Solved

Firewall recommendation needed (appliance)

Posted on 2006-04-12
50
Medium Priority
813 Views
Last Modified: 2013-11-16
I need a hardware firewall that:

1. Can support 2 WAN connections (1 cable, 30 Mbps, and 1 DSL) without a throughput slowdown
2. VPN connectivity that is easy to install, rock-solid reliable, and doesn't depend on anything else (like integration with Windows VPN or something)
3. Great reporting for intrusion attempts, protection, and traffic flow

I am looking at a SonicWALL Pro 3060, but it'll cost $5000 (firewall + install) + $1500 per year with upgrades.  I was looking to spend about $4000 max with little or no maintenance fees.
Question by:npinfotech
48 Comments
 
LVL 9

Assisted Solution

by:jabiii
jabiii earned 336 total points
ID: 16439970
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16440066
Thanks for the suggestion.  How is Juniper's support?
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16440128
I have a few Juniper products. 99% of the time I don't have to contact support; most of the information I can get on my own playing on the box, or through their online knowledge base. I liked their old KB better, but hey...  
But they are good at responding to you if you do open a ticket with them, and you can check all the notes out online.

Let's put it this way: I play with Cisco and Juniper and Sidewinders all day. I would pick, in order, Sidewinder (if you have a lot of $$), then Juniper, and a distant 3rd would be Cisco, but I know a lot of people here would disagree :)

There are a lot of people here who can help with Cisco, as well as other places. Not too many Juniper n3rds yet.
0
 
LVL 79

Assisted Solution

by:lrmoore
lrmoore earned 332 total points
ID: 16440224
I like Cisco PIX which is being phased out with the new ASA5500 product line. Sweet appliance. Basic appliance can be had for well under $4000
Cisco's support is world-class 24x7, but not without a maintenance fee.
http://www.cisco.com/en/US/products/ps6120/index.html
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16440742
There's one of those Cisco guys I warned you about :)
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16441641
Yep, I'll admit to being a Cisco junkie. <8-}

I like the products, I know the products well, and I make a good living implementing their products.
I'll also admit that I have zero hands-on experience with Juniper, Sonicwall, or Sidewinder.
Like you said, there are plenty of Cisco experts hanging around these days and it's easy to get detailed help here at EE.
We don't see many Juniper or Sonicwall experts around and many of those questions go unanswered till cleanup crew deletes them.
Wonder why that is?
0
 
LVL 18

Assisted Solution

by:carl_legere
carl_legere earned 332 total points
ID: 16442410
Cisco PIX, Cisco access router 1700 series and on up.
I only recommend Linksys for small underfunded networks and Cisco for serious configs.

Unless your desire to connect two pipes is for one in, one out, no vendor will support connecting your device to several dissimilar Internet connections, since you won't have cooperation between the ISPs to make the return path from the Internet redundant.

Why allocate a budget of $4000 for a router when you are going to be using unreliable broadband connectivity like DSL and cable?  I prefer quality over quantity.

What is the ultimate hot setup you envision?
0
 
LVL 18

Expert Comment

by:carl_legere
ID: 16442417
Oh, I also advocate ISA 2000/2004 as a mid-range option.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16445318
Actually, I jump in on every Juniper question I find :), but ya, I am one of a very few here.
But then again, dang near every question here is related to Cisco, and like 1 in 1000 might be Juniper. Could be Cisco is too complex, or Juniper's that easy, or it just could be more people using them finding stuff.

Part of choosing your FW is what kind of support you will be utilizing, whether it be the vendor or coming here. Your familiarity with the product, cost, performance, etc. etc. All of it needs to be weighed in your decision.  That's why when people post here asking for a FW, the first thing most experts respond with is: OK, what is your price range, what architecture are you going to be implementing it with, bandwidth, etc. etc.

Here is a checklist. Granted, it's from Juniper so it might be slanted, but it will help you compare FWs.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Here are some 3rd-party studies of FWs.
http://www.cs.nmt.edu/~cs491_02/IA/firewall%20performance_files/0312rev.htm

2006 Products of the year
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1160468_tax299825,00.html?track=NL-20&ad=543466&adg=299807

2005
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1041739,00.html

You can also search here; there are plenty of other threads like this one, choosing FWs and VPNs, comparing Cisco/Juniper/Sidewinder etc.
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21704713.html
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16448116
Wow, this is a better response than I anticipated.  Most of my questions do go unanswered these days...

jabiii: Are you a Juniper salesman?  If not, you should be!  Great info you've provided.  I'm waiting for Juniper sales to get back to me as we speak.

lrmoore: what's the typical maintenance fee/fee structure?  I am also waiting on Cisco reps to respond to my request.

carl_legere: From what the vendors are telling me, they can handle 2 WAN links.  My specific setup is that I dedicate 1 line (DSL) to an onsite mail server (the only way I can get a static IP).  The other line (cable) I use for everything else.  These connections have been very reliable so far, and our office is in an area where the weather really screws things up.

ENVISIONED SETUP:
1. I want both WAN connections protected through 1 firewall.
2. I want all incoming mail to go from DSL router ==> firewall ==> mail server.  I then want all outgoing mail to go from mail server ==> firewall ==> DSL router.  This is critical.
3. I want all other traffic from any other Windows XP PC inside my network to go from the requesting machine ==> firewall ==> cable router.  I want all incoming traffic (VPN, for example) to go from PC outside my network ==> firewall ==> internal network location.  The cable router will be broadcasting
4. I want the firewall to have VPN capability that is easy to set up and reliable.  I want users to be able to work from their homes securely.
5. I want reporting that is robust and that I can understand.  Granularity is a definite plus, but if I can get general stats about bandwidth usage, intrusion attempts, and specific user requests to the Internet, I'd be happy.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16448125
Here is another question I have about the physical location of my current firewall.  Here is the hypothetical:

I have two routers connecting to my individual WAN links.  I connect both of them into 1 switch.  Then I connect the switch into a firewall.  Then I plug the firewall into a switch which connects to my internal network.  My lame attempt at a diagram is below:

Router 1 (DSL) ==> Switch 1 ==> Firewall 1 ==> internal network 1
Router 2 (Cable) ==> Switch 1 ==> Firewall 1 ==> internal network 1

Let's say I have the firewall set up to send all requests through to "router 1" (my firewall has a setting to define only 1 WAN link).  Now, I set up a Windows XP client to use "router 2" as a gateway.  I have port 21 blocked at the firewall, both ways.

Will the firewall block the client's request for port 21 on the Internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?  Does this question make sense?
0
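The two posts above describe a policy: both WAN links behind one firewall, mail pinned to the DSL link in both directions, everything else out via cable, and port 21 blocked both ways. What follows is an added example, not code from the thread or from any vendor's product: a small zone-based policy model in Python that makes those rules explicit and checks packets against them. The addresses (10.0.0.0/24 for the LAN, 10.0.0.25 for the mail server), the zone names and the rule order are assumptions chosen for illustration. The model only covers traffic that actually traverses the firewall; in that case the firewall's policy route, not the client's gateway setting, picks the egress link, and a deny rule written with "any" zones catches port 21 whichever link the packet would use.

```python
"""Zone-based policy model for a dual-WAN firewall (added example).

Constructed for illustration; addresses, zone names and rules are assumptions,
not taken from the thread or from any product's configuration syntax.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN = ip_network("10.0.0.0/24")            # assumed internal network
MAIL_HOST = ip_network("10.0.0.25/32")     # assumed on-site mail server
MAIL_SERVER = ip_address("10.0.0.25")
ZONES = ("lan", "wan_dsl", "wan_cable")


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str        # "tcp" or "udp"
    dport: int
    ingress: str      # zone the packet arrived on, one of ZONES


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    from_zone: str                    # zone name or "any"
    to_zone: str                      # zone name or "any"
    proto: str = "any"
    dport: Optional[int] = None       # None matches every port
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None

    def matches(self, pkt: Packet, egress: str) -> bool:
        return (
            self.from_zone in ("any", pkt.ingress)
            and self.to_zone in ("any", egress)
            and self.proto in ("any", pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.src is None or pkt.src in self.src)
            and (self.dst is None or pkt.dst in self.dst)
        )


def egress_zone(pkt: Packet) -> Optional[str]:
    """Policy route: the firewall chooses the link by source, not the client.

    Mail server traffic leaves on DSL (the static IP); every other internal
    host leaves on cable. Traffic for a LAN address is delivered to LAN.
    WAN-to-WAN transit is not routed at all (None -> dropped by decide()).
    """
    if pkt.dst in LAN:
        return "lan"
    if pkt.ingress != "lan":
        return None
    return "wan_dsl" if pkt.src == MAIL_SERVER else "wan_cable"


# First match wins; anything that matches nothing is denied.
POLICY: List[Rule] = [
    # Port 21 blocked in both directions on every link (zone-independent).
    Rule("deny", "any", "any", "tcp", 21),
    # Inbound mail: only via DSL, only to the mail server.
    Rule("allow", "wan_dsl", "lan", "tcp", 25, dst=MAIL_HOST),
    # Outbound mail: only from the mail server, only via DSL.
    Rule("allow", "lan", "wan_dsl", "tcp", 25, src=MAIL_HOST),
    # The mail server needs DNS (MX lookups) on the same link it mails from.
    Rule("allow", "lan", "wan_dsl", "udp", 53, src=MAIL_HOST),
    # No other internal host may send SMTP out on any link.
    Rule("deny", "lan", "any", "tcp", 25),
    # Workstations browse out over the cable link.
    Rule("allow", "lan", "wan_cable"),
]


def decide(pkt: Packet, policy: List[Rule] = POLICY) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (action, egress zone, index of the matching rule or None)."""
    egress = egress_zone(pkt)
    if egress is None:
        return ("deny", None, None)
    for i, rule in enumerate(policy):
        if rule.matches(pkt, egress):
            return (rule.action, egress, i)
    return ("deny", egress, None)     # implicit default deny


def mk(src: str, dst: str, proto: str, dport: int, ingress: str) -> Packet:
    """Convenience constructor taking dotted-quad strings."""
    return Packet(ip_address(src), ip_address(dst), proto, dport, ingress)


if __name__ == "__main__":
    samples = [
        ("workstation FTP out", mk("10.0.0.50", "203.0.113.10", "tcp", 21, "lan")),
        ("FTP in via cable", mk("198.51.100.7", "10.0.0.50", "tcp", 21, "wan_cable")),
        ("mail server SMTP out", mk("10.0.0.25", "203.0.113.10", "tcp", 25, "lan")),
        ("SMTP in via cable", mk("198.51.100.7", "10.0.0.25", "tcp", 25, "wan_cable")),
    ]
    for label, p in samples:
        print(f"{label:24s} -> {decide(p)}")
```

Rule order matters: the port-21 deny sits first so that the later "allow lan to wan_cable" rule cannot open it, and the workstation SMTP deny sits before that allow for the same reason. The mail server's DNS rule is the kind of thing that is easy to forget when a host is pinned to a dedicated link: with only the two SMTP rules, its MX lookups would fall through to the default deny.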
 
LVL 9

Expert Comment

by:jabiii
ID: 16448211
Take into consideration that, like lrmoore is a Cisco guy with not much Juniper experience, I don't have much Cisco firewall experience (other than dealing with dumb remote admins), so... hopefully he will answer from that side :)

1) Juniper
2&3) Shouldn't be a problem (but hopefully you have an internal switch). The rules in Juniper are very easy; hopefully you can see how easy. http://kb.juniper.net/CUSTOMERSERVICE/index?page=kbdetail&record_id=0244022611e8310108012c3c1901edb

4) Again, with Juniper it's very simple. I have sat people down in front of them and in less than 10 minutes they were able to configure FW and VPN policies.
5) Let's put it this way: product (and price) Sidewinder > Juniper, but I prefer Juniper logs to Sidewinder.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16455178
NP, have any of the sales guys gotten back with ya yet?
Just curious what you're leaning towards.
Jim
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16455214
Nah man.  not yet.  I'll post when they do, for sure.
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 332 total points
ID: 16460999
The Sidewinders are good products (G2 upwards) and deal with content filtering too. They also have one of the highest security ratings in respect of certification. However, they have quite a few upgrades over a twelve-month period. Their support is very good and they recently bought out CyberGuard, so they are on the up still.

We don't get many questions on these, though, so I am not sure if it is because they are so good or that there are not as many as I thought out in the field.

0
 
LVL 8

Author Comment

by:npinfotech
ID: 16461485
Anyone have any opinions on Fortinet (100-A or 200-A) or Symantec (1620 or 1660) appliances?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 16461514
Fortinet spent $millions on fighting patent infringement in their AV engine and had to cease sales for a time. I think they've resolved that for now. I've heard that they are a real bugger to maintain, but do a good job. If you're looking for an all-in-one firewall/content filter/AV, I'd go with the Symantec appliance (unless you want to run with the big dogs and use Cisco ASA5500)
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16468954
Keith, I think it's because of the price tag :) I think you and I are among the very few here that use them :)

NetScreen does the content filtering/AV too.
0
 
LVL 4

Assisted Solution

by:imreble1
imreble1 earned 332 total points
ID: 16513133
Check Point??? lol, I think we're missing a rep for them! It's a tad out of your price range, but the best. They have a solid sofaware.com product. We deal in Juniper also. Good solid firewalls; agree with jabiii.


RDC
<Removed by GranMod>
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16629891
I am having one hell of a time getting vendors to respond to my requests.  You'd think they'd be interested in selling something...
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16630006
Did ya go here for Juniper?
https://www.juniper.net/howtobuy/
They have toll-free #'s for their sales force and links to resellers.
Jim
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16630319
The juniper reseller was horrible.  I had to deal with their tag team: salesperson + tech.  The tech didn't even sound like he knew what he was talking about.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16630360
Ya, I've had bad experiences with a couple of resellers too, but if you let Juniper know they will slap 'em around for you.

Ya, the level 1 tech guys don't do anything with the licensing or sales. I've got a rep; I'll ask him for some good contacts for ya.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16630374
Sounds good.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16733903
NP who was the reseller you used?
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16736547
IGX global
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16736776
Let me see what I can find for you. Sorry I'm slow. It's been a hell of a couple of months.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16737576
If this is personal, I'd just Google it; there are a lot of resellers.

If for business (commercial), I'd recommend Onix.
http://www.onixnet.com/
Contacts for commercial sales
800-664-9638
tim    x- 15
keith    x-11
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16737888
will do.
0
 
LVL 4

Expert Comment

by:imreble1
ID: 16737941
Sorry I haven't looked at this post lately. We are a reseller of Juniper. We support/sell several different vendors. If you would like, I can get you in contact with a guy I know in our sales dept.

 www.fishnetsecurity.com
RDC
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16738091
Thanks.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16738103
*snicker* I want  my cut imreble1 :) jk
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16888209
FishNet quoted me $16,000.  I said I didn't have $16,000, and was looking to go up to $4000 max.  I haven't heard back from them in 5 days, and don't expect to...
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16888252
For what, the 200 series? You don't need that much. A 50 or 5 series would do you.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16888281
They actually offered a Check Point solution loaded onto a Nokia(?) appliance.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16888291
Ask them specifically about the NS's. Save yourself some $$ :)
0
 
LVL 8

Author Comment

by:npinfotech
ID: 16888319
I'm about to dump the UTM requirement, as well as the Dual Wan requirement, and just ask for a Firewall with good SSL VPN capabilities.
0
 
LVL 9

Expert Comment

by:jabiii
ID: 16888357
I'd still say Juniper :0
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16891835
And I'd go Cisco ASA
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18047436
>>or symantec (1620 or 1660) appliances

Yep, I've put in a lot of 1600 Series Symantecs. I'm an SCTA - they are simple to set up and cheap - and failover is simple to set up on a 1660.

All the cheaper Symantec products are now no longer made (though there is still stock on shelves, 300 and 400 series). Symantec are recommending Juniper boxes to replace them.

Personally (even though I'm a reseller and engineer) - I wouldn't buy Symantec - they are winding down hardware firewalls - they have stopped hardware development, and regardless of what's on their web site, getting support for SGS products in 18 months will be a nightmare.

 - So join the Cisco revolution, brother!

The new baby ASA5505 - is the donkey's conkers
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 18049510
YES! Cisco is the king of the market!

>the donkeys conkers
Well put, Pete!
0
 
LVL 8

Author Comment

by:npinfotech
ID: 18224628
Thank you for all of the answers and suggestions.  I finally settled on a Symantec Gateway Security 1620 for both my DSL and cable lines.  So far, it's been a lot less than stellar.  My issues so far (with expletives left out):

1. Connections to internal computers are mysteriously lost
2. It takes us forever to send and receive mail
3. Our Internet access keeps crapping out
4. Symantec support is "hit-or-miss", but my experience is that they are mostly bad.  They seem to know their stuff, but somehow they can't seem to help me.  I've spent at least 15 hours of phone time alone with them, and I still can't get the box to work right.  
5. Their "SGMI" GUI is slow as molasses.  

In all fairness, I do have a more complex setup than the average shop, but this is ridiculous.  What's worse is that unless I want to pay extra for 24x7 support, I have to take down a service during business hours to solve issues (a real problem).

I haven't even had a chance to test its VPN capabilities.  The reporting on the device is decent, though.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 18224640
Damn, I spelled "expletive" wrong.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18224655
Corrected :)
0
 
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 336 total points
ID: 18227273
>>It takes us forever to send and receive mail

By default the 1620 has spam filtering and all the crap turned on (you get it for 30 days free).

>>Our Internet access keeps crapping out

Use the DNS daemon on the firewall :)

>>Symantec Support is "hit-or-miss", but my experience is that they are mostly bad.

If you get through to SGS Support (in Holland) they are very good usually - I've had engineers working past midnight on clients' firewalls.

>>Their "SGMI" GUI is slow as molasses.

Make sure you're at 3.0.1 and your Java is updated.

>>I haven't even had a chance to test its VPN capabilities

Easy, M8, and don't forget you can deploy "Clientless VPN" with an SGS.
0
 
LVL 8

Author Comment

by:npinfotech
ID: 18386577
Thanks to everyone who participated in the question here.  Your opinions were much appreciated, and very helpful.  I know where to go next time I need a recommendation!

0
 
LVL 57

Expert Comment

by:Pete Long
ID: 18386906
ThanQ
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 18388184
:)
0

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

To setup a SonicWALL for policy based routing to be used with the Websense Content Gateway there are several steps that need to be completed. Below is a rough guide for accomplishing this. One thing of note is this guide is intended to assist in the…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Look below the covers at a subform control , and the form that is inside it. Explore properties and see how easy it is to aggregate, get statistics, and synchronize results for your data. A Microsoft Access subform is used to show relevant calcul…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question