Firewall recommendation needed (appliance)

I need a hardware firewall that:

1. Can support 2 WAN connections (1 cable, 30 Mbps, and 1 DSL) without a throughput slowdown
2. VPN connectivity that is easy to install, rock-solid reliable, and doesn't depend on anything else (like integration with Windows VPN or something)
3. Great reporting for intrusion attempts, protection, and traffic flow

I am looking at a SonicWALL PRO 3060, but it'll cost $5000 (firewall + install) + $1500 per year with upgrades.  I was looking to spend about $4000 max with little or no maintenance fees.
npinfotechAsked:
jabiiiCommented:
0
npinfotechAuthor Commented:
Thanks for the suggestion.  How is Juniper's support?
0
jabiiiCommented:
I have a few Juniper products. 99% of the time I don't have to contact support; most of the information I can get on my own playing on the box, or through their online knowledge base. I liked their old KB better, but hey...  
But they are good at responding to you if you do open a ticket with them, and you can check all the notes out online.

Let's put it this way, I play with Cisco and Juniper and Sidewinders all day. I would pick, in order, Sidewinder (if you have a lot of $$), then Juniper, and a distant 3rd would be Cisco, but I know a lot of people here would disagree :)

There are a lot of people here who can help with Cisco, as well as other places. Not too many Juniper n3rds yet.
0
lrmooreCommented:
I like Cisco PIX which is being phased out with the new ASA5500 product line. Sweet appliance. Basic appliance can be had for well under $4000
Cisco's support is world-class 24x7, but not without a maintenance fee.
http://www.cisco.com/en/US/products/ps6120/index.html
0
jabiiiCommented:
There's one of those Cisco guys I warned you about :)
0
lrmooreCommented:
Yep, I'll admit to being a Cisco junkie. <8-}

I like the products, I know the products well, and I make a good living implementing their products.
I'll also admit that I have zero hands-on experience with Juniper, Sonicwall, or Sidewinder.
Like you said, there are plenty of Cisco experts hanging around these days and it's easy to get detailed help here at EE.
We don't see many Juniper or Sonicwall experts around and many of those questions go unanswered till cleanup crew deletes them.
Wonder why that is?
0
carl_legereCommented:
Cisco PIX, Cisco access router 1700 series and on up.
I only recommend Linksys for small underfunded networks and Cisco for serious configs.

Unless your desire to connect two pipes is for one in, one out, no vendor will support connecting your device to several dissimilar Internet connections, since you won't have cooperation between the ISPs to make the return path from the Internet redundant.

Why allocate a budget of $4000 for a router when you are going to be using unreliable broadband connectivity like DSL and cable?  I prefer quality over quantity.

What is the ultimate hot setup you envision?
0
carl_legereCommented:
oh I also advocate ISA2000/2004 as a mid-range option
0
jabiiiCommented:
Actually, I jump in on every Juniper question I find :), but ya, I am one of a very few here.
But then again, dang near every question here is related to Cisco, and like 1 in 1000 might be Juniper. Could be Cisco is too complex, or Juniper's that easy, or it just could be more people using them finding stuff.

Part of choosing your FW is what kind of support you will be utilizing, whether it be the vendor or coming here. Your familiarity with the product, cost, performance, etc. etc. All of it needs to be weighed in on your decision.  That's why when people post here asking for a FW, the first thing most experts respond with is: OK, what is your price range, what architecture are you going to be implementing it with, bandwidth, etc. etc.

Here is a checklist. Granted, it's from Juniper so it might be slanted, but it will help you compare FWs.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Here's some 3rd party studies of FW's.
http://www.cs.nmt.edu/~cs491_02/IA/firewall%20performance_files/0312rev.htm

2006 Products of the year
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1160468_tax299825,00.html?track=NL-20&ad=543466&adg=299807

2005
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1041739,00.html

You can also search here; there are plenty of other threads like this one, choosing FWs and VPNs, comparing Cisco/Juniper/Sidewinder etc.
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21704713.html
0
npinfotechAuthor Commented:
Wow, this is a better response than I anticipated.  Most of my questions do go unanswered these days...

jabiii: Are you a Juniper salesman?  If not, you should be!  Great info you've provided.  I'm waiting for Juniper sales to get back to me as we speak.

lrmoore: what's the typical maintenance fee/fee structure?  I am also waiting on Cisco reps to respond to my request.

carl_legere: From what the vendors are telling me, they can handle 2 Wan links.  My specific setup is that I dedicate 1 line (DSL) to an onsite mail server (the only way I can get a static IP).  The other line (cable) I use for everything else.  These connections have been very reliable so far, and our office is in an area where the weather really screws things up.

ENVISIONED SETUP:
1. I want both Wan connections protected through 1 firewall.
2. I want all incoming mail to go from dsl router ==> firewall ==> mail server.  I then want all outgoing mail to go from mail server ==> firewall ==> DSL Router.  This is critical.
3. I want all other traffic from any other Windows XP PC inside my network to go from the requesting machine ==>firewall ==> Cable router.  I want all incoming traffic (vpn, for example) to go from PC outside my network ==>Firewall ==>Internal Network location.  The cable router will be broadcasting
4. I want the firewall to have VPN capability that is easy to setup and reliable.  I want users to be able to work from their homes securely.
5. I want reporting that is robust and that I can understand.  Granularity is a definite plus, but if I can get general stats about bandwidth usage, intrusion attempts, and specific user requests to the Internet, I'd be happy.
0
npinfotechAuthor Commented:
Here is another question I have about the physical location of my current firewall.  Here is the hypothetical:

I have two routers connecting to my individual WAN links.  I connect both of them into 1 switch.  Then I connect the switch into a firewall.  Then I plug the firewall into a switch which connects to my internal network.  My lame attempt at a diagram is below:

Router 1 (DSL) ==>Switch 1==>Firewall 1 ==>internal network 1
Router 2(Cable) ==>Switch 1 ==>Firewall 1==>internal Network 1

Let's say I have the firewall set up to send all requests through to "router 1" (my firewall has a setting to define only 1 WAN link).  Now, I set up a Windows XP client to use "router 2" as a gateway.  I have port 21 blocked at the firewall, both ways.

Will the firewall block the client's request for port 21 on the Internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?  Does this question make sense?
0
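The two questions above (mail out via the DSL router and everything else via the cable router, and whether a client pointed at "router 2" as its gateway can get around a port 21 block) come down to plain IP routing on the sketched topology. The following is an added worked example, not anything from the thread or from any vendor's configuration. It assumes hypothetical addressing: the internal LAN is 192.168.1.0/24 with the firewall's inside interface 192.168.1.1 as the only gateway on that subnet, the mail server is 192.168.1.25, and both routers plus the firewall's outside interface share 10.0.0.0/24 on "Switch 1". It also assumes the firewall is the only device connecting those two segments and that it applies the same filter to every packet it forwards regardless of which router the packet came from or goes to.

```python
"""Model of the two-router / one-firewall topology sketched in the thread.

Hypothetical example. Addresses below are assumed for illustration and are
not from the thread; the filter and policy-routing functions are a toy model,
not any appliance's configuration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")   # behind the firewall
WAN_SEGMENT = ipaddress.ip_network("10.0.0.0/24")       # "Switch 1" side
FW_INSIDE = "192.168.1.1"      # the only gateway that exists on the internal LAN
FW_OUTSIDE = "10.0.0.254"
ROUTER_DSL = "10.0.0.1"        # static IP, used for mail
ROUTER_CABLE = "10.0.0.2"      # everything else
MAIL_SERVER = "192.168.1.25"
BLOCKED_PORTS = {21}           # FTP blocked both ways at the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def firewall_verdict(pkt: Packet) -> str:
    """Filter applied to every packet crossing the firewall, in either direction."""
    return "drop" if pkt.dport in BLOCKED_PORTS else "permit"


def egress_router(pkt: Packet) -> str:
    """Policy routing on the firewall: the mail server's outbound traffic leaves
    via the DSL router; every other internal host leaves via the cable router.
    (A firewall that only knows one WAN link would return that router here.)"""
    return ROUTER_DSL if pkt.src == MAIL_SERVER else ROUTER_CABLE


def trace_outbound(pkt: Packet, client_gateway: str) -> list[str]:
    """Path of a packet from an internal host whose configured default gateway
    is client_gateway. A gateway is only usable if it is on the host's own subnet."""
    path = [f"host {pkt.src}"]
    if ipaddress.ip_address(client_gateway) not in INTERNAL_NET:
        # The host would ARP for an address that is not on its LAN; nothing answers,
        # so pointing at router 2 does not bypass the firewall: nothing is sent at all.
        path.append(f"gateway {client_gateway} is off-link: packet never leaves the host")
        return path
    # The only gateway on the internal LAN is the firewall's inside interface.
    verdict = firewall_verdict(pkt)
    path.append(f"firewall {FW_INSIDE} -> {verdict}")
    if verdict == "drop":
        return path
    path.append(f"router {egress_router(pkt)}")
    path.append(f"internet {pkt.dst}:{pkt.dport}")
    return path


def trace_inbound(pkt: Packet, arriving_router: str) -> list[str]:
    """Path of an Internet packet that reaches one of the two routers. Both routers
    reach the internal LAN only through the firewall's outside interface, so the
    firewall filters it no matter which WAN link it arrived on."""
    path = [f"internet {pkt.src}", f"router {arriving_router}"]
    if ipaddress.ip_address(pkt.dst) not in INTERNAL_NET:
        path.append("destination is not behind the firewall: router handles it itself")
        return path
    verdict = firewall_verdict(pkt)
    path.append(f"firewall {FW_OUTSIDE} -> {verdict}")
    if verdict == "permit":
        path.append(f"host {pkt.dst}:{pkt.dport}")
    return path


if __name__ == "__main__":
    xp_client = "192.168.1.50"
    for gw in (FW_INSIDE, ROUTER_CABLE):
        print(gw, trace_outbound(Packet(xp_client, "203.0.113.9", 21), gw))
    print(trace_outbound(Packet(MAIL_SERVER, "203.0.113.9", 25), FW_INSIDE))
    print(trace_outbound(Packet(xp_client, "203.0.113.9", 80), FW_INSIDE))
    print(trace_inbound(Packet("203.0.113.9", MAIL_SERVER, 21), ROUTER_CABLE))
    print(trace_inbound(Packet("203.0.113.9", MAIL_SERVER, 25), ROUTER_DSL))
```

The model makes the dependency explicit: the port 21 block holds only because the firewall is the single path between the 10.0.0.0/24 segment and the internal LAN. If a PC were plugged into Switch 1 directly, or the firewall were bridging rather than routing, the off-link check in trace_outbound would no longer apply and the filter could be bypassed.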
jabiiiCommented:
Take into consideration that, like lrmoore is a Cisco guy with not much Juniper experience, I don't have much Cisco firewall exp (other than dealing with dumb remote admins), so... hopefully he will answer from that side :)

1) Juniper
2&3) shouldn't be a problem (but hopefully you have an internal switch). The rules in Juniper are very easy; hopefully you can see how easy. http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1901edb

4) again, with Juniper it's very simple. I have sat people down in front of them and in less than 10 minutes they were able to configure FW and VPN policies.
5) let's put it this way, Product (and price) sidewinder > juniper, but I prefer juniper logs to sidewinder.
0
jabiiiCommented:
NP anyone of the sales guys get back w/ya yet?
Just curious what your leaning towards.
Jim
0
npinfotechAuthor Commented:
Nah man.  not yet.  I'll post when they do, for sure.
0
Keith AlabasterEnterprise ArchitectCommented:
The Sidewinders are good products (G2 upwards) and deal with content filtering too. They have one of the highest security ratings also in respect of certification. However, they have quite a few upgrades over a twelve month period. Their support is very good and they recently bought out Cyberguard so they are on the up still.

We don't get many questions on these though, so I am not sure if it is because they are so good or that there are not as many as I thought out in the field.

0
npinfotechAuthor Commented:
Anyone have any opinions on Fortinet (100-A or 200-A) or Symantec (1620 or 1660) appliances?
0
lrmooreCommented:
Fortinet spent $millions on fighting patent infringement in their AV engine and had to cease sales for a time. I think they've resolved that for now. I've heard that they are a real bugger to maintain, but do a good job. If you're looking for an all-in-one firewall/content filter/AV, I'd go with the Symantec appliance (unless you want to run with the big dogs and use Cisco ASA5500)
0
jabiiiCommented:
Keith, I think it's because of the price tag :) I think you and I are among the very few here that use them :)

netscreen does the content filtering/av too
0
imreble1Commented:
Checkpoint??? lol, I think we're missing a rep for them! It's a tad out of your price range, but the best. They have a solid sofawear.com product. We deal in Juniper also; good solid firewalls. Agree with jabiii.


RDC
<Removed by GranMod>
0
npinfotechAuthor Commented:
I am having one hell of a time getting vendors to respond to my requests.  You'd think they'd be interested in selling something...
0
jabiiiCommented:
Did ya go here for Juniper?
https://www.juniper.net/howtobuy/
They have toll-free #'s for their sales force and links to resellers.
Jim
0
npinfotechAuthor Commented:
The juniper reseller was horrible.  I had to deal with their tag team: salesperson + tech.  The tech didn't even sound like he knew what he was talking about.
0
jabiiiCommented:
Ya, I've had bad experiences with a couple of resellers too, but if you let Juniper know they will slap 'em around for you.

Ya, the level 1 tech guys don't do anything with the licensing or sales. I've got a rep; I'll ask him for some good contacts for ya.
0
npinfotechAuthor Commented:
Sounds good.
0
jabiiiCommented:
NP who was the reseller you used?
0
npinfotechAuthor Commented:
IGX global
0
jabiiiCommented:
Let me see what I can find for you. Sorry I'm slow; it's been a hell of a couple of months.
0
jabiiiCommented:
If this is personal, I'd just Google it; there are a lot of resellers.

If for business (commercial), I'd recommend Onix
http://www.onixnet.com/
Contacts for commercial sales
800-664-9638
tim    x- 15
keith    x-11
0
npinfotechAuthor Commented:
will do.
0
imreble1Commented:
Sorry i haven't looked at this post lately. We are a reseller of Juniper. We have support-sell several different vendors. If you would like I can get you in contact with a guy I know in our sales dept.

 www.fishnetsecurity.com
RDC
0
npinfotechAuthor Commented:
Thanks.
0
jabiiiCommented:
*snicker* I want  my cut imreble1 :) jk
0
npinfotechAuthor Commented:
Fishnet quoted me $16,000.  I said I didn't have $16,000, and was looking to go up to $4000 max.  I haven't heard back from them in 5 days, and don't expect to...
0
jabiiiCommented:
For what, the 200 series? You don't need that much. A 50 or 5 series would do you.
0
npinfotechAuthor Commented:
They actually offered a checkpoint solution loaded onto a Nokia? appliance.
0
jabiiiCommented:
Ask them specifically about the NS's. Save yourself some $$ :)
0
npinfotechAuthor Commented:
I'm about to dump the UTM requirement, as well as the Dual Wan requirement, and just ask for a Firewall with good SSL VPN capabilities.
0
jabiiiCommented:
Id' still say juniper :0
0
Keith AlabasterEnterprise ArchitectCommented:
And I'd go Cisco ASA
0
Pete LongTechnical ConsultantCommented:
>>or symantec (1620 or 1660) appliances

Yep, I've put in a lot of 1600 Series Symantecs. I'm an SCTA - they are simple to set up and cheap - and failover is simple to set up on a 1660.

All the cheaper Symantec products are now no longer made (though there is still stock on shelves, 300 and 400 series). Symantec are recommending Juniper boxes to replace them.

Personally (even though I'm a reseller and engineer) - I wouldn't buy Symantec - they are winding down hardware firewalls - they have stopped hardware development, and regardless of what's on their web site, getting support for SGS products in 18 months will be a nightmare.

 - So Join the Cisco Revolution Brother!

The new baby ASA 5505 - is the donkey's conkers
0
lrmooreCommented:
YES! Cisco is the king of the market!

>the donkeys conkers
Well put, Pete!
0
npinfotechAuthor Commented:
Thank you for all of the answers and suggestions.  I finally settled on a Symantec Gateway Security 1620 for both my DSL and Cable lines.  So far, it's been a lot less than stellar.  My issues so far (with expletives left out):

1. Connections to internal computers are mysteriously lost
2. It takes us forever to send and receive mail
3. Our Internet access keeps crapping out
4. Symantec Support is "hit-or-miss", but my experience is that they are mostly bad.  They seem to know their stuff, but somehow they can't seem to help me.  I've spent at least 15 hours of phone time alone with them, and I still can't get the box to work right.  
5. Their "SGMI" GUI is slow as molasses.  

In all fairness, I do have a more complex setup than the average shop, but this is ridiculous.  What's worse is that unless I want to pay extra for 24x7 support, I have to take down a service during business hours to solve issues (a real problem).

I haven't even had a chance to test its VPN capabilities.  The reporting on the device is decent though.
0
npinfotechAuthor Commented:
Damn, I spelled "expletive" wrong.
0
Keith AlabasterEnterprise ArchitectCommented:
Corrected :)
0
Pete LongTechnical ConsultantCommented:
>>. It takes us forever to send and receive mail

by default the 1620 has spam filtering and all the crap turned on (you get it for 30 days free)

>>Our Internet access keeps crapping out

Use the DNS daemon on the firewall :)

>>Symantec Support is "hit-or-miss", but my experience is that they are mostly bad.

If you get through to SGS Support (in Holland) they are usually very good - I've had engineers working past midnight on clients' firewalls.

>>Their "SGMI" GUI is slow as molasses.

Make sure you're at 3.0.1 and your Java is updated.

>>I haven't even had a chance to test it's VPN capabilities

Easy, m8, and don't forget you can deploy "Clientless VPN" with an SGS.
0
npinfotechAuthor Commented:
Thanks to everyone who participated in the question here.  Your opinions were much appreciated, and very helpful.  I know where to go next time I need a recommendation!

0
Pete LongTechnical ConsultantCommented:
ThanQ
0
Keith AlabasterEnterprise ArchitectCommented:
:)
0