SonicWALL TZ 205 or Fortinet Fortigate 60D

[CougTek]

I must find an appliance to provide several VPN connections to different network segments for our customers. Many of our customers have development environments within our office and it would be practical for them to be able to access them remotely.

I already know how to do that on low-end Fortinet equipment, but from what I read, Sonicwall's solutions seem to offer higher bandwidth at similar pricepoints. I also remember that Ddrueding used Sonicwall devices several times in the past. The cost should be limited to 1000$ or less. The models I'm looking for are those mentioned in the thread title : SonicWALL TZ 205 and Fortinet Fortigate 60D. I'm leaning towards the Sonicwall.

Except for the hardware-only device (part# 01-SSC-6945), what else do I need for a 3-years support (in order to be able to download the latest firmware releases) and malware filtering (for the VPN channels)?

Thanks

 

[CougTek]

I might jump to the Sonicwal TZ 215 instead (part #01-SSC-4976). I've read some cooments regarding annoying performance drop on lower-end models. I can find the hardware-only TZ 215 for ~700$CDN. After talking with the management here, we'll skip the malware-filtering option. It is the customers' responsability to install antivirus on their own environment, not ours so we won't pay more to provide a security solution that should be should fall on their shoulders. The 3-years firmware/hardware support is still important though.

 

[CougTek]

Hmmm... the slightly higher-end SonicWALL NSA 220 is only 75$ more than the TZ 215. Food for thought.

 

[ddrueding]

I've had to deal with some SonicWall products, but have never intentionally bought one. I dislike the idea of a subscription/service model for such things. I'm actually having good luck with the business class Netgear products.

 

[CougTek]

Something like a Netgear SRX5308 then? It is true that if I don't need packet inspection, I don't really need a Fortinet or SonicWALL appliance. The SRX5308 only cost 400$.

 

[ddrueding]

Something like a Netgear SRX5308 then? It is true that if I don't need packet inspection, I don't really need a Fortinet or SonicWALL appliance. The SRX5308 only cost 400$.

The 5308 is exactly what I'm using at my main office with 4 3Mbps T-1s going into it. I've managed to get rid of all the hosted services that would require a hole in the firewall, and only have site-to-site VPN links with static IPs. I can tell you that they are very reliable with my kind of simple config. 150+ users that are all YouTube and Facebook happy.

 

[CougTek]

I've managed to get rid of all the hosted services that would require a hole in the firewall, and only have site-to-site VPN links with static IPs.

You made no VPN connection for yourself in case you need to log in remotely?

Oh and what you guys prefer for encryption : 3DES or AES-256? Also, with the recent HearthBleed fiasco, don't you feel IPSec is preferable to SSL VPN? I know the firewall can typically process more data through an IPSec VPN than through an SSL VPN tunnel.

 

[Chewy509]

Re: 3DES vs AES256 - AES256 anyday of the week. (Most VPN appliances have crypto-accelerators these days, so it's not much much of an issue to use AES).

Re: IPSec vs SSL** based solution... This will depend entirely on the OSes and equipment and what they can support. Setting up IPSec tunnels can be problematic if your using different equipment at each end point... (Be warned, as I've seen some IPSec setups that work for a little and then die for no reason).

** If using a SSL based solution, I would recommend using only TLS v1.2 with TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as the cipher suite. (There are some weakness in using SSLv3 in it's default setup - google "ssl3 weakness" for more info.

 

[ddrueding]

You made no VPN connection for yourself in case you need to log in remotely?

Nope. I use a combination of GoToMyPC and GoToSupport to get in and let my users in.

 

[CougTek]

Thanks. You are both very helpful, as usual.