Suggestion on a good VPN solution to go with a Cisco PIX firewall

Santa

Golden Member
Oct 11, 1999
We are in the process of getting a PIX firewall solution installed and were wondering if anyone out there has had experience with the Cisco VPN 3000 or 5000 model. We were probably looking for a modular solution that can be expanded beyond the initial 100 that it might come with.

Other VPN solutions that you might be using in conjunction with a Cisco PIX are welcome also, but we are mostly a Cisco shop and would rather stick with Cisco. We were entertaining the idea of Checkpoint's solution, but since we would need to purchase a server to go with it, we weren't sure.

Any input would be appreciated. Cost is a pretty big issue.
 

tim0thy

Golden Member
Oct 23, 2000
I would think a server would cost less than a PIX, since you will have to buy the OS from Cisco as well, and cables; it could get pretty expensive.
 

nexus9

Senior member
Jan 8, 2000
Cisco recently bought a company called Altiga, which makes a VPN box. We got one in as a demo, and it was very easy to set up. I've also worked extensively with Checkpoint Firewall-1; two things to watch out for from Checkpoint:

1. Their licensing sucks. You have to get licenses from them for EVERYTHING, and it's a real pain in the butt.

2. If you go with Checkpoint, be careful what reseller you buy from. We made the mistake of buying through Cabletron, and they totally suck. They don't know the product, and have a really bad relationship with Checkpoint.

3. If you go with Checkpoint, consider buying dedicated hardware from Nokia (IP440/IP650, etc). These boxes are really sweet and have stuff like BGP and VRRP which make load balancing and fault tolerance pretty painless.

-Nexus9
 

Santa

Golden Member
Oct 11, 1999
We liked the idea behind Cisco's licensing, whereby there is an unlimited client license and the maximum concurrent connection count depends on the VPN box.

Those boxes that you mentioned...

<< Nokia (IP440/IP650, etc) >>

are they servers?

If we did do Checkpoint, MCI/WorldCom (our frame provider) would probably be our support and initial configuration contact.

Nexus9: Which would you say is easiest to set up and less hassle to keep up, Checkpoint or the Altiga/Cisco VPN models? Which works best with the Cisco PIX? Are you running Cisco's PIX or Checkpoint's firewall?
 

5dollahoe

Member
Jul 14, 2000
If you have any Linux/Unix experience, use an open-source solution. VPN in Linux is EASY. If you're the Windows-type admin, you might try L2TP between a Windows 2000 box and nearly any Cisco router. I know an L2TP VPN can be established with a Cisco 2500 and any number of VPN clients. That means remote users on laptops running Win2000 can remotely access files.

If you need further advice, drop me a line and we can set up some remote configuration services or something like that. Obviously, if you're looking for a solution like this you run a large network. No consulting fees for emailing me.

Email me.
I'm a CCNA and self-proclaimed jack-of-all-trades.
 

Santa

Golden Member
Oct 11, 1999
First off, thanks for answering and for any advice you may provide, 5dollahoe.

We are predominantly a Windows shop. Too much training to go towards the Linux/*nix route at this moment. I thought about that as an issue, but after playing around with the configurations at home I wasn't sure how to integrate it into a firewall well enough (which ports to forward, etc.).

If we went with the PIX and, say, a Cisco solution, they would set all that up and give us formal training. I was also concerned about how you said that Win2k machines can log in remotely (can Win9x and ME log in?); these will probably be the predominant machines in remote locations.

I thought what MS wanted for security and what they push in Win2K was PPTP? L2TP is also an option? How do you get VPN clients for the client machines connecting up?

What would you say is a machine powerful enough to run as a stable and reliable VPN machine? Most likely a Dell rack system is what we are looking at.

Question about Cisco routers: Should the routers such as the 2500 have the VPN module, or is there a module that it needs so that it will connect automatically? This could reduce cost in terms of types of network connection (DSL/work cable vs. frame relay). Also, has anyone worked with the Cisco 1720 Modular Access Router? This might be a nice router that seems to have VPN capabilities built in and would be a nice small modular router for a smaller office.
 

5dollahoe

Member
Jul 14, 2000
I'm not certain what Microsoft "recommends", but nearly any MS-implemented security is less robust than a dedicated machine (like a Cisco router). Bear in mind any machine you use as a VPN server will be entirely exposed to the internet. You could do port forwarding to the VPN server at your edge router. Then only that port would be exposed.

In my networks I use Windows only as an internal server. I suspect Win2k Server has a VPN solution similar to RAS (over modem) for NT4. However, exploits pop up too quickly for my taste to run Windows fully exposed to the internet.

Here's a TechNet reference for MS and Cisco interoperability.
Technet Article

MS claims a PIX with the newest IOS will do the same thing as other routers.
Technet on PIX
This may be ideal, since you keep one core router/firewall and everything still goes through it.

About capable machine hardware, I suspect anything in the P3 class range with decent I/O (fast SCSI or maybe a small RAID array) will do.

From my understanding, no special hardware is required to implement VPN. You should only need an IOS that supports it. If your PIX is fairly new it should; if not, contact Cisco for an upgrade image.

What version of Cisco's PIX firewall do you have?

Do you run Windows 2000 on your network, or a mix of NT4 and some Win9x machines? I don't think Win9x supports PPTP or L2TP, but I'm not certain.

BTW, Linux requires little training on the sysadmin's end. Just burn yourself a copy of the newest Linux, sit down and install it, play with it for days, and read as much as you can. I've only been using it since last May. Besides, lots of nice Linux gurus, and novices, will gladly try to help you with learning the Linux trade.
 

Santa

Golden Member
Oct 11, 1999
Great links there, 5dollahoe; they were very helpful. I will need to do some more research if I am to think about a *nix solution. In your setup are you using a hardware firewall and a *nix VPN solution? If so, given your statement that security is a very key issue, do you still have your VPN server outside the firewall?

We are probably looking at the PIX 515, for it seems to fit our enterprise the best.

I saw this quote while I was there and wasn't sure what it meant...

<< All four Cisco Secure PIX Firewall models have IPSEC encryption built-in, permitting both site-to-site and remote access VPN deployments, and operate on a hardened operating system focused on protecting both the security of the device and the networks it protects. >>

Now I thought the PIX itself couldn't create the VPN link. I thought it was able to work with a VPN server to create a site-to-site link. If the PIX itself can create the link, what is the point of having a separate VPN server or VPN device?

To the best of my knowledge the PIX was just a standalone firewall solution..
 

CTR

Senior member
Jun 12, 2000
The PIX 550 works great with IPSec. The Windows IPSec client software is free, so that makes it the cheapest VPN solution, eh? My company has been running a VPN in this configuration for about 8 months now with no problems. Currently we are only doing about 100 IPSec sessions, since we are serving about 3000 users from behind this one PIX. Once we get another firewall (probably Checkpoint) we are going to ramp up the VPN project and dedicate the PIX to it.

Two things you haven't mentioned that might generate more responses:
1. How big will your VPN be and how will it need to scale in the next 2 years?
2. How many internal connections are you going to be pushing through your PIX?

 

Santa

Golden Member
Oct 11, 1999
Connection size:

Site-to-Site Tunneling
Now: 3-5 branches
2-years: 5-6 branches

Client-to-Site
Now: 25-35 concurrent users (user base of around 100-150)
2-years: 100-150 concurrent users (user base of perhaps 500-1000)

Why would you go with a software-based firewall solution if you already started with a PIX? Problems? Issues? We will also be hosting about 500-1000 users behind the firewall.

So you're telling me that the PIX 550 is a firewall/VPN solution in one package? What's something like that run on average? We were looking at around 20-23k for the Cisco PIX and a Cisco VPN solution that we priced out ourselves, but if you're saying that the PIX will handle VPN connections as well, why would they sell a separate VPN device? Security?
 

CTR

Senior member
Jun 12, 2000
Heh... don't get me started on Cisco sales tactics. They have bought so many companies that they don't know what to sell anymore. Tell your VAR you want to terminate IPSec sessions on the PIX 550. See what they come up with as far as price. You will also need to upgrade your remote routers to IPSec feature packs, unless you have already done so. So there is some hidden cost here. But IPSec is extremely secure.

We're moving to Checkpoint for one main reason: we're tired of administering the firewall for the Unix guys -- adding hundreds of conduits and such for their servers. If we go to a software firewall, then they have to do the administration themselves. Checkpoint is also a really good firewall and should scale better with the hardware we have budgeted for it. We're supposed to have like 6000 people hired by the end of next year. Honestly, our PIX is being over-used right now, but it is hanging in there.

The 550 will handle the VPN stuff you described, and 1000 customers is definitely doable. In the worst case you can always buy another 550 when this one starts to choke.
 

Santa

Golden Member
Oct 11, 1999
lol, yeah, that's what I feel like while looking through the list of products they provide. Seems like a lot of their hardware does different things. I am going to see if I can get a quote on the PIX 550 and perhaps run with that.

I just did a search on their site for PIX 550 and came up empty. Do you know of a direct link on their site, or another site that has this device?
 

nexus9

Senior member
Jan 8, 2000
We are running Checkpoint Firewall-1 on our Nokia boxes. This is both the firewall and the VPN (although it doesn't have to be both). The Nokia is dedicated hardware/operating system that runs Checkpoint and has a lot of routing and redundancy features like VRRP, BGP, etc. Checkpoint is very easy to administer after you set it up. The Altiga was easier to set up initially.

-Nexus9
 

Santa

Golden Member
Oct 11, 1999
When talking to our VAR, he said that he has not heard of the 550, and doing searches throughout the net I didn't see any 550. He asked if it is the 520 I was thinking about. I asked him in turn what he recommends. Can someone verify there is such a device?