Dom
Guest
Posts: n/a
|
You want an advanced security configuration and you'll need to be well versed in this stuff to pull it off. I imagine a novice having a very difficult time setting this up. I'd use a couple of BSD routers and Cisco 2950 switches. You're looking at VLANs and DMZs to pull this off properly. The trick is making your firewall the central component of the network.
AMDX2
Guest
Posts: n/a
|
Bob, I don't know anything about what Dom said, I'm sorry. Umm, the Sonicwall should be able to do what you are needing, but the cost is an issue. I don't like how they cost, but they work awesome and have in my opinion all the security and dual networks abilities that I can imagine, but also I'm not even close to being a network admin or expert. I'm not even like an intermediate network guy, but I do know some stuff here and there.

I would suggest if possible stay away from the low end devices such as Linksys, Belkin, Netgear, Dlink, anyone found in a local Comp Usa, Best Buy type store will not be able to do what you're needing. I would be surprised if any type of local store like those had anything to do this stuff. At least none of the ones here do. Also I have found every single report I've read online about Dlink, Netgear and Linksys have not been good about the home stuff. Well, some have, but rare that I've seen it.

I do know some stuff about the Sonicwall that is for sure. I think it will have all the security features you need. Built in gateway virus protection, you can tell the virus protection what to scan for, HTTP, pop3, smtp, ftp, etc or even you can tell it to scan tcp/ip which basically says to scan every packet yet it does scan everything so you'll notice it, plus you can enable it on whatever zone you want, lan, wan etc, Spam protection is also built in, Anti Spyware protection is built in, IPS will block all the bad stuff and built in are all the p2p networking apps. All you do is enable IPS on whatever zone you want to have it on such as WAN, zone 1, zone 2 type stuff. No more p2p. I've used IPS and blocking p2p on the wan port and p2p was totally blocked. You can enable and disable all of the security features per user too. For 8 ports you'd want to add a switch then to the Sonicwall since you'd probably look at one of the lower end sonicwall units, meaning price, not really in features. Sonicwall would have 10 node use, 25 and unlimited. This means basically users/computers. You can set up user accounts and user groups also that have custom security. You can enable logging and pick anything you want to log, it's literally amazing how much Sonicwall will log, it's got so many choices it confuses me. You can have the logs emailed daily, when full or when certain events occur. You get ViewPoint which is one heck of an awesome monitoring utility. It's got pie charts, graphs etc and what happens is the Sonicwall will send that ViewPoint server all the log information and then ViewPoint lets you view it in a graphic way that is way easy to understand and evaluate.

If you go to sonicwall web site as you might have done so you will see on the left side of the sonicwall home page there should be a link called demo. That will take you to SonicOS Enhanced. It runs on some of their very high end unit and will give you the ability to use the SonicOS Enhanced, just not save of course. It's awesome.

Yes, some units have dual wan ability and you can also customize each connection for security, bandwidth management and so forth.

Go to www.sonicguard.com and check out their TZ150 and then TZ170. The TZ150 can not use the SonicOS Enhanced though and I think you might need the SonicOS Enhanced with everything you need to do.

I don't know what else there is from other brands that can do what you have mentioned. I only know Sonicwall and the linksys crummy soho stuff. I believe the Sonicwall can do everything you need, but of course am not 100% sure. One very nice thing is if you want to you can go to www.sonicguard.com and call them. Talk to Hillel, you pronounce it Hilly. It's an 800 number free call. He is my sales rep, he's got an accent like South African I think, but forget. I think he's really nice and really wonderful. He helped me pick what unit I needed and since then has been awesome to deal with. He should be able to get you the lowest cost unit that will do what you need. If you do call him please let him know that I sent you there. Joe Moilanen. He might not remember, but he might. My father's name is Dan Moilanen. I just renewed our security subscription a couple days ago. I'm not going to get anything from you telling him I sent you other than I'll feel good inside cus they really do good at Sonicguard. Plus I think it'd just be neat if he knew I was when I can, telling people about them and Sonicwall. It's no big deal though.

I think if you think Sonicwall should have what you need, keep this in mind when looking at other brands too. It is possible you find something cheaper. One thing I like about Sonicwall support is that they send you advance replacement units when needed. They overnight them too. They have for me anyhow. They pay for the shipping too.

Joe

"Bob" <(E-Mail Removed)> wrote in message news:(E-Mail Removed)...
> Hi All,
>
> To expand on my previous question re: VPN endpoint routers, I'd like to offer a bit more information.
>
> I have 2 wired networks I want to connect. The connections must be secure, and have to meet HIPAA standards as a minimum.
>
> Let's call one network WORK, and the other HOME.
>
> Both networks are working exactly as I want them to on separate, individual basis, other than the fact that I will soon be required to be able to access, query, and interact with certain websites from WORK. The HOME network works exactly as I want, and is currently connected with a broadband wireless internet connection. That connection can be changed to DSL if having both systems on the same type of connection would be helpful.
>
> Due to geography, WORK will require a DSL internet connection. Presently, WORK does not have an internet connection, but one will be required shortly.
>
> I have 2 employees at WORK that will be required to interact with 2 or 3 rather large websites (domains), BUT I wish to limit ALL other internet activity on their machines. Both have been known to take part in P2P networks, downloading questionable files, and generally wasting employer time with web surfing. They have both previously lost jobs due to their downloading practices, crashing previous employers' machines with downloaded virii as well as at least one proven instance of ID theft (not by the employee, but by downloading a logger). I still haven't decided if I will even allow these 2 employees e-mail rights, and if I do, it will be behind a strong antiviral and antispam head-end. 2 other employees at WORK will need full internet access as well as e-mail rights. They are very computer literate and savvy, and I'm not worried about them actively downloading virii, etc., although their machines will be equipped with incoming/outgoing viral filters as well as e-mail scanning. There are also several printers on the WORK network, in most cases connected via printer servers. Due to certain program requirements, the computers at WORK are running either W2K or WinME.
>
> What I want for the HOME situation is to be able to work after hours from home as though I were physically present at the worksite (making the HOME network simply appear as an extension of the WORK network). My wife also consults in the business, and would need the same rights from her machine. The HOME network is presently covered by a NAT firewall/router, zonealarm on both machines, and one machine is covered by Norton, the other by Panda. Spybot also runs in the background of both machines. There are a couple of other computers at home that wouldn't require connection to WORK, and the printers at home are a mix of local and networked (print server) printers.
>
> I think my best solution would be 2 similar VPN endpoint routers. From the literature I have been able to download, it appears that SonicWall may be my best bet, but I'd certainly prefer something in the Netgear/Linksys price range.
>
> If an older freestanding computer (600 mhz range) could perform all these functions under some specific software, that could also be a consideration, but I am unfamiliar enough with the software to know exactly what to be looking for. Extra, older computers we've got.
>
> It seems like the VPN endpoint routers would be the cleanest and most reliable route to go, but realize that I do have to perform some major restrictions on a couple of the WORK machines to keep the networks secure.
>
> For those that have waded through this missive, THANK YOU!
>
> Any help or suggestions are highly appreciated. If possible, I would appreciate brand/model numbers (and if in the case of routers like SonicWall I'd appreciate knowing model# and which modules would be most appropriate). While I do a fair job on local networks, this is my first attempt at combining remote networks requiring high security, and we're located truly in the boonies, with the nearest IT tech "specialist" approximately 140 miles away. Few have shown interest in coming out at any price, and the few that will come want a moderate fortune just to come out and do a survey and estimate.
>
> Also, full disclosure router logs would be a plus, although not an absolute necessity. BTW, I was thinking 8-port routers at each end, to allow for the print servers as well as future expansion.
>
> TIA
>
> Bob Clark
Bob
Guest
Posts: n/a
|
On Mon, 5 Jun 2006 08:48:13 -0700, "AMDX2" <(E-Mail Removed)> wrote:

> Bob, I don't know anything about what Dom said, I'm sorry. Umm, the Sonicwall should be able to do what you are needing, but the cost is an issue.

Yes, the higher expense was what I was trying to get around. However, the more I think about it, I probably would only need the high-end router at work so long as I could access it via vpn by either a less expensive vpn endpoint router or even software client from home/travel. The big issue is in being able to highly and very selectively restrict internet access on 2 of the work machines. From what I read, both Linksys and Netgear have business class vpn endpoint routers that appear to do everything I need except for that very selective internet control (at least if you consider using software antiviral/spam stuff on the machine).

> I don't like how they cost, but they work awesome and have in my opinion all the security and dual networks abilities that I can imagine, but also I'm not even close to being a network admin or expert. I'm not even like an intermediate network guy, but I do know some stuff here and there.
>
> I would suggest if possible stay away from the low end devices such as Linksys, Belkin, Netgear, Dlink, anyone found in a local Comp Usa, Best Buy type store will not be able to do what you're needing. I would be surprised if any type of local store like those had anything to do this stuff. At least none of the ones here do. Also I have found every single report I've read online about Dlink, Netgear and Linksys have not been good about the home stuff. Well, some have, but rare that I've seen it.

In general, I agree with you about all the above hardware. Most of their home/SOHO stuff is crud, but I've had some good results with some D-link and Netgear business class stuff (all wired). But again, I've not needed anything with this level of control or security before, and I'm not really comfortable with their devices for the work end application, especially considering most of the reports out there.

I know that there is a lot of linux stuff going around, and that the wireless guys have done some really phenomenal router software that some are running on SBC's. Unfortunately, I'm not aware of any out-of-the-box type linux router software that can do what I need, and as long as it would take me to learn enough linux to be able to do anything meaningful with it, I could buy several Sonics if my time were worth anything at all. A shame I can't find a good software solution, since I have a number of 5-600 mhz machines which are perfectly good, but couldn't give away, and are a bit slow for the software we run at the office (the reason they're surplus)

> I do know some stuff about the Sonicwall that is for sure. I think it will have all the security features you need. Built in gateway virus protection, you can tell the virus protection what to scan for, HTTP, pop3, smtp, ftp, etc or even you can tell it to scan tcp/ip which basically says to scan every packet yet it does scan everything so you'll notice it, plus you can enable it on whatever zone you want, lan, wan etc, Spam protection is also built in, Anti Spyware protection is built in, IPS will block all the bad stuff and built in are all the p2p networking apps. All you do is enable IPS on whatever zone you want to have it on such as WAN, zone 1, zone 2 type stuff. No more p2p. I've used IPS and blocking p2p on the wan port and p2p was totally blocked. You can enable and disable all of the security features per user too. For 8 ports you'd want to add a switch then to the Sonicwall since you'd probably look at one of the lower end sonicwall units, meaning price, not really in features. Sonicwall would have 10 node use, 25 and unlimited. This means basically users/computers. You can set up user accounts and user groups also that have custom security. You can enable logging and pick anything you want to log, it's literally amazing how much Sonicwall will log, it's got so many choices it confuses me. You can have the logs emailed daily, when full or when certain events occur. You get ViewPoint which is one heck of an awesome monitoring utility. It's got pie charts, graphs etc and what happens is the Sonicwall will send that ViewPoint server all the log information and then ViewPoint lets you view it in a graphic way that is way easy to understand and evaluate.
>
> If you go to sonicwall web site as you might have done so you will see on the left side of the sonicwall home page there should be a link called demo. That will take you to SonicOS Enhanced. It runs on some of their very high end unit and will give you the ability to use the SonicOS Enhanced, just not save of course. It's awesome.
>
> Yes, some units have dual wan ability and you can also customize each connection for security, bandwidth management and so forth.
>
> Go to www.sonicguard.com and check out their TZ150 and then TZ170. The TZ150 can not use the SonicOS Enhanced though and I think you might need the SonicOS Enhanced with everything you need to do.
>
> I don't know what else there is from other brands that can do what you have mentioned. I only know Sonicwall and the linksys crummy soho stuff. I believe the Sonicwall can do everything you need, but of course am not 100% sure. One very nice thing is if you want to you can go to www.sonicguard.com and call them. Talk to Hillel, you pronounce it Hilly. It's an 800 number free call. He is my sales rep, he's got an accent like South African I think, but forget. I think he's really nice and really wonderful. He helped me pick what unit I needed and since then has been awesome to deal with. He should be able to get you the lowest cost unit that will do what you need. If you do call him please let him know that I sent you there. Joe Moilanen. He might not remember, but he might. My father's name is Dan Moilanen. I just renewed our security subscription a couple days ago. I'm not going to get anything from you telling him I sent you other than I'll feel good inside cus they really do good at Sonicguard. Plus I think it'd just be neat if he knew I was when I can, telling people about them and Sonicwall. It's no big deal though.
>
> I think if you think Sonicwall should have what you need, keep this in mind when looking at other brands too. It is possible you find something cheaper. One thing I like about Sonicwall support is that they send you advance replacement units when needed. They overnight them too. They have for me anyhow. They pay for the shipping too.
>
> Joe

I believe I'm going to follow your advice, and will call Sonic in the next few days and talk with Hillel. From what I've been able to read, it looks like I'll likely need the TZ-170 or TZ-170SP for work, and perhaps be able to economize a little with the home router. (I'm presently using a very plain Belkin router at home, but only because it's what the wireless ISP provided, and is the only one they guarantee to support.) There may be other decent less expensive hardware routers out there that can do what I need, but if there are, I haven't been able to find them based on the on-line documentation available.

Thanks, Joe!

Bob Clark

BTW, I'll mention your name to Hillel when I speak to him. Wish it'd get you a referral commission.<G>

<snip>
AMDX2
Guest
Posts: n/a
|
Bob, I remember when I was looking for a device in 2005 Jan, I spent 2-6 hrs per day for 2 weeks to find the Sonicwall. So I think it is possible if there was something similar with a bit less cost I should have found it. I am not sure, but I should have found something. I tried a couple from others, but they didn't do everything I wanted and still cost a lot. The one thing I like about the Sonicwall is how easy it is to use the SonicOS. There are some difficulties, but I think that is because I don't know much about high end firewall rules and terminology.

Joe