Solved

Firewall Choice - Cisco PIX 515 R vs. Watchguard 700 vs. alternative

Posted on 2002-05-31
Last Modified: 2013-11-16
Hi all,

I have to find the cheapest possible decent firewall for a network of 400+ users.  The cost of the firewall is of major importance, because the already approved budget has only £600 allocated to the firewall which, everyone agrees, won't get us far.  So, I can only incur a very small loss on this.

At the moment, the options (because of cost) are Cisco PIX 515 Restricted and Watchguard 700.  They are very similar in price, but I need pointers from experience regarding the following:

1. Performance comparison.
2. Ease of use / management.
3. VPN capabilities.

Kindly avoid quoting vendor websites as I've been through them thoroughly and Cisco does have the performance edge, but I need more qualitative information.

Also, if there are any other suggestions you may have, I'll be happy to hear them.

Thank you.
Nenadic
Also, if you have
Question by:Nenadic
15 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
ID: 7046780
A PIX515E R is still around the £2,500 mark, the Watchguard £2000.
I suggest you look at the Netscreen range - maybe a Netscreen-25 £3200.
A little more expensive, but easier to manage than the PIX and also includes basic traffic shaping.
I expect they'll go for the Watchguard based on price, but then again, very good product.
I think the only way you'll get them to spend more is to give them a firewall product which does have added extras / features - e.g. URL filtering, AV, VPN, traffic shaping and what have you, as playing around with the £600 can't be much fun for you!

 
LVL 12

Author Comment

by:Nenadic
ID: 7046798
The company I'm with now are providing the turnkey solution and my predecessor budgeted £600(!) for the firewall. So, we are aware of the extra cost.
I have costs for both PIX and Watchguard around £1,800 and they both have VPN.

I'm just worried that Watchguard 700 is not specced for 400+ users.

Have you worked with Netscreen-25 before? Is it easy to administer? I will set it up to start off with, but the client may need to administer it later on and hasn't the desire to learn command-line. So, GUI is a must.
 

 
LVL 23

Expert Comment

by:Tim Holman
ID: 7046988
Difficult decision - they all come with GUIs, although the PIX one doesn't let you do anything too clever.
What would present the lowest running cost to the client, over, say, 5 years?
Take into account training requirements, hw/sw support, scalability.
List price on the PIX515E is £2,400.  Make sure your supplier isn't trying to get rid of his old PIX515 models!
If you want any pricing let me know - tim_holman@NOSPAMhotmail.com

 
LVL 12

Author Comment

by:Nenadic
ID: 7047239
No, it is the 515E. I think we are getting a good deal, because it comes with another £50K worth of switches from the same supplier.

I don't think that training is an option - no real interest.

I had a look at NetScreen's site and went over some reviews. It seems OK. But, I didn't manage to get the figures on the number of users and/or Internet connection speed that it's geared towards. Do you think it's OK for 400+ users and 2Mbps leased line?
 
LVL 3

Expert Comment

by:DVB
ID: 7048563
If your client can work without a GUI, may I suggest OpenBSD?
Pretty cheap, needs a simple PC and a skilled admin.
Performance-wise, get good NICs and most of your problems are solved there.
VPNs come out of the box, and the docs are good.
The only thing wrt ease of use is that there are no GUIs AFAIK for this, but the configuration is entirely text file based, and well documented.
If your admin can handle text files, then you should have no problems at all.
 
LVL 12

Author Comment

by:Nenadic
ID: 7048592
GUI is a must.
 
LVL 3

Expert Comment

by:t1n0m3n
ID: 7052913
Tim Holman,
Have you used the PDM 2.01?
It is a big step forward for GUI and the PIX.
Much better than previous versions of the Pix Device Manager.
 
LVL 13

Expert Comment

by:hstiles
ID: 7087016
With regards to the spec of the Watchguard, the issue is less the number of users but the type of use.  If you're intending to make use of the HTTP proxy and application proxy plus support a number of VPN users, the Watchguard is going to fall short of the mark. Then again, so would the Cisco.

If you don't intend to hammer the firewall by using the Web blocker, then a Firebox 700 will do the job.  That said, it'll hardly be well prepped to grow with your needs.
 
LVL 13

Expert Comment

by:hstiles
ID: 7087143
That said, I'd want to seriously consider the 1000 over the 700 as it'd represent a better investment.
 
LVL 13

Expert Comment

by:hstiles
ID: 7087208
I've been in 2 situations where I've replaced a NT firewall (Guardian and Firewall-1 v4) with a Watchguard Firebox and on both occasions the difference was astounding.  The Watchguard has a very intuitive UI, good monitoring capabilities and, if bandwidth is an issue, the web blocker facility is a good method of preventing staff from accessing objectionable material.  The SMTP proxy is also handy as a basic e-mail gateway as you can prevent simple spamming attempts or the delivery of potential viruses (i.e. vb? attachments).

The VPN capabilities of the Watchguard are also a strong point.  I've yet to get the MUVPN option working, but I've only just started.  PPTP from Windows 98/ME and 2000 clients is a cinch.
 
LVL 1

Expert Comment

by:asweinstein
ID: 7091400
I wouldn't buy another PIX unless a customer demanded. Too hard to manage, difficult to monitor, terrible VPN support, etc... We have had much more success with Watchguard. Much easier to configure, real-time monitoring and the best logging around, includes much more than the PIX (SMTP and Web proxy, AV, VPN etc...). If you are going to have a lot of VPN users, consider the 1000, it has the additional VPN coprocessor. Also, the Netscreens are very fast, wire-speed for both VPN and web access. Configured through a web GUI, but not as easy as WG. Also doesn't include the same tools as WG.
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 75 total points
ID: 7103149
Uggh - do yourself a favor and avoid watchguard - astaro is cheaper, more configurable, and more robust than anything I've seen from watchguard or cisco.   You can circumvent the user limit via a NAT device, which should allow you to get much closer to your 600 pound budget than either of the aforementioned solutions.

In any case, wrt astaro vs watchguard

1. Performance comparison.
Astaro wins on similar hardware

2. Ease of use / management.
I've yet to ever be confused by any aspect of the SSL web-gui (they also support SSH text logins)

3. VPN capabilities.

Built-in, no extra charge, both PoPToP and IPSEC

Also includes stateful packet inspection, email virus scanning, IDS, and a host of other features for which you usually must pay big $$...

Cheers,
-Jon


 
LVL 13

Expert Comment

by:hstiles
ID: 7118038
I would just like to point out that if you do consider The Captain's suggestion, you need to budget for a reasonable machine too.
 
LVL 5

Expert Comment

by:zenlion420
ID: 9709203
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to tim_holman and The--Captain.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
