Site to site VPN

azev (Golden Member, Jan 27, 2001):
I have a SonicWall 330 in our corp office. All the field/sales people usually dial in using the VPN software that came with the SonicWall to pull up documents on our server. When the sales people are at home, most of them have broadband. In the last few months we have been having a big virus problem, especially trojans. Next May we are upgrading everybody's computers and reinstalling all the software on them; this time we will remove their privilege to install non-company software.
I am also wanting to give them some firewall device to sit between their computer and their broadband modem. I would like to get them a SOHO SonicWall, but the cost is too much for the budget I have. I need something that costs no more than $150-$200 but will hopefully do site-to-site VPN from their home to the corporate office and protect them from hackers and trojans. Any suggestion on hardware that will solve my problems?
Any info is greatly appreciated.

Thanks

FOBSIDE (Platinum Member, Mar 16, 2000):
Are these different users that will each have their own firewall/VPN, or is this a group of users connecting to the same office VPN? You kind of confused me.

azev (Golden Member, Jan 27, 2001):
I have about 50 sales people who work from home. I wish I could create a site-to-site tunnel from their homes to corporate.

Originally posted by: FOBSIDE: Are these different users that will each have their own firewall/VPN, or is this a group of users connecting to the same office VPN? You kind of confused me.

Only one user per tunnel.

FOBSIDE (Platinum Member, Mar 16, 2000):
Can't you just use a hardware firewall/VPN box on the office side? You can create a login for each user on the box, and then you wouldn't have to worry about what's on the user side. Basically all the users at home can VPN through the box, which is the only way to access the server in the office. I don't like to use firewalls that require a per-seat license, meaning you pay per user connection. I know SonicWall is like that. Do you have to worry about different platforms connecting, or will it be all Windows?

azev (Golden Member, Jan 27, 2001):
Well actually, when I bought the SonicWall 330 it came with 200 VPN licenses and software. Currently all our users are doing exactly as you describe: they all just dial in to the box and connect from their WinXP laptops. I wanted to get some sort of firewall for these people who work from home so that they are protected, especially since we've been getting quite a lot of trojans on their computers. I was hoping I could find some hardware firewall that will protect them from hackers and trojans and will do a site-to-site VPN to my SonicWall.

spidey07 (No Lifer, Aug 4, 2000):
Azev,

This is a VPN's worst nightmare, and we all struggle to keep client PCs protected when using broadband. I use ZoneAlarm and Integrity Server to push personal firewalls to every machine, and it works great. YOU set the policy, and the user can't muck with it.

But before that you may want to think seriously about strong network-wide virus protection, something where the clients will automatically check with their virus server for updates periodically. Trend Micro works pretty well. I'd start on the anti-virus route first.

azev (Golden Member, Jan 27, 2001):
Well, I think our virus protection program is pretty decent. Before we had all this firewall stuff, everybody was using McAfee ASaP. That software package works great; it updates on its own and basically falls under the zero-administration scheme. When we got our firewall, I got a server-based antivirus (Norton Corporate Edition) to protect all the users in the corporate office and our mail server. We still have about 2 years of contract with McAfee, so I let the field users stay on McAfee.

I was hoping I could find some cheap firewall that will tunnel to my SonicWall at the corp office while protecting them from all the common attacks, especially hackers and trojans. I've heard about the software firewall you mention, but the price is out of our budget right now.

Out of desperation I was thinking about getting them each a Linksys BEFSR41 or BEFSX41. At the very least it will do some NAT-ing and protect their laptops from common attacks, and they can be a firewall endpoint (BEFSX41) or at least do PPTP passthrough (BEFSR41).

Well, I am still trying to find the best solution for this. If you have some ideas, keep them coming, guys! :)

Thanks

FOBSIDE (Platinum Member, Mar 16, 2000):
I know that in Windows (not sure which versions) you can set the network location to do VPN and disconnect all other network connections. When I connect to a VPN through my laptop, it signs me off Instant Messenger, I can't check mail, etc. That way my only connection is straight into the office VPN.

spidey07 (No Lifer, Aug 4, 2000):
azev,

The virus software should protect you from trojans, but that aside...

The Linksys will work; smaller SonicWalls would be ideal (IPsec between vendors is still spotty); Cisco PIX 501. They're all SOHO-based NAT devices, with the SonicWall and Cisco having firewall functionality. My vote is for the Cisco just because it is incredibly flexible.

gaidin123 (Senior member, May 5, 2000):
We are also wrestling with these issues right now. We're still in the testing phase, with a small number of users being our guinea pigs.

Right now we've ordered a bunch of the Linksys BEFSX41 since they were the same price as the normal BEFSR41s and seem to have better firewalling features, are working on anti-virus for the "at home" clients, and at least turn on the XP built-in firewall. I'm still worried about what will come out of the VPN tunnels onto our network, but it's either that or no off-site access, which just isn't acceptable to some upper management. It's really a losing situation for the IT department, but you do whatever you can to minimize the likelihood of being compromised.

We are working on the "no administrative rights" for the home users, but in some cases I doubt it will be possible; for most we should be able to do that.

Gaidin

azev (Golden Member, Jan 27, 2001):
Originally posted by: spidey07: My vote is for the Cisco just because it is incredibly flexible.

I agree with you, spidey, but my budget doesn't allow me to go for Cisco. I personally have a Cisco PIX 501 at my house.
I thought about getting a Cisco PIX 515, but *NEW* they cost so much. I went with SonicWall because I heard good things about them compared to other hardware firewall products at the same price. I really want to go with the SonicWall SOHO edition for each field user, but they cost $700 a pop, and that is far out of my budget.

Gaidin, why don't you let me know how your project goes! Btw, what kind of hardware firewall do you have for the central office?

Here's a silly question: is there such a firewall that will do point-to-point firewall only on demand? For example, you have 2 locations, 1 DC in each location with 10 users each. You want to create a tunnel only when the DC is synchronizing with the other DC; this can be domain info replication, DFS, etc. Either that, or have a static tunnel between the 2 networks, but I want every client on each network to access the internet directly, not through the tunnel or a proxy server.
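The on-demand, DC-to-DC-only tunnel asked about here is what a crypto access-list gives you on any IPsec firewall: IKE is only negotiated when a packet matches the list, and everything else leaves through the ordinary NAT/PAT path with no proxy and no tunnel. The following is an added example, not configuration posted by anyone in this thread; it is PIX 6.x-era syntax for the PIX 501 that spidey07 and azev mention. Every address (192.168.1.0/24 and 192.168.2.0/24 for the two LANs, 192.168.1.10 and 192.168.2.10 for the two DCs, 203.0.113.1 and 198.51.100.1 for the public sides, 203.0.113.254 as the ISP gateway) and the pre-shared key are placeholders assumed for the example, and the `!` lines are annotations.

```cisco
! Site A PIX 501 (inside 192.168.1.0/24, DC 192.168.1.10, outside 203.0.113.1)
! Peer: Site B PIX 501 (inside 192.168.2.0/24, DC 192.168.2.10, outside 198.51.100.1)
! All addresses and the pre-shared key below are placeholders (assumed for this example).

! "Interesting traffic": only DC-to-DC packets bring the tunnel up.
! permit ip rather than specific ports, because AD replication and DFS use
! RPC on dynamic ports as well as the fixed LDAP/SMB/Kerberos ports.
access-list dc-sync permit ip host 192.168.1.10 host 192.168.2.10

! Exempt the tunnelled traffic from NAT so each DC sees the other's real address...
nat (inside) 0 access-list dc-sync
! ...while every other inside host is PAT'd straight out the outside interface
! to the Internet, never through the tunnel or a proxy.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
route outside 0.0.0.0 0.0.0.0 203.0.113.254 1

! Let decrypted IPsec traffic bypass the outside interface access-list.
sysopt connection permit-ipsec

! Phase 2 (IPsec): ESP with 3DES and SHA-1 HMAC (use AES where the image supports it).
crypto ipsec transform-set dc-set esp-3des esp-sha-hmac
crypto map dc-map 10 ipsec-isakmp
crypto map dc-map 10 match address dc-sync
crypto map dc-map 10 set peer 198.51.100.1
crypto map dc-map 10 set transform-set dc-set
crypto map dc-map interface outside

! Phase 1 (IKE): pre-shared key bound to the peer's public address.
isakmp enable outside
isakmp identity address
isakmp key PLACEHOLDER-PSK-CHANGE-ME address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
```

Site B gets the mirror image: the two hosts swapped in the access-list, `set peer 203.0.113.1`, and the same pre-shared key against 203.0.113.1. Because the SA is negotiated only when a packet matches `dc-sync`, `show crypto isakmp sa` and `show crypto ipsec sa` show nothing until the first replication attempt; the SA is torn down when its lifetime expires, not on idle. The security point of keying the tunnel on host addresses rather than whole subnets is that a compromised client at either site has no path across the tunnel at all, which is the concern gaidin123 raises about what comes out of VPN tunnels onto the corporate network. The usual caveats apply: both sides still need working name resolution for the remote DC (which the DCs can provide to each other through the tunnel), the PIX 501's user-count license must cover the inside hosts at each site, and, as spidey07 notes, mixing IPsec vendors on the two ends is where interoperability trouble tends to start.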
 

Daniel (Diamond Member, Oct 10, 1999):
Originally posted by: azev: I really want to go with the SonicWall SOHO edition for each field user, but they cost $700 a pop, and that is far out of my budget.

Have you looked at the SonicWall Tele3 series? Maybe I'm misreading their specs, but it looks like it could work and be cheaper than the SOHO3 models.

azev (Golden Member, Jan 27, 2001):
How about a WebRamp 700 for a client? They seem to have the same operating system!