Solved

Firewall recommendation

Posted on 2006-06-09
1,770 Views
Last Modified: 2013-11-16
I am looking into getting a new firewall.
The two that have been recommended to me are the Watchguard Firebox and the CELESTIX MSA2020 ISA 2004 (Microsoft ISA Server Appliance).
Does anybody have any good reasons why I should choose one over the other?

thanks
Question by: rbunn
18 Comments

LVL 37 Expert Comment by: Bing CISM / CISSP
It is a simple question but hard to answer, because the real answer actually depends on your specific requirements, which were not clearly given in your question. Do not compare products before clarifying your actual requirements; that will make no sense.

Please introduce your particular situation and requirements first. Thanks.

LVL 1 Author Comment by: rbunn
Well,
The main purpose of getting this firewall is to give us some sort of failover device should our primary firewall go down.
The Firebox would be configured basically the same way our current firewall is configured, and would live on the shelf until needed.
The ISA server would be configured to work as a web caching device and be put in place to utilize the features it offers.
Should the main firewall go down, I would have an image to flash onto the ISA appliance that would be basically the same as our current firewall.
I know that the best way to do this would probably be to get another firewall like the one we have and configure them as a cluster or H/L. This method would be 2-3 times more expensive than going with either of the 2 methods that I am looking at, though.

LVL 3 Accepted Solution by: norgan (earned 40 total points)
I would choose Juniper over both; NetScreens are great and used by many ISPs.

LVL 57 Assisted Solution by: giltjr (earned 35 total points)
I would suggest that you relook at the costs. I have worked with a site that did this, against my recommendations; they found that in the end having to have two people that knew two different firewalls that had different capabilities cost more. Especially since they did not realize they were using some of the features in their primary firewall that the "backup" did not have. The primary got fried and they had services out of the water for a week while they waited for a new one to be delivered, because the backup could not perform the same functions.

Assisted Solution by: azmatm (earned 35 total points)
I would recommend Microsoft ISA Server with SecureGUARD; it's the best tested solution for data security. I would also recommend you use customised security settings on your Windows box. You can secure Windows without any firewall (best would be Win2k3).

LVL 2 Expert Comment by: Dazm
Two words...
Firewall NOD32


Expert Comment by: freshprince27
Dazm,
Yeah, that would be great, but just one problem. Eset does not create firewalls; they only create the antivirus program NOD32.

Rbunn,
Both firewalls are good, but it comes down to price and knowledge. From what I've seen, the Watchguard Firebox is more readily available and cheaper than the CELESTIX MSA2020 ISA 2004. However, the Watchguard Firebox error logs are a bit difficult to read unless you can read Unix system logs. Besides that, the Watchguard Firebox is easy to use. The CELESTIX MSA2020 ISA 2004's web management is not so good, and it's fairly easy to use. They both have plenty of Ethernet ports. As a result, I would recommend the Watchguard Firebox over the CELESTIX MSA2020 ISA 2004.

Thanks,
Freshprince27

LVL 2 Expert Comment by: Dazm
I don't know about that...
But I have Symantec Norton Internet Security 2006
and I have NOD32, which works like antivirus and firewall
and even blocks more attacks than Internet Security 2006




LVL 2 Assisted Solution by: Dazm (earned 35 total points)
But yeah... what you said is true, it is kind of more like antivirus than a firewall,
but somehow NOD32 blocks a lot of malicious web scripts on websites you visit regularly.


LVL 2 Expert Comment by: Dazm
You also may want to try Kaspersky Anti-Hacker Firewall.
It blocks more things than any other firewall on the market : )


LVL 5 Expert Comment by: kevinf40
Hi rbunn

I would second the vote for using the same kit for failover that you already have in production - this will ensure you face no issues with different configs, unsupported features etc. should you need to fail over. The need for different skillsets / knowledge of more than one firewall will also be removed.

To save costs you could replicate your existing config onto an identical cold standby rather than configuring them as an HA pair.

If you must go with the above options, from what you have said the ISA solution will offer you better value, as you will be able to make use of its proxying / web caching features in the meantime. Having had some experience with Watchguard appliances previously, that option is likely to be slightly easier to configure than the ISA solution.

cheers

Kevin

LVL 4 Expert Comment by: xcromx
Netveda is the firewall you want..

This is not for your average user.. this is a really nice professional version for free...

LVL 12 Assisted Solution by: NetAdmin2436 (earned 35 total points)
...just my 2 cents (I can't afford any more money than that). I can't speak for the other firewalls mentioned...

You won't get people to agree on a common firewall. giltjr has a good point that two different firewalls WILL have different capabilities. When the time comes that the first goes down... you may spend lots more time tweaking the second to adapt to your needs. You may have the second configured to "work" initially. Basic stuff may still work, but little things like .PDFs coming in through email, or an email size limit, or downloading exes through http may not work initially... hence, more configuration is needed on a backup firewall that you may miss. With that said, your 'primary' firewall should be the more granular (complicated/better... more control basically) firewall. Then if the primary goes down, you can put in the secondary one with still 'good' protection and feel safe for a few days/weeks until you get the primary back up. You may want to keep your 'secondary' firewall running for a few weeks initially to work out all the kinks.

Microsoft ISA... Are all your other client computers running Microsoft? It's my opinion that protecting MICROSOFT with a MICROSOFT firewall is rather short sighted. The same is true for the opposite.... Hence, it is also my opinion that you want a completely different platform safeguarding your network.

I have a Watchguard X500 on my network. For the most part I like it and am glad I have it now. Watchguards are a part of the new UTM (Unified Threat Management) devices that are a rather 'stop all' firewall. With annual subscriptions to some of the following: they can block viruses, spam, and have intrusion prevention that stops all that stuff at the gates! They don't enter your network at all! Nice! This frees up your email server, FTP server, web server, etc... to do its job without worrying about that crap (still have protection on those servers in case). Unless you're an expert at firewalls, there is a learning curve that comes with Watchguard. So you want to make sure you are prepared in case your primary goes down. As mentioned, the Watchguard has extra 'optional' ports that are available with the Fireware OS (yes, an initial one time extra cost). I believe mine has 5 optional configurable ports (DMZ for FTP, SMTP, web server.. etc..). That's nice so you can have 'special' rules for your public servers to try and lock them down.

May I ask what your other firewall is?

Hope this helps

LVL 38 Assisted Solution by: Rich Rumble (earned 35 total points)
You can use two identical Cisco pixen and have stateful failover, no dropped sessions, no apparent disruption... Using more than one brand to me makes no sense; you're forcing yourself to have two different syntaxes and perhaps rules to remember... With Cisco's, the firewall reads the ACL from top to bottom, in the order they are listed; some firewalls simply search the list for a match... Little things like that can come back and bite you if you're not careful: while one firewall was doing its job, when it failed and the other took over, you forgot some minute detail or didn't account for this and that, and now the primary firewall is behaving differently than it should... I've seen it time and time again.

http://www.cisco.com/warp/public/110/failover.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd8040c5b5.html I think any of the 500 series firewalls allow you to do stateful failover... but I'm not positive...
-rich
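The point Rich makes above about top-to-bottom, first-match ACL evaluation is easy to test for rather than discover during a failover. The following is an added example (not code from the thread or from any vendor): a small first-match packet-filter simulator, plus a comparison that runs a constructed set of test flows through a "primary" rule list and a "backup" rule list and reports every flow on which the two verdicts differ. The rules, addresses and flows are all constructed for the example; the backup deliberately has one rule moved above a deny and one rule missing, the two mistakes the thread describes.

```python
"""
Added example: first-match ACL evaluation and a primary-vs-backup
policy comparison. All rules, addresses and flows are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp", or "any"
    src: str              # CIDR, "0.0.0.0/0" for any source
    dst: str              # CIDR
    dport: Optional[int]  # destination port, None means any port


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    dst: str
    dport: int


def matches(rule: Rule, flow: Flow) -> bool:
    """A rule matches when every field is either a wildcard or equal to the flow's value."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.dport is not None and rule.dport != flow.dport:
        return False
    src_ok = ipaddress.ip_address(flow.src) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(flow.dst) in ipaddress.ip_network(rule.dst)
    return src_ok and dst_ok


def first_match(rules: List[Rule], flow: Flow) -> str:
    """Cisco-style evaluation: walk the list top to bottom and let the first
    matching rule decide; a list with no match ends in an implicit deny."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def compare_policies(primary: List[Rule], backup: List[Rule],
                     flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return every flow on which the two rule lists disagree, with both verdicts."""
    diffs = []
    for flow in flows:
        p, b = first_match(primary, flow), first_match(backup, flow)
        if p != b:
            diffs.append((flow, p, b))
    return diffs


# Constructed rules (documentation prefixes only)
DENY_TELNET = Rule("deny", "tcp", "0.0.0.0/0", "192.0.2.0/24", 23)
PERMIT_LAN = Rule("permit", "any", "10.0.0.0/8", "192.0.2.0/24", None)
PERMIT_WEB = Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.10/32", 80)
PERMIT_SMTP = Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25)

PRIMARY = [DENY_TELNET, PERMIT_LAN, PERMIT_WEB, PERMIT_SMTP]
# Backup: the same rules re-entered by hand, but the broad LAN permit now sits
# above the telnet deny, and the SMTP rule was forgotten entirely.
BACKUP = [PERMIT_LAN, DENY_TELNET, PERMIT_WEB]

# Constructed test flows covering each rule and the implicit deny
TEST_FLOWS = [
    Flow("tcp", "10.1.2.3", "192.0.2.5", 23),       # LAN -> telnet: primary denies, backup permits
    Flow("tcp", "10.1.2.3", "192.0.2.5", 22),       # LAN -> ssh: both permit
    Flow("tcp", "198.51.100.7", "192.0.2.10", 80),  # outside -> web: both permit
    Flow("tcp", "198.51.100.7", "192.0.2.25", 25),  # outside -> mail: primary permits, backup denies
]

if __name__ == "__main__":
    for flow, p, b in compare_policies(PRIMARY, BACKUP, TEST_FLOWS):
        print(f"{flow.proto} {flow.src}->{flow.dst}:{flow.dport}  primary={p}  backup={b}")
```

Run against the constructed data it reports two disagreements: the reordered backup lets LAN hosts reach telnet that the primary blocks, and the missing rule makes the backup drop inbound mail. Keeping a flow list like this next to the standby's configuration, and re-running it after every change to the primary, is the cheap version of the "identical kit" advice given elsewhere in the thread.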
 

LVL 13 Assisted Solution by: hstiles (earned 35 total points)
If this device is supposed to act as a stop-gap whilst your main firewall is rebuilt/replaced, then I would recommend the Firebox for the following reasons:

1) Configuration is a breeze.
2) The proxies are very powerful - the HTTP proxy and WebBlocker make for a very secure environment.
3) UTM. The Firebox X Core and Peak devices running Fireware support gateway SMTP and HTTP antivirus, spam blocking, WebBlocker and IDS/IPS. Some of these features cost on an annual subscription basis, but there is a lot of extra security on offer.
4) Relatively inexpensive hardware.

Your business might be able to tolerate highly restricted web access whilst your main firewall was replaced. I would rather err on the side of too much rather than too little security.

With reference to point 4, you might find that you buy a second Firebox and set up an HA pair.

LVL 57 Expert Comment by: giltjr
I still say that if you are using brand B firewall to back up your brand A firewall you are doing nothing but asking for trouble.

How many people here would recommend using Linux as a backup to your Windows Domain Controllers and file servers because it is less expensive to have Linux boxes sitting there doing nothing when compared to setting up Windows clusters? It would be a nightmare to try and get a Linux environment set up and kept in sync with a Windows AD and file server world, and it is a whole new skill set to learn.

It may seem less expensive until the day your production firewall falls over and it takes a day, or a week, or a month, to get it replaced, and you find out that there are 100 changes you need to make to get the backup firewall to take over, and there are functions that your old firewall did that the backup does not do, and now you have lost the ability for work to be done.