Branch offices...ZBF or Meraki FW?

Hey all,

We've been doing split tunneling since well before I arrived. I'd like to change that, but having all offices go back to HQ and through HQ internet is not possible because of bandwidth restrictions. I am considering two options. One is going with a Meraki FW at each branch office (25-150 people generally) and the other is going with a ZBF on the router out there. I have experimented in the past with ZBFs and I believe they will work without us spending additional money. I would essentially only allow traffic needed to set up DMVPN tunnels inbound, and allow well-known protocols going outbound (HTTP, HTTPS, ICMP, etc.). Statefulness will allow the return traffic back in, if I am understanding this all correctly.

My concern is this: is the ZBF enough? If someone internally clicks a malicious link, the traffic will be allowed to return in anyway. Whereas at HQ, we have an IPS system to help prevent that. Not even sure if the Meraki FW can do those things or not, as I am in my early consideration stage, but would appreciate some input.

The setup is this: 25 branch offices with a 4331 or 2921 router, connected to 1-2 Meraki switches, with Meraki APs. Internal traffic traverses the DMVPN tunnel, external traffic goes straight to the internet. We do NAT on the branch router obviously. This has always been the case since well before I arrived, but I am foreseeing time to work on this very soon, so I'd like to make some changes.
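The spoke-side ZBF design described in the post (DMVPN control traffic to the router only, well-known protocols outbound, stateful return traffic, nothing else inbound), written out as an added IOS/IOS-XE configuration example; this is not the poster's config. Zone names, interface names, the Tunnel0 interface, and the exact list of outbound protocols are assumptions.

```cisco
! Zone and interface names are assumptions for a spoke with one WAN link.
zone security inside
zone security outside
! DMVPN control traffic the router itself sends and receives:
! ISAKMP (UDP/500), NAT-T (UDP/4500), ESP, and GRE (seen after decryption).
ip access-list extended DMVPN-CONTROL
 permit udp any any eq isakmp
 permit udp any any eq non500-isakmp
 permit esp any any
 permit gre any any
class-map type inspect match-any DMVPN-CONTROL-CM
 match access-group name DMVPN-CONTROL
! Well-known protocols branch users may start toward the internet (assumed list).
class-map type inspect match-any USER-OUT-CM
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
! inside -> outside: inspect, so only replies to these sessions return.
policy-map type inspect INSIDE-TO-OUTSIDE-PM
 class type inspect USER-OUT-CM
  inspect
 class class-default
  drop log
! outside <-> self: pass DMVPN control traffic only. "pass" is stateless,
! so the same policy is applied in both directions. Any other
! router-originated traffic (e.g. NTP from the router) must be added or it is dropped.
policy-map type inspect DMVPN-SELF-PM
 class type inspect DMVPN-CONTROL-CM
  pass
 class class-default
  drop log
zone-pair security IN-OUT source inside destination outside
 service-policy type inspect INSIDE-TO-OUTSIDE-PM
zone-pair security OUT-SELF source outside destination self
 service-policy type inspect DMVPN-SELF-PM
zone-pair security SELF-OUT source self destination outside
 service-policy type inspect DMVPN-SELF-PM
! No outside -> inside zone-pair exists, so unsolicited inbound is dropped.
! Tunnel and LAN share the inside zone, so traffic to HQ over DMVPN is
! not filtered here (intra-zone traffic is permitted by default).
interface GigabitEthernet0/0/0
 zone-member security outside
interface GigabitEthernet0/0/1
 zone-member security inside
interface Tunnel0
 zone-member security inside
```

The `drop log` actions give syslog visibility into what the branch router rejects, which is useful for detection. Note that `inspect` only tracks sessions: replies to a connection a user opened to a malicious site are allowed back in, which is exactly the gap the post raises, and nothing in this policy looks at payload the way the HQ IPS does.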
