Firewall (cheap) that supports PPTP inbound to firewall

Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

I have a new client that needs to access their 3 system network from
remote locations, they want to use PPTP inbound, terminating at the
firewall, to access the entire network. In most cases I would have
installed a WatchGuard 500 (since they are a very small office), but
that's too much money for their project.

I've looked at the ZyWall units, but they don't say if they support users
connecting to the firewall directly (from remote locations) using PPTP
and then accessing the network.

Anyone got real experience with a NON-PC based solution, must be an
appliance, that is under $500 and doesn't require proprietary VPN
software?

Thanks,
Mark

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

In comp.security.misc Leythos <void@nowhere.com> wrote:

> I have a new client that needs to access their 3 system network from
> remote locations, they want to use PPTP inbound, terminating at the
> firewall, to access the entire network. In most cases I would have
> installed a WatchGuard 500 (since they are a very small office), but
> that's too much money for their project.

> I've looked at the ZyWall units, but they don't say if they support users
> connecting to the firewall directly (from remote locations) using PPTP
> and then accessing the network.

> Anyone got real experience with a NON-PC based solution, must be an
> appliance, that is under $500 and doesn't require proprietary VPN
> software?

D-Link 804 and others do IPSec, then you install an IPSec
client on the PCs.



--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

In article <cee9ah$2f2n$2@nyheter.ipsec.se>, phn@icke-reklam.ipsec.nu
says...
> In comp.security.misc Leythos <void@nowhere.com> wrote:
>
> > I have a new client that needs to access their 3 system network from
> > remote locations, they want to use PPTP inbound, terminating at the
> > firewall, to access the entire network. In most cases I would have
> > installed a WatchGuard 500 (since they are a very small office), but
> > that's too much money for their project.
>
> > I've looked at the ZyWall units, but they don't say if they support users
> > connecting to the firewall directly (from remote locations) using PPTP
> > and then accessing the network.
>
> > Anyone got real experience with a NON-PC based solution, must be an
> > appliance, that is under $500 and doesn't require proprietary VPN
> > software?
>
> D-Link 804 and others do IPSec, then you install an IPSec
> client on the PCs.

It was nice of you to point this out, but I specifically asked for PPTP.
Having worked with many firewalls and routers, I'm already aware that
most of them support IPSec.

In case anyone else missed it, I specifically need a PPTP solution.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

On Fri, 30 Jul 2004 19:53:22 GMT, Leythos <void@nowhere.com> wrote:


>Anyone got real experience with a NON-PC based solution, must be an
>appliance, that is under $500 and doesn't require proprietary VPN
>software?

A cisco pix 501 will do pptp and costs under 500 USD.



greg

--
Can you hear me?
Can you see me?
Can you feel me?
I don't understand you
 

Mike

Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

Leythos wrote:
> I have a new client that needs to access their 3 system network from
> remote locations, they want to use PPTP inbound, terminating at the
> firewall, to access the entire network. In most cases I would have
> installed a WatchGuard 500 (since they are a very small office), but
> that's too much money for their project.
>
> I've looked at the ZyWall units, but they don't say if they support users
> connecting to the firewall directly (from remote locations) using PPTP
> and then accessing the network.
>
> Anyone got real experience with a NON-PC based solution, must be an
> appliance, that is under $500 and doesn't require proprietary VPN
> software?

A small Linux box running iptables and poptop
http://sourceforge.net/projects/poptop/

I have a number of these working nicely in the field.

Oh ah heck, I just noticed you said NON-PC and must be an appliance.
Sorry, but I'll post anyway because others might find it useful.
 

Erik

Archived from groups: comp.security.firewalls

>
>Anyone got real experience with a NON-PC based solution, must be an
>appliance, that is under $500 and doesn't require proprietary VPN
>software?
>

Now that is strange: why NON-PC ????
You would buy any strange box with proprietary software in it, but not
a PC with just a proprietary BIOS ?

Or do you mean NON-WINDOZE ?

In that case, nothing cheaper than a Pentium-1 box (people throw these
things away these days) and a Linux-IPTables firewall.
Can be done without a hard disk, right from a floppy or a CD, without
a video card (managed over the net). Needs little memory too.
Two ethernet cards in it.

Bring along a Unix guy to set it all up.

frgr
Erik
 
Guest
Archived from groups: comp.security.firewalls

In article <898ng0le2n5gtp5pap0v1iihu2djsha9ba@4ax.com>, Erik <et57 at
correos calor dot com> says...
>
> >
> >Anyone got real experience with a NON-PC based solution, must be an
> >appliance, that is under $500 and doesn't require proprietary VPN
> >software?
> >
>
> Now that is strange: why NON-PC ????
> You would buy any strange box with proprietary software in it, but not
> a PC with just a proprietary BIOS ?

The reason is reliability and stability. In all the years that I've been
doing this I've never found anything more stable and reliable than a
dedicated appliance device. There is nothing "strange" about an
inexpensive firewall that permits external PPTP connections.

> In that case, nothing cheaper than a Pentium-1 box (people throw these
> things away these days) and a Linux-IPTables firewall.
> Can be done without a hard disk, right from a floppy or a CD, without
> a video card (managed over the net). Needs little memory too.
> Two ethernet cards in it.

I can already set up a PC with nix and various firewall products, that's
not something that this solution needs.

The requirement is an appliance that has stability, reliability, ease of
management (even for a non-firewall type), and PPTP inbound terminating
at the firewall appliance.

A PC running any OS/firewall does not meet the needs for this job.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

On Fri, 30 Jul 2004 19:53:22 GMT, Leythos <void@nowhere.com> wrote:
>
>I've looked at the ZyWall units, but they don't say if they support users
>connecting to the firewall directly (from remote locations) using PPTP
>and then accessing the network.
>

The ZyWALLs are only able to act as IPsec servers. The only support
they have for PPTP is pass-thru.
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

Netopia. http://www.netopia.com/products/index.html

Their R910 and 3300-ENT units act as endpoints for both PPTP and IPSEC.
Probably around $200 US retail. I use them at a number of client sites.

I'll usually configure them with PPTP for VPN from PCs running Microsoft's
VPN client, and IPSEC router-to-router.

They're good for anything short of non-VPN inbound connections (e.g., SMTP
inbound for an Exchange server). There, I'd probably look into PIX.

/kenw



Leythos <void@nowhere.com> wrote:

>
>I have a new client that needs to access their 3 system network from
>remote locations, they want to use PPTP inbound, terminating at the
>firewall, to access the entire network. In most cases I would have
>installed a WatchGuard 500 (since they are a very small office), but
>that's too much money for their project.
>
>I've looked at the ZyWall units, but they don't say if they support users
>connecting to the firewall directly (from remote locations) using PPTP
>and then accessing the network.
>
>Anyone got real experience with a NON-PC based solution, must be an
>appliance, that is under $500 and doesn't require proprietary VPN
>software?
>
>Thanks,
>Mark
>
>--

Ken Wallewein
K&M Systems Integration
Phone (403)274-7848
Fax (403)275-4535
kenw@kmsi.net
www.kmsi.net
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

In article <b5cog0lct8g7net4vqkkmsj30521lkruua@4ax.com>, kenw@kmsi.net
says...
> Netopia. http://www.netopia.com/products/index.html
>
> Their R910 and 3300-ENT units act as endpoints for both PPTP and IPSEC.
> Probably around $200 US retail. I use them at a number of client sites.
>
> I'll usually configure them with PPTP for VPN from PCs running Microsoft's
> VPN client, and IPSEC router-to-router.

Thanks, I'll check on them. If I understand you, I can connect the WAN
port to a fixed IP, the clients behind NAT, not use port-forwarding, and
remote users can form a PPTP connection to the router and be provided an
internal IP (NAT) on the protected side of the router?


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

Not PPTP but another CHEAP solution to this problem is to run a Linux
firewall and use Safe Passage as the VPN instead of running PPTP. Safe
Passage tunnels all internet traffic including Windows Filesharing
via SSH (even tunnels DNS requests). So just run an SSH server on the
same linux firewall and you're all set. Note that with Safe Passage
you have to go directly to the domains or IPs of the windows machines
or printers you are trying to access via the VPN (since UDP can't be
tunneled). Email and everything will be secure.

See http://vastrange.com for more information on Safe Passage.
 
Guest
Archived from groups: alt.computer.security, comp.security.firewalls, comp.security.misc

In article <e95a3792.0408031438.2cb85faa@posting.google.com>,
scotty@cm.math.uiuc.edu says...
> Not PPTP but another CHEAP solution to this problem is to run a Linux
> firewall and use Safe Passage as the VPN instead of running PPTP. Safe
> Passage tunnels all internet traffic including Windows Filesharing
> via SSH (even tunnels DNS requests). So just run an SSH server on the
> same linux firewall and you're all set. Note that with Safe Passage
> you have to go directly to the domains or IPs of the windows machines
> or printers you are trying to access via the VPN (since UDP can't be
> tunneled). Email and everything will be secure.

You know, I'm always amazed at how people want to answer a question,
with very specific needs, with something that does not meet the needs of
the solution.

If I wanted to just enable RAS on the client's server and do a PPTP pass
through on the router I would be just as secure, no additional hardware,
and have it a lot easier to manage for them than installing a Linux
based solution.

I called the Zywall support team and was told that their units are just
high-end routers, that they don't support PPTP inbound connections, only
IPSec connections - which would work if I wanted to do it that way, but
there are a large number of routers that support IPSec that are cheaper
too.

I appreciate you taking the time to reply, but your reply does not fit
the constraints of the solution path.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: comp.security.firewalls, comp.security.misc

On Fri, 30 Jul 2004 19:53:22 GMT, Leythos <void@nowhere.com> wrote:

>
>I have a new client that needs to access their 3 system network from
>remote locations, they want to use PPTP inbound, terminating at the
>firewall, to access the entire network. In most cases I would have
>installed a WatchGuard 500 (since they are a very small office), but
>that's too much money for their project.
>
>I've looked at the ZyWall units, but they don't say if they support users
>connecting to the firewall directly (from remote locations) using PPTP
>and then accessing the network.
>
>Anyone got real experience with a NON-PC based solution, must be an
>appliance, that is under $500 and doesn't require proprietary VPN
>software?

Mark, have you looked on eBay for reconditioned/used WatchGuards?

I recently picked up a FB III 700 for around 300GBP, works like a dream
and was in "as new" condition with a 20 seat MUVPN license thrown in.

Just my .2p
 
Guest
Archived from groups: comp.security.firewalls, comp.security.misc

In article <gk81h0dng0vfracke8ljnsmofdlqgfb1re@4ax.com>, robin@rg-net.com
says...
> On Fri, 30 Jul 2004 19:53:22 GMT, Leythos <void@nowhere.com> wrote:
>
> >
> >I have a new client that needs to access their 3 system network from
> >remote locations, they want to use PPTP inbound, terminating at the
> >firewall, to access the entire network. In most cases I would have
> >installed a WatchGuard 500 (since they are a very small office), but
> >that's too much money for their project.
> >
> >I've looked at the ZyWall units, but they don't say if they support users
> >connecting to the firewall directly (from remote locations) using PPTP
> >and then accessing the network.
> >
> >Anyone got real experience with a NON-PC based solution, must be an
> >appliance, that is under $500 and doesn't require proprietary VPN
> >software?
>
> Mark, have you looked on eBay for reconditioned/used WatchGuards?
>
> I recently picked up a FB III 700 for around 300GBP, works like a dream
> and was in "as new" condition with a 20 seat MUVPN license thrown in.
>
> Just my .2p

Yes, I have, and I'm considering that option. The problem with eBay is
that the units don't come with a valid key, no warranty, and no live
security service. While I have the software, the licensing is an issue if
you want to install for customers - the Live Security license is $975
USD in most places.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 
Guest
Archived from groups: comp.security.firewalls, comp.security.misc

On Wed, 04 Aug 2004 11:39:36 GMT, Leythos <void@nowhere.com> wrote:


>Yes, I have, and I'm considering that option. The problem with eBay is
>that the units don't come with a valid key, no warranty, and no live
>security service. While I have the software, the licensing is an issue if
>you want to install for customers - the Live Security license is $975
>USD in most places.
>
Yeah, that does pain me when I have to pay that.

But what do you actually need from the livesecurity?

I've not tried it, but is it not possible to download the latest
software from a valid subscription and update the non-subscribed FB
with it? Or does it check the serial number etc on install?
 
Guest
Archived from groups: comp.security.firewalls, comp.security.misc

On Thu, 05 Aug 2004 10:34:19 +0100, Robin Grayson <robin@rg-net.com>
wrote:

<snip>

Sorry, maybe I should have read your post properly before replying!
 
Guest
Archived from groups: comp.security.firewalls, comp.security.misc

In article <lgv3h0lhc0rbr1seisru3uvr6k91hgsbfa@4ax.com>, robin@rg-net.com
says...
> On Wed, 04 Aug 2004 11:39:36 GMT, Leythos <void@nowhere.com> wrote:
>
>
> >Yes, I have, and I'm considering that option. The problem with eBay is
> >that the units don't come with a valid key, no warranty, and no live
> >security service. While I have the software, the licensing is an issue if
> >you want to install for customers - the Live Security license is $975
> >USD in most places.
> >
> Yeah, that does pain me when I have to pay that.
>
> But what do you actually need from the livesecurity?
>
> I've not tried it, but is it not possible to download the latest
> software from a valid subscription and update the non-subscribed FB
> with it? Or does it check the serial number etc on install?

While you can easily use one subscription key/firmware to update many
units, it's not ethical or legal. They provide one key per box and that
means one $975 license per unit.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
 

jsmith4892002


You can still buy them... they've been discontinued, but I really like the SG series from SnapGear McAfee UTM... like the McAfee UTM SG560U or SG310U. Supports PPTP, IPSec and is really reasonably priced. You can still find them, but they are getting scarce.