Communications and Wireless
SOLVED
Yong Shiuh Rong
Frequent Advisor

network planning

I am planning to connect 2 offices together through VPN. Is there any good VPN router to recommend? Is there any router that has firewall, proxy as well as VPN functions?
Jerome Henry
Honored Contributor
Solution

Re: network planning

Depends on your link... DSL? ATM? Frame relay? One Ethernet connection inside? Price restrictions?
Linksys offers fair entry-level models; Cisco is good for sure, but more expensive...

J
You can lean only on what resists you...
Keith_62
Occasional Advisor

Re: network planning

I agree with Jerome regarding entry-level routers, but the new 3Com routers are worth looking at: some better features than Cisco, cheaper and easier to set up.

Regards

Keith
Keith - HP Partner
Yong Shiuh Rong
Frequent Advisor

Re: network planning

Thanks for the recommendation. I will be using ADSL, and I would like to say security is a big concern.

I am looking at WatchGuard, NetScreen, Enterasys and Top Layer at the moment.
seymour999
Frequent Advisor

Re: network planning

We've had good results with some SonicWall products: http://www.sonicwall.com/
Stuart Teo
Trusted Contributor

Re: network planning

Hi Yong Shiuh Rong,

What's your budget for a firewall/vpn solution? A few other questions would be how many IP addresses are behind each of the firewalls? How many public IP addresses will each office have (NAT)? What kind of encryption do you intend to use? DES? 3DES? AES? AES256?

Appliance solutions like SonicWall, WatchGuard and NetScreen are great for wire-speed performance. They also do not charge per IP address like Checkpoint does. NetScreen has gained a lot of traction in the last 2 years, so that says a lot about their products. Also, watch out for the annual subscription that you have to pay for software upgrades or support. That affects your TCO.

I do not like Cisco PIX because it's so complicated to configure them. Take a look at www.astaro.com and www.sofaware.com as well.

The cool thing about Sofaware is that it uses Checkpoint's code, i.e. their Inspect (tm) engine. It allows you to perform gateway-level content filtering and virus inspection. Good luck!
If a problem can be fixed, there's nothing to worry. If a problem can't be fixed, worrying ain't gonna help. Bottom line: don't worry.
Jerome Henry
Honored Contributor

Re: network planning

Hi,
Among your selection I would consider WatchGuard: fair prices and good performance. NetScreen is pretty efficient too, but expensive and, as far as I see it, too proprietary in their OS implementation. I like simple and easy-to-use interfaces, not full of hidden corridors... or I buy a Cisco, undoubtedly harder to set up, but strong...

Of course your budget and Hwee Liang Teo's questions on encryption and NAT would help in choosing a precise model...

J
You can lean only on what resists you...
Yong Shiuh Rong
Frequent Advisor

Re: network planning

Hwee Liang, I never knew there were so many kinds of encryption. I plan to subscribe to 1 public IP for the branch and upgrade my HQ to the five-IP package.

There is still a lot I need to look at and listen to.
Yong Shiuh Rong
Frequent Advisor

Re: network planning

Where can I get a better understanding of all the encryption technology?
Stuart Teo
Trusted Contributor

Re: network planning

Google does a good job in bringing up good articles on this subject. Some keywords that might interest you are:

Diffie-Hellman (DH)

Internet Key Exchange (IKE)

Encapsulating Security Payload (ESP)

IP payload compression (IPcomp)

Authentication Header (AH)

Rijndael (AES)

Data Encryption Standard (DES)

There are many ways you can create an IPsec VPN tunnel. You may want to ensure that packets were not modified but not be concerned about encrypting the payload (AH). Or you may be paranoid enough to want to encrypt the payload. You may also be paranoid about Uncle Sam decrypting your payload and want to avoid DES. But honestly, the private key is changed so frequently in an IPsec tunnel that one has to question the sanity of worrying about Uncle Sam.

AES is popular because (amongst many other reasons) it is faster to crunch than DES. Of course a lot of people believe that Twofish is more secure than DES and AES.

A note on purchasing appliances. Since they do not liberally expose the CPU specs, you want to look at the VPN/IPsec throughput specs, e.g. 10 Mbps if using DH & AES may mean 2 Mbps if using DH & DES.
If a problem can be fixed, there's nothing to worry. If a problem can't be fixed, worrying ain't gonna help. Bottom line: don't worry.
Jerome Henry
Honored Contributor

Re: network planning

What do you interconnect? 2 offices? Through the Internet? Then 2 good solutions for your VPN are L2TP and PPTP, the first being the better.
On them, the question is how you encrypt your data (which algorithm). If this is not your hobby, don't bother to get the algorithm differences. They are based on mathematical concepts that are not your main point. Trust your vendor on that.
Today, AES is considered fairly secure, replacing DES and Diffie-Hellman, secure but harder to set up as far as the protocol and algorithm implications are concerned. You can encrypt the header (to make sure it's not altered; it's called AH) or the full packet to prevent its reading by a middle man; it's called ESP. Exchanging encryption keys goes through a protocol called IKE.
Encryption is a very wide part of the security technology; if you have time and need pointers, just let us know... and make some coffee!

hth

J
You can lean only on what resists you...
Stuart Teo
Trusted Contributor

Re: network planning

Hi,

AES does not replace Diffie-Hellman. DH is the public key exchange method used to secure a channel for (symmetric algorithm) private key exchanges. Thought I'd just clarify that point. But like the above post said, ignore all this garble if you're not transmitting top secret data & go for the coffee instead. ;)

Side note: your reseller might not sell you L2TP or PPTP or MPPE because it may not make them money. And it is also true that PPTP isn't secure enough. L2TP... mmm... OK. MPPE is a big improvement over L2TP.
If a problem can be fixed, there's nothing to worry. If a problem can't be fixed, worrying ain't gonna help. Bottom line: don't worry.
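The keyword list above and the AH/ESP/IKE summary in the preceding posts describe the pieces of an IPsec tunnel in words; the following is an added example (not code from either poster, and not any vendor's implementation) that walks the same pieces in standard-library Python: a Diffie-Hellman exchange between two peers, derivation of separate integrity and encryption keys from the shared secret plus nonces (the idea behind IKE's key derivation, not its exact layout), then an AH-style packet (integrity only, payload in the clear) beside an ESP-style packet (encrypted, then authenticated). Two assumptions are labelled in the code: the DH group is a toy 61-bit prime rather than a standard IKE group, and, because AES is not in the Python standard library, a HMAC-SHA256 counter keystream stands in for the cipher. Function names, the sample payload and the 12-byte truncated ICV are all constructed for this illustration.

```python
"""Toy IPsec-style walk-through: DH agreement, key derivation, then AH-style
(integrity only) versus ESP-style (encrypt + integrity) packet protection.
Constructed illustration using only the standard library; not for real use."""
import hashlib
import hmac
import os

DH_PRIME = 2**61 - 1   # assumption: a known prime, but far too small for real DH
DH_GENERATOR = 2
ICV_LEN = 12           # truncated HMAC tag, as AH/ESP integrity check values are


def dh_keypair(private=None):
    """One peer's DH values; `private` may be fixed to make a run reproducible."""
    if private is None:
        private = 2 + int.from_bytes(os.urandom(8), "big") % (DH_PRIME - 3)
    return private, pow(DH_GENERATOR, private, DH_PRIME)


def dh_shared_secret(private, peer_public):
    """Both peers get the same value: (g^a)^b == (g^b)^a mod p."""
    return pow(peer_public, private, DH_PRIME)


def derive_keys(shared_secret, nonce_i, nonce_r):
    """Separate integrity and encryption keys from the DH result and both nonces
    (same idea as IKE's SKEYSEED/PRF+, not its exact layout)."""
    seed = hmac.new(nonce_i + nonce_r, shared_secret.to_bytes(8, "big"), hashlib.sha256).digest()
    k_auth = hmac.new(seed, b"integrity", hashlib.sha256).digest()
    k_enc = hmac.new(seed, b"encryption", hashlib.sha256).digest()
    return k_auth, k_enc


def keystream(k_enc, seq, length):
    """Counter-mode keystream keyed per packet sequence number (AES stand-in)."""
    out, counter = b"", 0
    while len(out) < length:
        block = seq.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hmac.new(k_enc, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def icv(k_auth, data):
    return hmac.new(k_auth, data, hashlib.sha256).digest()[:ICV_LEN]


# AH-style: the payload travels in the clear; only modification is detectable.
def ah_protect(k_auth, seq, payload):
    header = seq.to_bytes(4, "big")
    return header + icv(k_auth, header + payload) + payload


def ah_verify(k_auth, packet):
    header, tag, payload = packet[:4], packet[4:4 + ICV_LEN], packet[4 + ICV_LEN:]
    if not hmac.compare_digest(tag, icv(k_auth, header + payload)):
        return None          # tampered, or wrong key
    return payload


# ESP-style: encrypt the payload, then authenticate header + ciphertext.
def esp_protect(k_auth, k_enc, seq, payload):
    header = seq.to_bytes(4, "big")
    body = header + xor_bytes(payload, keystream(k_enc, seq, len(payload)))
    return body + icv(k_auth, body)


def esp_open(k_auth, k_enc, packet):
    body, tag = packet[:-ICV_LEN], packet[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(k_auth, body)):
        return None          # reject before decrypting anything
    seq = int.from_bytes(body[:4], "big")
    return xor_bytes(body[4:], keystream(k_enc, seq, len(body) - 4))


def run_demo(payload=b"branch -> HQ: payroll batch 17"):   # constructed sample payload
    """Run the exchange between two peers and report what each mode guarantees."""
    hq_priv, hq_pub = dh_keypair()
    br_priv, br_pub = dh_keypair()
    nonce_hq, nonce_br = os.urandom(16), os.urandom(16)
    # Only the public values and nonces cross the wire; each side combines its
    # own private value with the other's public value.
    hq_secret = dh_shared_secret(hq_priv, br_pub)
    br_secret = dh_shared_secret(br_priv, hq_pub)
    k_auth, k_enc = derive_keys(hq_secret, nonce_hq, nonce_br)

    ah_pkt = ah_protect(k_auth, 1, payload)
    ah_tampered = ah_pkt[:-1] + bytes([ah_pkt[-1] ^ 0x01])      # flip last payload byte
    esp_pkt = esp_protect(k_auth, k_enc, 1, payload)
    esp_tampered = esp_pkt[:4] + bytes([esp_pkt[4] ^ 0x01]) + esp_pkt[5:]  # flip a ciphertext byte

    return {
        "shared_secret_matches": hq_secret == br_secret,
        "ah_payload_readable_on_wire": payload in ah_pkt,
        "ah_tamper_detected": ah_verify(k_auth, ah_tampered) is None,
        "esp_payload_readable_on_wire": payload in esp_pkt,
        "esp_roundtrip_ok": esp_open(k_auth, k_enc, esp_pkt) == payload,
        "esp_tamper_detected": esp_open(k_auth, k_enc, esp_tampered) is None,
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running it shows the distinction the posts draw: both modes detect a modified packet, but only the ESP-style packet hides the payload from anyone on the path. The keys come out of the DH result, which is why a new DH exchange each time the tunnel rekeys limits how much traffic any one recovered key would expose.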
Yong Shiuh Rong
Frequent Advisor

Re: network planning

Thank you for all the information; I am a novice user. I think I will go for the mid-range VPN router firewall.