[Samurai]

Got my Juniper SSG5 imported from USA. I upgraded the firmware to 6.2.0 rel5.

Setting up the basic firewall is easy. But, I am not convinced it is more friendly than Cisco ASDM. Currently I am using the web interface on the device. I see there is another admin interface called NSM, but I am not sure how to get it to work. I tried to enable NSM, it complains "No Initial ID configured. NSM agent remains disabled."

Quote:

Originally Posted by deepakchiniwal

Yes SSG5 works with ASA 5505 as IPSec VPN Peer.

Still trying to figure how to make it work. The VPN wizards on Juniper SSG5 is very primitive compared to Cisco ASA 5505.

Quote:

Originally Posted by deepakchiniwal

You will never regret once you Juniper devices, considering the fact in ease of use.

Are you sure? The Cisco ASDM 6.2 makes it so simple to configure the 5505 box. As of now Juniper interface appears to be a long cry away from it.

Edit: It worked in first attempt! Thanks to this KB article: Juniper Networks - Configuring the NetScreen Side of My NetScreen to Cisco PIX IPSec VPN - Knowledge Base

[jassi]

^^ Samurai - haven't been on tbhp in a while. I guess the temporary long lead times on asa 5505 hit you as well :-) I hear things will go back to normal in May 2010 and deliveries will return back to normal.
Getting site to site vpn working with the juniper box or any other vendor should be easy as long as they are implementing the ipsec standard correctly (and not doing any fancy proprietary extensions).

[Samurai]

Quote:

Originally Posted by jassi

Getting site to site vpn working with the juniper box or any other vendor should be easy as long as they are implementing the ipsec standard correctly (and not doing any fancy proprietary extensions).

Yeah, I got it working on Sunday itself, within 24 hours of opening the Juniper box for the first time. However, I like the Cisco ASDM interface lot more than Juniper WebUI.

[Samurai]

Bumping this thread after a long time. Meanwhile, I have moved on from Cisco ASA 5505 to SonicWall TZ 105.

I am trying to create a separate subnet, which is isolated from my LAN subnet. I want some controlled traffic flow between the subnet and the office LAN. I plan to setup the control using the SonicWall firewall rules. But here is the thing, I want the machines to see each other directly, if allowed through the rules. What I mean is I want no NAT translation.

LAN_1: 172.16.1.0
LAN_2: 192.168.1.0

LAN_1 is the regular office LAN, the SonicWall LAN IP is 172.16.1.1

The SonicWall has 5 interfaces. X0 is LAN interface (LAN_1) and X1 is WAN.

I am wondering about how to setup LAN_2. Do I buy separate router, or can SonicWall give me this routing ability, if I define one of the available interfaces (X2,X3,X4) for connecting LAN_2?

Keep in mind I am no network engineer. I take care of the network as and when required.

Edit: Yes, it works. Sonicwall can be used as router.

[shashank.nk]

Hi guys,

Need your help to set up a office network with some restrictions. I have a small office with a BSNL broadband that connects to 5 desktops and 4 laptops. I use a DLink DSL-2750U router and the PCs connect via LAN and laptops via WiFi.

I've used OpenDNS to block access to certain sites after I saw huge amounts of data (>100gb) was being downloaded by some staff and that used up all bandwidth leaving net painfully slow by month end. Most downloads were movies,sitcoms,music,software etc.

So after I configured OpenDNS I observed they now download directly via browsers and OpenDNS doesn't block those sites even though its setup to restrict access to P2P/File sharing and storage sites.Typically its a google search which leads them to sites like moviez.net from where they download.

How do I prevent access to such sites, but at the same time allowing legitimate downloads such as attachments received via mail? Will I need new hardware or can the existing router do it ?

[R2D2]

Quote:

Originally Posted by shashank.nk

How do I prevent access to such sites, but at the same time allowing legitimate downloads such as attachments received via mail? Will I need new hardware or can the existing router do it ?

You need a dedicated firewall/router and/or a managed switch. Your Linksys (and other consumer level routers) offer only barebones control over access.

PS - Take a look at the "What WiFi router thread" for suggestions.

[Samurai]

You will need a dedicated firewall like Sonicwall with Security Services license bundle. The basic one won't have it.

[shashank.nk]

Quote:

Originally Posted by R2D2

You need a dedicated firewall/router and/or a managed switch. Your Linksys (and other consumer level routers) offer only barebones control over access.

PS - Take a look at the "What WiFi router thread" for suggestions.

Thank you. I went through the thread,but it seems most discussions relate to routers for homes. Will take a look again and see if I find anything that matches my requirements.

Quote:

Originally Posted by Samurai

You will need a dedicated firewall like Sonicwall with Security Services license bundle. The basic one won't have it.

Is this one made by Dell ? Looks to be quite expensive at 64k+.

[Samurai]

The prices have gone crazy. Just two years ago I could get a basic Sonicwall TZ105 for 13.5K + VAT. The Security Services licence can upgraded on web.

See if one of the Amazon.com seller will ship international: https://www.amazon.com/gp/offer-list...&condition=all

This ebay option looks good: http://www.ebay.in/itm/SONICWALL-01-...0AAOxyXVBSOM2o

Quote:

Originally Posted by Samurai

Keep in mind I am no network engineer. I take care of the network as and when required.

Since I made this comment two years ago, much water has flown under the bridge.

Until 2014 I couldn't do much because of the voodoo management interfaces of Cisco/Juniper. Unless one has certification in those technologies, it is hard to do anything there.

But Sonicwall changed it all. Once I realised Sonicwall has an easy to understand web interface to manage it, I replaced every firewall in our organization to Sonicwall. Since then I have been able to configure DMZs, NATs, redundant/failover WANs, complex access rules, VLANs, HA, custom routes, whole bunch of site-to-site VPNs, OpenVPN over SonicWall, etc. Early this year I even terminated a MPLS link from our customer to our cloud Sonicwall. Their networking guy knew I was a pretender, so he was quite surprised at the end that I managed to configure the complex setup all by myself. I could have never done it with Cisco/Juniper interface.

[R2D2]

Quote:

Originally Posted by shashank.nk

Thank you. I went through the thread,but it seems most discussions relate to routers for homes. Will take a look again and see if I find anything that matches my requirements.

I am specifically referring to open source firewalls like pfSense and OPNSense which can run on PCs and headless computers. These are enterprise class firewalls. Both have an easy to use GUI that helps you tweak and tune every possible aspect of the software.

If you have a low power appliance then it's great. Otherwise install on an old PC and let it perform the duty of a firewall. In case you wish it can do multiple functions like IDS/IPS, IP & Ad blocker, load balancing/failover (with multi WAN connections) proxy server, AV scanner and RADIUS server too.

Be sure to use Intel or Broadcom NICs especially if you have high bandwidth utilisation. Realtek NICs, commonly found integrated on motherboards, are not recommended because of their lower than par performance.

You (or someone else) will require knowledge of networking - IPV4/6, NAT, routing, and using basic FreeBSD/Linux commands. There's plenty of help on the net to help setup and configure the software.

I use pfSense at home with IDS/IPS and Ad blocking. It performs a dual WAN failover/fallback configuration. Couldn't be happier. I also dual boot OPNSense, which is supposedly a fork of pfS, to get a feel of which is better. As of now pfSense gets my vote.

Quote:

Is this one made by Dell ? Looks to be quite expensive at 64k+.

I had considered Dell but it was too expensive for home use. Besides I don't really relish the thought of annual payments for firmware/software updates. So I went with pfSense and couldn't be happier.

[Samurai]

Quote:

Originally Posted by R2D2

I had considered Dell but it was too expensive for home use. Besides I don't really relish the thought of annual payments for firmware/software updates. So I went with pfSense and couldn't be happier.

But his requirement is office/work use, not home use.

I had considered opensource firewall once, but then the security aspect scared me. Home users don't have much to lose financially or data wise in case of a break-in. They can also wait out a security incidence, when you are trying to figure things out searching through the Internet for answers.

But at office, when things go wrong customers expect instant fix. The fact that I am googling for answers won't impress them. In Jan we had a DDOS attack on our cloud setup, enabled by a very poorly designed SBC from Sangoma. We had put the SBC to stop attacks, instead it enabled it. It was a quick session with Sonicwall engineer that pointed out the culprit in 5 minutes.

In small companies that can't afford full time network engineers, you at least need the support from firewall companies. Once we had hired a full time network engineer, he soon left citing lack of work. The chief trouble is companies with less than 100 people rarely need network engineers, they might have one month of work in the entire year. Good network engineers (who actually know stuff) won't be interested in wasting their time in such small places. That is why we buy commercial firewall with support. We can do regular configuration ourselves, but when things go bad, we have the option of calling for expert help instead of googling and praying.

[R2D2]

Quote:

Originally Posted by Samurai

But his requirement is office/work use, not home use.

He's currently using a DLink 2750 serving 5-10 clients. That in my view is more of a home size set up rather than an office.

Besides pfSense can scale up to enterprise needs depending on the hardware you throw at it.

Quote:

I had considered opensource firewall once, but then the security aspect scared me. Home users don't have much to lose financially or data wise in case of a break-in. They can also wait out a security incidence, when you are trying to figure things out searching through the Internet for answers.

But at office, when things go wrong customers expect instant fix. The fact that I am googling for answers won't impress them. In Jan we had a DDOS attack on our cloud setup, enabled by a very poorly designed SBC from Sangoma. We had put the SBC to stop attacks, instead it enabled it. It was a quick session with Sonicwall engineer that pointed out the culprit in 5 minutes.

In small companies that can't afford full time network engineers, you at least need the support from firewall companies. Once we had hired a full time network engineer, he soon left citing lack of work. The chief trouble is companies with less than 100 people rarely need network engineers, they might have one month of work in the entire year. Good network engineers (who actually know stuff) won't be interested in wasting their time in such small places. That is why we buy commercial firewall with support. We can do regular configuration ourselves, but when things go bad, we have the option of calling for expert help instead of googling and praying.

I understand where you're coming from having been in your shoes myself long ago, in the never ending debate between open source or commercial software. This BTW also including the argument over OSes - Linux v/s commercial UNIX flavours and even MS Windows.

Also agree on the issues with retaining network engineers.

I always recommend commercial software for critical needs. When one needs tech support and regular bug fixes or updates its always best to opt for commercial.

If the OP can afford it then he may choose a commercial FW product, with pfSense as the 2nd option. And I say 2nd not because PFSense is any less performant but because you're on your own when it comes to setup and configuration.

BTW, Sharath, if you did try open source firewalls in the past give pfSense a go in a sandboxed environment. It is drastically different from what it was a few years ago. And they provide regular updates. You may be surprised.

OPNSense is still a little buggy but updates/fixes come more frequently, which IMO is testament to the # of issues still prevalent in that software.

[Samurai]

Quote:

Originally Posted by R2D2

He's currently using a DLink 2750 serving 5-10 clients. That in my view is more of a home size set up rather than an office.

But he has employees using it, to serve the customers. Can he afford a break-in or break-down, he has to decide.

Quote:

Originally Posted by R2D2

Besides pfSense can scale up to enterprise needs depending on the hardware you throw at it.

Trouble with opensource is one needs to develop in-house expertise, can't always depend on goodwill from the Internet forums.

We use opensource extensively in areas where we have sufficient knowledge, like IP Telephony. But in areas like firewall, which is not our focus area, I rather have somebody providing critical support.

Quote:

Originally Posted by R2D2

BTW, Sharath, if you did try open source firewalls in the past give pfSense a go in a sandboxed environment. It is drastically different from what it was a few years ago. And they provide regular updates. You may be surprised.

We provide PBX on the cloud (SaaS) to call centers and Telcos. So I can't really afford to experiment with security anymore.

[R2D2]

@shashank.nk

If you want to go the commercial FW route, other than the Dell Sonicwall, a few more commercial options are:

a) Smoothwall - https://uk.smoothwall.com/
b) Untangled - https://www.untangle.com/untangle-ng-firewall/
c) RouterOS by microtik - http://www.mikrotik.com/software
d) Sophos - https://www.sophos.com/en-us/product...-firewall.aspx

They have options for home/home office, SMEs and large enterprises. Hope this helps.

[shashank.nk]

Thank you both for your valuable inputs.

Quote:

Originally Posted by Samurai

See if one of the Amazon.com seller will ship international: https://www.amazon.com/gp/offer-list...&condition=all

This ebay option looks good: http://www.ebay.in/itm/SONICWALL-01-...0AAOxyXVBSOM2o

At 27k, I can consider investing in this if it'll serve my purpose,however not sure if ebay is reliable.

If I were to invest either in Sonicwall or any of the firewalls mentioned by R2D2, will it restrict access to sites on employees' mobile phones as well ?

Currently, Ive disabled Wi-Fi and blocked a whole lot of sites, which has led to grumpy employees since they can't use WhatsApp either.

Quote:

Originally Posted by R2D2

You (or someone else) will require knowledge of networking - IPV4/6, NAT, routing, and using basic FreeBSD/Linux commands. There's plenty of help on the net to help setup and configure the software.

This is a problem for me. Neither I, nor anyone in our firm studied computers to possess the knowledge required for setting up and maintaining commercial grade routers,though I believe this can be outsourced. We rely on Google and some forums to do anything not often done by home users.

Quote:

Originally Posted by Samurai

But his requirement is office/work use, not home use.
But at office, when things go wrong customers expect instant fix. That is why we buy commercial firewall with support. We can do regular configuration ourselves, but when things go bad, we have the option of calling for expert help instead of googling and praying.

Quote:

Originally Posted by Samurai

But he has employees using it, to serve the customers. Can he afford a break-in or break-down, he has to decide.

Absolutely right! I can't afford to lose data, though some downtime is acceptable at the stage and scale we operate now.

Quote:

Originally Posted by R2D2

@shashank.nk

If you want to go the commercial FW route, other than the Dell Sonicwall, a few more commercial options are:

a) Smoothwall - https://uk.smoothwall.com/
b) Untangled - https://www.untangle.com/untangle-ng-firewall/
c) RouterOS by microtik - http://www.mikrotik.com/software
d) Sophos - https://www.sophos.com/en-us/product...-firewall.aspx

They have options for home/home office, SMEs and large enterprises. Hope this helps.

That helps,will examine each option and pick what suits me best.


So after understanding that I may need a commercial grade firewall/router, I called a systems specialist to understand the existing setup and suggest improvements.

So in a nutshell, he explained that right now all systems are connected in a peer to peer network which is not so desirable from a security point of view.
He recommended a Linux server but I rejected it right away when he said it may cost upwards of a lakh and based on my understanding of what he explained, its only required if you have more than 10 systems with need for file sharing,mail server etc.

Then as an alternative,he suggested I invest in a new desktop, more powerful than the existing one's and that would function as a semi server. Something with i5 processor,16gb RAM, 2-3tb HDD and windows 10 pro 64 bit as software. This way all files can be stored only on this computer and backup,restricted access etc becomes easier.

Is this a good idea ? Im hesitant since I don't think its a good idea to store all files only on one computer. Also, if I were to buy this more powerful PC, I'll have to configure firewall only on that pc right ?