
Great Walls of Fire!

Bob Stone, IT Guru
I recently had the displeasure of buying a new firewall for one of the buildings where I play Sys Admin. I needed something better than the cheap firewall I had there, since I was reconnecting the main office to the satellite office via point-to-point wireless. It didn't make a lot of sense to me to have a fancy high end firewall at the main office and then basically open a back door to it by leaving a cheap one in place at the satellite office.

Tell me more ... no seriously
Whilst shopping around for a decent firewall at a reasonable price I found a common theme with the sales pitch. The emphasis seemed to be on the brand name and jargon. Then about halfway down the page in tiny print, that seems to get tinier every year now, they put the actual specs.

After you think you have found a real bargain, you find out in the tiny print at the bottom of the page that it only allows 5 users or some ridiculously low number. I would think that a highly valuable morsel of data like that would be right under the pretty picture of the product.

The cost of it all
Another annoying thing not uncommon to network hardware and software is the lack of a price tag on a lot of stuff. I guess it follows the old adage that "if you have to ask how much it costs, you can’t afford it" ... or some such nonsense. But I like knowing how much things cost in order to fairly compare similar products. Cost is a big factor to most businesses.

The people who buy these things are already wearing their big-boy pants and are aware that such things cost a fair amount of money.

Is it too much to ask that they tell me what something costs without having to talk to some salesperson for sometimes up to 20 minutes? Most of the time the salespeople don’t actually know anything about the technical details of what they are selling.

Notice to companies that are trying to pry money from my tight fist – tell me how much it is when I ask, and don't try to give me a convoluted TCO (Total Cost of Ownership) sales pitch instead, or I will move on to the next one on the list. Trust me, I know how to do the math on my own; I don't need a salesperson to educate me.

Doesn't impress me much
Another thing I should tell people who want to sell me a firewall, or any other high end computer gear, on the internet: it doesn't impress me when a site looks like it was made in 1997 as a college kid's homework for a website class, and neither does a ton of Flash navigation. If I feel like I fell into a wormhole and ended up at the beginning of the internet tubes, or like I just popped a video game into my console, I am not sticking around to decipher your site.

The basics
These are the things I need to know in order to make an informed decision about a firewall. They should never be hidden at the bottom of the page in tiny print, nor should I have to call someone to find them out.

1. How many concurrent users can it support with the default licensing that comes with the product? If it is unlimited, that is a big selling point. If it only comes with 5 user licenses, I need to know how much additional licenses cost, or how little they cost (see, this could be a selling point too).

2. The cost of the device. It is a key part of the decision making process.

3. The number of physical WAN and LAN connections it supports. Though it may not seem like it, it is important to know how many ports are on the device, so you know how much control you can have over your network with just the one device, and whether it can accommodate a secondary internet connection that you have or plan on having, either as a failover or for certain ports / IPs.

For example, my main server room has 2 internet connections, DSL and cable. The DSL one is solely for the use of the Exchange Server, except when one or the other connection is down; then the firewall switches everything to the one that is up, and back again when the connection is restored. If I had to replace that firewall for whatever reason, it would be very important to me to know that the new device had 2 WAN ports and could handle 2 connections with failover.

4. What sort of things can it do? For example:
        a. Can I manage the individual LAN ports, or is that part just a simple switch?
        b. Can it be set up relatively easily with failover on the WAN connections?
        c. Does it come with at least setup support, or does that cost extra?

Basically anything that will cost me money will play into Total Cost of Ownership and finding these things out shouldn't be hard or painful.

My end result
I spent days straining my eyes reading small print and practically getting brain damage from trying to figure out nearly indecipherable sites. I even broke down and called a salesperson or three, only to hear a mangled version of what I had just read on their site and get sticker shock at the end of a long and sometimes painful sales pitch.

After all that, I decided that all I needed was a fairly simple firewall solution, so I ended up buying a refurbished 1U Compaq Proliant rack server for $250 and loaded it with the free open source Smoothwall firewall. That took me a few hours and was a minor headache, but nothing compared to the headache I endured when dealing with vendors that were more interested in selling to me than talking to me.

Even if vendors won't change their ways, I hope this helps you ask the right questions and get what you want without eyestrain or brain damage.

Comments (9)

A little late to the party, but your insight has been very helpful.
Bob Stone, IT Guru


Glad to hear that it has been helpful. Thanks =o)

This is very helpful.
In my opinion if you ended up spending $250.00 on an EOL server to run your firewall you were never serious about the endeavor.

This is exactly why enterprise gear is not sold as a commodity.

All of the major vendors sell their equipment through highly qualified channel partners. Anything else is grey market. These partners will ensure that the equipment is installed properly and performing to specification.

IMHO choosing a channel partner is more important than the actual hardware that is being installed.

Do you not have a relationship with a vendor partner?

It's easy to bash on Cisco, Juniper et al. To say the least they set high barriers to entry.

If you got what you wanted out of the recon gear and Open Source firewall more power to you, however it carries significant business risks since no entity is accountable for the product.

Bob Stone, IT Guru


I do have a relationship with several vendors and have with numerous vendors in the past. Unfortunately vendors require you to go through a reseller. When I deal with a reseller most generally it is one of them making me jump through hoops repeatedly, seemingly for their amusement at times. Resellers come and go all the time. The superstar reseller who could get anything fast, cheap, and easy last year is out of business now.

As for dealing directly with vendors, that doesn't happen because they don't want to talk to peon IT people like me. I can't even renew enterprise AV without finding a new reseller (again) because the one I used last year bounces every email and the phone is routed to an operator who tells me they vacated the offices 6 months ago with no forwarding.

I currently have several Cisco firewalls and a very nice (read: damn expensive) SonicWall firewall. I have had appliances by Juniper, Avaya and a few other obscure names only an old school IT person would recognize. The fact that I used recon hardware and OpenSource software to seal a potential hole in a remote office doesn't mean I used bubble gum and baling wire. Contrary to what big name vendors think, experienced IT people can build their own stuff that actually works. Also, OpenSource doesn't mean it is like Swiss cheese that any script kiddie can poke into. It wasn't that long ago that Cisco firewalls had a huge TCP vulnerability that allowed numerous break-ins.

Truth is, nothing is 100% safe, and anyone who thinks that a shiny nameplate makes you safe is a fool.

