Solved

Firewall recommendation

Posted on 2006-06-09
18
Medium Priority
1,783 Views
Last Modified: 2013-11-16
I am looking into getting a new firewall.
The two that I have been recommended are the WatchGuard Firebox and the CELESTIX MSA2020 ISA 2004 (Microsoft ISA Server Appliance).
Does anybody have any good reasons why I should choose one over the other?

Thanks
0
Question by:rbunn
18 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 16873144
It is a simple Q but hard to answer, because the real answer actually depends on your specific requirements, which were not clearly given in your Q. Do not compare products before clarifying your actual requirements; that will make no sense.

Please introduce your particular situation and requirements first. Thanks.
0
 
LVL 1

Author Comment

by:rbunn
ID: 16873218
Well,
The main purpose of getting this firewall is to give us some sort of failover device should our primary firewall go down.
The Firebox would be configured basically the same way our current firewall is configured, and would live on the shelf until needed.
The ISA server would be configured to work as a web caching device and be put in place to utilize the features it offers.
Should the main firewall go down, I would have an image to flash onto the ISA appliance that would be basically the same as our current firewall.
I know that the best way to do this would probably be to get another firewall like the one we have and configure them as a cluster or H/L. This method would be 2-3 times more expensive than going with either of the 2 methods that I am looking at, though.
0
 
LVL 3

Accepted Solution

by:
norgan earned 160 total points
ID: 16874977
I would choose Juniper over both; NetScreens are great and used by many ISPs.
0

 
LVL 57

Assisted Solution

by:giltjr
giltjr earned 140 total points
ID: 16875362
I would suggest that you relook at the costs. I have worked with a site that did this, against my recommendations; they found that in the end having to have two people that knew two different firewalls that had different capabilities cost more. Especially since they did not realize they were using some of the features in their primary firewall that the "backup" did not have. The primary got fried and they had services out of the water for a week while they waited for a new one to be delivered, because the backup could not perform the same functions.
0
 

Assisted Solution

by:azmatm
azmatm earned 140 total points
ID: 16875807
I would recommend Microsoft ISA Server with SecureGUARD; it's a best-tested solution for data security. I would also recommend that you use customised security settings on your Windows box. You can secure Windows without any firewall (best would be Win2k3).
0
 
LVL 2

Expert Comment

by:Dazm
ID: 16875973

Two words...
Firewall NOD32

0
 

Expert Comment

by:freshprince27
ID: 16881208
Dazm,
Yeah, that would be great, but just one problem: ESET does not create firewalls, they only create the antivirus program NOD32.

Rbunn,
Both firewalls are good, but it comes down to price and knowledge. From what I've seen, the WatchGuard Firebox is more readily available and cheaper than the CELESTIX MSA2020 ISA 2004. However, the WatchGuard Firebox error logs are a bit difficult to read unless you can read Unix system logs. Besides that, the WatchGuard Firebox is easy to use. The CELESTIX MSA2020 ISA 2004's web management is not so good, and it's fairly easy to use. They both have plenty of Ethernet ports. As a result, I would recommend the WatchGuard Firebox over the CELESTIX MSA2020 ISA 2004.

Thanks,
Freshprince27
0
 
LVL 2

Expert Comment

by:Dazm
ID: 16881516

I don't know about that...
But I have Symantec Norton Internet Security 2006
and I have NOD32, which works like antivirus and firewall
and even blocks more attacks than Internet Security 2006.

0
 
LVL 2

Assisted Solution

by:Dazm
Dazm earned 140 total points
ID: 16881535

But yeah... what you said is true, it is kind of more like antivirus than a firewall,
but somehow NOD32 blocks a lot of malicious web scripts on websites you visit regularly.

0
 
LVL 2

Expert Comment

by:Dazm
ID: 16881543

You also may want to try Kaspersky Anti-Hacker Firewall.
It blocks more things than any other firewall on the market : )

0
 
LVL 5

Expert Comment

by:kevinf40
ID: 16884380
Hi rbunn

I would second the vote for using the same kit for failover that you already have in production. This will ensure you face no issues with different configs, unsupported features etc. should you need to fail over. The need for different skillsets / knowledge of more than one firewall will also be removed.

To save costs you could replicate your existing config onto an identical cold standby rather than configuring them as an HA pair.

If you must go with the above options, from what you have said the ISA solution will offer you better value, as you will be able to make use of its proxying / web caching features in the meantime. Having had some experience with WatchGuard appliances previously, that option is likely to be slightly easier to configure than the ISA solution.

cheers

Kevin
0
 
LVL 4

Expert Comment

by:xcromx
ID: 16885593
Netveda is the firewall you want.

This is not for your average user; this is a really nice professional version for free.
0
 
LVL 12

Assisted Solution

by:NetAdmin2436
NetAdmin2436 earned 140 total points
ID: 16891390
...just my 2 cents (I can't afford any more money than that). I can't speak for the other firewalls mentioned...

You won't get people to agree on a common firewall. giltjr has a good point that two different firewalls WILL have different capabilities. When the time comes that the first goes down, you may spend lots more time tweaking the second to adapt to your needs. You may have the second configured to "work" initially. Basic stuff may still work, but little things like .PDFs coming in through email, or an email size limit, or downloading exes through HTTP may not work initially... hence, more configuration is needed on a backup firewall that you may miss. With that said, your 'primary' firewall should be the more granular (complicated/better... more control basically) firewall. Then if the primary goes down, you can put in the secondary one with still 'good' protection and feel safe for a few days/weeks until you get the primary back up. You may want to keep your 'secondary' firewall running for a few weeks initially to work out all the kinks.

Microsoft ISA... Are all your other client computers running Microsoft? It's my opinion that protecting MICROSOFT with a MICROSOFT firewall is rather short-sighted. The same is true for the opposite... Hence, it is also my opinion that you want a completely different platform safeguarding your network.

I have a WatchGuard X500 on my network. For the most part I like it and am glad I have it now. WatchGuards are a part of the new UTM (Unified Threat Management) devices that are a rather 'stop all' firewall. With annual subscriptions to some of the following: they can block viruses, spam, and have intrusion prevention that stops all that stuff at the gates! They don't enter your network at all! Nice! This frees up your email server, FTP server, web server, etc. to do their job without worrying about that crap (still have protection on those servers in case). Unless you're an expert at firewalls, there is a learning curve that comes with WatchGuard. So you want to make sure you are prepared in case your primary goes down. As mentioned, the WatchGuard has extra 'optional' ports that are available with the Fireware OS (yes, an initial one-time extra cost). I believe mine has 5 optional configurable ports (DMZ for FTP, SMTP, web server, etc.). That's nice, so you can have 'special' rules for your public servers to try and lock them down.

May I ask what your other firewall is?

Hope this helps
0
 
LVL 38

Assisted Solution

by:Rich Rumble
Rich Rumble earned 140 total points
ID: 16891463
You can use two identical Cisco PIXen and have stateful failover: no dropped sessions, no apparent disruption... Using more than one brand to me makes no sense; you're forcing yourself to have two different syntaxes and perhaps rules to remember... With Cisco's, the firewall reads the ACL from top to bottom, in the order they are listed; some firewalls simply search the list for a match... Little things like that can come back and bite you if you're not careful: while one firewall was doing its job, when it failed and the other took over, you forgot some minute detail or didn't account for this and that, and now the primary firewall is behaving differently than it should... I've seen it time and time again.

http://www.cisco.com/warp/public/110/failover.html
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet0900aecd8040c5b5.html I think any of the 500 series firewalls allow you to do stateful failover... but I'm not positive...
-rich
0
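The ordering point above (first matching rule wins on a Cisco ACL, while another vendor may pick the matching rule by some other criterion) is the kind of semantic difference that makes a mixed-brand backup risky. The following is an added example, not code from this thread or from any vendor: it evaluates one constructed rule list under two different match semantics and reports the packets whose verdict changes. The first-match evaluator models the top-to-bottom behaviour described above; the "most specific destination prefix wins" evaluator is a hypothetical alternative chosen only to make the divergence visible. Rule set, packets and the field names (`proto`, `src`, `dst`, `dport`) are all constructed for the example.

```python
"""Evaluate one ordered rule list under two match semantics and find packets
whose verdict differs. Constructed example; rules and packets are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Packet = Dict[str, object]


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR prefix
    dst: str               # destination CIDR prefix
    dport: Optional[int]   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        return self.dport is None or self.dport == pkt["dport"]


def verdict_first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Top-to-bottom evaluation: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def verdict_most_specific(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """Hypothetical alternative semantics (assumption for illustration): every
    rule is examined and the matching rule with the longest destination prefix
    wins, regardless of where it sits in the list."""
    best: Optional[Tuple[int, str]] = None
    for rule in rules:
        if rule.matches(pkt):
            plen = ip_network(rule.dst).prefixlen
            if best is None or plen > best[0]:
                best = (plen, rule.action)
    return best[1] if best else default


def divergent_packets(rules: List[Rule], packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Return (packet, first-match verdict, most-specific verdict) for every
    packet on which the two semantics disagree. Run this over the traffic you
    care about before trusting a backup device with different semantics."""
    out = []
    for pkt in packets:
        a = verdict_first_match(rules, pkt)
        b = verdict_most_specific(rules, pkt)
        if a != b:
            out.append((pkt, a, b))
    return out


# Constructed rule list: block telnet into the internal range, then allow an
# admin subnet to reach one host on any port, then allow HTTPS to the range.
RULES = [
    Rule("deny", "tcp", "0.0.0.0/0", "10.0.0.0/8", 23),
    Rule("permit", "tcp", "192.168.1.0/24", "10.0.5.10/32", None),
    Rule("permit", "tcp", "192.168.1.0/24", "10.0.0.0/8", 443),
]

# Constructed sample traffic.
PACKETS = [
    {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.5.10", "dport": 23},
    {"proto": "tcp", "src": "192.168.1.5", "dst": "10.0.5.10", "dport": 443},
    {"proto": "tcp", "src": "172.16.0.9", "dst": "10.0.5.10", "dport": 22},
]

if __name__ == "__main__":
    for pkt, first, specific in divergent_packets(RULES, PACKETS):
        print(f"{pkt}: first-match={first} most-specific={specific}")
```

The telnet packet from the admin subnet is denied by rule 1 under first-match evaluation but permitted under the longest-prefix variant, because the /32 host rule outranks the /8 deny; the other two packets get the same verdict either way. That one disagreement is exactly the "minute detail" that surfaces only after a failover to a device with different semantics.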
 
LVL 13

Assisted Solution

by:hstiles
hstiles earned 140 total points
ID: 16893827
If this device is supposed to act as a stop-gap whilst your main firewall is rebuilt/replaced, then I would recommend the Firebox for the following reasons:

1) Configuration is a breeze.
2) The proxies are very powerful; the HTTP proxy and WebBlocker make for a very secure environment.
3) UTM. The Firebox X Core and Peak devices running Fireware support gateway SMTP and HTTP antivirus, spam blocking, WebBlocker and IDS/IPS. Some of these features cost on an annual subscription basis, but there is a lot of extra security on offer.
4) Relatively inexpensive hardware.

Your business might be able to tolerate highly restricted web access whilst your main firewall was replaced. I would rather err on the side of too much rather than too little security.

With reference to point 4, you might find that you buy a second Firebox and set up an HA pair.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 16894597
I still say that if you are using brand B firewall to back up your brand A firewall you are doing nothing but asking for trouble.

How many people here would recommend using Linux as a backup to your Windows Domain Controllers and file servers because it is less expensive to have Linux boxes sitting there doing nothing when compared to setting up Windows clusters? It would be a nightmare to try and get a Linux environment set up and kept in sync with a Windows AD and file server world, and it is a whole new skill set to learn.

It may seem less expensive until the day your production firewall falls over and it takes a day, or a week, or a month, to get it replaced, and you find out that there are 100 changes you need to make to get the backup firewall to take over, and there are functions that your old firewall did that the backup does not do, and now you have lost the ability for work to be done.
0
