VPN Concentrator help

Hi.
I'm looking at getting a VPN Concentrator for our network here at work.
Now, I've identified a Netgear SSL312 as the one that offers the most value for money. However, it appears to need to be behind a firewall or proxy to function securely, which isn't an option here, as our firewall/proxy is also a VLE, and putting a VPN concentrator between that and our network isn't a good idea, as it would lower the bandwidth to the VLE for our network to 100meg.
So i was thinking of having it outside of the network, with it behind another dedicated firewall.
The problem is, that this other firewall HAS to have a specific external IP to be set for it to connect to the net.

Does anyone know of one that would do the job?

Thanks in advance all. :).
 
I'm a little confused here, why does the second firewall have to have a specific IP address? Are you saying you can't just get a static IP from your ISP? I know it sounds a kludge, but can't you set the VPN and firewall into a DMZ created on the first router?
 
This isn't a home project.
Our internet connection here at work relies on a device on our end 'managing' this connection, with a specific external IP that must be set manually.
Traditionally, this has been our ISA Proxy. From wednesday onwards, it'll be a linux based VLE doing web filtering/proxying.
But in order to keep full bandwidth to our VLE from the local network, I'm going to have to have the VPN Concentrator on the 'outside' of the VLE, with a firewall between the VPN Concentrator and the actual net connection.
Example:

Local Network-->VLE Proxy/Web Filter-->VPN Concentrator-->Firewall-->Internet.
 
I would put the external interface of the VLE and the VPN connected directly to the FW. Then the internal interface from both connected to the LAN
 
So have two routes in and two routes out?

Willing to do, but I still need to find a firewall that allows me to set external IPs.
 
The Concentrator isn't a route out. It's only a route in. Any external PCs that VPN to it will still use the VLE as their default gateway.

I'm not sure what you mean about the firewall... most firewalls I know will let you set the external IP address (sidethink has listed 2 very good examples).
 
Like a Pix or a Netscreen?
Are they two firewall products/devices?
A concentrator routes traffic both ways. If it didn't, then why are most of them devices that sit between the internet and an internal network?
 
Yes, Pix manufactured by Cisco, Netscreen by Juniper.
Although thinking about it, why do you need another firewall? Can't you just plug both the VLE and the VPN into the router, then assign each an IP from your public address pool?
Ok, maybe I wasn't making myself clear. Devices on the LAN don't see the Concentrator as a gateway. To most LAN devices, the concentrator just looks like another device on the network. When an external device is connected to the concentrator, a virtual IP is established; this is used by the external device to communicate with devices on the network.
 
Because the VPN concentrator will be sitting outside the VLE.
The full gigabit link from the VLE to the rest of the network is needed.
The 'thing' that we plug our internet in is a router from county, that requires the traffic from our network to come from/to a specific IP, which our current ISA server has.
So what we'd do is have the edge of our network, the bit that plugs into 'the internet' to be a firewall to help protect the VPN Concentrator, which would also shield the VLE.
So the setup would be:
Internal Network --> Primary Network Switch --> VLE --> VPN Concentrator --> Firewall --> Internet.

True, but there's still that 'alternative' path that could compromise our network. The VPN Concentrator we're thinking of getting is a dumb one, no firewall, no NAT.
So sitting it behind a firewall gives us that protection.
 
You could replace these 3 tasks "VLE --> VPN Concentrator --> Firewall" with a single SonicWall box, say a Pro 2040 (1u rackmount, unlimited nodes). You have an option for content filtering web traffic (along with anti-virus, anti-spyware and IPS) but you would lose the proxying functionality. If that's important, the SonicWall will do the job of VPN termination and firewalling in a single appliance (unless you want SSL-VPNs)

You'd set the WAN port of the SonicWall to have the required IP your router expects. This could then terminate either site-to-site (firewall to firewall) VPN tunnels or software client VPNs (SonicWall have their own VPN client software which is easy to configure).

Does your internal LAN run a different IP scheme to the IP required by the router? Did you run the ISA box as dual-homed? Answer this and I can draw it up for you if needed.

What's your budget for the firewall / VPN box?
 
SonicWall isn't exactly cheap.
I was looking at this £200 VPN Concentrator + £200 for a VPN Firewall.

The VLE Web Proxy/Filtering went in this morning.
 
Have a look at this picture: http://www.netcraftsmen.net/welcher/papers/fig200407b.gif

Your VPN concentrator should be in your dirtynet, behind the router, physically in the same network as your firewall. To do this you will need a secondary IP address from your provider. If you don't have a block of IP addresses you will probably have to get a new set of IP addresses.

Then traffic should be routed from the VPN concentrator to the firewall into the network.

Ideally you should setup a VLAN for VPN traffic and rules on the firewall to lock down the access to the internal network for VPN users. Don't treat them as internal network users. (ideally)

You should not route any traffic going out of your network via the firewall through the concentrator. It should not in any way affect the bandwidth for the rest of the network at any point.

Alternatively you can get a firewall that will do all VPN concentration work built in. You should only need a VPN concentrator for 100 users or over.

Some Linux based firewalls have VPN features built in, and because they are "standard" PC hardware have a lot more CPU processing power to handle VPNs than a small firewall router. This is relevant because VPN concentrators are only really needed if your firewall can't handle the CPU load of VPN connections.
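The two points made in this thread that are easy to get wrong in practice are (a) that the concentrator is not a gateway for LAN hosts, so it cannot eat outbound bandwidth, and (b) that VPN users should land on their own VLAN with the firewall restricting what they can reach. The following is an added example, not code from any poster or from the Netgear or SonicWall products: a small standard-library Python model of that placement. It performs longest-prefix-match route lookup as a LAN host would, and evaluates a first-match firewall policy for the VPN VLAN with an explicit default deny. All addresses, hosts and ports are constructed for illustration.

```python
"""
Added example (not from the thread): a model of the suggested placement.

Constructed topology:
  LAN             192.168.10.0/24, default gateway is the VLE (192.168.10.1)
  VPN client pool 10.99.0.0/24, reachable via the concentrator's LAN leg (192.168.10.2)
  VPN VLAN policy: clients may reach the file server on 445/tcp and the RDP
                   host on 3389/tcp; everything else from the pool is denied.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# --- routing as seen from a LAN host (constructed table) -------------------

LAN_ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "192.168.10.1"),    # VLE: default gateway
    (ipaddress.ip_network("192.168.10.0/24"), "direct"),     # on-link
    (ipaddress.ip_network("10.99.0.0/24"), "192.168.10.2"),  # VPN pool via concentrator
]


def next_hop(dst, routes=LAN_ROUTES):
    """Longest-prefix match: the most specific matching prefix wins."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in routes:
        if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]


# --- firewall policy applied to the VPN VLAN (constructed rules) -----------

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None matches any destination port
    action: str             # "allow" or "deny"


VPN_POOL = ipaddress.ip_network("10.99.0.0/24")

# First match wins, so specific allows come first and the deny-all sits last.
VPN_POLICY = [
    Rule(VPN_POOL, ipaddress.ip_network("192.168.10.20/32"), "tcp", 445, "allow"),   # file server
    Rule(VPN_POOL, ipaddress.ip_network("192.168.10.30/32"), "tcp", 3389, "allow"),  # RDP host
    Rule(VPN_POOL, ipaddress.ip_network("0.0.0.0/0"), "any", None, "deny"),          # default deny
]


def evaluate(src, dst, proto, dport, policy=VPN_POLICY):
    """Return the action of the first rule matching src/dst/proto/dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (src in r.src and dst in r.dst
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"  # nothing matched: still deny, never fall through to allow


if __name__ == "__main__":
    print("LAN -> internet next hop:", next_hop("203.0.113.5"))
    print("LAN -> VPN client next hop:", next_hop("10.99.0.7"))
    print("VPN -> file server 445/tcp:", evaluate("10.99.0.7", "192.168.10.20", "tcp", 445))
    print("VPN -> DC 389/tcp:", evaluate("10.99.0.7", "192.168.10.10", "tcp", 389))
```

The route table shows why the concentrator cannot lower internet bandwidth for the LAN: only the /24 of VPN client addresses is routed through it, and everything else falls to the default route via the VLE. The policy shows the "don't treat them as internal users" advice concretely: a VPN client trying LDAP against a domain controller, or UDP to the file server, hits the final deny rule.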
 
How many nodes (devices on your LAN) do you need to support?

As in, how many clients at once need to be able access the internal network externally?
Probably 1-5. At least me, and up to 4 others, max.

It'll be in the same network with it how I suggested. Our hypothetical firewall will be acting as the edge of the network, with everything else inside of it.

IIRC, there are something like 4 IPs for us to use from the router at county.
So I suppose, doing as you lot suggested, I could have a mini-switch connected directly to the router at county, and then the VLE connected to one port on it, and a firewall for the VPN on another port, with its own connection then going into the main switch?
As the network traffic to the internet is set to go through our VLE, so the 'other' connection out through the VPN isn't seen by them?

Suggestions as to firewalls with VPN Concentrator functions?
 
Ah well, if the LAN is that small, a TZ150 (limited to 10 nodes) is around £200 (+ VPN client licenses). A Total Secure 10 (10 node TZ180 with security services) is £320+VAT.
 
So what advantages do those two have over that Netgear one I suggested then?
 
Right.

I'm thinking of doing this:

On the cable that brings the internet in, having a switch, with the VPN Firewall & VLE connected to that, and both then connected to the internal network.

Should work fine, shouldn't it?
 
How so?

All net traffic will be pointed at the VLE, so the rest of the network won't really communicate with the VPN/Firewall.
 