npinfotech

asked on
Firewall recommendation needed (appliance)

I need a hardware firewall that:

1. Can support 2 WAN connections (1 cable, 30 Mbps, and 1 DSL) without a throughput slowdown
2. VPN connectivity that is easy to install, rock-solid reliable, and doesn't depend on anything else (like integration with Windows VPN or something)
3. Great reporting for intrusion attempts, protection, and traffic flow

I am looking at a SonicWall Pro 3060, but it'll cost $5000 (firewall + install) + $1500 per year with upgrades.  I was looking to spend about $4000 max with little or no maintenance fees.
SOLUTION
jabiii

ASKER
Thanks for the suggestion.  How is Juniper's support?
I have a few Juniper products. 99% of the time I don't have to contact support; most of the information I can get on my own playing on the box, or through their online knowledge base. I liked their old KB better, but hey...
But they are good at responding to you if you do open a ticket with them, and you can check all the notes out online.

Let's put it this way, I play with Cisco and Juniper and Sidewinders all day. I would pick, in order, Sidewinder (if you have a lot of $$), then Juniper, and a distant 3rd would be Cisco, but I know a lot of people here would disagree :)

There are a lot of people here who can help with Cisco, as well as other places. Not too many Juniper n3rds yet.
SOLUTION
Les Moore
There's one of those Cisco guys I warned you about :)
Yep, I'll admit to being a Cisco junkie. <8-}

I like the products, I know the products well, and I make a good living implementing their products.
I'll also admit that I have zero hands-on experience with Juniper, Sonicwall, or Sidewinder.
Like you said, there are plenty of Cisco experts hanging around these days and it's easy to get detailed help here at EE.
We don't see many Juniper or Sonicwall experts around, and many of those questions go unanswered till the cleanup crew deletes them.
Wonder why that is?
SOLUTION
carl_legere

oh I also advocate ISA2000/2004 as a mid-range option
Actually, I jump in on every Juniper question I find :), but ya, I am one of a very few here.
But then again, dang near every question here is related to Cisco, and like 1 in 1000 might be Juniper. Could be Cisco is too complex, or Juniper's that easy, or it just could be more people using them finding stuff.

Part of choosing your FW is what kind of support you will be utilizing, whether it be the vendor or coming here. Your familiarity with the product, cost, performance, etc etc. All of it needs to be weighed in on your decision.  That's why when people post here asking for a FW, the first thing most experts respond with is: ok, what is your price range, what architecture are you going to be implementing it with, bandwidth, etc etc.

Here is a checklist. Granted, it's from Juniper so it might be slanted, but it will help you compare FWs.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Here are some 3rd party studies of FWs.
http://www.cs.nmt.edu/~cs491_02/IA/firewall%20performance_files/0312rev.htm

2006 Products of the year
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1160468_tax299825,00.html?track=NL-20&ad=543466&adg=299807

2005
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1041739,00.html

You can also search here; there are plenty of other threads like this one, choosing FWs and VPNs, comparing Cisco/Juniper/Sidewinder etc.
https://www.experts-exchange.com/questions/21704713/VPN-Recommendation.html
Wow, this is a better response than I anticipated.  Most of my questions do go unanswered these days...

jabiii: Are you a Juniper salesman?  If not, you should be!  Great info you've provided.  I'm waiting for Juniper sales to get back to me as we speak.

lrmoore: what's the typical maintenance fee/fee structure?  I am also waiting on Cisco reps to respond to my request.

carl_legere: From what the vendors are telling me, they can handle 2 WAN links.  My specific setup is that I dedicate 1 line (DSL) to an onsite mail server (the only way I can get a static IP).  The other line (cable) I use for everything else.  These connections have been very reliable so far, and our office is in an area where the weather really screws things up.

ENVISIONED SETUP:
1. I want both WAN connections protected through 1 firewall.
2. I want all incoming mail to go from DSL router ==> firewall ==> mail server.  I then want all outgoing mail to go from mail server ==> firewall ==> DSL router.  This is critical.
3. I want all other traffic from any other Windows XP PC inside my network to go from the requesting machine ==> firewall ==> cable router.  I want all incoming traffic (VPN, for example) to go from PC outside my network ==> firewall ==> internal network location.  The cable router will be broadcasting
4. I want the firewall to have VPN capability that is easy to set up and reliable.  I want users to be able to work from their homes securely.
5. I want reporting that is robust and that I can understand.  Granularity is a definite plus, but if I can get general stats about bandwidth usage, intrusion attempts, and specific user requests to the Internet, I'd be happy.
Here is another question I have about the physical location of my current firewall.  Here is the hypothetical:

I have two routers connecting to my individual WAN links.  I connect both of them into 1 switch.  Then I connect the switch into a firewall.  Then I plug the firewall into a switch which connects to my internal network.  My lame attempt at a diagram is below:

Router 1 (DSL) ==> Switch 1 ==> Firewall 1 ==> internal network 1
Router 2 (Cable) ==> Switch 1 ==> Firewall 1 ==> internal network 1

Let's say I have the firewall set up to send all requests through to "router 1" (my firewall has a setting to define only 1 WAN link).  Now, I set up a Windows XP client to use "router 2" as a gateway.  I have port 21 blocked at the firewall, both ways.

Will the firewall block the client's request for port 21 on the internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?  Does this question make sense?
Take into consideration that, just like lrmoore is a Cisco guy with not much Juniper experience, I don't have much Cisco firewall exp (other than dealing with dumb remote admins), so .. hopefully he will answer from that side :)

1) Juniper
2&3) shouldn't be a problem (but hopefully you have an internal switch). The rules in Juniper are very easy; hopefully you can see how easy. http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1901edb

4) again, with Juniper it's very simple. I have sat people down in front of them and in less than 10 minutes they were able to configure FW and VPN policies.
5) let's put it this way, product (and price) Sidewinder > Juniper, but I prefer Juniper logs to Sidewinder.
NP, any of the sales guys get back w/ya yet?
Just curious what you're leaning towards.
Jim
Nah man.  not yet.  I'll post when they do, for sure.
SOLUTION
Anyone have any opinions on Fortinet (100-A or 200-A) or Symantec (1620 or 1660) appliances?
Fortinet spent $millions on fighting patent infringement in their AV engine and had to cease sales for a time. I think they've resolved that for now. I've heard that they are a real bugger to maintain, but do a good job. If you're looking for an all-in-one firewall/content filter/AV, I'd go with the Symantec appliance (unless you want to run with the big dogs and use Cisco ASA 5500).
Keith, I think it's because of the price tag :) I think you and I are among the very few here that use them :)

NetScreen does the content filtering/AV too
SOLUTION
I am having one hell of a time getting vendors to respond to my requests.  You'd think they'd be interested in selling something...
Did ya go here for Juniper?
https://www.juniper.net/howtobuy/
They have toll free #'s for their sales force and links to resellers.
Jim
The juniper reseller was horrible.  I had to deal with their tag team: salesperson + tech.  The tech didn't even sound like he knew what he was talking about.
Ya, I've had bad experiences with a couple of resellers too, but if you let Juniper know, they will slap 'em around for you.

Ya, the level 1 tech guys don't do anything with the licensing or sales. I've got a rep; I'll ask him for some good contacts for ya.
Sounds good.
NP who was the reseller you used?
IGX global
Let me see what I can find for you. Sorry I'm slow. It's been a hell of a couple of months.
If this is personal, I'd just google it; there are a lot of resellers.

If for business (commercial), I'd recommend Onix
http://www.onixnet.com/
Contacts for commercial sales
800-664-9638
Tim    x15
Keith    x11
will do.
Sorry i haven't looked at this post lately. We are a reseller of Juniper. We have support-sell several different vendors. If you would like I can get you in contact with a guy I know in our sales dept.

www.fishnetsecurity.com
RDC
Thanks.
*snicker* I want  my cut imreble1 :) jk
Fishnet quoted me $16,000.  I said I didn't have $16,000, and was looking to go up to $4000 max.  I haven't heard back from them in 5 days, and don't expect to...
For what, the 200 series? You don't need that much. A 50 or 5 series would do you.
They actually offered a checkpoint solution loaded onto a Nokia? appliance.
Ask them specifically about the NS's. Save yourself some $$ :)
I'm about to dump the UTM requirement, as well as the dual WAN requirement, and just ask for a firewall with good SSL VPN capabilities.
I'd still say Juniper :0
And I'd go Cisco ASA
>>or symantec (1620 or 1660) appliances

Yep, I've put in a lot of 1600 Series Symantecs. I'm an SCTA - they are simple to set up and cheap - and failover is simple to set up on a 1660.

All the cheaper Symantec products are now no longer made (though there is still stock on shelves, 300 and 400 series). Symantec are recommending Juniper boxes to replace them.

Personally (even though I'm a reseller and engineer) - I wouldn't buy Symantec - they are winding down hardware firewalls - they have stopped hardware development, and regardless of what's on their web site, getting support for SGS products in 18 months will be a nightmare.

 - So join the Cisco Revolution, Brother!

The new baby ASA 5505 - is the donkey's conkers
YES! Cisco is the king of the market!

>the donkeys conkers
Well put, Pete!
Thank you for all of the answers and suggestions.  I finally settled on a Symantec Gateway Security 1620 for both my DSL and Cable lines.  So far, it's been a lot less than stellar.  My issues so far (with expletives left out):

1. Connections to internal computers are mysteriously lost
2. It takes us forever to send and receive mail
3. Our Internet access keeps crapping out
4. Symantec Support is "hit-or-miss", but my experience is that they are mostly bad.  They seem to know their stuff, but somehow they can't seem to help me.  I've spent at least 15 hours of phone time alone with them, and I still can't get the box to work right.
5. Their "SGMI" GUI is slow as molasses.

In all fairness, I do have a more complex setup than the average shop, but this is ridiculous.  What's worse is that unless I want to pay extra for 24x7 support, I have to take down a service during business hours to solve issues (a real problem).

I haven't even had a chance to test its VPN capabilities.  The reporting on the device is decent though.
Damn, I spelled "expletive" wrong.
Corrected :)
ASKER CERTIFIED SOLUTION
Thanks to everyone who participated in the question here.  Your opinions were much appreciated, and very helpful.  I know where to go next time I need a recommendation!

ThanQ