Branch office requiring Firewall

jiajia2

Junior Member
May 30, 2001
Hmm... I have seen models with specs in this range:

Firewall throughput: 10 to 100Mbps

VPN throughput: 4 to 20Mbps.

Of course the higher-end models cost quite a bomb.

Just need to clarify:

1. VPN throughput will be the speed at which a user at the branch office can link to his head office intranet... so if, say, at this branch office the internet connection is a 512kb ADSL, won't that be the limiting factor? So a 4Mbps or 20Mbps model will not make any difference?

2. What is firewall throughput? The speed at which users behind the firewall can access the net? Again, if it is a 512kb ADSL, what difference would it make to get a 10 or a 100Mbps model?

3. Are those high-end models only useful if you have a leased line?


Pardon my lack of knowledge... thanks in advance for answering my queries.


spidey07

No Lifer
Aug 4, 2000
VPN throughput is how fast the firewall can encrypt and decrypt VPN traffic. Usually there are separate numbers for 56-bit and 128-bit encryption, since encryption uses a lot of processing power. So yes, this performance spec really only applies to traffic that the firewall is actively encrypting/decrypting.

The other throughput is how fast the firewall can inspect frames and still forward them with a firewall rulebase applied.

A 100 Mbps firewall with 20 Mbps VPN throughput is hardly necessary unless it is for thousands of users, or possibly if used as a LAN firewall where it would see anywhere near 100 or 20 Mbps.

cmetz

Platinum Member
Nov 13, 2001
jiajia2,

1. Yes. It's good to have a little headroom in your crypto performance, but fundamentally a box with 4Mb/s of performance is overkill for a 512k DSL line. Remember to sum upload and download (512k/512k = 1Mb/s of peak throughput needed).

2. Same as above.

3. Higher-end firewalls are for sites that have higher-end lines and/or more users. If you have a hundred tunnels, that fundamentally stresses the box more than if you have one, even though the total bandwidth in use is the same. Ditto on the firewall flow functionality. If you have a 512k/512k DSL line, though, you are probably not playing in the class where you need the higher performance boxes. I'd suggest starting with the cheapest thing that suits your needs and then upgrading later if you outgrow that.

The Linksys BEFVP41, though in many ways very limited, is a great little box for the price and might work well for you. If not, try a Cisco PIX 501.

jiajia2

Junior Member
May 30, 2001
I see....

1. So the speed of the internet connection has nothing to do with VPN and firewall throughput?

2. Say a company (Malaysia) has about 20 - 30 users behind the firewall, and they need from time to time to connect to the head office in the US for intranet purposes... One of my considerations will be the max number of VPN tunnels. Say only 10 VPN tunnels are allowed... can only 10 users VPN to the head office at one time? Can't the rest VPN in at all?



Thanks for the recommendation of the Cisco PIX 501... I am now looking at SnapGear, SonicWall, NetScreen & WatchGuard.

It seems that Cisco and NetScreen really cost a lot...
in the middle are WatchGuard and SonicWall...
while SnapGear is cheaper and provides the same solution.

Any comments?

azev

Golden Member
Jan 27, 2001
If you're not familiar with either brand, I think SonicWall has the easiest learning curve.
Don't get me wrong, I think the PIX 501 is a great product, but they are a little more difficult to set up.

cmetz

Platinum Member
Nov 13, 2001
jiajia2, you can't move more than 1Mb/s total through a 512k/512k line. For various reasons it might be good to have, say, 1.5Mb/s or 2Mb/s of available throughput in your box to make sure it's never the limiting factor, but fundamentally the connection is the bottleneck and so extra throughput on your VPN endpoint and/or firewall shouldn't change anything.

Different vendors do licensing differently. Some actually count IP addresses, so 10 IP addresses in the remote office make 10 "users" against the license lock. Others count tunnels, but if you're connecting one office to another, that's one tunnel, no matter how many IP addresses are on each side. I'd urge you to avoid vendors who do IP-address-based licenses (NetScreen does this); it's operationally annoying, plus it's just a way to suck more $$ out of you.

If cost is a serious concern, look at the Linksys BEFVP41. They are in many ways limited, but if they have all the features you need they do the job pretty well, and are significantly cheaper than the competition. SnapGear is Linux based and very, very friendly to the community: cool people, decent product. The box is expensive compared to the competition, though. NetScreen is well respected, but I don't particularly like their boxes, especially at the low end. SonicWall is more SOHO than NetScreen and has many of the same faults, but I think they're cheaper.

WatchGuard is the only vendor whose box I've had to do an emergency pull out of production. I refuse to work with them now. Their configuration interface is garbage (want to make a change? Gotta reboot!), and their box kept crashing under load from blocking worm probes. Simply unacceptable.

Remember that VPN boxes are subject to US export controls and generally cannot be shipped outside the US without government approval. You will be safest buying whatever you want to use in the country it's going to be used in, and you might find that the set of choices you have there is a lot different than the choices you have here.

jiajia2

Junior Member
May 30, 2001
Wow... thanks for the prompt replies... I think I am going to learn a lot from you friendly guys...

Sorry to ask...

1. So, to connect a Malaysian office to the head office in the US, the requirement is only ONE tunnel?

2. What is the max number of tunnels for then? So that users can VPN in from home or something (mobile, perhaps)?

3. Say there are 50 users in the branch, using 512kb ADSL, with only one IP (static or dynamic; I believe it does not matter, right, so long as the US side is static?). My only concern will be the user license itself?

4. Since there are only 50 users, can they all simultaneously VPN into the US side with only one tunnel?

5. And a firewall throughput of, say, 50Mbps and VPN throughput of 5Mbps will be more than sufficient to handle all needs? Do I need to consider any other factors?

azev

Golden Member
Jan 27, 2001
1. Normally you would connect branch offices with a single site-to-site VPN tunnel. This way both offices will always be connected.
2. The max number of tunnels is determined by the hardware, and by how many users will dial in to the VPN hardware. When a site-to-site VPN from Malaysia to the US is established, users at home in Malaysia can dial in to their office VPN and access data on the US network.
3. For VPN to work properly with fewer problems, a static IP is preferred; but dynamic can also work depending on the hardware. If you have 50 users, you need to get a firewall that will allow 50 users to connect. I vouch for cmetz's advice not to get those firewalls with IP licenses.
4. If you have enough client licenses on your firewall and at least 1 VPN tunnel license, you can let 50 people connect to your US office using one VPN tunnel simultaneously.
5. My point of view on VPN throughput is to get a firewall with equal or more (double) Mbps than your WAN connection.

cmetz

Platinum Member
Nov 13, 2001
jiajia2,

1. Yes.
2. Yep. Many low-end routers have something like a 5 or 10 tunnel max. They sell big, beefy VPN servers with 100/250/500 tunnel licenses as concentrators for lots of remote "road-warrior" / work-from-home users, each of whom has a tunnel. But you don't need that.
3. Yes. You really REALLY want a static IP address; dynamic addressing is a world of hurt with IPsec, and networking in general.
4. Yes.
5. Yes. Consider features and security, of course.

jiajia2

Junior Member
May 30, 2001
Thanks for answering all my queries so far...

So when some firewalls come with, say, 5000 VPN tunnels, they are meant more for companies that have a lot of employees who VPN in from outside: one tunnel per employee.

1. When I tried to ask for Cisco products, I was instead recommended to get WatchGuard. I was told that Cisco needs "a lot of parts" to assemble, or something like that?

I'll be calling in again to ask further now that I have more knowledge...
I thought the "many parts" would be
a. the firewall itself
b. separate user licenses?
c. additional software?

Please correct me if I am wrong.


jiajia2

Junior Member
May 30, 2001
Hmm... I've just seen the NetScreen specs.

1. What do you mean by max number of sessions = 2000? Does that mean that at any point in time, only 2000 users can be active behind the firewall? The user license may be unlimited, as the rest of the 2000 workstations might not be "on" at that time? Is this the way to explain sessions?

2. What I don't understand now is max number of policies = 100. Since this is listed below the max number of VPN tunnels, I guess that this means that at any point in time, only 100 users can VPN through the firewall?

cmetz

Platinum Member
Nov 13, 2001
jiajia2, "When I tried to ask for Cisco products, I was instead recommended to get WatchGuard. I was told that Cisco needs 'a lot of parts' to assemble, or something like that?"

If it were me (and I'm harsh ;) I would take that and not do business with them anymore.

A PIX 501 10 user (tunnel? I don't remember them doing any wacky per-IP stuff) with 3DES license bundle from CDW is like $420. I don't think you can buy anything from WatchGuard for that. And did I mention that the WatchGuard is a bad box? The PIX has its issues too, but I haven't had to pull one.

1. Probably refers to the number of simultaneous PAT flows; 2k is plenty for 20-30 average users.

2. In Netscreen's world, basically a policy is a tunnel.
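The replies above give several sizing rules of thumb: peak WAN load is upload plus download (cmetz), the box's firewall and VPN throughput should comfortably exceed that (azev's "equal or double" rule), a site-to-site link is one tunnel no matter how many users sit behind it while each remote "road-warrior" needs a tunnel of their own, and the "max sessions" figure caps simultaneous PAT flows. The following is an added sizing helper that ties those rules together; it is example code written for this page, not a tool from any of the posters or vendors named in the thread. The appliance figures, the 40-flows-per-user estimate and the sample office are all constructed assumptions.

```python
"""Capacity check for a small branch-office firewall/VPN appliance.

Added example, not from the thread.  It encodes the thread's rules of
thumb so a buyer can see which spec (throughput, tunnels, sessions)
would actually be the limiting factor for a given office.
"""
from dataclasses import dataclass

KBPS_PER_MBPS = 1000


@dataclass
class Appliance:
    name: str
    firewall_mbps: float   # inspection/forwarding throughput
    vpn_mbps: float        # encrypt/decrypt throughput
    max_tunnels: int       # concurrent IPsec tunnels licensed
    max_sessions: int      # concurrent NAT/PAT flows


@dataclass
class Office:
    wan_up_kbps: int
    wan_down_kbps: int
    lan_users: int
    remote_users: int         # road-warrior users, one tunnel each
    flows_per_user: int = 40  # constructed assumption for a busy user


def peak_wan_mbps(office: Office) -> float:
    """Peak load the WAN link can carry: upload plus download (cmetz's rule)."""
    return (office.wan_up_kbps + office.wan_down_kbps) / KBPS_PER_MBPS


def tunnels_needed(office: Office, site_to_site: bool = True) -> int:
    """One tunnel for the office-to-office link plus one per remote user."""
    return (1 if site_to_site else 0) + office.remote_users


def sessions_needed(office: Office) -> int:
    """Simultaneous PAT flows the LAN users are expected to open."""
    return office.lan_users * office.flows_per_user


def bottleneck(appliance: Appliance, office: Office) -> str:
    """Name the slowest element on the path for encrypted traffic."""
    wan = peak_wan_mbps(office)
    if appliance.vpn_mbps < wan:
        return "vpn engine"
    if appliance.firewall_mbps < wan:
        return "firewall inspection"
    return "wan link"   # the usual answer for a DSL office, as the thread says


def check_fit(appliance: Appliance, office: Office, headroom: float = 2.0) -> dict:
    """Per-spec pass/fail; headroom=2.0 is azev's 'double the WAN' rule."""
    wan = peak_wan_mbps(office)
    return {
        "firewall_throughput": appliance.firewall_mbps >= wan * headroom,
        "vpn_throughput": appliance.vpn_mbps >= wan * headroom,
        "tunnels": appliance.max_tunnels >= tunnels_needed(office),
        "sessions": appliance.max_sessions >= sessions_needed(office),
    }


# Constructed sample: a 50-user office on 512k/512k ADSL, no home workers,
# evaluated against a hypothetical low-end box with 2000-session capacity.
SMALL_BOX = Appliance("hypothetical low-end box", firewall_mbps=10, vpn_mbps=4,
                      max_tunnels=10, max_sessions=2000)
BRANCH = Office(wan_up_kbps=512, wan_down_kbps=512, lan_users=50, remote_users=0)

if __name__ == "__main__":
    print("peak WAN Mbps:", peak_wan_mbps(BRANCH))
    print("bottleneck:", bottleneck(SMALL_BOX, BRANCH))
    for spec, ok in check_fit(SMALL_BOX, BRANCH).items():
        print(f"{spec:20s} {'ok' if ok else 'INSUFFICIENT'}")
```

Adding 20 remote users to the same office leaves every throughput check unchanged but pushes the tunnel requirement past the 10-tunnel license, which is the situation the thread describes for road-warrior access: the licence cap, not bandwidth, becomes the thing to shop for.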