Solved

Firewall Choice - Cisco PIX 515 R vs. Watchguard 700 vs. alternative

Posted on 2002-05-31
Last Modified: 2013-11-16
Hi all,

I have to find the cheapest possible decent firewall for a network of 400+ users.  The cost of the firewall is of major importance, because the already approved budget has only £600 allocated to the firewall which, everyone agrees, won't get us far.  So, I can only incur a very small loss on this.

At the moment, the options (because of cost) are Cisco PIX 515 Restricted and Watchguard 700.  They are very similar in price, but I need pointers from experience regarding the following:

1. Performance comparison.
2. Ease of use / management.
3. VPN capabilities.

Kindly avoid quoting vendor websites as I've been through them thoroughly and Cisco does have the performance edge, but I need more qualitative information.

Also, if there are any other suggestions you may have, I'll be happy to hear them.

Thank you.
Nenadic
Also, if you have
Question by:Nenadic
15 Comments
 
LVL 23

Accepted Solution

by:
Tim Holman earned 75 total points
A PIX515E R is still around the £2,500 mark, the Watchguard £2000.
I suggest you look at the Netscreen range - maybe a Netscreen-25 £3200.
A little more expensive, but easier to manage than the PIX and also includes basic traffic shaping.
I expect they'll go for the Watchguard based on price, but then again, very good product.
I think the only way you'll get them to spend more is to give them a firewall product which does have added extras / features - eg URL filtering, AV, VPN, traffic shaping and what have you, as playing around with the £600 can't be much fun for you !

0
 
LVL 12

Author Comment

by:Nenadic
The company I'm with now are providing the turnkey solution and my predecessor budgeted £600(!) for the firewall. So, we are aware of the extra cost.
I have costs for both PIX and Watchguard around £1,800 and they both have VPN.

I'm just worried that Watchguard 700 is not specced for 400+ users.

Have you worked with Netscreen-25 before? Is it easy to administer? I will set it up to start off with, but the client may need to administer it later on and hasn't the desire to learn command-line. So, GUI is a must.
0
 
LVL 23

Expert Comment

by:Tim Holman
Difficult decision - they all come with GUIs, although the PIX one doesn't let you do anything too clever.
What would present the lowest running cost to the client, over, say 5 years ?
Take into account training requirements, hw/sw support, scalability.
List price on the PIX515E is £2,400.  Make sure your supplier isn't trying to get rid of his old PIX515 models !
If you want any pricing let me know - tim_holman@NOSPAMhotmail.com

0
 
LVL 12

Author Comment

by:Nenadic
No, it is the 515E. I think we are getting a good deal, because it comes with another £50K worth of switches from the same supplier.

I don't think that training is an option - no real interest.

I had a look at NetScreen's site and went over some reviews. It seems OK. But, I didn't manage to get the figures on the number of users and/or Internet connection speed that it's geared towards. Do you think it's OK for 400+ users and 2Mbps leased line?
0
 
LVL 3

Expert Comment

by:DVB
If your client can work without a GUI, may I suggest OpenBSD?
Pretty cheap, needs a simple PC and a skilled admin.
Performance-wise, get good NICs and most of your problems are solved there.
VPNs come out of the box, and the docs are good.
The only thing wrt ease of use is that there are no GUIs AFAIK for this, but the configuration is entirely text file based, and well documented.
If your admin can handle text files, then you should have no problems at all.
0
 
LVL 12

Author Comment

by:Nenadic
GUI is a must.
0
 
LVL 3

Expert Comment

by:t1n0m3n
Tim Holman,
Have you used the PDM 2.01?
It is a big step forward for GUI and the PIX.
Much better than previous versions of the Pix Device Manager.
0
 
LVL 13

Expert Comment

by:hstiles
With regard to the spec of the Watchguard, the issue is less the number of users than the type of use.  If you're intending to make use of the HTTP proxy and application proxy plus support a number of VPN users, the Watchguard is going to fall short of the mark. Then again, so would the Cisco.

If you don't intend to hammer the firewall by using the Web blocker, then a Firebox 700 will do the job.  That said, it'll hardly be well prepped to grow with your needs.
0
 
LVL 13

Expert Comment

by:hstiles
That said, I'd want to seriously consider the 1000 over the 700 as it'd represent a better investment.
0
 
LVL 13

Expert Comment

by:hstiles
I've been in 2 situations where I've replaced a NT firewall (Guardian and Firewall-1 v4) with a Watchguard Firebox and on both occasions the difference was astounding.  The Watchguard has a very intuitive UI, good monitoring capabilities and, if bandwidth is an issue, the web blocker facility is a good method of preventing staff from accessing objectionable material.  The SMTP proxy is also handy as a basic e-mail gateway as you can prevent simple spamming attempts or the delivery of potential viruses (i.e. vb? attachments).

The VPN capabilities of the Watchguard are also a strong point.  I've yet to get the MUVPN option working, but I've only just started.  PPTP from Windows 98/ME and 2000 clients is a cinch.
0
 
LVL 1

Expert Comment

by:asweinstein
I wouldn't buy another PIX unless a customer demanded. Too hard to manage, difficult to monitor, terrible VPN support, etc... We have had much more success with Watchguard. Much easier to configure, real-time monitoring and the best logging around, includes much more than the PIX (SMTP and Web proxy, AV, VPN etc...). If you are going to have a lot of VPN users, consider the 1000, it has the additional VPN coprocessor. Also, the Netscreens are very fast, wire-speed for both VPN and web access. Configured through a WEB gui, but not as easy as WG. Also doesn't include the same tools as WG.
0
 
LVL 16

Assisted Solution

by:The--Captain
The--Captain earned 75 total points
Uggh - do yourself a favor and avoid watchguard - astaro is cheaper, more configurable, and more robust than anything I've seen from watchguard or cisco.   You can circumvent the user limit via a NAT device, which should allow you to get much closer to your 600 pound budget than either of the aforementioned solutions.

In any case, wrt astaro vs watchguard

1. Performance comparison.
Astaro wins on similar hardware

2. Ease of use / management.
I've yet to ever be confused by any aspect of the SSL web-gui (they also support SSH text logins)

3. VPN capabilities.

Built-in, no extra charge, both PoPToP and IPSEC

Also includes stateful packet inspection, email virus scanning, IDS, and a host of other features for which you usually must pay big $$...

Cheers,
-Jon


0
 
LVL 13

Expert Comment

by:hstiles
I would just like to point out that if you do consider The Captain's suggestion, you need to budget for a reasonable machine too.
0
 
LVL 5

Expert Comment

by:zenlion420
Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts awarded to tim_holman and The--Captain.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor
0
