Need a firewall appliance recommendation for a small but growing business

Posted on 2006-05-04
Last Modified: 2013-11-16
Hi all,

I have been searching reviews of firewalls and the amount of info on small to mid-size office firewall appliances is huge.  So huge that it is hard to find the "good info".  Hopefully you all can help...

I am looking to replace an existing Sonicwall TZ170 firewall at my place of business.  Currently we have 26 employees and we are growing.  We expect to double in a year and hopefully double again in another year.  So I'd like to plan for an appliance that can easily support 100 active Internet users.  Our environment today is like this:

- Internet connectivity: 12 channels of a T1 (768kbps)
- VPN usage: Some use the Sonicwall client while others use OpenVPN (I think we'll end up using OpenVPN in the future for business reasons)
- Services hosted behind our firewall: Our public website, email, OpenVPN, and "our product" (which doesn't require much bandwidth)

At any given time we have about 2-4 incoming Sonicwall VPN users and 50 OpenVPN users.  Yes, we do have about 50 active OpenVPN sessions running most of the time.  This OpenVPN number is going to continue to grow (more rapidly than our employee growth for sure).

The Sonicwall has proved to be useful as a firewall, but poor as a VPN server.  It is unstable when it reaches about 10 VPN sessions.  This is partly why we were planning on phasing out its VPN capabilities and going to OpenVPN for everything.

So, this is what I would LIKE in a new firewall:

- WAN load balancing
     - Both for incoming and outgoing traffic (so I imagine this means it must support BGP routing)
     - It would also be nice if I could set up rules such that I can direct certain outgoing traffic to use one pipe primarily.  This would allow me to purchase a cheaper high-speed broadband connection and direct all internal users to browse the web and do FTP over it, leaving the T1 free for supporting the VPN users
- Support for at least 50 IP nodes to start and the ability to upgrade to more
- Failover support - I'd like a product that could be set up in some kind of high-availability mode so I can take one down for maintenance, if needed.
- Support for at least 15Mbps of Internet traffic
- Not overly expensive (I'd really like to keep this under $1,000 and definitely no more than $2,000)

I think that covers the basics of what I need.  I don't care as much about the ability to do Antivirus, Antispam, or anything of that jazz.  I just need a good, solid unit that can replace this TZ 170.

FYI - I have heard good things about the Netscreen-5GT, but I'm not sure if it definitely handles my WAN load balancing issue.

Thanks everyone!
Question by:masterbaker
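The split the question asks for (internal users' web and FTP over a cheaper broadband link, the T1 kept for VPN and the hosted services) done with Linux policy-based routing, as an added example that is not part of this thread or of any product mentioned in it. Interface names, addresses, the routing table number and the LAN subnet are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: Linux policy-based routing that sends
# LAN web/FTP sessions out a cheap broadband link and leaves the T1 (the
# system default route) for VPN and hosted services. Interface names,
# addresses and the LAN subnet below are assumptions; adjust before use.
T1_IF=eth0                 # T1, carries the system default route (assumed)
BB_IF=eth1                 # broadband link (assumed)
BB_GW=198.51.100.1         # broadband gateway (assumed)
BB_ADDR=198.51.100.20      # our own address on the broadband link (assumed)
LAN=192.168.1.0/24         # internal users (assumed)
MARK=0x10                  # fwmark meaning "send via broadband"
TABLE=100                  # alternate routing table number (assumed)

# With DRY_RUN set, print the commands instead of executing them (review first).
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }

pbr_rules() {
  # Alternate table whose only default route is the broadband gateway
  run ip route replace default via "$BB_GW" dev "$BB_IF" table "$TABLE"
  # Marked packets, and anything sourced from our broadband address, use it
  run ip rule add fwmark "$MARK" lookup "$TABLE" priority 1000
  run ip rule add from "$BB_ADDR" lookup "$TABLE" priority 1001
  # Restore a connection's saved mark so every packet of a session stays on one link
  run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
  run iptables -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
  # New LAN web/FTP sessions get the mark; everything else keeps the T1 default
  run iptables -t mangle -A PREROUTING -s "$LAN" -p tcp \
      -m multiport --dports 80,443,21 -j MARK --set-mark "$MARK"
  run iptables -t mangle -A PREROUTING -j CONNMARK --save-mark
  # Source NAT per egress link so each provider sees its own address
  run iptables -t nat -A POSTROUTING -o "$BB_IF" -j MASQUERADE
  run iptables -t nat -A POSTROUTING -o "$T1_IF" -j MASQUERADE
  # Loose reverse-path filtering: keeps anti-spoofing checks but tolerates a
  # reply leaving on a different link than the one the packet arrived on
  run sysctl -w "net.ipv4.conf.$BB_IF.rp_filter=2"
  run sysctl -w "net.ipv4.conf.$T1_IF.rp_filter=2"
}

case "${1:-}" in
  apply)   pbr_rules ;;
  dry-run) DRY_RUN=1; pbr_rules ;;
esac
```

Run `sh pbr.sh dry-run` to review the generated commands before `sh pbr.sh apply`; passive FTP data connections follow the marked control connection only when the kernel's ftp conntrack helper is loaded.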
    LVL 15

    Assisted Solution

    From your requirements list, I wonder whether Hotbrick's appliance would meet your needs.

    The technical specs are:

    WAN Ports       2
    LAN Ports       4
    Maximum User Limits       253
    VPN Tunnels       
    Recommended Users       70
    Auto FDI/FDI-X       
    Load Balance / QoS       
    RAM       16
    FLASH       1 Mb
    Firewall Throughput       44 Mbps
    Concurrent Connections       100.000
    Transparent Mode       
    Network Address Translation       
    Dos, DDoS Protection       
    WEB Filter Blocking       
    Custom WEB blocking       
    Malicious Code Filtering       
    SPI Firewall       
    Firewall Rules       200
    User Groups       5
    Networking Support       
    VPN Client pass through       
    PPPoE Support       
    L2TP Support       
    DHCP Client       
    Static IP       
    Management Method       Web
    Remote Management       Web w/ port choice
    SNMP Management       V.2, MIB 2
    E-mail alert       
    IP-Sec VPN       
    Encryption Methods       DES/3DES/AES
    Prevent Replay Attacks       
    Other Features       
    Price       US$ 219.00
    and you can read the balance of the description on that page.
    LVL 15

    Expert Comment

    They have other models that offer more VPN tunnels, if needed.
    LVL 9

    Accepted Solution

    LVL 13

    Author Comment

    To Davidis99 - Thanks for the link to the Hotbrick product.  I think this could do the job, but the company doesn't seem as "established" as I'd like.  I'd like to get something that is known industry-wide and has a good upgrade path.  The price is sure good though!

    To Jabiii - Thanks for all of the info there.  I think I am leaning toward the Netscreen products.  The 5GT seems like a good, entry-level solution for us.  I have been having a hard time finding out exactly which model to get.  Do you know what you get with the Extended feature set?  I can't seem to find anything on their website that explicitly says what you get with the standard "Plus" version and what you get with the "Extended" version.

    Thanks to both of you!

    LVL 9

    Expert Comment

    Check this out.
    Other differences between the plus and extended are found on the data sheet.
    Let me know if that helps.
    LVL 9

    Expert Comment

    License Options
    The NetScreen-5GT Series is available in licensing options to support different numbers of users.

    Licensing Option            Description
    10 user Product license     Limits capacity to 10 concurrent users
    Plus Product license        Increases capacity to an unlimited number of users
    Extended Product license    Increases session and VPN tunnel capacities to 4000 and 25 respectively; adds a DMZ zone and HA lite (no session synchronization)
    LVL 13

    Author Comment

    Before I close this out, do you guys have any experience with Symantec firewall appliance products?  I was looking at either the SGS 460R or the 1620.


    LVL 9

    Expert Comment

    Nope sorry.
