
I support a small office (15 users, ActiveDirectory, Windows 2008 and Windows 7). We've been using LogMeIn Hamachi for VPN, to enable our remote users to get to the file shares from home. It's been working fine, as our performance needs are small.

As more users come online, I'm starting to look at other solutions. What should I consider when weighing the cost for something like the SonicWall NSA 2400? What does that extra $2450.00 get us beyond the $50.00 I'm paying for Hamachi? Is an appliance like this overkill for a small office?

Update 1: This is a little different than the question "Hardware firewall vs VMware firewall appliance", which distinguishes between a hardware appliance and a VM-based (but still dedicated) appliance. We're using neither of those currently.

Update 2: The answers to the question "Why buy high end hardware firewalls?" do provide some good reasons, my favorite being "paying to have someone to blame."

Lemur
  • possible duplicate of [Hardware firewall vs VMware firewall appliance](http://serverfault.com/questions/401440/hardware-firewall-vs-vmware-firewall-appliance) – ewwhite Jun 01 '13 at 00:21
  • possible duplicate of [Why buy high end hardware firewalls?](http://serverfault.com/questions/190712/why-buy-high-end-hardware-firewalls) – Wesley Jun 01 '13 at 05:38
  • This doesn't really answer your question, but my three recommendations for software firewalls are: http://www.untangle.com, http://www.clearfoundation.com/Software/overview.html, and http://www.pfsense.org. – spuder Jun 01 '13 at 05:59
  • 1) Support. 2) Probable acceleration (ASICs for AES encryption, TPM integration). – Tom O'Connor Jun 01 '13 at 22:37
  • @spuder: Not a direct answer, but does give me a couple good alternatives. Thanks! – Lemur Jun 02 '13 at 19:08

2 Answers

I prefer to have a hardware VPN endpoint. If I were to use a software-based VPN running on a commodity server (or virtualized), it would probably end up running on hardware more expensive than the all-in cost of an appliance solution...

I'd go with something in between, though...

The $500-$700US Cisco ASA 5505 can support 25 VPN clients, has good mindshare and is rock-solid. It integrates with Active Directory for authentication and has a nice SSL VPN option in addition to the traditional IPsec client.

I don't think I'm alone in having had production trouble with Sonicwall devices. Expensive, sometimes unstable and definitely not the go-to option for the engineers I know.

ewwhite
  • +1 - My experience with Juniper SRX 2xx's and Cisco ASA 55xx's is good, as well. I'd add you should be careful deploying any hardware VPN device if your environment is one with any BYOD. Especially if they happen to use a non-standard OS like Solaris. Even just Mac OS X, sometimes. Most Cisco and Juniper devices, for instance, either do not provide standards-compliant VPN technology (like IPsec or, ugh, PPTP) - or they do, but only for extra $$. They want you to use proprietary clients and then don't provide those clients for Linux or Mac or Solaris, etc., or those clients cause problems. – Nex7 Jun 01 '13 at 06:23
  • That's a good point; it's a good idea for us to review the list of devices we want to support beyond the Windows ecosystem. Do devices from these vendors typically provide clients for iOS or Android systems? – Lemur Jun 02 '13 at 19:06
  • @Lemur The Cisco ASA IPsec solution is pretty standard. I've never had issues connecting across platforms. It supports the native clients built into Mac OS X and iOS devices. Windows support is fine via Cisco AnyConnect and the Cisco VPN client. Linux support is available through [**vpnc**](http://www.unix-ag.uni-kl.de/~massar/vpnc/). I'm pretty sure there's an Android option. – ewwhite Jun 02 '13 at 19:13

Appliances can offer better performance because they use ASICs and a special purpose operating system. OSes such as Linux and Windows are general purpose operating systems. They are designed to be able to perform all sorts of different tasks and run all sorts of different kinds of software. As such, they make compromises, sacrificing pure speed for broad compatibility.

Hardware appliances don't make those compromises.

On the other hand, computers are very powerful these days. VPN software loaded on a general purpose OS like Windows or Linux is... can be... more than capable of serving the needs of a small office.

Ryan Ries
  • _Some_ hardware appliances don't make those compromises. Others are just Linux boxes with a vendor's logo slapped on them. – Michael Hampton Jun 01 '13 at 00:21
  • @MichaelHampton Point taken. – Ryan Ries Jun 01 '13 at 00:29
  • Performance is important, but isn't enough on its own to consider moving for. Any additional details on the different tasks and software you mention that might make it worth the cost? – Lemur Jun 01 '13 at 01:13
  • It depends on your needs, and what you already have. If you already have a good server hanging around not doing anything, then making it into a VPN endpoint might be a good idea. If you have no gear on hand and are looking for a solid, turn-key solution quickly, then your best bet will most likely be an appliance. That is why both things exist - because there is a time and a place for both things. – Ryan Ries Jun 01 '13 at 04:14