Solved

Firewall Choice - Cisco PIX 515 R vs. Watchguard 700 vs. alternative

Posted on 2002-05-31
Last Modified: 2013-11-16
Hi all,

I have to find the cheapest possible decent firewall for a network of 400+ users.  The cost of the firewall is of major importance, because the already approved budget has only £600 allocated to the firewall which, everyone agrees, won't get us far.  So, I can only incur a very small loss on this.

At the moment, the options (because of cost) are Cisco PIX 515 Restricted and Watchguard 700.  They are very similar in price, but I need pointers from experience regarding the following:

1. Performance comparison.
2. Ease of use / management.
3. VPN capabilities.

Kindly avoid quoting vendor websites as I've been through them thoroughly and Cisco does have the performance edge, but I need more qualitative information.

Also, if there are any other suggestions you may have, I'll be happy to hear them.

Thank you.
Nenadic
Also, if you have
0
Comment
Question by:Nenadic
15 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
ID: 7046780
A PIX515E R is still around the £2,500 mark, the Watchguard £2000.
I suggest you look at the Netscreen range - maybe a Netscreen-25 £3200.
A little more expensive, but easier to manage than the PIX and also includes basic traffic shaping.
I expect they'll go for the Watchguard based on price, but then again, very good product.
I think the only way you'll get them to spend more is to give them a firewall product which does have added extras / features - eg URL filtering, AV, VPN, traffic shaping and what have you, as playing around with the £600 can't be much fun for you !

0
 
LVL 12

Author Comment

by:Nenadic
ID: 7046798
The company I'm with now are providing the turnkey solution and my predecessor budgeted £600(!) for the firewall. So, we are aware of the extra cost.
I have costs for both PIX and Watchguard around £1,800 and they both have VPN.

I'm just worried that Watchguard 700 is not specced for 400+ users.

Have you worked with Netscreen-25 before? Is it easy to administer? I will set it up to start off with, but the client may need to administer it later on and hasn't the desire to learn command-line. So, GUI is a must.
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 7046977
A PIX515E R is still around the £2,500 mark, the Watchguard £2000.
I suggest you look at the Netscreen range - maybe a Netscreen-25 £3200.
A little more expensive, but easier to manage than the PIX and also includes basic traffic shaping.
I expect they'll go for the Watchguard based on price, but then again, very good product.
I think the only way you'll get them to spend more is to give them a firewall product which does have added extras / features - eg URL filtering, AV, VPN, traffic shaping and what have you, as playing around with the £600 can't be much fun for you !

0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 7046988
Difficult decision - they all come with GUIs, although the PIX one doesn't let you do anything too clever.
What would present the lowest running cost to the client, over, say 5 years ?
Take into account training requirements, hw/sw support, scalability.
List price on the PIX515E is £2,400.  Make sure your supplier isn't trying to get rid of his old PIX515 models !
If you want any pricing let me know - tim_holman@NOSPAMhotmail.com

0
 
LVL 12

Author Comment

by:Nenadic
ID: 7047239
No, it is the 515E. I think we are getting a good deal, because it comes with another £50K worth of switches from the same supplier.

I don't think that training is an option - no real interest.

I had a look at NetScreen's site and went over some reviews. It seems OK. But, I didn't manage to get the figures on the number of users and/or Internet connection speed that it's geared towards. Do you think it's OK for 400+ users and 2Mbps leased line?
0
 
LVL 3

Expert Comment

by:DVB
ID: 7048563
If your client can work without a GUI, may I suggest OpenBSD?
Pretty cheap, needs a simple PC and a skilled admin.
Performance-wise, get good NICs and most of your problems are solved there.
VPNs come out of the box, and the docs are good.
The only thing wrt ease of use is that there are no GUIs AFAIK for this, but the configuration is entirely text file based, and well documented.
If your admin can handle text files, then you should have no problems at all.
0
 
LVL 12

Author Comment

by:Nenadic
ID: 7048592
GUI is a must.
0
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7052913
Tim Holman,
Have you used the PDM 2.01?
It is a big step forward for GUI and the PIX.
Much better than previous versions of the Pix Device Manager.
0
 
LVL 13

Expert Comment

by:hstiles
ID: 7087016
With regards to the spec of the Watchguard, the issue is less the number of users but the type of use.  If you're intending to make use of the HTTP proxy and application proxy plus support a number of VPN users, the Watchguard is going to fall short of the mark. Then again, so would the Cisco.

If you don't intend to hammer the firewall by using the Web blocker, then a Firebox 700 will do the job.  That said, it'll hardly be well prepped to grow with your needs.
0
 
LVL 13

Expert Comment

by:hstiles
ID: 7087143
That said, I'd want to seriously consider the 1000 over the 700 as it'd represent a better investment.
0
 
LVL 13

Expert Comment

by:hstiles
ID: 7087208
I've been in 2 situations where I've replaced a NT firewall (Guardian and Firewall-1 v4) with a Watchguard Firebox and on both occasions the difference was astounding.  The Watchguard has a very intuitive UI, good monitoring capabilities and, if bandwidth is an issue, the web blocker facility is a good method of preventing staff from accessing objectionable material.  The SMTP proxy is also handy as a basic e-mail gateway as you can prevent simple spamming attempts or the delivery of potential viruses (i.e. vb? attachments).

The VPN capabilities of the Watchguard are also a strong point.  I've yet to get the MUVPN option working, but I've only just started.  PPTP from Windows 98/ME and 2000 clients is a cinch.
0
 
LVL 1

Expert Comment

by:asweinstein
ID: 7091400
I wouldn't buy another PIX unless a customer demanded. Too hard to manage, difficult to monitor, terrible VPN support, etc... We have had much more success with Watchguard. Much easier to configure, real-time monitoring and the best logging around, includes much more than the PIX (SMTP and Web proxy, AV, VPN etc...). If you are going to have a lot of VPN users, consider the 1000, it has the additional VPN coprocessor. Also, the Netscreens are very fast, wire-speed for both VPN and web access. Configured through a WEB gui, but not as easy as WG. Also doesn't include the same tools as WG.
0
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 75 total points
ID: 7103149
Uggh - do yourself a favor and avoid watchguard - astaro is cheaper, more configurable, and more robust than anything I've seen from watchguard or cisco.   You can circumvent the user limit via a NAT device, which should allow you to get much closer to your 600 pound budget than either of the aforementioned solutions.

In any case, wrt astaro vs watchguard

1. Performance comparison.
Astaro wins on similar hardware

2. Ease of use / management.
I've yet to ever be confused by any aspect of the SSL web-gui (they also support SSH text logins)

3. VPN capabilities.

Built-in, no extra charge, both PoPToP and IPSEC

Also includes stateful packet inspection, email virus scanning, IDS, and a host of other features for which you usually must pay big $$...

Cheers,
-Jon


0
 
LVL 13

Expert Comment

by:hstiles
ID: 7118038
I would just like to point out that if you do consider The Captain's suggestion, you need to budget for a reasonable machine too.
0
 
LVL 5

Expert Comment

by:zenlion420
ID: 9709203
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to tim_holman and The--Captain.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
