VPN question... i am clueless

santz

Golden Member
Feb 21, 2006
I have hired a small company to buy and set up a server with
1) Windows Server 2012 and
2) five Microsoft Windows Terminal Server CAL licenses for remote connection.

This is to establish VPN connections from outside to access the server. He is pushing me to buy something like a "SonicWall" or a "Fortigate 40C", which would require me to pay for 5 licenses with a yearly license renewal to (SonicWall/Fortigate) to keep the connections.

I already have an Asus RT66U router which has a built-in VPN server.

My question is:

1) Would the ASUS router not be able to do the job sufficiently, i.e. set up a VPN server so that remote clients can connect to the server?

2) Why is my contractor pushing me to get a SonicWall firewall / Fortigate? Do they have more features/security, like a better firewall? And

3) Why do these companies (Fortigate/SonicWall) charge annual license fees?

Any help is truly appreciated.

smakme7757

Golden Member
Nov 20, 2010
You start by defining specifically what your security requirements are.

As an example:
Requirements:
1. Need remote access
2. Has to be secure/encrypted
3. Want a stable connection
4. Want software which is easy to use

Risk acceptance:
----------------------------------
1a) Cannot afford a break in
1b) Can afford a break in

2a) All Data is confidential
2b) Some data isn't confidential

3a) Possibility of attack is high
3b) Possibility of attack is medium
3c) Possibility of attack is low
----------------------------------
Answering simple questions like that will allow you to better gauge your requirements. You don't even have to understand the technology once those questions are answered.

The Fortigate 40C is a Unified Threat Management (UTM) system, meaning that it covers a larger range of attacks above and beyond what your standard firewall will achieve alone.

I haven't read the marketing info, but as a guess it will have:
* Anti-spam
* Intrusion detection/prevention
* Most likely its own VPN service
* Network-based antivirus
* and so on.

It's essentially an "all in one" box to cover most critical aspects of a network. It will then sit at the front of your network and monitor everything that goes in and out. Depending on your current attack profile it might or might not be worth the money, but you have to define your attack profile to know if it's worth the investment or not.

The biggest problem is that these devices require networking know-how to configure them, so unless you can manage it yourself you will be bound to that company to service and configure the device to your needs. I guess the moral of my long-winded story is: only buy the product if you feel you need it. Otherwise a Windows VPN behind your ASUS NAT router will most likely be enough security.

The salesman will push everything possible to sell to a customer. The fact that you have said "security", but haven't given him any constraints, leaves him open to push more products than you might actually need.

Mushkins

Golden Member
Feb 11, 2013
If you're hiring a consultant and buying server hardware but only have/need five licenses, I'm assuming this is for a business. I would not personally rely on a SOHO router like the Asus N66U to meet your security needs. You're clearly looking to move up and are expanding your infrastructure; it doesn't make sense to undersell your needs, but only you can assess how secure your data needs to be.

The Asus N66U will let you configure these connections, but you may need a custom firmware like DD-WRT/Tomato for the advanced functionality.

A device like a SonicWall is not just a router, it's a network security appliance. It can do active intrusion detection, enforced client antivirus, content filtering, advanced routing, VLANs, point-to-point VPNs (if you ever have multiple offices), individual secure VPNs, and a whole slew of other things that the Asus can't handle. It's also considerably more powerful hardware, able to handle all of these advanced features while supporting business-level throughput. For example, I'm using a SonicWall NSA 240 in an office of nearly 60 people with all those features enabled. I wouldn't try to hook up 60 people to that SOHO Asus *without* those features; it would slow to a crawl or lock up :)

The annual licensing can be a pain; some vendors use this model, others don't. They sell the devices for a lot cheaper than the one-and-done companies (an entry-level SonicWall TZ 205 is like $200). The good news is that you can pick and choose which services you actually need to reduce costs, and they're fairly affordable even for small businesses. But the big thing is the 24x7 customer support. You have *any* problem with the device and you can call SonicWall support directly and they'll help you out. That includes configuration help. It's no substitute for an on-site expert for serious issues, but for stupid small stuff it saves you a call to your IT vendor that's going to ding you the cost of 2 years of that SonicWall support to come out and do it :)

Remember, it's better to have a little more security than you need than a little less security than you need, especially if you're in a regulated industry like healthcare or insurance.
Cerb

Elite Member
Aug 26, 2000
1) Would the ASUS router not be able to do the job sufficiently, i.e. set up a VPN server so that remote clients can connect to the server?
Yes and no. Yes, it can. No, it won't be fast enough as you add clients, assuming your internet connection is not too anemic. No, it won't be able to incorporate any additional network protection beyond just being a dumb firewall--at least not without becoming very slow, for whatever it may have sufficient flash and RAM for.

2) Why is my contractor pushing me to get a SonicWall firewall / Fortigate? Do they have more features/security, like a better firewall?
Used to those, probably, compared to what else is out there. A cheap x86 box with any number of Linux firewalls, or pfSense, would also do the job as well and cheaper. But you'd have to find someone to set it up and support it.

3) Why do these companies (Fortigate/SonicWall) charge annual license fees?
To make money. Just selling parts and going break-fix and service calls makes for highly irregular income. So they sell devices relatively cheap, often at cost or less, and make money on the ongoing licensing.