Small Business Firewall/VPN


Small Business Firewall/VPN

Posted on Tue Aug 21, 2012 3:05 pm

We're changing to Comcast from ATT DSL at the office in a month or so and it's gotten me to thinking about getting a more "business class" solution for firewall/routing duty. We've currently got an integrated modem/router/WAP combo that works well enough, but a few weeks ago I got an alert from the server that someone was trying to hack into it using a bunch of random user names. The server isn't sitting in the DMZ or anything like that - I've got maybe 5 ports open for remote access, but apparently someone figured out where we were on the interwebs and was trying to get in. I shut down all the ports and the attacks have stopped, but it got me thinking that perhaps a better firewall solution would be appropriate with VPN for remote access. It got me nervous that someone got as far as touching the server, even though they never got in (although, with port forwarding I suppose that makes sense). I would like any hacking attempts to be stopped BEFORE they get to the server :)

We're a small business with a server and between 6-10 client computers at any given time. I would like VPN for remote access and I would like that to be something that doesn't require a special client if at all possible. Decent firewall features to keep out the hackers would also be nice. I'm not sure we need router level virus protection/etc that some of the solutions seem to offer. While cost is a concern, I don't have a problem spending a little more if it makes sense. I would like to avoid expensive annual subscriptions and service contracts if possible. I'm fairly tech savvy, but this is a new area for me, hence the request for someone with more experience and a recommendation for a good product.

Based on my limited knowledge and some searching I've narrowed my choices to the following. Looking for opinions on these as well as recommendations for others. I did find a few threads here: viewtopic.php?f=14&t=73230&p=1034861&hilit=vpn+firewall#p1034861 and here: viewtopic.php?f=14&t=79681&p=1104182&hilit=vpn+firewall#p1104182 but one is a bit older and the other has a slightly different focus.

Watchguard for $693
http://www.newegg.com/Product/Product.a ... 6833182102

Fortinet for $300
http://www.newegg.com/Product/Product.a ... 6833269034

Netgear for $162
http://www.newegg.com/Product/Product.a ... 6833122446

Any thoughts and comments would be appreciated.
i7-3770K | Asus P8Z77-V LK | 8GB DDR3-1600 | HD5850 | 128GB 840 Pro | Samsung F3 1TB | U2412M | Define R4 | Seasonic 520W M12II | Win7 Pro x64.
frumper15
Gerbil Team Leader
Silver subscriber
 
 
Posts: 238
Joined: Mon Jan 18, 2010 3:25 pm

Re: Small Business Firewall/VPN

Posted on Tue Aug 21, 2012 3:29 pm

Have you looked over at SmallNetBuilder? They have reviewed a few similar products (not sure if any of the ones you listed are in their archives). You might also try their forums if you don't get what you're looking for here. AnandTech and Ars also have areas where IT types hang out, and it might be worth gathering as many opinions as possible.
UberGerbil
Gerbil Khan
 
Posts: 9976
Joined: Thu Jun 19, 2003 3:11 pm

Re: Small Business Firewall/VPN

Posted on Tue Aug 21, 2012 4:38 pm

I use Sonicwall and Zywall stuff at work. The configuration of the Sonicwall is convoluted, and most of the extras are at additional cost. The Zywall is a little more streamlined, but the SSL-VPN is awful and the IPSec client is $5 per seat.

pfSense or Untangle are two good choices if you want something full featured with minimal cost, and you can scale them up by adding bigger hardware. Then there is DD-WRT based stuff. While those routers, like the Asus RT-N66U, aren't as powerful as x86 based stuff like pfSense or Untangle, they are more like appliances than the others.

I would highly recommend OpenVPN AS as a separate VPN solution. It's cross-platform, and it works well. The licenses are $5 per year, with a minimum of 10, but that's still cheaper per year than other solutions which aren't as widely supported.
Flatland_Spider
Gerbil Elite
 
Posts: 831
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Small Business Firewall/VPN

Posted on Wed Aug 22, 2012 3:21 am

Fortigate 40c/60c? or whatever that is comparable to Cisco ASA 5505/5510 or Juniper SSG 5/20 is probably still the best bet for a good small business version of enterprise firewalls. Either of those would probably serve you quite well depending on exactly what features you need. Juniper is also turning more towards their SRX-series, so the SRX-100 or 200 might be the thing to look at if you are looking at Juniper. JunOS is a different beast than ScreenOS though. If you want anything smaller than that, go with Fortinet, at least they have an enterprise class of firewalls. I would not trust Netgear in the enterprise for anything more than dumb table switches and modems, which is about the same level as dlink or linksys.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3424
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Small Business Firewall/VPN

Posted on Wed Aug 22, 2012 6:56 am

Couldn't resist sticking my oar in.

For an office with 10 people in it I'm really not sure I see the point of a fancy enterprise firewall. The actual firewall part of such a firewall isn't really any more effective than what you get on good domestic routers... a stealthed port is still just a stealthed port and an open port still gives access to what's inside.

Most of the extra stuff those enterprise firewall devices do is aimed at... enterprises. Fancy routing configs between multiple internal networks, multiple public IP NAT setups, hardware DMZs, site-to-site VPNs etc. None of which you need in an office with 10 users (in most cases, and given that you've been working without them you're probably in that majority).

So what does that leave you with? IDS, IPS, AV scanning and content control / site blocking.

- The content control and site blocking might be handy if you've got staff who like to surf for porn or visit facebook on company time so that's potentially useful (though it's not something you've said you're interested in)

- AV scanning sounds great but it's often a pain as it means your internet traffic is going via a proxy. That's fine but it is another thing to go wrong and getting https going through it is more configuration.

- IDS / IPS (intrusion detection/prevention system) sounds like a great idea but as I understand it there is a school of thought that they are just tick box items that The Boss can parade in front of the board at meetings. Seriously though they probably do have a role to play in big enterprise where someone who knows what he's doing can keep an eye on traffic for thousands of users but I'm not convinced they have a place in a 10 user office.

Also keep in mind that to some degree all three of these things will require subscriptions to work so factor that into your costs.

Finally consider that stuff like Cisco ASAs or even Zywalls are MUCH more complicated to configure properly than the kinds of routers you've been using and a badly configured firewall can be worthless.

Sorry to have been so negative (it comes easily to me), here are my constructive suggestions:

Security is all about adding layers (hence a nice new firewall is attractive) however you've got to make sure those layers are doing something meaningful. Starting with what you've already got:

Any firewall will block incoming connections to blocked ports, if you've opened ports so that services you need can be used then there isn't that much you can do about it. So one big question is: what exactly have you got in your office? I'm going to assume it's SBS handling your Windows domain, exchange and remote web workplace.

If the system has to receive email then you're probably going to need port 25 open no matter what (there are ways round that and I'll go into them if you want) though you can disable SMTP logins anyway (IIRC it's off by default in SBS these days) which stops anyone brute forcing your server this way.

- Only allow services you need through the firewall. All the other ports SBS opens on your router (web, RDP, RWW, IMAP, POP3) can be closed off entirely or accessed through a VPN. Of course that's a pain but it is doable. If you go down this road then you really need something certificate based rather than username/password. You should be able to use your server for this task. If you don't like the built in VPN stuff (I'd avoid PPTP and use IPSec) then I'll second Flatland's OpenVPN suggestion. It's great for computer connections (though you do have to install client software) but usually isn't supported on mobiles.

- Make sure you're keeping all your internet facing services up to date.

- Make sure you've got a decent password policy in place (even if you're not exposing username/password logins directly to the internet by requiring VPN connection first). Have a talk with your users to make sure they know how to make a good password. It's no use requiring at least one capital letter, number or symbol and 9 chars if everyone uses "Password1". I recently had a talk with a woman who's hotmail account had been hacked 5 times in 6 months. Turns out she though a person's name was a good password and that no one else could possible think of replacing "l" with "!" or "o" with "0" :roll:

- Make sure you've got some kind of script in place to block IPs that try to brute force your passwords. X failures in an hour and the IP gets blocked for a month, that kind of thing. There should be plenty of PowerShell scripts floating around for doing that.

- Consider getting proper SSL certificates for your server rather than using self signed ones.

- Only give users who need remote access such access.

- Consider requiring external access comes only from specific IPs or subnets. It's a bit old skool but if your users only need access from their home connections and those home connections can have static IPs or are all on the same ISP you can lock them down that way. Most domestic routers allow this though an enterprise firewall would give you more options.

Brute force attacks on passwords happen all the time and there are lots of things to do before dumping time and money into a new firewall.

EDIT:
Just to clarify, there's nothing magic about having your VPN on the firewall rather than the server. As I see it the main reason for having a firewall with a VPN server on it is to support site-to-site VPNs so your offices stay connected while your servers get rebooted (handy for keeping VOIP systems etc running). Road warrior VPNs (that's connections from individual remote users) might as well be handled by your server as it keeps all your user management in one place and chances are that if your server is down there won't be anything for the remote users to connect to anyway.

Sorry for the mega post but there really is lots to do before spending money on a fancy firewall :wink:
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2254
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)
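The lockout rule cheesyking describes above (X failures in an hour and the IP is blocked for a month), written out as an added Python example that is not from the thread; the log format, IP addresses and threshold are constructed. A production version would feed the returned IPs to the firewall's block list instead of just returning them.

```python
"""Brute-force lockout: block a source IP after THRESHOLD failed logins inside
a sliding one-hour window, and keep it blocked for 30 days.
Constructed sample log (not a real SBS/Windows log): time, source IP, user, result."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2012-08-21T14:00:05 203.0.113.7 administrator FAIL
2012-08-21T14:00:09 203.0.113.7 admin FAIL
2012-08-21T14:00:14 203.0.113.7 root FAIL
2012-08-21T14:00:20 203.0.113.7 test FAIL
2012-08-21T14:00:27 203.0.113.7 guest FAIL
2012-08-21T14:05:00 198.51.100.20 alice FAIL
2012-08-21T14:05:30 198.51.100.20 alice OK
2012-08-21T14:10:00 192.0.2.9 bob FAIL
2012-08-21T14:40:00 192.0.2.9 bob FAIL
2012-08-21T15:20:00 192.0.2.9 bob FAIL
2012-08-21T15:45:00 192.0.2.9 bob FAIL
"""

THRESHOLD = 4                    # failures allowed inside one window
WINDOW = timedelta(hours=1)      # "X failures in an hour"
BLOCK_FOR = timedelta(days=30)   # "blocked for a month"


class BruteForceGuard:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, block_for=BLOCK_FOR):
        self.threshold, self.window, self.block_for = threshold, window, block_for
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.blocked_until = {}             # ip -> datetime the block expires

    def is_blocked(self, ip, now):
        """True while a block is active; expired blocks are dropped."""
        until = self.blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.blocked_until[ip]
            return False
        return True

    def record(self, ip, when, success):
        """Feed one login event; return True if the IP is blocked afterwards."""
        if self.is_blocked(ip, when):
            return True
        if success:
            self.failures.pop(ip, None)  # real user got in: forget their typos
            return False
        q = self.failures[ip]
        q.append(when)
        while q and when - q[0] > self.window:   # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            self.blocked_until[ip] = when + self.block_for
            q.clear()
            return True
        return False


def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def process_log(text, guard=None):
    """Replay a log; return {ip: block_expiry} for every IP that got blocked."""
    guard = guard or BruteForceGuard()
    blocked = {}
    for line in text.strip().splitlines():
        when, ip, _user, ok = parse_line(line)
        if guard.record(ip, when, ok) and ip not in blocked:
            blocked[ip] = guard.blocked_until[ip]
    return blocked
```

Note that 192.0.2.9 is never blocked: its four failures are spread over more than an hour, so the sliding window never holds four at once.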

Re: Small Business Firewall/VPN

Posted on Wed Aug 22, 2012 8:04 pm

There's no point in a fancy firewall, that's why everything is in the lowest end of the spectrum. What you do want is a firewall that is reliable and can do what you want compared to the SOHO things that try to emulate the features of the enterprise things but fall short and have a worse way of configuring things. Not to mention that since even small enterprise gear uses the same software as the larger gear, most of the documentation, guides and best practices for setting it up is freely available and so is knowledge and support if you come to a point where you can't do it yourself or god forbid, the company grows or adds things that might necessitate changes later.

Take the listed Netgear for instance, it seems to do just about everything that any of the other so called enterprise based ones do, but where Netgear falls short in my experience, unless they magically changed the last years, is that it's often even harder to configure it properly thanks to an often nonsensical GUI. Still, it comes down to what you actually want to do.

I would say it's more the ability to have it act as router, several internal networks, hardware DMZ and SSL-VPN for the road warriors, that make it valuable for SOHO, just because you can have a single device doing most of those things and not having to have a larger setup or putting multiple roles on the same server where the company data resides. The parts with IDS/IPS/AV are the parts unnecessary in the SOHO setting. IDS/IPS usually takes way too much time to bother with, because there's not such a thing as fire and forget, it's a process that needs to be used and audited regularly to have any value, otherwise it's as you say, a checkbox for management.

You are correct on a bunch of other points though, and that is it's a question about layering if you want decent security. But I disagree that there isn't a difference in having the internal server handle the RAS compared to having it on the firewall. Especially if that server shares the company data. You can still have a unified user management since most firewalls support either LDAP/RADIUS or other authentication methods, but you get better separation in how and what you allow. Or since the amount of people is pretty low, you just want to separate the authentication depending on who has access to the server and rights to change things.

The biggest problem though is that beyond the general advice and best practices, there's really too little info in the OP to say anything specific about how they should set up things. And no matter which way they go, there is one thing that probably tops everything else to start with, and that is actually having sat down and thought out what the company needs and how to facilitate that. It might not be a firewall at all, although a good firewall can facilitate a better design while their current one might not... or it might be that the money is better spent on furthering the education of the IT guy, or something entirely different.

Which is where a bunch of your other points come in, if they haven't thought of those already, that would be a good start. Good security, when it comes down to it, is dependent on people being aware of security and acting securely, otherwise it usually doesn't matter how good your tech and setup of it might be.
Aphasia
Grand Gerbil Poohbah
 
Posts: 3424
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: Small Business Firewall/VPN

Posted on Thu Aug 23, 2012 5:52 am

Aphasia wrote:
The biggest problem though is that beyond the general advice and best practices, there's really too little info in the OP to say anything specific about how they should set up things. And no matter which way they go, there is one thing that probably tops everything else to start with, and that is actually having sat down and thought out what the company needs and how to facilitate that. It might not be a firewall at all, although a good firewall can facilitate a better design while their current one might not... or it might be that the money is better spent on furthering the education of the IT guy, or something entirely different.

Which is where a bunch of your other points come in, if they haven't thought of those already, that would be a good start. Good security, when it comes down to it, is dependent on people being aware of security and acting securely, otherwise it usually doesn't matter how good your tech and setup of it might be.


That hits the nail bang on the head.
Fernando!
Your mother ate my dog!
cheesyking
Minister of Gerbil Affairs
 
Posts: 2254
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: Small Business Firewall/VPN

Posted on Thu Aug 23, 2012 2:55 pm

As far as company needs - I think it probably matches a lot of small businesses. I would like to balance security, features, and cost. We certainly don't represent a huge target for hackers (at least I don't think so) but all the same, seeing attempts to access the server hundreds of times in an hour certainly caught my attention. I attempt to facilitate good security practices in the office - strong passwords, up-to-date client computer virus and malware protection, etc. I monitor Windows patching on machines to make sure as many holes are plugged as possible. The market I'm looking at right now - everything from a Linksys with DD-WRT or Tomato on it all the way up to some kind of $1,500 Unified Threat Management appliance with another $500 a year in subscriptions to make it all work to the fullest. I'm a little lost at the moment. I currently have all the ports closed, as I mentioned, but when I did have them opened, it was only for ports that I needed for Remote Desktop, Remote Web Workplace (for some employees that needed the ability to get on from home occasionally), and a few other innocuous applications. I might not understand this correctly - but my understanding is that VPN at the router level should allow me to completely keep those ports closed until someone connects to the VPN at which point it is as though they are on the network directly. I'm sure there's much more to it, but I think I at least have the general concept correct. I assume there are plenty of applications that would allow me to run a VPN on my server (it's probably even built in at some level, I would guess) for little or no cost, but I just don't like some person in Russia to be able to hit my server unabated attempting to guess a password, or more likely, using some program to do it for them. Our current Netopia appears to have some level of threat recognition built in (judging by the security logs on it) but there are still plenty of tries to get to the server before that kicks in.
I like the added layer of having a hardware device that is the gatekeeper before someone can get to the server.
That being said, I don't believe I need the level of filtering/protection/etc. that is offered in the more expensive UTM devices (please correct me if I'm wrong) so then I'm left looking at VPN and overall features/usability combined with price considerations. I'm not a networking veteran (obviously) but I can usually figure things out if they have either decent documentation or intuitive interfaces. That being said, I'm left wondering if I'm better/best off getting a WRT54GL and putting DD-WRT on it (that uses OpenVPN, right?) and seeing if it meets my needs or get the Netgear and see how painful it might be to use when balanced against cost and features. The Watchguard and Fortinet look very nice, but they should be if they cost 3-8x as much as other solutions.
I appreciate everyone's suggestions and advice and would really love if someone could recommend a specific device they have had a good experience with that meets my needs without breaking the bank.
i7-3770K | Asus P8Z77-V LK | 8GB DDR3-1600 | HD5850 | 128GB 840 Pro | Samsung F3 1TB | U2412M | Define R4 | Seasonic 520W M12II | Win7 Pro x64.
frumper15
Gerbil Team Leader
Silver subscriber
 
 
Posts: 238
Joined: Mon Jan 18, 2010 3:25 pm

Re: Small Business Firewall/VPN

Posted on Thu Aug 23, 2012 5:06 pm

If you're not serving anything off the server, email, HTTP, FTP, etc., you shouldn't have any external ports open to it. Those external services should be on a different server firewalled in a DMZ anyway.

You are correct about the way a VPN works, and it sounds like you just need a VPN.

Something running DD-WRT, like an Asus or Buffalo router, will work as an OpenVPN server, or if you have an old desktop sitting around, CentOS 5 and OpenVPN AS works too. I have a setup like the desktop that is in "testing" at the moment. It's in testing for the Windows users because I need to figure out client side scripting, but it works better than our expensive SSL-VPN for the Mac users and Linux user which means it's production for them and me.

OpenVPN AS is the commercial version of OpenVPN. It has a web GUI to help with configuration, it has the OpenVPN Connect client which is dead simple to operate if a little inflexible, and the support staff is very helpful. I think it also has the ability to authenticate against AD while the regular OpenVPN does not, but it's worth the $50 for 10 licenses.

It doesn't have a nice portal like some commercial routers with encrypted file browsers and Java based RDP/VNC clients, and you will get your hands a little dirty on the command line from time to time. For instance, you have to export the five files from the command line, if you want to use a third party OpenVPN client, and you do have to script the database dumps a little bit.
Flatland_Spider
Gerbil Elite
 
Posts: 831
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539

Re: Small Business Firewall/VPN

Posted on Thu Aug 23, 2012 6:59 pm

Another alternative if you have a few old machines kicking around is pfSense.
Deanjo
Gerbil XP
 
Posts: 395
Joined: Tue Mar 03, 2009 11:31 am

Re: Small Business Firewall/VPN

Posted on Fri Aug 24, 2012 9:13 am

Indeed. An old Core 2 desktop running pfSense will blow most low end stuff out of the water.
Flatland_Spider
Gerbil Elite
 
Posts: 831
Joined: Mon Sep 13, 2004 8:33 pm
Location: The 918/539