box but do both SPI and DPI, as well as supporting site-to-site and site-to-client VPN. TZ215 is less than 2K.

Ragnor
#702879 18-Oct-2012 12:38

Sonicwall or Fortigate are the standard go-to options for this sort of thing.

pfSense is a great option though, since you can install it as a VM on commodity hardware. It has most of the features of commercial options but not all, e.g. gateway anti-virus and anti-spam etc.

lchiu7
#702965 18-Oct-2012 14:20

Thanks for all the replies. I fed them back and received the following clarification.

They want IDS and some basic AV protection. All the servers would have AV as well as the Windows clients.

They also want a VPN solution that has Windows, iOS and Android clients.

They don't need traffic shaping (not a lot of P2P going on and the only non-browser traffic is some Skype).

There will be an ISA server behind the firewall supporting OWA and ActiveSync for phones and tablets.

They would prefer a dedicated box versus a computer type solution (like PFSense) and possibly have two boxes with one in a cold standby mode. If the primary box dies, then they can just swap out the box until a repair or replacement comes along.

I still think for that the 100D is overkill and the 60C would do. In fact they could purchase two 60C's.

They also need some assistance with setting up the firewalls (rules etc.) and on demand consulting for regular updates or problems.

BTR
#702983 18-Oct-2012 14:37

I know with Sonicwall they do a high availability unit (second unit at reduced price) which takes over if the primary unit fails for whatever reason: hardware, link or cable. With the entry level units this does require an additional license, but with the bigger units it comes built in, I'm pretty sure.

Sonicwall also does gateway Antivirus and Client AV enforcement, but once again requires a license. I would recommend that your friend talk to their supplier, as most firewall companies will offer very competitive pricing.

lchiu7
#703062 18-Oct-2012 16:42

Who are the NZ agents for Sonicwall? Thanks

rhysb
#703079 18-Oct-2012 16:47

The Fortigates also do HA.

myopinion
#703087 18-Oct-2012 16:56

We use these guys' firewall solution, which is a plug and play box. If it breaks they send you a new one and away you go: http://www.makonetworks.com

BarTender
#703088 18-Oct-2012 16:59

Still think pfSense is the best option, especially if you have a virtualised environment with spare capacity. Just dedicate a network card to routing out to the internet, and since it sits on your ESX server / SAN, if that blows up you're dead in the water anyway. So no need to purchase new hardware.

Come on Laurence... Pull out the geek card and make it happen :)

BTR
#703258 18-Oct-2012 22:36

lchiu7: Who are the NZ agents for Sonicwall? Thanks

Connector Systems are the distributor; they should be able to pass on details of a reseller in your area.
