Our forensic lab and other departments within our government organization need their PCs connected to our state's network. We currently have the PCs directly patched into a Cisco router which is running an EZVPN connection to a Cisco ASA we have specifically for this. We like this setup because the PC is always connected to the state's network without needing to use remote client software like AnyConnect.
The problem is these routers are going EOL soon, and we would like a more cost-efficient solution vs. buying more routers that serve just this one purpose. Any ideas how we can go about a different solution? Should we move back to an AnyConnect profile and just tell the users they have to log in every time?
This is state government, law-enforcement and forensic investigation.
Low cost should be a tertiary criterion for evaluating new solutions.
Fully compliant security, aligned with State Standards (both operational standards and security requirements), should be your top-tier priority.
As an entity of public government, you should qualify for TechSoup, so you can get rock-bottom pricing if your State Gov doesn't already have a negotiated pricing agreement.
If you like the current Cisco solution, and you have a good support solution in place for that, stick with it.
If you’re not particularly happy with the Cisco solution, you might consider Palo Alto’s Prisma Access.
I work for a city, and for our police department the state (AZ DPS) tells us what we need to do and how, which includes the VPN connection to them. Since you're dealing with CJIS data, there are definitely compliance concerns you need to worry about. I'd be shocked if your state didn't have defined standards for this that you need to abide by.
An ASA isn't required to do a site-to-site VPN. Any firewall/router can do that.
Tip: Don't mix networks. Auditors get twitchy. So if you want to leverage existing networks, at least VLAN all the CJIS PCs off, and then only let them out via the VPN. And make sure the LASO signs off on the solution change; auditors will check.
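Here is what the segmentation described in the comment above looks like on a replacement router, as an added example in Cisco IOS syntax. This is not configuration from anyone in this thread or from any state agency; every name, VLAN ID and address is a placeholder (the CJIS VLAN is assumed to be VLAN 100 on 10.100.0.0/24, the state network 172.16.0.0/16, and the state's VPN peer 203.0.113.10, a documentation address). The tunnel is an IKEv2 IPsec VTI, so "only out via the VPN" reduces to two things: a route for the state prefix that points into the tunnel, and an inbound ACL on the CJIS VLAN that permits nothing else.

```cisco
! Added example, not from the thread. All addresses, names and VLAN IDs are placeholders.
! 10.100.0.0/24 = CJIS/forensic VLAN (VLAN 100); 172.16.0.0/16 = state network (assumed);
! 203.0.113.10 = state VPN peer (documentation address). Take the crypto parameters from
! the state's standard, not from here.

! --- IKEv2 / IPsec for the site-to-site tunnel to the state ---
crypto ikev2 proposal STATE-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy STATE-POL
 proposal STATE-PROP
crypto ikev2 keyring STATE-KEYS
 peer STATE
  address 203.0.113.10
  pre-shared-key REPLACE-WITH-PSK-AGREED-WITH-STATE
crypto ikev2 profile STATE-IKE
 match identity remote address 203.0.113.10 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local STATE-KEYS
crypto ipsec transform-set STATE-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile STATE-VTI
 set transform-set STATE-TS
 set ikev2-profile STATE-IKE

! --- Route-based tunnel (VTI): anything routed into Tunnel0 is encrypted to the state ---
interface Tunnel0
 description IPsec VTI to state network
 ip address 10.255.0.1 255.255.255.252
 tunnel source GigabitEthernet0/1
 tunnel destination 203.0.113.10
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile STATE-VTI

! --- CJIS PCs on their own VLAN, with the only permitted destination being the state prefix ---
interface GigabitEthernet0/0.100
 description CJIS forensic VLAN
 encapsulation dot1Q 100
 ip address 10.100.0.1 255.255.255.0
 ip access-group CJIS-VLAN-IN in

ip access-list extended CJIS-VLAN-IN
 permit ip 10.100.0.0 0.0.0.255 172.16.0.0 0.0.255.255
 deny   ip any any log

! --- Other VLANs cannot reach the CJIS VLAN (apply inbound on every non-CJIS subinterface) ---
ip access-list extended NO-CJIS-ACCESS
 deny   ip any 10.100.0.0 0.0.0.255 log
 permit ip any any
interface GigabitEthernet0/0.20
 description general office VLAN
 encapsulation dot1Q 20
 ip address 10.20.0.1 255.255.255.0
 ip access-group NO-CJIS-ACCESS in

! --- The state prefix goes into the tunnel; the ACL above leaves the CJIS VLAN no other egress ---
ip route 172.16.0.0 255.255.0.0 Tunnel0
```

After the peer is up (`show crypto ikev2 sa`, `show crypto ipsec sa` should show the SA and encrypt/decrypt counters climbing), check the isolation from a CJIS PC: a host inside 172.16.0.0/16 should answer, a host anywhere else should not, and the `deny ... log` entries show up in the router log. If the CJIS PCs need DHCP, DNS or an update server that does not live on the state side, each of those needs its own explicit `permit` line above the final deny, and the auditor will want to see them.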
Maybe consult the state's IT and engineering department instead of Reddit. Maybe follow some STIGs or ITSS standards. Maybe hire someone and not ask the same internet audience that might also be interested in access to this network.
Our police and county sheriff recently moved to Zscaler; it's been great. Plus the police admin handles most of it. We had to create some security policies, but it's been hands-off since deployment.
Generally, for government agencies a solution has to meet certain support criteria as well as vendor responsibilities. Open source might not meet those criteria; I'm not sure. Usually you'll also have to be on an approved vendors list, so if you needed to replace the ASA and you didn't want to go with the current vendor's firewall, you could go with a router like other people have said. As far as using AnyConnect, it's probably down to management and auditor approval of whatever solution you want to propose.
Honestly, you need to consult documentation for what is allowed with respect to the connection. If it were me? I'd just buy a router that isn't EOL and continue to leverage the same solution. I've learned with respect to DOJ and state, don't try to get cute with a solution that's outside of, or more advanced than, what they have implemented. It's not worth the headache.
You’ll probably get a number of opinions from all ends of the spectrum on the list below. As I always say when making recommendations: do what works for you.
WatchGuard: Historically has been a price leader when it comes to all the next-generation firewalls out there. They get you on all the other services, though, and when it comes time to renew subscriptions, it’s almost always better to just get another WatchGuard price-wise. We use these at my current employer, and haven’t had any issues with their site-to-site VPN (they call it Branch Office VPN or BOVPN).
SonicWall: I personally haven't had good experiences with these (it might be because I've dealt with a lot of undersized models at a time when Internet speeds were increasing dramatically). Others have had good experiences.
Fortinet: I consider this the middle ground between WatchGuard and SonicWall.
Palo Alto: Often considered the “Cadillac” of next-gen appliances.
Meraki: Another one that people love. Only problem is that if you let your subscriptions expire, basic functionality stops working as well! (Unless that's changed over the past few years.)
Have you considered a hardwired VPN? Aruba APs have this function. Many businesses use this for confidential work-from-home solutions.
Meraki (Cisco easy) has the same deal.
This would pass your compliance checks and reduce costs while being able to scale HA pairs, etc.
Why not a collapsed core solution with a firewall?
Just switches as access, and connect them to a distribution switch. From there, everything goes toward the firewall.
A Firepower firewall could possibly continue to support the VPN connection. But I would work with the state police service desk to get the recommended upgrade so you don't screw yourself. If they say don't touch the thing, don't try to solution it.
Point-to-point VPN is what you should be using from your HQ to theirs. You can VPN in from the cars or other mobile areas with whatever other VPN solution you want, but cops are simple; you are better off with an always-on VPN solution, which you could do with AnyConnect and Firepower.
A solution that I put in place years ago was to utilize an always-on type VPN solution into HQ, and use terminal services for entries into their database as well as to run queries on software that would then query the state police (things like running plates, checking for warrants, and other stuff not on the local network). This was in the 2002-2011 time frame when I had "access". A lot of things have changed since then.
Good luck but don’t fight old technology without support from your partners/vendors. If they lose communication due to your mistake, it is your job on the line.
This is likely different in every state, but I know in mine that if you’re connecting to the state then they’re the ones configuring and supporting the router. Same goes for the county level - even if you’re a fire department the county will specify this device. With that in mind -
EOL for gov't is not necessarily the same as EOL for commercial use. The gov't may pay Cisco for continued support.
I’d talk to the guy on the other end of that VPN tunnel and see what options you have.
What's wrong with IPsec? Tried and true: link the networks, set up rules for what can access what. Solvable reliably and securely with some Netgate pfSense appliances with ease for basically no money.
Obviously I'm a bit squicked by the fact that something that literally handles highly classified information is nickel-and-diming the basic security solutions... I mean, there's gotta be some standards specified for this shit already, right? Right?
No, this isn't how forensics teams do IT. They use state-of-the-art technology and implementation, because each forensic scientist is also a world-class hacker. I've watched NCIS.