VPN/Firewall Solution for the Office

ng12345 (Senior member, Jan 23, 2005)

I was hoping for some advice on what to do with my office setup to make everything more "secure"

Currently we have 2 branch offices (5-7 computers each), 1 main office (10-15 computers), and ~5 "tele-workers."

All of our data is stored at the main office and accessed by the branch offices and teleworkers through a terminal services connection set at the highest encryption level.

Currently there is no VPN solution in place.

Our IT guy wants us to implement some sort of VPN solution that will link up the offices and make the terminal services connections "more secure." He recommended a sonicwall solution.

In an attempt to do some research before buying equipment, I looked around at the cheap/free solutions (hacking together a hamachi vpn/use linux'd up linksys routers) to the more expensive stuff - cisco, sonicwall, watchdog

By doing the research I was only more confused, since I know the free solutions would work but it seemed a little shabby. However, the more expensive stuff has confusing price structures and random service charges and subscription charges added here and there. After spending a couple days sifting through the stuff I could not put together an adequate price comparison of what would suit our needs and what we would be spending each year on support and whatnot.

I was wondering what recommendations you guys could give as to who to go with to fit our needs.

What I was looking at:
Sonicwall TZ-170s for all 3 sites
Cisco 850 for branch offices, 870 for main office (wasn't too sure if vpn tunnel meant number of sites that could connect or the number of computers)

Thanks in advance for any help/suggestions

Let me know if you need more information.

I would prefer a solution with the least amount of annual cost that can provide the core protection and security (VPN, firewall)

alocurto (Platinum Member, Nov 4, 1999)

I use TZ-170's; they are AWESOME. Easy to implement and on the cheaper side. The SonicWall VPN client is VERY easy for end users to use.

Riverhound777 (Diamond Member, Aug 13, 2003)

Another vote for the Sonicwalls. I know the security suite yearly fee can be a turn-off, but with it you really only need anti-virus on each local PC. And even then it is only for internal virus protection.

Genx87 (Lifer, Apr 8, 2002)

I use Juniper firewalls here and love them.

Netscreen 5XTs to be exact. They may have something newer, however; haven't checked.

ng12345 (Senior member, Jan 23, 2005)

Thanks for the advice

was just a little concerned about the per user costs of every feature that sonicwall offers

i was using firewalls.com to get prices and they were listing something like $600/yr for gateway/firewall services etc on a $300-500 router -- it just didn't make sense to me -- are all these features really worth that much?

RebateMonger (Elite Member, Dec 24, 2005)

You don't need to subscribe to anything but, probably, the SonicWall Service Contract. If the AntiVirus or Web Block lists are valuable to you, then you can subscribe. I see little value in the AV services, since you STILL need to have AV installed on your Servers and client PCs.

We were going to install a SonicWall TZ-170 at one remote site, to work with an SBS 2003 ISA 2004 Server at their main site. We found SonicWall's customer support miserable in this regard. They told us we were on our own and we soon discovered that the problems we were having had to do with a known IPSec bug in Windows Server 2003 SP1 (which is fixed in SP2). It causes a Windows Server to timeout every couple of minutes and force a rebuild of the IPSec Security Association, which can cause a Terminal Service connection to fail. I was shocked that their Technical Support didn't know about the IPSec bugs in Server 2003 SP1.

We ended up using a $60 Netgear FVS114 at the remote site, which works fine with ISA 2004 in a site-to-site VPN configuration. We're trying to sell the SonicWall, which is tough, since many of our clients see no reason to spend $600 on a router/firewall.

Note that if you are using Terminal Services, the only real advantage of a site-to-site VPN is that it's not vulnerable to "Man-in-the-Middle" attacks, which "normal" Remote Desktop connections are vulnerable to.

Here's a quote by Patrick Rouse, a Microsoft Terminal Server MVP regarding the value of a VPN for a TS connection:

Even in an industry like banking I would never use VPN to increase security of an RDP or ICA Connection. For increased security (if you're not satisfied with the 128 bit encryption that RDP provides) look into secondary authentication like Biometrics or SecureID/SafeWord.

VPNs are great for connecting remote offices, but way too much administrative burden to use for individual remote user connections.

Brian Madden and I (along with the rest of the TS MVPs) had this same conversation with the MSFT TS Product team who was not willing to say that TS should be deployed over the Internet w/o VPN, but we told them that we do it and recommend it all the time w/o any issues.

Show me an exploited RDP Connection before deciding you need more security. Make sure you have a good password policy and that your TS is behind a firewall and you should be fine.
--
Patrick Rouse
Microsoft MVP - Terminal Server

ng12345 (Senior member, Jan 23, 2005)

Thanks for that -- I totally think the same in that RDP connections do not need a VPN to buffer them up

unfortunately our networks are in the healthcare field -- where everything with HIPAA is basically if you aren't spending money out your ears for security then you are not secure enough

one IT guy we spoke to said he would not set up our network unless we bought vpn software

the current IT guy we have thinks everything is secure with TS -- but that each individual network could benefit from the added security (firewall aspect) of a sonicwall router

currently each network is behind a dsl or cable connection (no fios yet!), linksys router, and switches branching to the computers.

Each computer has some form of antivirus software on it (autoupdating but no unified central management)

The only firewall is that which is provided by the routers

i think there is room for improvement -- i would like to see a more unified solution in the offices (same av software, same firewalls/routers)

as an aside -- pm me if you are interested in selling the tz 170

RebateMonger (Elite Member, Dec 24, 2005)

Originally posted by: ng12345
unfortunately our networks are in the healthcare field -- where everything with HIPAA is basically if you aren't spending money out your ears for security then you are not secure enough.

Not everywhere. If I wanted to get into an MD's office, I can think of several ways that would be easier than a "Man-in-the-Middle" attack. Many offices use WEP encryption for their WiFi. Every one that I've seen uses the SAME passwords and very easy-to-guess passwords for many of their employees. I'd be shocked if it'd take me more than ten minutes to get into one of my prior clients (a large OBGYN practice), even though we parted ways months ago. They NEVER asked me to sign any HIPAA confidentiality documents, either. The last medical center I visited had ACTIVE accounts for ex-employees who'd left two years earlier.

Regarding VPNs, there's also the option of using Windows Small Business Server 2003, which does Remote Desktop a bit differently and avoids the possibility of a MITM attack.

ng12345 (Senior member, Jan 23, 2005)

In the end -- all it really comes down to is: "will it hold up in court?"

I tried SBS 2003 -- it ends up being much more costly -- especially when a terminal server and domain controller can't be on the same computer

thanks for all the advice -- I don't think we have really moved either way in terms of coming to a decision with which vpn router if any we need to go with.

i am currently trying out a RDP + hamachi setup just to get a sense of how vpn will affect speeds -- though I realized using a vpn software like hamachi would probably compromise the system more -- esp. since it's more a split tunnel approach -- any thoughts?

kt (Diamond Member, Apr 1, 2000)

An alternative solution you may consider is SSL VPN, since it seems like your users are already working off TS. With SSL VPN, you only need to manage the one SSL VPN appliance at the main office. Everyone else just needs an internet connection to get to it. Depending on what your needs are, you may not have to install a client on the remote computer. Even then, you may push the client install.


RebateMonger (Elite Member, Dec 24, 2005)

Originally posted by: ng12345
I tried SBS 2003 -- it ends up being much more costly -- especially when a terminal server and domain controller can't be on the same computer

Actually, there's a really neat and cheap way around that. You install Virtual Server on the SBS Server and install multiple licenses for XP Professional. It's no pricier than terminal server licenses, it's secure, and you only need a single server. If you don't need a second terminal server for performance reasons, then you can create a "Terminal Server" on the SBS Server for free.


ng12345 (Senior member, Jan 23, 2005)

I read up on Virtual Server but it didn't seem clear as to how other computers could access the server as a "remote user" -- the ts users currently connect over the internet

would this put extra load on the server as compared to if it were running terminal services?

ssl-vpn is really interesting and I think I will be looking into that further -- thanks for the tip -- only thing is those products are even more expensive than the firewall/vpn stuff :-/

hmm -- researching ssl-vpn caused me to stumble onto a much cheaper alternative (though I'm not completely sure of the quality) -- netgear

I'm looking at the FVS338 (Prosafe 50) and the fvx538 (prosafe 200)
they retail for 200 and 400 a piece respectively -- and it looks like no subscription charges
function as vpn/firewalls
the 338 has 50 tunnels, the 538 has 200 -- both way over what i need -- but the other netgear offerings have very poor throughput (these have 90mbps wan to lan and 60mbps over vpn)
the only advantage of the 200 that is good for me is the 1gb port that I could hook my server directly into

i was thinking one of these would be good for the main office and then maybe the netgear fvs114 for the branch offices (throughput of 11.5mbps wan to lan and 1.5mbps over vpn)

for the teleworkers i could use the netgear ssl312 (retails around 340) which provides them with an easy ssl vpn interface (no extra licenses necessary and pretty secure)

so the end result would be 2 branch offices connecting with terminal services (or even directly) over vpn and the teleworkers accessing the office through sslvpn

are there any holes in this plan? any pros/cons to the netgear stuff

all the eq would be backed by their lifetime warranty -- but i don't know how they compare to sonicwall