Firewall recommendation

Posted on 2006-06-09
Medium Priority
Last Modified: 2013-11-16
I am looking into getting a new Firewall.
The 2 that I have been recommended are the WatchGuard Firebox and the CELESTIX MSA2020 ISA 2004 (Microsoft ISA Server Appliance).
Does anybody have any good reasons why I should choose one over the other?

Question by:rbunn
LVL 37

Expert Comment

ID: 16873144
It is a simple Q but hard to answer, because the real answer actually depends on your specific requirements, which were not clearly given in your Q. Do not compare products before clarifying your actual requirements; that will make no sense.

Please introduce your particular situation and requirements first. Thanks.

Author Comment

ID: 16873218
The main purpose of getting this firewall is to give us some sort of failover device should our primary firewall go down.
The firebox would be configured basically the same way our current firewall is configured, and would live on the shelf until needed.
The ISA server would be configured to work as a web caching device and be put in place to utilize the features it offers.
Should the main firewall go down I would have an image to flash onto the ISA appliance that would be basically the same as our current firewall.
I know that the best way to do this would probably be to get another firewall like the one we have and configure them as a cluster or H/L. This method would be 2-3 times more expensive than going with either of the 2 methods that I am looking at, though.

Accepted Solution

norgan earned 160 total points
ID: 16874977
I would choose Juniper over both; NetScreens are great and used by many ISPs.

LVL 57

Assisted Solution

giltjr earned 140 total points
ID: 16875362
I would suggest that you take another look at the costs. I have worked with a site that did this, against my recommendations; they found that in the end having to have two people who knew two different firewalls that had different capabilities cost more. Especially since they did not realize they were using some of the features in their primary firewall that the "backup" did not have. The primary got fried and they had services out of the water for a week while they waited for a new one to be delivered, because the backup could not perform the same functions.

Assisted Solution

azmatm earned 140 total points
ID: 16875807
I would recommend Microsoft ISA Server with SecureGUARD; it's the best tested solution for data security. I would also recommend you use customised security settings on your Windows box. You can secure Windows without any firewall (best would be Win2k3).

Expert Comment

ID: 16875973

Two words...
Firewall NOD32


Expert Comment

ID: 16881208
Yeah, that would be great, but there is just one problem. ESET does not create firewalls; they only create the antivirus program NOD32.

Both firewalls are good, but it comes down to price and knowledge. From what I've seen, the WatchGuard Firebox is more readily available and cheaper than the CELESTIX MSA2020 ISA 2004. However, the WatchGuard Firebox error logs are a bit difficult to read unless you can read Unix system logs. Besides that, the WatchGuard Firebox is easy to use. The CELESTIX MSA2020 ISA 2004's web management is not so good, and it's fairly easy to use. They both have plenty of Ethernet ports. As a result, I would recommend the WatchGuard Firebox over the CELESTIX MSA2020 ISA 2004.


Expert Comment

ID: 16881516

I don't know about that...
But I have Symantec Norton Internet Security 2006,
and I have NOD32, which works like an antivirus and firewall
and even blocks more attacks than Internet Security 2006.


Assisted Solution

Dazm earned 140 total points
ID: 16881535

But yeah... what you said is true, it is kind of more like an antivirus than a firewall,
but somehow NOD32 blocks a lot of malicious web scripts on the web sites you visit regularly.


Expert Comment

ID: 16881543

You also may want to try Kaspersky Anti-Hacker Firewall.
It blocks more things than any other firewall on the market : )


Expert Comment

ID: 16884380
Hi rbunn

I would second the vote for using the same kit for failover that you already have in production. This will ensure you face no issues with different configs, unsupported features etc. should you need to fail over. The need for different skillsets / knowledge of more than one firewall will also be removed.

To save costs you could replicate your existing config onto an identical cold standby rather than configuring them as an HA pair.

If you must go with the above options, from what you have said the ISA solution will offer you better value, as you will be able to make use of its proxying / web caching features in the meantime. Having had some experience with WatchGuard appliances previously, that option is likely to be slightly easier to configure than the ISA solution.



Expert Comment

ID: 16885593
Netveda is the firewall you want..

This is not for your average user.. this is a really nice professional version for free...
LVL 12

Assisted Solution

NetAdmin2436 earned 140 total points
ID: 16891390
...just my 2 cents (I can't afford any more money than that). I can't speak for the other firewalls mentioned...

You won't get people to agree on a common firewall. giltjr has a good point that two different firewalls WILL have different capabilities. When the time comes that the first goes down... you may spend lots more time tweaking the second to adapt to your needs. You may have the second configured to "work" initially. Basic stuff may still work, but little things like .PDFs coming in through email, or an email size limit, or downloading EXEs through HTTP may not work initially.... hence, more configuration is needed on a backup firewall that you may miss. With that said, your 'primary' firewall should be the more granular (complicated/better... more control basically) firewall. Then if the primary goes down, you can put in the secondary one with still 'good' protection and feel safe for a few days/weeks until you get the primary back up. You may want to keep your 'secondary' firewall running for a few weeks initially to work out all the kinks.

Microsoft ISA... Are all your other client computers running Microsoft? It's my opinion that protecting MICROSOFT with a MICROSOFT firewall is rather short sighted. The same is true for the opposite.... Hence, it is also my opinion that you want a completely different platform safeguarding your network.

I have a WatchGuard X500 on my network. For the most part I like it and am glad I have it now. WatchGuards are a part of the new UTM (Unified Threat Management) devices that are a rather 'stop all' firewall. With annual subscriptions to some of the following: they can block viruses and spam, and have intrusion prevention that stops all that stuff at the gates! They don't enter your network at all! Nice! This frees up your email server, FTP server, web server, etc... to do its job without worrying about that crap (still have protection on those servers in case). Unless you're an expert at firewalls, there is a learning curve that comes with WatchGuard. So you want to make sure you are prepared in case your primary goes down. As mentioned, the WatchGuard has extra 'optional' ports that are available with the Fireware OS (yes, an initial one-time extra cost). I believe mine has 5 optional configurable ports (DMZ for FTP, SMTP, web server.. etc..). That's nice so you can have 'special' rules for your public servers to try and lock them down.

May I ask what your other firewall is?

Hope this helps
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 140 total points
ID: 16891463
You can use two identical Cisco PIXen and have stateful failover, no dropped sessions, no apparent disruption... Using more than one brand to me makes no sense; you're forcing yourself to have two different syntaxes and perhaps rules to remember... With Cisco's, the firewall reads the ACL from top to bottom, in the order they are listed; some firewalls simply search the list for a match... Little things like that can come back and bite you if you're not careful: while one firewall was doing its job, when it failed and the other took over, you forgot some minute detail or didn't account for this and that, and now the primary firewall is behaving differently than it should... I've seen it time and time again.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd8040c5b5.html I think any of the 500 series firewalls allow you to do stateful failover... but I'm not positive...
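The ordering point above is worth seeing concretely. This added example (not from the thread or any vendor) evaluates one constructed rule list two ways: Cisco-style first-match, top to bottom as described, and an assumed "most specific match" semantic standing in for a product that searches the whole list. The rules, addresses and packets are constructed for illustration.

```python
"""Added example: the same ACL ported between two firewalls with different
matching semantics can yield different decisions.  Everything here is
constructed for illustration; it models no specific product's behaviour."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source prefix in CIDR notation
    dport: Optional[int]  # destination TCP port, None means any port


def matches(rule: Rule, src_ip: str, dport: int) -> bool:
    in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
    return in_net and (rule.dport is None or rule.dport == dport)


def first_match(acl: List[Rule], src_ip: str, dport: int) -> str:
    """Cisco-style: first matching line wins; implicit deny at the end."""
    for rule in acl:
        if matches(rule, src_ip, dport):
            return rule.action
    return "deny"


def most_specific_match(acl: List[Rule], src_ip: str, dport: int) -> str:
    """Assumed alternative: longest prefix wins, then a port-specific rule
    beats an any-port rule; position in the list is irrelevant."""
    hits = [r for r in acl if matches(r, src_ip, dport)]
    if not hits:
        return "deny"
    best = max(hits, key=lambda r: (ipaddress.ip_network(r.src).prefixlen,
                                    r.dport is not None))
    return best.action


# Constructed ACL: the admin allowed LAN web traffic, denied everything else
# from the LAN, and later appended a host-specific deny at the bottom.
ACL = [
    Rule("permit", "10.0.0.0/24", 80),
    Rule("deny", "10.0.0.0/24", None),
    Rule("deny", "10.0.0.17/32", 80),
]


def compare(acl: List[Rule], src_ip: str, dport: int) -> Tuple[str, str]:
    return first_match(acl, src_ip, dport), most_specific_match(acl, src_ip, dport)


def divergent_decisions(acl: List[Rule], packets: List[Tuple[str, int]]):
    """Packets on which the two semantics disagree: these are the rules that
    'worked' on the primary but will surprise you on the backup."""
    return [p for p in packets if len(set(compare(acl, *p))) > 1]
```

Running `divergent_decisions(ACL, [("10.0.0.17", 80), ("10.0.0.5", 80)])` flags the 10.0.0.17 packet: first-match permits it because the permit line is read first, while the specific-match firewall denies it.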
LVL 13

Assisted Solution

hstiles earned 140 total points
ID: 16893827
If this device is supposed to act as a stop-gap whilst your main firewall is rebuilt/replaced, then I would recommend the Firebox for the following reasons:

1) Configuration is a breeze.
2) The proxies are very powerful; the HTTP proxy and WebBlocker make for a very secure environment.
3) UTM. The Firebox X Core and Peak devices running Fireware support gateway SMTP and HTTP antivirus, spam blocking, WebBlocker and IDS/IPS. Some of these features cost on an annual subscription basis, but there is a lot of extra security on offer.
4) Relatively inexpensive hardware.

Your business might be able to tolerate highly restricted web access whilst your main firewall was replaced.  I would rather err on the side of too much rather than too little security.

With reference to point 4, you might find that you buy a second Firebox and set up an HA pair.
LVL 57

Expert Comment

ID: 16894597
I still say that if you are using a brand B firewall to back up your brand A firewall you are doing nothing but asking for trouble.

How many people here would recommend using Linux as a backup to your Windows Domain Controllers and file servers because it is less expensive to have Linux boxes sitting there doing nothing when compared to setting up Windows clusters? It would be a nightmare to try and get a Linux environment set up and kept in sync with a Windows AD and file server world, and it is a whole new skill set to learn.

It may seem less expensive until the day your production firewall falls over and it takes a day, or a week, or a month, to get it replaced, and you find out that there are 100 changes you need to make to get the backup firewall to take over, and there are functions that your old firewall did that the backup does not do, and now you have lost the ability for work to be done.
