VPN for small 2-site office


dgeesaman

Hello, first post here.

I manage the IT equipment for my wife's small business. There are 5 users on an SBS 2003 server that provides Exchange and network drive storage. Currently users access the server using the MS VPN client by connecting directly to the SBS when they are in the satellite office or at home. The internet connections are cable modem connections. Our internet and file sharing bandwidth usage is relatively light, given that the files are not very large and there is no streaming content. Local stuff is on 100Mbit ethernet.

I would like to establish a persistent VPN tunnel between the satellite office and main office using devices that are reliable and don't require reboots or other babysitting. I would also like to improve security for each site and keep cost under $1000. I'm generally computer savvy but I don't do networking all day long so the technology has to be approachable.

It seems to me a good approach would be to install an appliance at each site that stays connected and provides firewalling for the local site. Past experience has created a distaste for SOHO stuff in the $50-150 range. I see various devices in the $300-600 range from Cisco, Sonicwall, Zyxel, Fortinet and many others. The reviews on this site have been helpful but nothing has jumped out at me as "the answer".

Aside from the need for the VPN/firewall I would find value in these additional features:
- Anti-Spam
- Anti-Virus
- Web content monitoring and filtering
- 4-8 100Mbit ports
- Wireless (has to be robust, not requiring reboots to keep going). 802.11g would be nice.

Q1: The concept of UTM is appealing to me, but is this robust and does it work well? What major features of UTM are notably weaker than the unbundled alternative of same class?

Q2: Assuming I buy a VPN/firewall device for each end, would I be wise to buy the wireless router separately for each site? If there is not much difference I'd prefer to have them in one device.

Q3: Which systems might you suggest? Keep in mind subscription pricing for UTM support needs to be reasonable for our limited user base.

Thanks for any and all suggestions. I feel guilty in that I have very little knowledge I can use here to help others, but oh well. If you have trouble with your car let me know. :) In the meantime I'll keep reading and researching.

Dave
 
I've been using Untangle at more and more of my clients.
www.untangle.com
(also reviewed here A Powerful Open Source UTM: Untangle Gateway Reviewed )
They start with a free open source version...the caveat with Untangle is you install it on your own hardware. I've been using small form factor business desktops, usually leftover models like Dell Optiplex GX240/260/280 models, or HP/Compaq Evo business desktop models like the D510sff. I slip in a 2nd network card, perhaps add a stick of RAM, put in a new hard drive...and presto, a nice firewall appliance. Basically leftover early Pentium 4 desktops.
Cost to you...maybe some RAM, and a new hard drive.

I'm of the belief that plain old NAT routers are no longer viable as the only firewall for a business network, so I've been busy upgrading existing clients from NAT only to UTM protected networks. The added layer of security when it comes to additional scanning for viruses/spam/phishing...has been worth it. Untangle also has an anti-spyware module that in my experience has been effective, making a big drop in the amount of "rogue/fake alert" problems at my clients.

They do have added packages and bundles that you pay for, such as a very good Spam module (CommTouch) for when you run your own Exchange servers, and other modules you can look at.

I don't know how you have the e-mail set up on the SBS box, if it's through another provider, SMTP smart hosting, POP3 connector, etc.

I have clients using Untangle at multiple sites where I have VPN tunnels set up between the sites, using Untangle's OpenVPN module (included in the free version). Very rock solid VPN tunnel, it's been the easiest and most problem free VPN setup I've deployed (including Fortigates, Sonicwalls, Cisco, Linksys/Cisco, Endian, PFSense).

As for reliability, using open source products like Untangle depends on the quality of the hardware it's installed on, as well as supported compatibility. Sticking with solid business grade workstations with Intel chipsets, Intel and 3COM NICs, I've had a good experience with the product. Using workstations that are several years old, since Untangle is built on Debian Linux, helps with native OS support rather than trying to get current model hardware. A good way to recycle too! :)

Anyways, more thoughts on UTM...yes, IMO it's worth it over just a NAT router. Also..as mentioned above, I don't know what your e-mail setup is, but many UTM appliances have anti-spam modules that can help you there.

What are your needs for web filtering/reporting? Educational facility?

I'm a fan of separating the wireless from the main unit. I know it's nice to have 1x unit be your *router *switch *wireless....but I tend to prefer separating the 3. Router..by itself. Switch..by itself. Wireless..access point(s) by itself/themselves.
Reason? Better performance..for one. No "shared processor" trying to do it all. And..once in a while, for some reason, you might have to reboot your router. Having it separated from the main switch, it will not impact current office productivity as far as the LAN is concerned. Some routers with built in ports...if you power cycle the router, it power cycles the built in switch. The accounting lady logged into Quickbooks Pro or some other accounting application that runs from the server is now swearing at you.

Running wireless access points instead of a combo unit, the wireless seems to run more reliably in my experience. I'm a fan of using 3rd party firmware like DD-WRT or Tomato, and using them as access points. At home I run a Linksys/Cisco wrt150N that's flashed with DD, running in access point mode. I don't think I've rebooted it since I brought it home last spring and installed it. Usually have about 4-5 wireless clients at our house using it too.

Changing subject to your SBS setup, why the VPN exposed, instead of just using Remote Web Workplace portal? What is the typical use of the remote satellite users?
 
Thanks for the very detailed reply. I appreciate your input.

I'll try to answer the questions:
"I don't know how you have the e-mail set up on the SBS box, if it's through another provider, SMTP smart hosting, POP3 connector, etc."

We are running Exchange Server 03 on the SBS. The only external access is the Outlook web interface, which is enabled. The POP3 connector is not enabled.

"What are your needs for web filtering/reporting? Educational facility?"

This company has 2 offices and 3 full-time personnel (my wife and 2 employees), and these employees have the opportunity to slack off. We've already had a couple of past employees who basically quit doing work when nobody else was around and it really hurt the company, then of course they file for unemployment. (It takes especially focused employees to be successful in this environment, but it will be a couple more years until more bodies can be at each office.) Having clear reporting data saves a lot of money and hassle when they are fired for performance reasons but file for unemployment.

Ideally I'd like a filtering system that locks down during certain hours - say to open up to social networking sites and portals during lunch hour. I'm not out to prevent access to all kinds of things; these are adults. I'm more interested in having the ability to control persistent problems if they arise.

"Changing subject to your SBS setup, why the VPN exposed, instead of just using Remote Web Workplace portal? What is the typical use of the remote satellite users?"

We have not tried RWW. The remote satellite users need access to shared folders on the network, access to the Exchange server, and also access to external websites. Of note is an industry-specific management application which runs on hosted Windows servers and requires them to remote desktop connect to those servers to access the data. I suspect doing that through the VPN could get ugly, but to be honest I've not tried all of these things yet.

Not sure what you mean about the VPN being exposed. It's not SSH, if that's what you mean. The Firebrick is an SPI firewall and I have opened the port to allow VPN traffic to pass through. I'd like to improve its security, considering the users' passwords aren't terribly secure.

My brother is also a security / firewall guru who works with larger businesses. He suggested the open source stuff (Smoothwall, Astaro, IPCop, etc) but mentioned that I'd need to get hardware. I'm not against this approach as long as I'm not installing power-hungry machines with a lot of components that might fail.
 
Regarding the e-mail.....the different approaches you can take with the specific Exchange Server that's included with SBS.

*Direct e-mail.....the "MX" record for your e-mail domain points to the WAN IP address that your Exchange Server sits on. E-mail gets sent from "the internet" directly to "your server". This requires you to open/forward port 25 on your firewall, exposing your Exchange Server to the entire world. This is the old way, and the most common way that Exchange Server is set up. It's not my preferred method...as port 25 (SMTP) is wiiiiiiiide open to the entire world, so your mail server is constantly being poked/prodded/someone trying to get into it to turn you into a SPAM relay. Granted Exchange 2K3 is tighter than 2K...but... And your Exchange Server sends mail directly out to the internet, which can sometimes be a handful to manage, ReverseDNS/PTR, keeping your domain from being blacklisted, etc. Other cons...you need to worry about SPAM and Exchange antivirus much more seriously.

*Having an "SMTP Smart Host"..such as Postini/Appriver/MXLogic. The MX record for your e-mail points to their servers..they catch the mail for your domain, they "wash" the mail of spam, viruses, and phishmail, and they forward that e-mail to your public IP address..thus your Exchange Server. You set firewall rules (ACLs) to only allow traffic on port 25 to come from your SMTP Smart Host's pool of IP addresses..thus your Exchange Server only has port 25 exposed to them, instead of the whole world. MUCH more secure. You also send outbound mail to their servers, so you never have to worry about RevDNS/PTR. And..if your internet goes down, or your server goes down, they "spool/queue" your e-mail..and it flushes to your server once your server is up again, so you don't lose e-mail. They also will have a web mail interface so you can get access to your e-mail when your server's down. Cost..usually from 12-25 bucks per mailbox per year.

*SBS also has a rather unique feature..called the POP3 connector. This allows you to set up your Exchange Server to interface with a POP3 mail server out there, like e-mail from your ISP or some other POP3 host. Sort of like...setting up Outlook with your ISP e-mail. You have your incoming server settings and outgoing server settings...Exchange will send outbound e-mail to your ISP's SMTP server (or SMTP of your choice). Gives you some flexibility. Checks for incoming mail at 15 minute intervals. Pros...if your office internet goes down..e-mail queues up at your POP host..downloads once online. Cons...for larger SBS networks of many users..can become problematic. And some people don't like that 15 minute wait..for incoming e-mail.
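The smart host option in the post above comes down to one firewall rule: TCP/25 to the Exchange box is accepted only from the provider's relay pool, and everything else on that port is dropped. The script below is an added example, not code from this thread or from any product or provider named in it. It models that allow-list, runs it over a handful of constructed connection records, and renders the equivalent iptables rules for a Linux gateway such as the Untangle/PFSense boxes mentioned earlier. The CIDRs, the Exchange address and the log records are constructed placeholders, not any real smart host's ranges.

```python
"""Model of an SMTP "smart host" allow-list on the perimeter firewall.

Constructed example: the relay pool, the Exchange address and the
connection records are placeholders, not a real provider's ranges.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

# Placeholder relay pool for a hypothetical smart-host provider
# (documentation ranges from RFC 5737, chosen so nothing real is named).
SMART_HOST_POOL = [
    ipaddress.ip_network("203.0.113.0/28"),
    ipaddress.ip_network("198.51.100.64/27"),
]

# Constructed RFC 1918 address for the SBS/Exchange box behind the firewall.
EXCHANGE_IP = "192.168.10.5"


def smtp_inbound_allowed(src_ip: str, pool: Iterable = SMART_HOST_POOL) -> bool:
    """True only if the connecting address sits inside the relay pool."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in pool)


def iptables_rules(pool: Iterable = SMART_HOST_POOL,
                   exchange_ip: str = EXCHANGE_IP) -> List[str]:
    """Render the allow-list as FORWARD rules for a Linux gateway.

    Order matters: explicit ACCEPTs for the pool first, then a LOG so that
    probes against port 25 leave a trace, then the catch-all DROP.
    """
    base = f"iptables -A FORWARD -p tcp -d {exchange_ip} --dport 25"
    rules = [f"{base} -s {net} -j ACCEPT" for net in pool]
    rules.append(f"{base} -j LOG --log-prefix 'SMTP-DROP '")
    rules.append(f"{base} -j DROP")
    return rules


# Constructed connection records: (source IP, destination port).
SAMPLE_CONNECTIONS: Sequence[Tuple[str, int]] = [
    ("203.0.113.7", 25),     # relay inside the pool -> accepted
    ("198.51.100.70", 25),   # relay inside the pool -> accepted
    ("192.0.2.44", 25),      # unknown host hitting port 25 -> dropped
    ("192.0.2.44", 443),     # not SMTP; this rule does not apply
]


def evaluate(connections: Sequence[Tuple[str, int]]) -> List[Tuple[str, int, str]]:
    """Classify each record as ACCEPT, DROP, or N/A (port other than 25)."""
    verdicts = []
    for src, port in connections:
        if port != 25:
            verdict = "N/A"
        elif smtp_inbound_allowed(src):
            verdict = "ACCEPT"
        else:
            verdict = "DROP"
        verdicts.append((src, port, verdict))
    return verdicts


if __name__ == "__main__":
    for row in evaluate(SAMPLE_CONNECTIONS):
        print(row)
    print()
    print("\n".join(iptables_rules()))
```

The LOG rule before the DROP is what turns the firewall into a useful sensor: with the pool in place, any hit on that rule is by definition not your mail provider, so the log line is worth a look rather than noise.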
 
Web filtering...I'd like to explore this some more...regarding your 2x locations.
Most UTM appliances that do web filtering/reporting will have features such as reporting and/or blocking websites by categories..."social", "vacation", "personal e-mail", "job searches", etc.

Usually you have satellite offices surf the web right out through their internet connection, not through the VPN tunnel and out of "mothership". Although you can...it's just slower for them because of going through the skinny pipe of the VPN tunnel. So a UTM appliance is put at each location.

In this category...in my opinion nothing stands out as far as UTM products which provide this feature. The ones I've worked with are quite similar..they can log what you want them to, and they can block what you want them to, and yes if someone who knows computers and networking really wants to fiddle..they can bypass them by doing proxy server stuff. And yes you can lock down the workstations even more to prevent that..and enter the cat 'n mouse game, but this is SMB networking, generally things are kept loose.

Another alternative...."big brother watching" software like Spector Software
http://www.spectorsoft.com/
They have several different packages, from "monitoring your spouse" stand alone products to more SMB and corporate products designed to monitor employees at a company. To be honest, this product gives you the most detail...you can see eeeeeeverything they're doing..surfing, e-mailing, instant messaging. Talk about detailed reports....you got it here. Even down to how much time is spent lurking at facebook and surfing profiles, full logging of instant messengers.
 
Regarding the open source router distros...such as those your brother mentioned. I'm a fan of those, I usually change my router at home several times per year to try out something new. There are a LOT of cool distros out there. One of the first I tried was IPCop years ago, and it has a "UTM-like" add-on called Copfilter. Sorta dated a bit though. PFSense is great, it's what I usually use at home, it's more into traffic shaping/QoS, and VPNs, great for online gaming. m0n0wall, Smoothwall, ClarkConnect (sort of like an open source Small Business Server), ClearOS (based on Clark, very cool package)...onto more UTM ones..
Astaro...a very mature product, been around a while.
Endian is another one I've used...it was based on IPCop with the Copfilter add-on..although in a more...groomed package.
Untangle...the one I've been using a lot lately. Only thing..needs some higher horsepower units to run on. For an office as small as your 2 locations....I can't justify it. Astaro has some products on smaller hardware appliances that will work well for your setup, as well as fit within your budget.
I'm also a strong fan of Juniper's products, based on using some (their SSL VPN appliances)...and their excellent support. Pricey though.
WatchGuard FireBox is another product that comes on hardware. I've seen their products, but I haven't looked at their content filtering.
 
Again, wow, thank you for all the detail.

We currently have the MX set to the external IP address with port 25 opened to allow it to the server. This allows us to manage the email addresses and backups locally with minimal intervention. Viruses by email are a concern, yes. We run anti-virus on each client but it's been a mish-mosh and not all of them are the same. Because I have my own 7-5 job I rarely see the users and their laptops in person and have little opportunity to make sure all is well. The SMTP Smart Host has great appeal to me, I will look into that. We considered POP3 back at SBS deployment but determined the 15min wait and lack of configurability was not worth it. We have run into a couple of email servers that reject our emails and it's been on my todo list to try and understand why they're doing it.

I would expect that I need to employ a similar device at each office, given that the only difference between them is the presence of the SBS. Any UTM that is included would have to exist at both locations since it would be hoggish to route all branch office traffic through the VPN.

I guess my ultimate question about UTM is: at these price points, are the UTM features I see advertised generally functional? Or are they prematurely deployed / excessively stripped down / unreliable / performance hogs / <insert other reasons why affordable technology is not useful here>.
 
In my opinion, no they are not premature.
The effectiveness of their anti-malware...."it helps"..and the more you layer your network's protection, the more effective the sum of your protection.
As for reporting, it's one area Untangle is "so-so" on....there's enough info there to give to the bosses.

Excessively stripped down....some come with a suite of features, others allow you to get features à la carte.

Interesting timing...Tim had this quick news article about a new Netgear product
http://www.smallnetbuilder.com/security/security-news/31061-netgear-intros-sub-300-utm

I can say one thing about Sonicwall products....they're pricey, they have annual subscription renewals which are pricey, sometimes their support is hard to work with..but the products themselves...rock solid, fast, solid VPN tunnels.
http://www.smallnetbuilder.com/secu...30963-sonicwall-tz100w-utm-appliance-reviewed
Sometimes a slightly steep learning curve on some models, to implement the VPN, but..pretty much, once done....set it and forget it...let the system run for a few years.
 
Yes, I saw that article on the UTM5. I had considered one of those for the branch office and a UTM10 for the main office. Given that it's probably better if I have the wireless AP done by another device, these will work quite well. Initially I was investigating similar devices that also included wireless.

Dave
 
Look @ Zyxel USG series. I recently deployed a USG 200 and couldn't be happier. :) VPN has been rock solid. Previously used Zywall 2+ and 5 and they are also solid products.

Look @ OpenDNS for content filtering. Free and easy to setup.

I'm skeptical of gateway AV. In my testing and real world use I've seen plenty of viruses sneak through. Gateway AV is limited in what it can scan and detect. Smart virus writers get around nearly all gateway AV solutions. Gateway AV can be a good first line of defense but it will not replace client AV.
 
I absolutely agree that it shouldn't replace a client on the local workstations/servers. It should be employed as an added layer of security. If you have one brand of AV on your workstations/servers, and another brand doing gateway scanning, you're protected by the broader spectrum of the sum of those 2. If one misses a threat, the 2nd one might pick it up.

I use the same Eset NOD32 antivirus at 99% of my clients..as I'm a reseller with them, but at clients that I have a UTM appliance (usually Untangle) at....I have a noticeable drop in malware problems...most notably the rogues/fake alerts.
 