
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 443

Firewall Comparison

I am looking for any good reviews or comparisons of firewalls that include the Cisco PIX compared to other vendors. I am thinking of implementing a PIX and I have mixed feelings from what I am reading. I am currently using a SonicWall device. I do know my way around IOS.

1 Solution
I guess without requirements, it's hard to say.

But in my experience:

1) PIX is fine. I like PIX, unless you need to manage a boatload of them. I like that they seem pretty straightforward.

2) Checkpoint seems pretty good, especially if you've got lots of firewalls. In some ways it does seem exceedingly complicated and I don't like that the logs are all part of the database/GUI (I like to be able to grep/tail my logs :) ). There are aspects of Checkpoint that make it seem very easy, but it's really an amazingly complex piece of software. Take Nokia hardware over Alteon if you go this route. Note this is a multivendor thing, but Checkpoint does have a hardened Linux SecurePlatform if you want to run it on your own Intel hardware.

3) Netscreen makes a very nice product, although it's been years since I've played with them (pre-Juniper ownership) and I'm mostly spewing based on friends/peers who use them. Integrated hardware/software, i.e. one vendor :)

How much traffic do you plan on passing? How many firewalls are you planning to deploy? Are you going to be doing failover clusters? Active-active? FW sandwiches with firewall load-balancing? Do you need them to do dynamic routing? Is your boss gonna have to go home to change his underwear when you tell him you need $95k for a pair of firewalls? Would you do OpenBSD? Might something like http://www.fwbuilder.org/ make Linux/BSD/iptables more palatable?

All fat to chew on.

I'm sure this just made your decision more difficult, but I think it's important to try and determine what it is exactly about the SonicWall that's not cutting it.

So, start with a reason to get a new one and then start picking about what your real requirements are. Once you're there, it makes providing more meaningful advice easier :)

Have fun!

andreacadiaAuthor Commented:
Well, the reason I am getting a new one is because the SonicWall has been malfunctioning. So my next step is to determine if I want to stick with SonicWall or give a PIX a shot. I am a solid follower of Cisco but I never configured or dealt with a PIX before. I was just looking for some feedback or insight.
I concur with pedrow. Although the PIX is nice, it's not quite IOS, and the subtle differences have a reputation for tripping up the unwary. For an enterprise-class step up from a SonicWall, I'd recommend NetScreen, although again, my direct experience is pre-Juniper.


I like the Cisco PIX, but sometimes you're better off not trying to recreate the wheel, so to say. You're already familiar with the Sonic firewall, it seems to have been doing the job until the hardware started to go south, so I'd just get another one and keep the old one around as an emergency backup. That way you will have the least possible interruption implementing the new firewall, and you can spend more time on fine tuning the new firewall instead of trying to learn how to configure it.

I have nothing against learning something new, but with the old one on its way out already, I'd rather take the quick way out in case it goes completely south on you. Now if the old one was still working fine, I'd be more inclined to say look at other options, since you could rely on the old firewall until you have everything figured out, but the old one is dying, and if it dies before you are ready you are in trouble, so I'd take the safe route on this one.
andreacadiaAuthor Commented:
That makes sense, but I have backups of backups in my network, so I have a fully functional low-end firewall that is running in the meantime. To be honest I have been wanting to get familiar with the PIX for a while and this looks like my chance. I was hoping to find some sort of ultimate review of firewalls compared side by side and ranked, just to get an idea of how the PIX fares against the other contenders in the market. What would you say the most popular corporate firewall is?
From my perspective Checkpoint, PIX, and Sonic are the most common, but open source Linux firewall solutions are not uncommon either. I find a lot of people are rather passionate about their favored firewall solution, but to me what is more important is not so much what firewall you have, it's how it's set up that really counts. The simple truth is a mediocre firewall that is set up expertly will be more secure than the most expensive firewall if it isn't well implemented.

At the same time I see the hardening of hosts as a greater priority these days than having the baddest firewall made. A lot of people think having a firewall is like a suit of armor for your network, but it's really more like having a big heavy shield. As long as you are being attacked head on, there is little that can get through it, but if someone sneaks up behind you it provides little protection.

In the last couple of years attacks from the inside of the network using Trojans have become the biggest security risk in my opinion. Firewalls can mitigate some of this growing threat, but there is only so much they can do, and with the majority of networks' security models being hard and crunchy on the outside and soft and chewy on the inside, once a Trojan makes it inside it runs wild.

For over five years I have been running a little experiment with two Windows servers. They are on the Internet with no firewall protection at all, fully exposed. The objective was to see how secure I could keep them by following good security practices, like strong passwords, religiously keeping patches and the antivirus up to date, renaming the administrator and guest accounts, and responding in a timely fashion to new security issues. So far, after 5 years of nearly nonstop attacks on them, no one has broken into them.

I have implemented as much of this as I can for my inside hosts, but the users on my network keep me from implementing things like a password policy as strong as I would like. Yet I have added some clever twists into the mix, like internal firewalls, and limiting internet access by the servers to only those things they need access to, like my antivirus provider. Phony administrator and guest accounts that I monitor for attempts to log onto: not long ago I discovered this way that a couple of then-unknown Trojans had infected some of the workstations. Damn those users and the crap they download off the internet; I tried to put a stop to it, but they cried like banshees and management sided with them.

Anyway, I think this gives you an idea of why I am not so hot for this or that firewall, as I clearly see them as just a small but important part of network security. You want one, but you really need to secure the whole of your network as if you didn't have one if you want a really secure network, since threats from the inside are just as dangerous as those from the outside. So don't make the mistake of thinking that a firewall is a cure-all, as all too many people are doing these days.
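The decoy-account monitoring described above, as an added example that is not part of the original thread: a small Python detector that flags any logon attempt naming a bait account, since no legitimate process should ever touch one. The "key=value" log format, the event IDs 4624/4625, and all account, host and IP values are constructed assumptions for the example; a real deployment would read the Windows Security event log instead.

```python
"""Decoy-account logon alerting (added example, not from the original thread)."""
import re
from collections import Counter

# Bait accounts (constructed names): the real admin was renamed, so any use of these is suspect.
DECOY_ACCOUNTS = {"administrator", "guest"}

# Constructed sample log: "srvops" is the renamed real admin logging on normally;
# WS17 hammers the decoy Administrator/Guest accounts; WS23 even succeeds against Guest.
SAMPLE_LOG = """\
2004-03-01 08:00:01 EventID=4624 TargetUserName=srvops WorkstationName=WS01 IpAddress=10.0.0.5
2004-03-01 08:00:07 EventID=4625 TargetUserName=Administrator WorkstationName=WS17 IpAddress=10.0.0.17 Status=0xC000006D
2004-03-01 08:00:08 EventID=4625 TargetUserName=Administrator WorkstationName=WS17 IpAddress=10.0.0.17 Status=0xC000006D
2004-03-01 08:00:09 EventID=4625 TargetUserName=Guest WorkstationName=WS17 IpAddress=10.0.0.17 Status=0xC000006D
2004-03-01 08:05:00 EventID=4624 TargetUserName=jdoe WorkstationName=WS02 IpAddress=10.0.0.6
2004-03-01 08:06:30 EventID=4624 TargetUserName=Guest WorkstationName=WS23 IpAddress=10.0.0.23
"""

# Assumed line layout: EventID, then TargetUserName, then IpAddress, in that order.
LINE_RE = re.compile(
    r"EventID=(?P<event>\d+) .*?TargetUserName=(?P<user>\S+) .*?IpAddress=(?P<ip>\S+)"
)
LOGON_EVENTS = {"4624", "4625"}  # successful and failed logon (assumed IDs)


def decoy_hits(log_text):
    """Return {source_ip: count} of logon attempts, successful or failed, that
    name a decoy account. A successful one matters even more than a failure."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("event") not in LOGON_EVENTS:
            continue
        if m.group("user").lower() in DECOY_ACCOUNTS:
            hits[m.group("ip")] += 1
    return dict(hits)


def suspicious_hosts(log_text):
    """Source IPs that touched a decoy account, most active first."""
    hits = decoy_hits(log_text)
    return sorted(hits, key=lambda ip: -hits[ip])


if __name__ == "__main__":
    for ip in suspicious_hosts(SAMPLE_LOG):
        print(f"ALERT: {ip} touched decoy accounts {decoy_hits(SAMPLE_LOG)[ip]} time(s)")
```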
andreacadiaAuthor Commented:
How's the GUI on the PIX?
I never use it myself, but it does look pretty slick to me; take a look at it yourself in the manual for CISCO PIX DEVICE MANAGER, which is included with all PIXes since PIX OS Version 6.2.

One thing I always like to do before I buy something new and expensive is get the manual for it and go over it. More than once it has impacted my buying. Sometimes after going over the manual it's like wow, this is exactly what I need, but other times I find something that makes me glad I didn't just buy it, to later learn it's not quite what I had expected.
