Need alternatives for ASAs for site-to-site VPN, and client VPN

We currently have Cisco ASA 5505s in place at our hub, and one at each remote site, to create a VPN network. These ASAs are EOL this year, and I just found out that replacing them will come at a huge cost, as we no longer qualify for previous discounts.

This leaves us at a fork in the road where, since we’re going to shell out lots of $ for ASAs anyway, we should evaluate what else is out there. There are only 2 IT staff in the dept., so setup/deployment/maintenance needs to be easy. We don’t do a lot of fancy NATing or anything like that with our ASAs now.

I’ve looked into Meraki products for their ease of setup, quality of device, and quick support. I’m leery of trying to sell admin on the recurring costs of their licensing; however, that does include automatic firmware updates and service. Has anyone used these devices (specifically the MX100 and MX64) and can comment?

One consultant said Sophos firewall, but little else. Another has said Palo Alto, another for Ubiquiti.

There are about 300 total devices on our network (including workstations and VMs). Some are at the offsite locations and may have as many as 4 workstations each.

You probably want to consider the throughput you need at each location when you determine what devices to deploy.

How many remote sites do you have? Is centralized management a requirement for you?

I know that Meraki Access Points will not work if their subscriptions expire (well, IIRC they’ll run for about an hour after reboot, then stop functioning).

Not to complicate things, but we use SonicWALL devices and we’ve just started to deploy some Sophos virtual appliances in our environments; the Sophos UI is a bit more intricate than the SonicWALL one. I have heard rumblings here about SonicWALL support being sub-par, but I’ve never had any issues with them, and I’ve yet to have to call Sophos support for anything.

Meraki are awesome, but they aren’t cheap. If you have limited network engineering skills, I recommend these 100%. I have one client w/ an MX100 and we love it, well, everyone except the network engineer :). You do need to keep subscriptions in force. The one thing I don’t like about Meraki is the unencrypted L2TP VPN client requirement.
Every other client we have is SonicWALL (I have about 150 of these in the wild), after we migrated off of Cisco PIX/ASAs a while ago. SonicWALLs are pretty simple to manage. You don’t have to buy security subscriptions if you don’t want to, but if you do web access from the site, it is highly recommended. With SonicWALLs you determine the model you use based upon the # of hosts behind the firewall and on what security services you will use, if any. So, for the main site, maybe an NSA3600 w/ gateway security suite (aka TotalSecure), and then you can run w/ the SOHO or TZ300 models at the remote sites. Most issues w/ SonicWALL can be attributed to undersizing the units. You can’t run a TZ300 w/ security services for a 100-computer network, for example. People do it, then complain about performance.

Meraki, Sophos or MyDigitalShield are excellent solutions for this.

Sophos has a native site-to-site VPN solution and small devices (called “REDs”) for sites with just a few workstations. They’re rock solid and just work. If you exclusively use REDs, only the central device has to be licensed. However, note that all traffic will have to be passed back to the central device for full UTM protection. They are complicated to configure. Security is mid-line out of the box; if you change the default settings it becomes good.

If you want optimization and significantly improved security, MyDigitalShield has a solution that works very well. Their datacenter becomes the hub and each site connects to it. This means each site gets full UTM functionality without saturating the connection at a central site. This is a zero-configuration solution and security is phenomenally tight (they even provide you with a $50-100k cyber breach policy). They use SD-WAN QOS to help you get more out of your sites.

Meraki is a powerful, off-the-shelf solution. It just works, and works very well. The downside is that their products are expensive and require annual licensing. Very easy to set up. Out-of-the-box security is decent, but hackers know what the default settings are and can bypass them.

We can offer you discounts on all of these options and remote configuration support, if you need it.

I’ll weigh in for Ubiquiti: EdgeRouter for the offices. The ER-X would handle the throughput, does site-to-site VPN, and can do OpenVPN, L2TP or PPTP dial-in VPNs. The configuration is piss easy, it can do WAN failover, and they are cheap enough that you could leave 2 or 3 on site as spares at each location and still come out way ahead compared to a Cisco anything.

We have quite a few clients with Merakis and they are very easy to manage. They are probably not the cheapest solution, but if there is limited IT staff to support them, I would consider the recurring fees as part of the associated cost of keeping this type of environment running. Setup is very easy and it is easy to get support or assistance with configuration.

We use SonicWALLs for site-to-site VPN for our clients and have never had any issues with it. We’ve also enabled the client VPN portion of SonicWALL and it works easily enough. They have a Windows 10 “app” you can download from the Windows Store that lets you then use the Dell SonicWALL VPN provider for creating and managing the connection using the built-in Windows 10 network/VPN connections window, which makes things easier than having to use a separate application.

I’d be inclined to endorse Merakis. You said that they’re within your budget, and expense is usually the problem with Meraki. You said you had limited networking skills, and Meraki are about as easy as they come.

I tend to push for Meraki firewalls and WAPs everywhere. They’re more expensive, but they’re so easy to support that I suspect the TCO may be lower. Firmware is updated automatically. Site-to-site VPNs between Meraki firewalls are pretty much automatic. Configuring firewall rules is so simple, you almost don’t need to know how a firewall works. It’s simple to get reports on web usage.

I wish they made switches that weren’t absurdly expensive, so that I could buy those too.

There might be people doing something complicated or weird that Merakis don’t do well, but I can’t think of any particular problems that we’ve had with them. When we have had problems, their support seems to be pretty good.

Meraki is so easy to manage and deploy; the site-to-site VPN setup couldn’t be easier.

Can’t believe no one has mentioned pfSense. Netgate owns them; they just started providing more robust support and are working on a centralized dashboard that has a low monthly cost to monitor multiple devices. It’s free to license, runs FreeBSD, has regular updates, supports IPS/IDS setups, has built-in OpenVPN support, and is extremely easy to configure for IPsec tunnels for site-to-site connectivity.

If you want incredibly simple go Meraki. If you want better control, security, and more features try Sonicwall.

We have been incredibly happy with the Watchguard solution for both site-to-site and client VPN. They tend to be very cost competitive as well. Might want to look into it before making a decision.

Have you looked into Fortinet? They have a strong UTM platform, easy site-to-site VPN wizards, and will continue working even if a subscription/maintenance runs out. Based on bandwidth and users, I would think a 60D or 60E at each location would probably cover it, maybe a 100E at the main location.

We settled on Sophos. Do you have any specific questions about them you haven’t had answered yet?

For what it’s worth, we use a custom-built Linux/OpenVPN solution based on Ubuntu 16.04 LTS. Benefits for us:

  • Easy to set up
  • Rock solid, they literally never go down
  • Nightly automatic config backup
  • Updates for 5 years
  • Remotely upgradable

Their bandwidth is maxed at 30 Mbps with a Comcast connection (we won’t pay for more). My real concern would be at the hub, where the bulk of our users are and where the remote sites currently go out to the internet (we don’t have split tunneling on). Our primary internet is 75/50 and seems to be good thus far.

Another concern is how client VPN users would connect to a Meraki. Is there a software program I install, or do I have to configure the native Windows setup to VPN?

Meraki expensive? Common misconception. They are comparable to any other UTM on the market today. If you do the math, they are cheaper than most other UTMs. You can compare them to Sophos, SonicWALL, Palo Alto. Meraki is cheaper on the base MX64 model with the advanced security license. People are getting hung up on the idea that if the subscription dies, so does the device. When does any respectable MSP let their subscription expire on any of the UTMs mentioned above? If the answer is never, then it comes out to the same or less per month to utilize the device and all the fantastic management features it comes with.

I hate to say that I have limited network skills, but I do. I went through college and Cisco NetAcad, so at one point I was well versed in networking…but since I came on at my current employer, we use minimal networking with HP ProCurves, and these ASAs were already configured and running with EasyVPN, so I couldn’t find a need to rip out the backbone of our offsites just for kicks. Perfect “if you don’t use it, you lose it” situation. Due to staff retirements, my dept has been cut in half from 4 to 2…not a bad situation, just busy, so if something as important as network and VPN security can be made easy, I’m down.

What do you mean by “unencrypted L2TP VPN client” requirement? I have an MX64 at home and use my Android to connect…it’s an L2TP/IPsec setup with PSK. Isn’t that encrypted?

I have heard many Redditors talk about SonicWALL but never looked at them…never heard of anyone local using them…but I’ll give it a shot! I appreciate it!

Thanks! I know prices are cheap on Ubiquiti from Amazon…it seems our local ISP also deals with that brand themselves…

I’ve heard about the EdgeRouter line… I haven’t ever dealt with them, but admin is looking for keywords, so I’d need to make sure that the site-to-site and field access VPN connections are AES-256…that’s the case, correct?

What about updates? Is there a frequent need to update firmware? What about support or licensing?
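Since the question of whether a tunnel is actually AES-256 comes up here, and the custom Ubuntu/OpenVPN setup (and pfSense's OpenVPN) described earlier use the same config-file syntax, here is an added example, not code from anyone in this thread: a small Python audit that reads an OpenVPN server or client config and reports whether it still allows the old Blowfish/SHA1/TLS 1.0 defaults instead of requiring AES-256, a modern HMAC, TLS 1.2+ and a tls-auth/tls-crypt key. The two sample configs are constructed, and the allow-list and thresholds are my assumptions about what "AES-256" should mean for a small shop; a strict AES-only policy would drop CHACHA20-POLY1305 from the set.

```python
"""Audit an OpenVPN config for weak data-channel and control-channel settings.

Added example with constructed sample configs; not part of any real deployment.
"""

# Allow-list for a "must be 256-bit" requirement (assumption: CHACHA20-POLY1305
# counts as a 256-bit-key alternative; remove it for an AES-only policy).
STRONG_DATA_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}
WEAK_AUTH = {"MD5", "MD4", "SHA1", "RIPEMD160", "NONE"}


def parse_openvpn_config(text):
    """Parse config text into a list of (option, args) tuples.

    Lines starting with # or ; are comments, and OpenVPN also treats # or ;
    outside quotes as the start of a trailing comment. Inline <tag>...</tag>
    blocks (ca, cert, key, tls-auth, tls-crypt) hold PEM data, so they are
    recorded as (tag, ["<inline>"]) and their contents skipped.
    """
    options = []
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_block:
            if line.startswith("</"):
                in_block = False
            continue
        if line.startswith("<") and line.endswith(">"):
            options.append((line[1:-1].lower(), ["<inline>"]))
            in_block = True
            continue
        if not line or line[0] in "#;":
            continue
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        options.append((parts[0].lower(), parts[1:]))
    return options


def audit_openvpn_config(text):
    """Return a list of finding strings; an empty list means the config passed."""
    byname = {}
    for name, args in parse_openvpn_config(text):
        byname.setdefault(name, []).append(args)
    findings = []

    # Data channel: 2.5+ negotiates from data-ciphers (2.4 called it
    # ncp-ciphers); older builds use the single 'cipher' value. Every cipher
    # that could be negotiated must be in the allow-list.
    configured = []
    for args in byname.get("data-ciphers", []) + byname.get("ncp-ciphers", []):
        if args:
            configured += args[0].upper().split(":")
    for args in byname.get("cipher", []):
        if args:
            configured.append(args[0].upper())
    if not configured:
        findings.append("no cipher/data-ciphers set; OpenVPN 2.4 and older default to BF-CBC")
    for c in configured:
        if c not in STRONG_DATA_CIPHERS:
            findings.append(f"data cipher {c} is not in the 256-bit allow-list")

    # HMAC used for CBC modes and the control channel; OpenVPN defaults to SHA1.
    auth = byname.get("auth")
    if not auth or not auth[0]:
        findings.append("auth not set; default HMAC is SHA1")
    elif auth[0][0].upper() in WEAK_AUTH:
        findings.append(f"auth {auth[0][0]} is a weak HMAC")

    # Control channel: require TLS 1.2+ and a pre-shared tls-auth/tls-crypt key
    # so unauthenticated peers cannot even start a TLS handshake.
    tlsmin = byname.get("tls-version-min")
    if not tlsmin or not tlsmin[0]:
        findings.append("tls-version-min not set; TLS 1.0 would be accepted")
    else:
        try:
            if float(tlsmin[0][0]) < 1.2:
                findings.append(f"tls-version-min {tlsmin[0][0]} is below 1.2")
        except ValueError:
            findings.append(f"tls-version-min value {tlsmin[0][0]!r} is not a version")
    if not any(k in byname for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt key; control channel accepts unauthenticated packets")
    return findings


# Constructed sample configs (not from any real site).
LEGACY_CONFIG = """\
port 1194
proto udp
dev tun
<ca>
-----BEGIN CERTIFICATE-----
(omitted)
-----END CERTIFICATE-----
</ca>
cipher BF-CBC
auth SHA1
keepalive 10 120
"""

HARDENED_CONFIG = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
data-ciphers AES-256-GCM:AES-256-CBC   # OpenVPN 2.5+ negotiation list
cipher AES-256-CBC                     # fallback for 2.4 peers
auth SHA256
tls-version-min 1.2
tls-crypt ta.key
keepalive 10 120
"""

if __name__ == "__main__":
    for label, cfg in (("legacy", LEGACY_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label}: {audit_openvpn_config(cfg) or 'OK'}")
```

Run it against the real files with `audit_openvpn_config(open("/etc/openvpn/server.conf").read())`; the same checks apply to the `.ovpn` profiles handed to field users, which is where a forgotten `cipher` line most often survives.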

I want to lean towards Meraki since they’ve hitched their horse to Cisco…I still value their name in the networking and security space, but know that the Meraki line is akin to the Apple of IT: easy and it works.

Since this is an enterprise environment, I don’t want to skimp out and buy some Amazon specials…but at the same time, all this news came after we had already done our yearly budgets. It looks like I could get a full replacement with Merakis and one year of licensing for less than the same number of ASA 5506s.