1

I am looking to set up a VPN and DMZ solution for a small business. Here is some background and some of their requirements:

  1. This is a small business with maybe a dozen servers and another half-dozen workstations. It provides a public web application with a database backend. Cost is a big factor, as is a solution that is easy to set up and maintain.
  2. 2 physical locations need to be linked via a site-to-site VPN
  3. Remote access must be provided via client-to-site VPN for out-of-state contractors (5 or fewer most likely)
  4. VPN clients for (3) above need to run on Windows (XP and Win7) and Linux (Ubuntu)
  5. A DMZ will be required at each of the two physical locations to house the web application servers.
  6. Any solution must be implemented and maintained by people who are fairly competent with systems administration but who are not networking experts.
  7. I want to avoid any PC-based solutions like OpenVPN. Nothing against OpenVPN or similar solutions, I just want to keep it simple with an appliance of some sort.

I was looking at low cost devices like a couple of CISCO RV042s since it seems to provide everything I need out of the box. I'm not sure if I'm going too cheap however so I'm looking for a sanity check. Is this a decent solution for a small business or should I be looking at other solutions?

craigm
  • PFsense on an old desktop – Jacob Mar 04 '12 at 23:50
  • I should have mentioned I want to stick with an appliance for simplicity. I edited my question to reflect this. – craigm Mar 04 '12 at 23:59
  • I can give you my experience with the LinkSys RV082: Kill it with napalm and run away screaming. Get a small server, put Untangle or ClearOS on it. That or look into an Endian appliance. All of those solutions are all-in-one and no-muss-or-fuss. – Wesley Mar 05 '12 at 00:10
  • 3
    @Jacob Never, ever, ever, never, ever, under *any* circumstance put anything even remotely business related like a firewall/gateway system on an old desktop PC. Ever. – Wesley Mar 05 '12 at 00:10
  • @WesleyDavid I always use server H/W, but when cost is a factor, sometimes just suggesting reuse of old HW can get funds approved at a tight budget place. – Jacob Mar 05 '12 at 00:33
  • @Jacob: PFSense on an old desktop is essentially free, and if it comes to a VPN and your budget is zero, you are doomed anyway. Using an old desktop will bite you exactly at the moment when you absolutely cannot afford any downtime. – Sven Mar 05 '12 at 01:03
  • Every manufacturer from Cisco to Zyxel sell a firewall+ appliance geared towards the SMB market. I mean, literally, everyone sells something that meets your requirements. – gravyface Mar 05 '12 at 01:50
  • Welcome to Server Fault! This question was closed because shopping recommendations are outside of the scope of Server Fault. [Please ensure you are familiar with the FAQ](http://serverfault.com/faq#questions). – user9517 Mar 05 '12 at 14:32

4 Answers

2

I'd suggest a Cisco ASA 5505 firewall appliance (something like #ASA5505-50-BUN-K9). It's under $500US.

With it, you have:

  • Cisco mindshare. People do know how to setup and configure these units.
  • Site-to-site IPSEC tunnels are easy to configure via the web interface.
  • Client connections are possible with included clients for Mac, Windows and Linux.
  • DMZ is available.

Cost may be an issue, but this isn't an area you should skimp on.

ewwhite
  • I looked at CISCO ASA devices, but their licensing confuses me. When they say 50-user limit, it is unclear to me what that means. 50 VPN users? 50 internet connections? Something else? – craigm Mar 05 '12 at 01:22
  • 50 simultaneous users. If you have more than 50 users/computers at the site, then you should go with the unlimited model (~$125 more). It's also 10 simultaneous IPSEC VPN connections. I'm not sure on the limit for web/SSL VPN connections. – ewwhite Mar 05 '12 at 01:32
  • The 50 user license is more than enough for your needs. They just don't want big enterprises with 100's of users using this low cost device... – Jonesome Reinstate Monica Mar 05 '12 at 03:53
1

Another option would be Fortinet's line of devices. Based on your requirements, a Fortigate 40C or a bit higher-end Fortigate 60C would do the trick. They are excellent for site-to-site VPNs, and have a dedicated VPN client available (or you can use the OS's built-in PPTP client).

They are cheaper than Cisco kit, but excellently built. That said, Fortinet pushes their subscription services (AV, Anti-Spam, etc) which it sounds like you don't need - most resellers should offer a SKU without these additional services, which will bring down the price some more.

Last thing - it looks like there is no longer a dedicated DMZ port on the refreshed model line, but you can reconfigure the switch ports to your liking, including DMZ.

Skawt
0

While this doesn't do much for your site-to-site need, one super low cost (free or close) way to do workstation-to-site VPN is via SSH. SSH is a secure tunnel, and is a VPN in all useful respects.

VPN clients, like Putty, will redirect traffic from a local port across the VPN to your SSH server. The overall setup is:

  • Set up SSH server software on existing server that resides in a DMZ or inside/trust network
  • Open firewall to allow public to get to the SSH port
  • Set up SSH client on remote workstations.

SSH Client: Putty is a great, free, SSH client, but there are others.

SSH servers: Built in to Linux. Freeware and low cost commercial options on Windows. http://en.wikipedia.org/wiki/Comparison_of_SSH_servers

Jonesome Reinstate Monica
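The SSH-as-VPN setup described in the answer above, as an added example that is not part of the original post: the client-side local port forward a contractor would run, plus a check of the sshd_config directives that keep such a gateway account limited to forwarding only, with a stock (weak) and a restricted config side by side. Host names, the `contractor` user, the 10.0.20.5 database address and the port numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original answer. Constructed placeholder values
# throughout: vpn-gw.example.com, user "contractor", DB host 10.0.20.5.

# Build the client command: connections to 127.0.0.1:LOCAL_PORT on the
# workstation are carried over SSH and emerge from the DMZ gateway towards
# TARGET_HOST:TARGET_PORT. -N opens no shell; ExitOnForwardFailure makes a
# refused forward fail loudly instead of silently giving a shell with no tunnel.
forward_cmd() {
    local_port=$1; target_host=$2; target_port=$3; gateway=$4
    printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:%s:%s %s\n' \
        "$local_port" "$target_host" "$target_port" "$gateway"
}

# Constructed sample: stock sshd defaults. Any account that can log in with a
# password can forward to any host the gateway can reach.
WEAK_CFG='# constructed sample: stock config
PasswordAuthentication yes
AllowTcpForwarding yes'

# Constructed sample: key-only login, one named account, local forwards only,
# and those forwards limited to the single internal service they are for.
HARDENED_CFG='# constructed sample: forward-only gateway account
PasswordAuthentication no
PermitRootLogin no
AllowUsers contractor
AllowTcpForwarding local
PermitOpen 10.0.20.5:5432'

# Report which of the expected directives an sshd_config text lacks.
# Prints "ok" when all are present, otherwise "missing:" plus the directive names.
check_sshd_config() {
    cfg=$1
    missing=""
    for want in 'PasswordAuthentication no' 'PermitRootLogin no' \
                'AllowTcpForwarding local' 'PermitOpen ' 'AllowUsers '
    do
        # Match the directive at the start of a line with the required value.
        printf '%s\n' "$cfg" | grep -Eq "^[[:space:]]*$want" \
            || missing="$missing ${want%% *}"
    done
    if [ -z "$missing" ]; then echo ok; else echo "missing:$missing"; fi
}

forward_cmd 15432 10.0.20.5 5432 contractor@vpn-gw.example.com
echo "weak config:     $(check_sshd_config "$WEAK_CFG")"
echo "hardened config: $(check_sshd_config "$HARDENED_CFG")"
```

With the hardened config in place, the contractor points the local application at 127.0.0.1:15432 and everything else on the gateway and the inside network stays out of reach of that account.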
0

Mikrotik. Simple like that - their hardware is unmatchable in price, does 90% of what Cisco does for like 5% of the price. You can likely get away with a 750 or even a 450 - I use a 450 on my main office, a 1100AH for my data center and 750's for remote locations. The price is a joke.

TomTom