• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 264

Firewall recommendation

Hi, we're in the process of upgrading our network and looking for a firewall device. Behind the firewall will be a: mail/internet server, VPN server (75 concurrent users), video conferencing unit, 100-user LAN. I've checked out the Sonicwall 2040, 3060, Watchguard Firebox x700, and Cisco PIX 515e. We would like all to be accessed through 1 T1 circuit but would consider a second if needed. Has anyone had any experience with these products and can make a recommendation?

Thanks
Tim
Asked by: timothyking
1 Solution
 
grblades commented:
They are all good products. The PIX is probably the most commonly used firewall and there are lots of us here with experience of using it.
Do you have the VPN server already?
 
TannerMan commented:
I know price is always a big factor, but I prefer MS Internet Security and Acceleration Server (ISA). I wish I could comment on your choices, but have no experience. I currently manage 5 gateway to gateway VPN networks utilizing ISA on each end as well as 2 other ISA servers for Internet connectivity/browsing/web server hosting.

I came from the very expensive Checkpoint Firewall to ISA and love it.
 
lrmoore commented:
I prefer the PIX, but your problem is going to be the video conferencing. There are no Quality of Service capabilities on the PIX. You also need an additional router to terminate the T1. You might want to look into the new Cisco security router like the 2800 series. It has all the firewall features, VPN capabilities, can take the T1 directly (with WIC DSU), can be a voice gateway if/when you need it, can take a 2nd (or 3rd, or 4th, etc.) T1 when you're ready and need it.

http://www.cisco.com/en/US/products/ps5854/index.html
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator commented:
I used Symantec SGS at my last job and 9 units at this one, but I just changed over to Watchguard. I like the extra layer of protection above the deep packet inspection that most of the others do. It will stop some malicious code that the others won't. There is a video on their site that shows some of this.

I had exactly the same finalists, although I also had a Symantec 5440 in there, but none seemed to do the job like the Watchguard solution. They were also very reasonably priced too.

I liked the Watchguard x700, but wanted the expandability of the extra 3-port upgrade. CDW was running the x1000 with a free 3-port upgrade, so I went with the 1000, but either way, you would be covered. I'm now running an x1000, 4 x15's and 5 x5's to connect the city with fire, police, utilities and public services.

I've got experience with the PIX, Symantec and have worked on a 2040 before. My vote is for the Watchguard. I believe you will be better protected, especially right out of the box.
 
timothyking (author) commented:
We do have a VPN server in place. The video conferencing is used on average about once a week for 2-3 hours. Do you need a dedicated port for each device/server behind the firewall? How is a DMZ set up? Does the DMZ port connect to a switch with devices/servers coming off it?

Thanks
 
grblades commented:
You only need a dedicated port on the firewall for each group of servers you wish the firewall to protect traffic going between. Therefore a PIX 515-R-DMZ has 3 interfaces for the internet, internal network and DMZ.

You would connect the DMZ to its own dedicated switch (never use VLAN separation) and then to the servers you wish to be in the DMZ. This would normally be your webservers and possibly your mail server.

The reason why I asked about the VPN is that the PIX has VPN capabilities itself and you can define exactly which servers each user is permitted to access. However, as you already have your own VPN, you can just redirect all VPN traffic to it and continue using it.
 
timothyking (author) commented:
What would be the use of 6 ports on a firewall? No DMZ port? Could a network admin set up the PIX relatively easily or would a Cisco engineer be needed?

Thanks
 
grblades commented:
With 6 ports you would effectively have 4 DMZ ports.

If you ran your own website you could have the webserver and database on different ports to offer protection between the webserver and the credit card details on the database. You might have leased lines or frame relay etc. to remote sites that you wish to be able to control access between them and your site. Basically, if you wish the firewall to control access between two computers they need to be on different ports on the firewall.
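The two grblades replies above (three interfaces for internet/inside/DMZ, and "if you wish the firewall to control access between two computers they need to be on different ports") describe a rule that is easy to state but worth seeing in action. The following is an added illustration, not code from the thread or from any vendor: a small Python model of a multi-interface firewall in which hosts on the same interface reach each other through the switch without the firewall ever seeing the packet, while traffic between interfaces is matched against explicit rules. All addresses, interface names and rules are constructed for the example, and the "a more trusted interface may initiate towards a less trusted one" default is a simplified PIX-style security-level model, not a reproduction of real PIX configuration.

```python
"""Added illustration (not from the thread): why hosts you want the firewall to
police must sit on different firewall interfaces. A host reaches a neighbour on
the same switch/interface without crossing the firewall, so no rule can apply;
only traffic between interfaces is inspected. Addresses, interface names and
rules are constructed for the example; the security-level default is a
simplified PIX-style model, not any vendor's configuration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Interface:
    name: str
    network: ipaddress.IPv4Network
    security_level: int  # PIX-style: 100 = most trusted (inside), 0 = internet


@dataclass(frozen=True)
class Rule:
    src_iface: str
    dst_iface: str
    dst_host: str        # "any" or a single IP address as text
    proto: str
    port: Optional[int]  # None = any port


class Firewall:
    def __init__(self, interfaces: List[Interface], rules: List[Rule]):
        # Longest prefix first so 0.0.0.0/0 (outside) only matches as a fallback.
        self.interfaces = sorted(interfaces, key=lambda i: i.network.prefixlen, reverse=True)
        self.rules = rules

    def interface_for(self, ip: str) -> Interface:
        addr = ipaddress.ip_address(ip)
        for iface in self.interfaces:
            if addr in iface.network:
                return iface
        raise ValueError(f"no interface for {ip}")

    def check(self, src: str, dst: str, proto: str, port: int) -> str:
        s, d = self.interface_for(src), self.interface_for(dst)
        if s.name == d.name:
            # Same segment: the frame goes switch-to-host; the firewall never sees it.
            return "not-inspected"
        for r in self.rules:
            if (r.src_iface == s.name and r.dst_iface == d.name
                    and r.dst_host in ("any", dst)
                    and r.proto == proto and r.port in (None, port)):
                return "permit"
        if s.security_level > d.security_level:
            return "permit-by-level"  # trusted side may initiate towards less trusted side
        return "deny"  # implicit deny for everything else between interfaces


def build_example_firewall() -> Firewall:
    """Four-interface layout from the discussion: internet, inside LAN, a DMZ for
    the public web/mail servers, and a separate DMZ port for the database."""
    interfaces = [
        Interface("outside", ipaddress.ip_network("0.0.0.0/0"), 0),
        Interface("inside", ipaddress.ip_network("10.0.0.0/24"), 100),
        Interface("dmz-web", ipaddress.ip_network("192.0.2.0/25"), 50),
        Interface("dmz-db", ipaddress.ip_network("192.0.2.128/25"), 60),
    ]
    rules = [
        Rule("outside", "dmz-web", "192.0.2.10", "tcp", 80),    # public web server
        Rule("outside", "dmz-web", "192.0.2.11", "tcp", 25),    # inbound mail
        Rule("dmz-web", "dmz-db", "192.0.2.130", "tcp", 1433),  # web app -> database only
    ]
    return Firewall(interfaces, rules)


if __name__ == "__main__":
    fw = build_example_firewall()
    flows = [
        ("203.0.113.5", "192.0.2.10", "tcp", 80),    # internet -> web: permit
        ("203.0.113.5", "192.0.2.10", "tcp", 22),    # internet -> web ssh: deny
        ("192.0.2.10", "192.0.2.130", "tcp", 1433),  # web -> db sql: permit
        ("192.0.2.10", "192.0.2.130", "tcp", 3389),  # web -> db rdp: deny
        ("192.0.2.10", "10.0.0.5", "tcp", 445),      # web -> inside: deny
        ("10.0.0.5", "203.0.113.5", "tcp", 443),     # inside -> internet: by level
        ("192.0.2.10", "192.0.2.11", "tcp", 25),     # web -> mail, same DMZ: not inspected
    ]
    for src, dst, proto, port in flows:
        print(f"{src:>14} -> {dst:<14} {proto}/{port:<5} {fw.check(src, dst, proto, port)}")
```

The last flow is the point of the advice: with the web and mail servers on one DMZ switch, a compromised web server can reach the mail server on any port and the firewall has no say, whereas the database, placed on its own interface, is reachable only on the single port the rule allows.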
 
gonzal13 (retired) commented:
Here is another corporate program

http://www.sygate.com/
 
JConchie commented:
A vote here for the Sonicwall... very reliable, very easy admin interface... solid VPN connections both firewall-to-firewall and from remote users and road warriors using the software Global client. Low maintenance and good tech support. We are running six of them in different offices... and about a dozen Global clients.
 
timothyking (author) commented:
Which model Sonicwall would you recommend for my setup?

Thanks
 
JConchie commented:
We are running an older Pro 230 on one T1, which handles our servers and VPN connections, and a 2040 on the other T1, for general main office user access to the internet. Very happy with both. Running several different SOHOs in branch offices.

The 2040 is more than adequate for a 75-100 user setup... and can be scaled up for many more users. Nice part is that you only get as many VPN licenses as you need... and can add to as you grow.

If you want to add an extra T1, either for added bandwidth, or for failure rollover, without adding a second firewall, I would look at the 3060.
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator commented:
6 ports, well I use 1 for 1 WAN interface, 1 for a backup WAN interface, 1 interface to another internal network (Lake County), 1 for the internal network and I have 2 left for test or development networks.

Being a Cisco CCNA, I can tell you that the PIX is probably the harder of them to set up. Most Cisco people prefer the command line and the GUI isn't up to the same level as the Sonic Wall, Symantec or Watchguard. That's not to say in any way that the PIX is not a great firewall.
 
timothyking (author) commented:
Does anyone have any info on Fortinet? The name isn't big but I saw that they won some awards recently.

Thanks
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator commented:
Never heard of it.
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer, IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator commented:
Having dealt with a lot of hardware and firewalls, I would stick with more of the major players.
