  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 935

Firewall Recommendations

Hi all,

I am seeking a reliable firewall solution for a small office of about 80 users. The office has fibre for Internet service (5 Mbps) and currently has no public servers. I do have plans to implement Exchange and possibly SharePoint later this year. I want VPN abilities (site-to-site and VPN client) for IPsec and SSL. Stateful failover would be fantastic but is not a requirement. I would like IDS, URL filtering and full logging abilities as well. I have looked at Cisco ASA, SonicWall, ISA Server, Fortinet and Juniper NetScreens but would like some feedback from Experts Exchange to assist in the decision-making process.

I have used Cisco PIXs and Cisco ASAs previously but was not completely satisfied with them and, as a result, am looking at other offerings. I'd appreciate your feedback, thanks.
Asked by: Schnizzle
1 Solution

deomega22 commented:
I would say Cisco ASA, but since you don't want that I would go with a SonicWall. If money is no object the Pro 4100 will do everything (about $6000). But the TZ series goes between $150 and $300. They come with built-in VPN, content filtering, access lists etc.

I work in IT and see a lot of these; never seen anyone complain about them.
deomega22 commented:
Quick note... don't go with ISA unless you want headaches
Schnizzle (Author) commented:
I'm looking at the $1.5K - $3.5K price range. I haven't ruled out ASA but the grass is always greener.....
Cyclops3590 commented:
Personally I'd go with the ASA. But I have most of my experience with ASA as well. Juniper is very solid as well and is currently the only other brand I'd go with. This is also due to the amount of extra support that is out there for those two (e.g. documentation, forums like EE, etc.) to help you out when coming across troubleshooting issues.

Just out of curiosity though, what makes you hesitant towards the ASA?
Schnizzle (Author) commented:
Hi Cyclops3590

I do like the ASA's and I have used them quite a bit but it does take some time to learn all the ins and outs of the IOS. I realize there's no single magic bullet out there, but I just want to do my due diligence here and not just keep going with what I am already used to for the sake of my own convenience/comfort.

thanks,
Cyclops3590 commented:
Perfectly understood. The only reason I'd say give Juniper a look then is that it seems to be topping a lot of lists for "bang for buck" measurements.

However, as you alluded to, it's easy to get trapped into using the same brand because of the learning curve. That's why I figure unless there's a real reason to look at switching, IMHO it's not worth the risk of accidentally choosing a brand you end up not liking.
Keith Alabaster (Enterprise Architect) commented:
Nice to see someone who is taking the time to bother asking these days....

I find ISA Server probably the best firewall/application gateway on the market, but again it requires detailed knowledge (either inherent because you have done it yourself or through lab testing curves yourself). Almost every product mentioned so far could do what you want without breathing heavily, although ISA does not do SSL VPNs in the current version - it uses the IAG server for that.

I also like a two-layer stack - a Cisco ASA Access Server on the outside and an ISA firewall on the inside is likely the most powerful combination I have come across and ticks all the boxes from NAC and IPsec/SSL VPNs through to quarantine areas, wireless zones, forward and reverse proxies and DMZ environments for FE servers. ISA also provides all of the wizards for publishing services such as Exchange, SharePoint etc. out of the box. The mixture of brand/model also gives the protection of 'break one, now face another' satisfaction. Downside is administrative overhead, but once trained, you cannot really do more.

Having an ASIC-based system doing the grunt work up front and the software-driven internal system also splits the loading nicely. Overkill for 80 users? I doubt it - just a secure environment that protects the outside and incomers, plus a system that protects internally from the laptop users who bring their boxes in from the outside and plug straight back into the internal network, bringing their crap from the outside. In many ways, the 'perimeter' security approach is dying out. The number of issues being raised from an internal issue is significantly increasing, so protection from the inside is equally important in my view.

Keith



Schnizzle (Author) commented:
Great Feedback Keith, thanks.

Within our organization, I AM the IT Dept., so I need to implement solutions that provide the service I am looking for but won't have a steep learning curve, as I just don't have the time. I have heard others suggest using the ASA out front and having the ISA sitting behind it before, which I am considering. I suppose I could implement ASA out front and add the ISA later; however, I have never used ISA before and would have to fully acquaint myself with it prior to implementation. Yes, it's 80 users now, but time marches on and 80 will turn to 500 pretty quickly, so I need to plan appropriately. I am also looking at this site being the main site and establishing a secondary site for failover, something else I need to consider.

thanks,

Schnizzle (Author) commented:
What would be the benefit of using a Cisco ASA or NetScreen rather than a Cisco 2600 ISR router and configuring the IOS firewall?

thanks,
Keith Alabaster (Enterprise Architect) commented:
ISA is available from the MS web as a fully functioning .vhd download for a 6-month trial, or you can download a copy of the install CD - you can put that in a lab area to test if you wanted. PIX or ASA alone is fine but it doesn't give you all the proxy services - which is getting more and more important as you can control traffic right up to the application layer. ISA on a good box will cater for ten times the number you are estimating getting to without breathing heavily. A decently spec'd ASA/PIX can do the same.

Using ACLs on a router is one way to go but personally I would not give it credence - A firewall is a security device - built from the ground up to do its job. A router routes traffic and has functions to allow/restrict traffic based on its rules - same thing a firewall does? Yes, in part. However, a firewall can also deal with dynamic port openings, stateful packet inspections blah blah blah.

Keith
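As an added illustration of Keith's point about stateful inspection versus router ACLs (this is example code written for this page, not anything posted in the thread): a stateless "established"-style ACL has to admit every inbound TCP packet that carries the ACK bit, because the router keeps no memory of which connections the inside actually opened, so a probe that merely sets ACK gets through. A connection-tracking firewall admits an inbound packet only when it is the reply to a flow recorded from the inside. The LAN prefix, addresses and packet list below are constructed sample data, not taken from the question.

```python
"""Stateless ACL vs stateful inspection over a constructed packet stream.

Added example for this page; not code from the thread. Models a
router-style ACL (inbound allowed only if ACK set, i.e. "established")
beside a firewall that tracks flows opened from the inside and lets in
inbound traffic only as replies to those flows.
"""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumption: office LAN is 10.0.0.0/24


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # subset of "SA": S = SYN, A = ACK


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_NET)


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL: permit anything outbound; permit inbound only when the
    ACK bit is set. It cannot tell a real reply from a forged ACK."""
    if is_inside(pkt.src):
        return True
    return "A" in pkt.flags


class StatefulFirewall:
    """Records flows opened from the inside and admits inbound packets
    only when they belong to one of those flows."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            # A bare SYN from inside opens a new tracked flow.
            if "S" in pkt.flags and "A" not in pkt.flags:
                self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # Inbound: only if it reverses a flow we already know about.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return key in self.flows


# Constructed sample traffic (addresses from documentation ranges).
PACKETS = [
    Packet("10.0.0.5", 51000, "203.0.113.10", 443, "S"),   # inside opens HTTPS
    Packet("203.0.113.10", 443, "10.0.0.5", 51000, "SA"),  # legitimate reply
    Packet("198.51.100.7", 40000, "10.0.0.5", 3389, "A"),  # forged-ACK probe at RDP
    Packet("198.51.100.7", 40000, "10.0.0.5", 3389, "S"),  # plain inbound SYN
]


def run(packets, policy):
    """Apply a policy callable to each packet in order; return verdicts."""
    return [policy(p) for p in packets]


def compare():
    """Return verdicts for the same stream under both policies."""
    fw = StatefulFirewall()
    return {
        "stateless": run(PACKETS, stateless_acl),
        "stateful": run(PACKETS, fw.allow),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, verdicts)
```

The third packet is the one that separates the two designs: the stateless ACL passes it because ACK is set, while the tracker drops it because no inside host ever opened a flow to 198.51.100.7:40000. This is the behaviour Keith refers to when he says a firewall handles stateful packet inspection rather than just rule matching.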
Keith Alabaster (Enterprise Architect) commented:
Thank you :)