Just looking for a simple SSL VPN/firewall possibly with WAN failover. Is it possible to buy something for around $1,000?
It’s for an office of 11 people, I’m not onsite all the time, so high uptime and reliability is greatly desired.
pfSense with OpenVPN? Cost: free + whatever hardware you need
Sonicwall TZ 105 or 215.
http://soekris.com/products/net4501-1.html
That plus Gentoo + iptables or (Free|Open|Net)BSD + pf, and OpenVPN would work perfectly for what you want. You could even buy two to keep one on cold standby (closet).
Obvious 100M limitation is in place. Can increment to more powerful models as needed and still remain under budget.
The deluge of people saying ‘open source software, free FTW’ reminds me of something I keep having to repeat at work: but it has to live somewhere. This is a critical device, am I going to throw it on an old computer? Then it’s very prone to hardware failure. Plus I have to find a place in my rack or server room to put it. It needs an appropriate sized UPS and I need to have a recovery plan in place (what happens when power supply capacitors start bursting?). Throw it on an old server - fine if I have an old server, but I’m going to have to spend some time checking the server and making sure it’s in good shape. Fans OK? What is the power consumption compared to a standalone router device? If I’m reviving an old server, do I have room for it in my rack/server room and can the UPS handle it or do I need to upgrade the UPS? Throw it on a virtual machine, fine if I have somewhere to put it but I’m going to have to choose carefully, given that a server outage means a network outage.
VS throwing a small boatload of money at Cisco, having an appropriate piece of equipment in my network rack and moving on with my life.
Understood that not everyone has the boatload of money, but OP has a $1,000 budget. Buy the appropriate device and with the time and heartache saved (s)he can move on to the next job.
Cisco ASA 5505 - $550 to $1000, and you can set up WAN failover: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806e880b.shtml
I’m fond of Juniper SRX100H’s for small deployments with those requirements you listed. Looks like the SRX110H’s have come down a bit in price, too.
Juniper likes to advertise different licenses for the lower-end SRX models like AV, anti-spam, etc. Just say no. Dynamic (SSL) VPN works well on an SRX100H, though.
You might also want to try Vyatta. Very powerful firewall that can run on x86 hardware.
Fortinet FortiGate
Fortinet has dominated the Unified Threat Management device class for a long time.
http://www.computerlinks.dk/FMS/19821.gartner_magic_quadrant_for_unified_threat_manage.pdf
A FortiGate 60c runs for less than $1000.
http://www.newegg.com/Product/Product.aspx?Item=N82E16833269031
FortiGate SSL VPN does not require client licenses like many other firewall platforms.
Fortinet has a vast array of products.
http://www.fortinet.com/sites/default/files/basicfiles/ProductMatrix.pdf
WAN failover? Not sure what you mean, but FortiGates also support network load balancing.
Watchguard’s new boxes support this.
OpenWrt with OpenVPN = extremely easy to use IMO.
Does anyone have an opinion on pfSense with OpenWrt?
Look into a small Fortigate. It’ll do exactly what you want for under your budget.
Forget SonicWALL, get a NETGEAR DUAL WAN GIGABIT SSL VPN FIREWALL
FVS336G (http://www.netgear.com/business/products/security/wired-VPN-firewalls/FVS336G.aspx) I have them installed at dozens of clients, they’re rock solid and less than $210 on Amazon.com.
Kerio Control is excellent for small business. You can get it as a VMware VA or there are 2 hardware boxes you can purchase from a Kerio reseller (a small shelf mounted box) or a 19" 1U rack.
The Kerio SSL VPN is excellent. Their support is brilliant also. Can hook into AD/OD if you want it to - QoS, VLANs yadda yadda.
Edit: Comes with 4 configurable interfaces on the small box (supports WAN load balancing/failover).
Cisco 5505 ASA. Best bang for your buck. Top of the line Cisco equipment, none of the bullshit Netgear/SonicWall/Fortinet crap. Cisco w. unlimited user pack is $550 at Newegg. This includes unlimited standard encrypted IPSec VPN using the Cisco VPN client.
Cisco 5505 ASA with 10 SSL VPN Peers includes 10 SSL VPN and Cisco’s AnyConnect for 10 concurrent users (no need to get the 25 pack if you only have 10 users, not everyone will be on the VPN all at one time).
$1300 at newegg ASA5505-SSL10-K9
http://www.newegg.com/Product/Product.aspx?Item=N82E16833120074
Untangle’s OpenVPN module is also ridiculously simple to set up and very robust.
OpenVPN is pretty straightforward and easy to set up. Do it via a virtual machine or old hardware, you don’t need much to make it work.
VPN is so rudimentary nowadays that paying for a VPN appliance is silly, it’s like buying fool’s gold.
Second this. pfSense is unbeatable. For the size office you’re asking it’s perfect. You can configure it for regular user/password or radius authentication.
If you do this, remember:
At least with the commercial solutions the answers to these are a little bit clearer, as is the support path.
Don’t you have to pay extra for the SSL VPN option?