UTM + IPSec Site to Site for Small Branches
Hello colleagues.
I have a common task.
It is necessary to:
authorize users of the domain through AD;
authorize devices (phones, tablets, laptops, guests) working via Wi-Fi through the local database;
distribute the Internet;
provide load balancing between 2 channels, switching when one of them fails;
filter URL addresses by groups: do not allow user groups to visit certain groups of sites;
application filtering without installing agents on devices;
intrusion prevention (IPS);
checking traffic for viruses;
VPN Server for IPSec Site to Site and connecting mobile workers to the office;
rapid detection of network bottlenecks and cases of Internet abuse;
improving the performance of services that require high bandwidth, such as VoIP and video conferencing;
QoS;
traffic shaping - so that one employee cannot occupy the channel when there is a queue, but can use the entire channel when, for example, he is alone in the office or when the channel is not fully occupied and there is no queue.
Performance requirements:
At the central office, routing up to 100 megabits, IPSec up to 50 megabits, up to 3000 simultaneous sessions, up to 100,000 sessions per hour.
In the regions, routing up to 40 megabits, IPSec up to 10 megabits, up to 1000 simultaneous sessions, up to 20,000 sessions per hour.
What have I already checked and was not quite satisfied with?
I took Fortigate 100D and 40C for testing - the devices are excellent, but there are few specialists, and sellers ask for astronomical sums for setting up.
CheckPoint - a good firewall, but again, there is a problem with specialists.
Cisco - ASA and ISR do not implement all features.
The Cisco solution for small business is interesting - ISA500, but there is little information on it. Maybe someone will give feedback.
I also tested solutions on D-Link DFL, Zyxel, MikroTik - even less compliance with the requirements.
Colleagues, please share your ideas on how to implement my task.
Who has experience with the ISA500 series?
What software product (trial, free solution, virtual application) can replace the hardware while waiting for delivery and setup?
It seems to me that you have very high requirements and a very wide range of tasks for one "box".
Here you need to collect the whole system from different means.
What exactly does Cisco ASA not implement here, with the exception of its functions such as "AD user authorization" and wifi?
Cisco - ASA and ISR do not implement all features.
I want to drop the topic.
I read a bunch of manuals and came to the conclusion that the Cisco ISR / ISR G2 is for me.
But I did not find the answers to some questions.
1. authorization of users through AD - I don't want to release unauthorized traffic, I don't want to manage multiple user bases.
2. it is highly desirable to block traffic from all applications except those allowed.
3. reporting and analytics - to see in general terms that people mainly go on social networks, who downloads the most, what type of traffic, etc.
4. repelling attacks - I installed a software solution that showed that they were really trying to hack me, picking up passwords, etc. But at Cisco, this service costs a lot of money (relative to my budget).
Maybe consider the ASA + ISR option?