VPN project
Hey..
Looking for some input and suggestions as I have been researching all the various typical security and networking companies for the best VPN solution to implement at my firm. Currently using a Cisco ASA 5520 for just the VPN functions.
Requirements:
* High performance, currently peaks at like 50-75 users, but needs to be able to sustain up to 500 in case something happens like a DR/BCP/etc scenario
* SSL VPN for users with easy to use client, very straightforward and automatic click and connected.
* IPSEC VPN for site to site tunnels
* Avaya IP phone VPN support remotely (IPSEC)
* WAN acceleration (to help performance), but we can implement Riverbed Steelhead mobile to accommodate this, just unfortunately requires another client/agent
Of course needs to be a solid product with good support, etc etc.
I have looked at the following:
Juniper MAG/Secure Access
Cisco ASA 5525-X
F5 LTM + APM (overkill and pricey, but get more than just VPN..)
Sonicwall
Barracuda
Any recommendations and experiences you may have or implemented? I am going back to ease of possibly just upgrading the equivalent next gen model, migrate the config, have professional services check configuration and get WAN acceleration through Riverbed. I would consider IPSEC VPNs for clients, but seems that still just compatibility issues with home networks, remote locations etc.. just would prefer to avoid that unless somehow resolved. I do know some IPSEC are coupled with SSL now if didn't work first time.
Thanks in advance.
Comments
-
NightShade03 Member Posts: 1,383
So the way I see it you have two options here. First of all, drop the Sonicwall and Barracuda vendors...those aren't serious players in this space and every Gartner / marketing report on the planet will validate that.
I like the idea of keeping the Cisco ASA, using the modules for SSL and IPSEC, and then adding the Riverbed Steelheads behind that. Great solution, robust, and not *too* expensive.
Your other option would be to take a long hard look at your current applications within your environment and see how the F5 solution would benefit them. When you are talking sub 100 users Juniper is going to be a better solution and cheaper, however because you have a requirement to scale up to 500 users...you will need to buy up to 500 user licenses for Juniper. This can get very pricey and you may not even be using them all the time so it is practically a waste. You would also need 3 Juniper MAG boxes, 1 for the licensing server and the other 2 for HA cluster. The licensing server is essential to ensure that the licenses that you buy are stuck on the boxes you associate them to originally.
With the F5 solution as you mentioned, you are getting more than you need because of the additional feature set that F5 offers. Yes it will be more expensive, but you can do SSO, load balancing, IPSEC, SSL, and if you wanted to, WAN acceleration as well. Additionally F5 just changed their licensing model with their launch of the Synthesis platform which should make it a little cheaper for you and give you even more features.
Personal preference would be the F5 route because once you have it you'll find there are so many more things you can do with it, however from a financial perspective Cisco+Riverbed is not a bad way to go either.
Source: I sell these things all day long
Any questions I'm happy to help (can even hook you up with a good reseller if you need).
-
googol Member Posts: 107
That is my assessment as well. I am basically down to those two, but working with a budget, I might not be able to spring the extra money for the F5 solution. It looks like we would need the new 2000 series hardware, then LTM, then APM, and if we wanted to optimize it some more, the AAM. I noticed that F5 only came into the VPN scene like 3-4 years ago, just added the feature in their software and off they went.
I appreciate the assistance and insight. I have a VAR right now, but might check out yours as we like to get second opinions to confirm.
F5 can take over for load balancers, firewall, VPN, and more, but we do not like to put too many eggs in one basket for various reasons.
Just wish there was a dedicated VPN solution, but all seems to be bundled up with other things these days to provide more "value".
-
NightShade03 Member Posts: 1,383
Well Juniper's MAG is a dedicated solution, but there are limitations with something like that because now you have another application to manage and it is an expensive one to boot. You could also look into StoneSoft for a standalone software VPN/SSL. They have some pretty good features and integrate SSO + 2 Factor Auth.
I do agree that some businesses are concerned about putting all their eggs in one basket, but at the end of the day there is a reason you have HA and from a management/support perspective it is easier on you and gives you only one throat to choke when things don't work properly.
-
googol Member Posts: 107
Having an HA setup for F5 would drive up the costs even higher. Currently do not have an HA setup for VPN, as we just fail over to the other site(s), which covers in case internet link(s) went down. If we had to in a pinch, can always set up VPN on firewall or other product as you know.
Seamless roaming is a major requirement, as some users are on wifi, some on MiFi 4G cards, hotel wireless, slow broadband and other various connections and sometimes switching between them.
Seems like I am missing another product or two, but doesn't look like it.
-
it_consultant Member Posts: 1,903
The Meraki security devices have what is, in essence, a Riverbed built in to the device.
There are a couple of ways you can deploy remote workers, for example with ZR1 remote office gateways or with a traditional VPN setup.