I need help choosing a firewall/vpn solution.
on 06.01.2007 04:17:17 by MichaelB
I need help choosing a firewall/vpn solution. I would MOST appreciate
anyone's help in making this choice. I have been reading these
newsgroups, speaking with sales engineers and trying to make the most
intelligent decision on my own. I have to admit the more I learn the
more I can define what I need...but cannot determine a final product
selection.
We are a small business with limited funds. When I spoke with Cisco
they told me that they had a small-business solution designed to be
both affordable and easy to use. It was only $15,000 !!! I guess
Cisco is too big to know what a small-business budget is. :) I would
like to keep my budget between $2000 and $4000.
Here is what I really need to purchase.
I want to purchase a new firewall/UTM device to replace my aging
SonicWall Pro 200. I need this device to be able to route traffic with
different rules for each route AND act as a DHCP server. I will try
and explain what I mean by this with an example. I have a network of
around 25 computers and 4 servers. We have a block of 64 public IP
addresses that we are using for external access. The 4 servers are as
follows:
1. Microsoft Small Business Server 2003 with Exchange Server running.
2. Microsoft Windows Server 2003 with Citrix Presentation Server
running.
3. A Windows XP security camera server with proprietary video remote
services.
4. A VOIP PBX telephone server (not connected currently...but want it
to be).
The 25 computers consist of primarily Windows XP boxes with a couple of
Mac OSX and Windows 2000 boxes. We also have around 10
network-connected devices (i.e. network printers, scanners, time
clocks, etc.). We have 5 mobile users who need to be able to connect
to our network through some type of VPN solution. We also have a
branch office that has a SonicWall TZ170 Wireless.
My requirements for this project are as follows:
1. The device(s) must be a DHCP server for our internal network
(192.168.168.x).
2. The device(s) must be able to reserve internal addresses for certain
devices so that they will always keep the same ip (so that our ip
printers & devices will always be at a certain 192.168.168.x address).
3. The device(s) must be capable of taking requests for various
external public IP addresses and transferring that traffic to static
internal-network devices. For example, taking our external IP address
64.207.227.12 and routing that traffic to our internal network Exchange
server residing at 192.168.168.15. This feature must be able to apply
different security policies (open port settings) to different
extIP/intIP translations. We need to lock down our Exchange server as
tight as possible and allow our camera server to be almost wide open.
THIS IS VERY IMPORTANT AND IS THE MAIN REASON THAT WE ARE REPLACING THE
SONICWALL PRO 200, AS IT IS NOT CAPABLE OF THIS FEATURE.
4. The device(s) must be able to connect to our Branch Office's
SonicWall TZ170 Wireless device creating a VPN tunnel so that the users
at that office are able to share our network without having to run
local VPN software. (I might be willing to replace the TZ170W if the
solution required it)
5. We currently use the VPN solution provided in Microsoft's Small
Business Server 2003. We like this because it doesn't require any
extra software on the remote users computers. We are however
interested in replacing this with an SSL VPN device for ease of use and
cross-platform support. We have several users that would like to
connect via their smartphones and know that this is an option with some
manufacturers SSL-VPN products. It would be nice if this SSL VPN
device could verify that the connecting user has virus software
installed PRIOR to letting them connect.
7. Must be easy to set up and maintain. If we add another server it
must be easy to create a new public-to-private IP route with unique
policies/rules WITHOUT disturbing the other previously configured
settings. This is one problem with our current SonicWall Pro 200...we
tried to install a new VOIP server and we couldn't open the ports for
just that device...we had to open them for all the traffic.
I sincerely appreciate your help and if I can do anything to help
clarify my needs please let me know. I cannot tell you how grateful I
am for the help.
<><
michael
Re: I need help choosing a firewall/vpn solution.
on 06.01.2007 12:56:39 by Christoph Hanle
michaelb wrote:
> I need help choosing a firewall/vpn solution. I would MOST appreciate
> anyone's help in making this choice. I have been reading these
> newsgroups, speaking with sales engineers and trying to make the most
> intelligent decision on my own. I have to admit the more I learn the
> more I can define what I need...but cannot determine a final product
> selection.
>
> We are a small business with limited funds. When I spoke with Cisco
> they told me that they had a small-business solution designed to be
> both affordable and easy to use. It was only $15,000 !!! I guess
> Cisco is too big to know what a small-business budget is. :) I would
> like to keep my budget between $2000 and $4000.
>
> Here is what I really need to purchase.
>
> I want to purchase a new firewall/UTM device to replace my aging
> SonicWall Pro 200. I need this device to be able to route traffic with
> different rules for each route AND act as a DHCP server. I will try
> and explain what I mean by this with an example. I have a network of
> around 25 computers and 4 servers. We have a block of 64 public IP
> addresses that we are using for external access. The 4 servers are as
> follows:
> 1. Microsoft Small Business Server 2003 with Exchange Server running.
> 2. Microsoft Windows Server 2003 with Citrix Presentation Server
> running.
> 3. A Windows XP security camera server with proprietary video remote
> services.
> 4. A VOIP PBX telephone server (not connected currently...but want it
> to be).
> The 25 computers consist of primarily Windows XP boxes with a couple of
> Mac OSX and Windows 2000 boxes. We also have around 10
> network-connected devices (i.e. network printers, scanners, time
> clocks, etc.). We have 5 mobile users who need to be able to connect
> to our network through some type of VPN solution. We also have a
> branch office that has a SonicWall TZ170 Wireless.
>
> My requirements for this project are as follows:
> 1. The device(s) must be a DHCP server for our internal network
> (192.168.168.x).
Why? You have W2K3 servers, which can do the job better than any
firewall I know.
> 2. The device(s) must be able to reserve internal addresses for certain
> devices so that they will always keep the same ip (so that our ip
> printers & devices will always be at a certain 192.168.168.x address).
On the DHCP server: static entries; on the firewall, ditto. No problem.
> 3. The device(s) must be capable of taking requests for various
> external public IP addresses and transferring that traffic to static
> internal-network devices. For example, taking our external IP address
> 64.207.227.12 and routing that traffic to our internal network Exchange
> server residing at 192.168.168.15. This feature must be able to apply
> different security policies (open port settings) to different
> extIP/intIP translations. We need to lock down our Exchange server as
> tight as possible and allow our camera server to be almost wide open.
> THIS IS VERY IMPORTANT AND IS THE MAIN REASON THAT WE ARE REPLACING THE
> SONICWALL PRO 200, AS IT IS NOT CAPABLE OF THIS FEATURE.
OK, but you don't need only a new firewall (hardware), you need a
concept. Never allow traffic from the untrusted to the trusted network.
That is what a DMZ exists for. If you are running Exchange and IIS
publicly visible in the internal LAN, you don't need a firewall; you can
use a simple router, the security is the same.
> 4. The device(s) must be able to connect to our Branch Office's
> SonicWall TZ170 Wireless device creating a VPN tunnel so that the users
> at that office are able to share our network without having to run
> local VPN software. (I might be willing to replace the TZ170W if the
> solution required it)
If it is a standard IPsec VPN, it should be no problem with most solutions.
> 5. We currently use the VPN solution provided in Microsoft's Small
> Business Server 2003. We like this because it doesn't require any
> extra software on the remote users computers. We are however
> interested in replacing this with an SSL VPN device for ease of use and
> cross-platform support. We have several users that would like to
> connect via their smartphones and know that this is an option with some
> manufacturers SSL-VPN products. It would be nice if this SSL VPN
> device could verify that the connecting user has virus software
> installed PRIOR to letting them connect.
A VPN endpoint in the internal LAN: brrrr.
> 7. Must be easy to set up and maintain. If we add another server it
> must be easy to create a new public-to-private IP route with unique
> policies/rules WITHOUT disturbing the other previously configured
> settings. This is one problem with our current SonicWall Pro 200...we
> tried to install a new VOIP server and we couldn't open the ports for
> just that device...we had to open them for all the traffic.
VoIP is a problem because it often needs dynamic ports. It is also a
must to place it in the DMZ.
>
> I sincerely appreciate your help and if I can do anything to help
> clarify my needs please let me know. I cannot tell you how grateful I
> am for the help.
OK, some ideas for firewalls:
1. Astaro (www.astaro.com) as a UTM firewall, but you have to look for a
consultant in your region.
2. Cisco ASA 5505 or 5510, depending on your real needs.
3. Take a look at m0n0wall (http://m0n0.ch/wall/) and spend the money on
servers and proxies (as ALGs) in the DMZ.
A budget from 0 € (m0n0wall) up to 3000 € (Astaro, Cisco ASA 5510), without
implementation, is IMHO realistic.
bye
Christoph
>
> <><
> michael
>
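An added illustration, not from any poster and not m0n0wall's or any vendor's configuration: a pf ruleset (OpenBSD pre-4.7 / FreeBSD syntax) expressing requirement 3 of the original post, one public address per server with a separate filter policy per translation, so that a later change to one server's ports cannot widen another's. The Exchange addresses are the ones from the post; the interface names and the camera server's addresses are assumptions.

```pf
# Added example (not any poster's configuration), pf pre-4.7 syntax.
ext_if = "em0"                   # assumed: Internet-facing interface
int_if = "em1"                   # assumed: interface holding the servers

exchange_pub = "64.207.227.12"   # public address from the original post
exchange_int = "192.168.168.15"  # Exchange server from the original post
camera_pub   = "64.207.227.13"   # assumed second address from the /26 block
camera_int   = "192.168.168.20"  # assumed camera server address

# One bidirectional 1:1 translation per server. The mapping by itself
# permits nothing: inbound packets are translated first and then matched
# by the filter rules below against the *internal* address.
binat on $ext_if from $exchange_int to any -> $exchange_pub
binat on $ext_if from $camera_int   to any -> $camera_pub

# Default deny for inbound traffic, logged for later review.
block in log all

# Exchange: as tight as possible, only SMTP and HTTPS (OWA / RPC over HTTPS).
pass in on $ext_if proto tcp from any to $exchange_int port { 25, 443 } \
    flags S/SA keep state

# Camera server: "almost wide open" as the post asks, but still an
# explicit range so that this policy is independent of the one above.
pass in on $ext_if proto { tcp, udp } from any to $camera_int \
    port 1024:65535 keep state

# A fifth server later is one more binat line plus one more pass rule;
# the existing policies stay untouched. Following Christoph's advice,
# the servers would sit on a separate DMZ interface instead of $int_if.
```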
Re: I need help choosing a firewall/vpn solution.
on 06.01.2007 15:15:33 by "Mr. Arnold"
michaelb wrote:
>
> We are a small business with limited funds. When I spoke with Cisco
> they told me that they had a small-business solution designed to be
> both affordable and easy to use. It was only $15,000 !!! I guess
> Cisco is too big to know what a small-business budget is. :) I would
> like to keep my budget between $2000 and $4000.
>
> Here is what I really need to purchase.
WatchGuard and SnapGear have FW appliance solutions in your price range.
http://www.cdw.com/shop/search/results.aspx?key=watchguard&sr=1&platform=all&x=30&y=9
http://www.watchguard.com/
SnapGear
http://www.securecomputing.com/index.cfm?skey=1485
If you want to know more about the products, then I suggest you get on
the phone with them and go to their Web site and look at product spec.
sheets.
Re: I need help choosing a firewall/vpn solution.
on 06.01.2007 21:41:16 by unknown
Michael,
I am a Sonicwall partner. They have a number of different possibilities that are well within your price range. I would be happy to discuss what Sonicwall can offer you. Feel free to give me a call at my office or drop me an email at jamie at danmarkcom dot com.
--------------
Posted via http://www.firewallalarms.com
Re: I need help choosing a firewall/vpn solution.
on 06.01.2007 21:43:07 by unknown
Sorry. I left off my office number in the last post, and I can't seem to get the edit to stick. My office number is 256-766-1580.
Re: I need help choosing a firewall/vpn solution.
on 06.01.2007 22:11:36 by unknown
Post removed (X-No-Archive: yes)
Re: I need help choosing a firewall/vpn solution.
on 08.01.2007 00:27:27 by MichaelB
Thank you for your suggestions so far. I am learning tons. I probably
need to hire a consultant but in my budget it isn't easily done. I am
glad that I have this forum to help me make the decision.
Thanks again for the recommendations.
Keep them coming...even if only to flame my original post. I take
constructive criticism pretty well. ;)
Re: I need help choosing a firewall/vpn solution.
on 08.01.2007 15:50:11 by Default User
On 7 Jan 2007 15:27:27 -0800, "michaelb" wrote:
>Thank you for your suggestions so far. I am learning tons. I probably
>need to hire a consultant but in my budget it isn't easily done. I am
>glad that I have this forum to help me make the decision.
>
>Thanks again for the recommendations.
>
>Keep them coming...even if only to flame my original post. I take
>constructive criticism pretty well. ;)
I would recommend you take a look at a lower-end Sidewinder G2 appliance
while you're researching firewalls:
http://www.securecomputing.com/index.cfm?skey=20&lang=en
I've used them for years and they are rock-solid.
I also suggest that you only use the firewall to allocate DHCP to your VPN
clients and use an internal DHCP server for the internal clients.