Personal VPN Appliance suggestions

Deeto

Hi All,

Newbie here looking for your advice. I'm helping a friend out with the network for his small company (<25 employees).

They have about a dozen workstations in the office all configured in a workgroup with a central server for file sharing and storage. They share the internet connection (business class cable with static IP) via a Linksys router and switch using NAT.

They want to be able to access the server's shared drive remotely, i.e. from home. They've been using Remote Desktop to connect in but I'm trying to steer them away from that. Basically, I was thinking they could get a personal or small business class VPN appliance for the office and connect in using the VPN client. Connecting into the office securely is critical.

I've been looking around and think I see a handful of potential devices, like SonicWall or ZyXEL, but I have no experience with this stuff. Can you provide me with some advice and recommendations on how you think we should set this up? Any product recommendations?

Thanks in advance!
 

drebo

A Cisco ASA5505 will work.

Alternatively, if the server is a real server (which it should be for >10 computers), it has the capability to do PPTP or L2TP VPNs. If they don't want to spend money, this is the way you should go.

If you want to do it the way that security experts say and use a perimeter-based VPN, then you'll need an appliance, like you stated. For that, I would recommend the Cisco ASA5505. Just don't use the 8.3 or 8.22 firmwares. 8.21 works great, though.

Oh, and whether you use Cisco or any other appliance, if you don't understand the basics of VPNs and subnetting and networking, save yourself a boatload of trouble and contract out to a professional to set this up.
 

Deeto

Thanks for the reply.

The server they use is a file server, nothing more. If I had been involved in their initial setup years ago, I would have recommended they use a NAS device instead. But they have the server so we figured they'd just keep using it.

The Cisco model you recommended seems like it might be overkill? They'll only need 1 or 2 concurrent VPN connections at any one time. It's really just to enable the owner to connect in securely from home at night and on the weekends.

I do understand networking and generally how this stuff works, I just need some recommendations on equipment. They don't want to break the bank using enterprise level stuff.

Thanks!
 

imagoon

Why exactly is Remote Desktop bad? "Home computers" + "VPN" should set off about 30 130 dB alarms. Home PCs are rarely properly antivirused / antimalware and are often accessed by many different family members. Work laptops connecting in is one thing, home PCs are a recipe for disaster. Now if your goal is to make $$ by supporting all the issues this generates and supporting all the broken home computers...

If these are work laptops then Windows Server does include built-in PPTP and L2TP support. PPTP is the least hassle but is considered less secure than L2TP. SSL VPN is also taking off now.
 

Deeto

Remote Desktop is not an efficient way to connect into a remote network for file access.

I am just helping them out, I'm not charging them anything. In fact, that's why we want to go with an appliance since it can be remotely managed. These guys don't know anything about server OSes and wouldn't be able to troubleshoot/maintain a Windows L2TP/PPTP configuration moving forward.

There must be a personal class VPN appliance out there for these types of situations.

I'm all ears for other product recommendations.

Thanks!
 

Cable God

Juniper SA700 for ~$700 then a user license pack for however many you need. It'll do everything you want and then some. Use the Network Connect feature, and enforce antivirus use/settings/updates in the policy. It's the easiest and safest way to do it the "RIGHT" way.
 

yuppiejr

http://www.dsl-warehouse.com/produc...d=251&osCsid=2490cb9b20908126749a3f9d0fed73bb

Draytek Vigor 2955 Dual WAN load balancer and SSL VPN concentrator - $450 shipped.

Probably a bit overkill, but at the price point you get a lot of value for the investment compared to the tier 1 and 2 providers (Cisco, SonicWall, Juniper, great products all). It's not as hairy as a "roll your own" Linux solution but doesn't nickel and dime you on features like most of the name brands will, particularly for VPN licenses.

The unit supports 50 x concurrent SSL VPN connections + numerous IPsec point-to-point tunnels (or direct IPsec VPN connections via their free IPsec client), the ability to add a second broadband connection for failover + load balancing if you ever need more juice, IPS/firewall/content filtering, QoS, etc. It's also pushing a 90+ Mbps throughput to the WAN which should be overkill for a while. :)

Astaro also makes a great free "pre-rolled" software-only firewall that allows business use of a single instance of their software for free that may fit the bill:

http://www.astaro.com/landingpages/en-worldwide-essential-firewall
 

RebateMonger

> The server they use is a file server, nothing more.

So what, exactly, is the server?

Also, to better understand the situation, you said 25 employees, but twelve workstations. Does that mean the employees share computers or does it mean that 13 employees don't use computers?

And how many employees IN TOTAL will need remote access to those files? You mentioned one or two simultaneous users. But how many total remote access users? Pretty much just the owner?

Has the owner or employees complained about using Remote Desktop? It's certainly the most secure way to access company files and by working on the files remotely, it often removes the need to transfer files back and forth across the Internet and avoids the whole issue of having multiple versions of the same file.

Finally, are the files of interest shared with all 25 employees? Or are they normally only available to a few people? If so, how many share access to those files?
 

Emulex

RDP rocks. A cheapo Chinese dual WAN router can handle 32 RDP easy - Draytek is just a fancy Chinese special (check out Edimax USA) or defunct Xincom/HotBrick. All the same junk, take a close look at all the screens.

RDP is quite secure - esp. with use of certificates - and you don't have to deal with the added overlay of VPN issues (packet loss, MTU, 3G) that can make VPN administrators cry.