Help recommend a firewall with bandwidth priority for users

I need to upgrade a SonicWall TZ-180 firewall to an appliance that will limit internet bandwidth to most users, but prioritize bandwidth for a select group of users.  Can you recommend a firewall that would do this?  About 40 client machines are on the entire network.  If I need to supply some more information to help you recommend something, I would be happy to add it.
257RobertsAsked:

benchapmanCommented:
Do you want to limit bandwidth for a selection of machines or users? User management is usually a bit harder on a firewall appliance, it is better done with a proxy. Personally I would keep your firewall and set up a Linux box on a spare PC running Squid and force all users through it. It does great bandwidth limiting on a rolling schedule so users can feel like the web is running at full speed when doing general browsing but once they exceed a set quantity of data in a certain period of time, e.g. downloading music or video, they then get bandwidth limited. It does take a bit more work to make it user aware but it can be done and is free. Any commercial proxy will do user level throttling and quotas as well. Set up firewall rules to block any direct internet access for the users and only allow internet access from the proxy machine and you are done. You will probably find that the costs of setting up a proxy are less than replacing a hardware firewall and it gives you far more options for content filtering and reporting.

Regards
Ben
0
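The burst-then-throttle behaviour described in the comment above is a token bucket, the model Squid's delay pools use. The simulation below is an added illustration, not code from the thread or from Squid; the parameter names and the sample rates are assumptions chosen for the example.

```python
def simulate(demand, restore, bucket_max, link):
    """Return the bytes delivered to one client in each one-second tick.

    demand     -- bytes the client asks for in each tick
    restore    -- bytes added to the bucket per second (the sustained rate)
    bucket_max -- bucket capacity in bytes (the burst allowance)
    link       -- bytes per second the uplink can deliver unthrottled
    """
    level = bucket_max          # the bucket starts full
    backlog = 0                 # bytes requested but not yet delivered
    delivered = []
    for want in demand:
        backlog += want
        sent = min(backlog, link, level)   # cannot send more than the bucket holds
        level -= sent
        backlog -= sent
        level = min(bucket_max, level + restore)   # refill, capped at capacity
        delivered.append(sent)
    return delivered


# Assumed sample values: 10 Mbit/s uplink, 5 MB burst, 64 kB/s sustained.
LINK = 1_250_000
BUCKET_MAX = 5_000_000
RESTORE = 64_000

# Constructed traffic patterns (not measurements).
BROWSING = [200_000, 0, 0, 150_000, 0, 300_000]   # short page loads with pauses
DOWNLOAD = [LINK] * 10                            # ten seconds of saturating demand

if __name__ == "__main__":
    print("browsing:", simulate(BROWSING, RESTORE, BUCKET_MAX, LINK))
    print("download:", simulate(DOWNLOAD, RESTORE, BUCKET_MAX, LINK))
```

The browsing pattern is delivered in full at link speed, while the sustained download drains the bucket after four seconds and then falls to the restore rate.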
mere-mortalCommented:
Have a look at the Cyberoam, great piece of kit.  Sorry don't agree that commercial proxies will offer this.  You need to identify the user to be able to provide bandwidth policies.

Regards

Jason
0
257RobertsAuthor Commented:
mortal, I can get the MAC addresses of all of the users and identify the ones I want unlimited bandwidth access for.  I will need a commercial hardware firewall with good content filtering.  I am happy with the SonicWall filtering subscription.  
0

257RobertsAuthor Commented:
Ben, I need unlimited bandwidth for a group of machines.  I am not sure what you mean by a "Proxy".
0
mere-mortalCommented:
257Roberts, what if the user logs into a different machine?
0
257RobertsAuthor Commented:
I'm not worried about that, the users do not switch machines around.  I only need unlimited bandwidth access to 7 or 8 machines.
0
mere-mortalCommented:
I suggest you have a look at the Cyberoam anyway.
0
257RobertsAuthor Commented:
Which model?
0
benchapmanCommented:
If you know the users will not be moving between machines and your internal subnet is 192.168.0.0/24, split your users into groups above and below 192.168.0.128 so you can set up rules on the firewall for 192.168.0.0/25 and 192.168.0.128/25 and treat them differently. Set static on one of the groups, set your DHCP to automatically assign IPs in the restricted group or use reservations on MAC address to split them. As long as you don't restrict them too far, they probably won't even notice.

Juniper SSG firewalls can do bandwidth limiting on ACL's, the SSG range of Juniper gear is great, definitely my preferred security devices from a management perspective.

Commercial proxies I have used in Windows networks have been user aware such as Web Marshal, Netbox Blue (appliance) and ISA.

Regards
Ben
0
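A sketch of the address plan from the comment above, added here and not part of the thread: it reserves fixed addresses for the priority machines in 192.168.0.0/25, leaves dynamic leases to 192.168.0.128/25, and audits observed hosts, since a firewall rule keyed on address only holds while nothing unexpected sits in the priority half. The MAC addresses, the gateway 192.168.0.1 and the choice of ISC dhcpd as output format are assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")           # subnet named in the post
PRIORITY, RESTRICTED = LAN.subnets(prefixlen_diff=1)   # 192.168.0.0/25, 192.168.0.128/25

def plan_reservations(priority_macs, first_host=10):
    """Map each priority MAC to a fixed address in the lower /25."""
    hosts = list(PRIORITY.hosts())[first_host - 1:]
    if len(priority_macs) > len(hosts):
        raise ValueError(f"too many priority machines for {PRIORITY}")
    return {mac.lower(): ip for mac, ip in zip(priority_macs, hosts)}

def render_dhcpd(reservations, gateway="192.168.0.1"):
    """Render an ISC dhcpd fragment: dynamic pool in the upper /25, fixed hosts below."""
    pool = list(RESTRICTED.hosts())
    lines = [
        f"subnet {LAN.network_address} netmask {LAN.netmask} {{",
        f"  option routers {gateway};",
        f"  range {pool[0]} {pool[-1]};  # dynamic leases land in the restricted half",
        "}",
    ]
    ordered = sorted(reservations.items(), key=lambda kv: kv[1])
    for n, (mac, ip) in enumerate(ordered, 1):
        lines.append(f"host priority{n} {{ hardware ethernet {mac}; fixed-address {ip}; }}")
    return "\n".join(lines)

def audit(seen, reservations):
    """Return observed (ip, mac) pairs inside the priority half with no matching reservation."""
    findings = []
    for ip_text, mac in seen:
        ip = ipaddress.ip_address(ip_text)
        if ip in PRIORITY and reservations.get(mac.lower()) != ip:
            findings.append((ip_text, mac))
    return findings

# Constructed sample data (not from the thread).
PRIORITY_MACS = ["00:11:22:33:44:01", "00:11:22:33:44:02"]
SEEN = [
    ("192.168.0.10", "00:11:22:33:44:01"),    # reserved priority machine
    ("192.168.0.11", "AA:BB:CC:00:00:09"),    # unknown MAC on a priority address
    ("192.168.0.150", "aa:bb:cc:00:00:10"),   # ordinary client in the restricted half
]

if __name__ == "__main__":
    res = plan_reservations(PRIORITY_MACS)
    print(render_dhcpd(res))
    print("unexpected hosts in priority range:", audit(SEEN, res))
```

Feed `audit` with pairs taken from the firewall's ARP or lease table; statically addressed infrastructure in the lower half, such as the gateway, needs its own entry in the reservation map or it will be reported.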

257RobertsAuthor Commented:
What is the support from Juniper like?  The support on our current SonicWall is terrible, with overseas personnel who cannot speak English well.
0
mere-mortalCommented:
257Roberts

For forty users I would look at the 25ia or 35ia.  Have a look at the specs.  You should also be able to get the second year's subscription for free as a trade-up from the SonicWall.  This is not the only Firewall product we sell and support but it is worth a good look at.

Jason
0
benchapmanCommented:
I have had no issues with Juniper support when I have needed them but I have also had a very good local reseller (Juniper Partners for the region) providing support both remotely and onsite which has been a great help. Once set up they are very intuitive to manage, I prefer the web based admin of the Juniper over the Cisco ASDM. I have also used Watchguard and Checkpoint devices and the Juniper cleans up from an ease of use perspective.

I am a fan but they don't suit everyone. Definitely give them a look.

Regards
Ben

0
benchapmanCommented:
PS, I have run over 80 people through a Juniper SSG 20 with a 10mbps fibre connection and secondary ADSL 2+ connection connected with an internal ADSL2+ module in the firewall itself. RAM sat under 50% and CPU under 10% with 4 VPN tunnels and about 50 ACL's across 4 security zones.

An SSG5 would easily handle 40 users without issue but is not quite as flexible as the SSG20 as the SSG20 has two modular multi purpose sockets. SSG5 and SSG20 will do 160mbps firewall and 40mbps IPSec VPN which is usually more than a 40 person office requires. There is a significant price jump to the SSG140 which is the next step up and I have never needed one (all my work has been primarily for companies of around 100 people in 4-7 locations and SSG5's and 20's have always been more than enough. I have never had more than 30mbps of internet bandwidth, you might)

Regards
Ben
0
257RobertsAuthor Commented:
What is the content filtering like on the Juniper?  The content filtering subscription for SonicWall is really good, just the support is terrible.  
0
benchapmanCommented:
Content filtering on the Juniper is limited as it is primarily a security and networking device, thus my previous mention of a proxy for content filtering. The Juniper can do Anti Virus and Anti Spam and a certain amount of web filtering as in anti-malware and anti-phishing but it cannot read web site content and block porn for example.

Regards
Ben
0
257RobertsAuthor Commented:
I would need a firewall that has good website content filtering.
0
mere-mortalCommented:
Have a look at the Cyberoam.  It is a great piece of kit.

Regards

Jason
0
benchapmanCommented:
Juniper have the SRX Series that do what you need but I have never used them. I have only used the SSG's so cannot vouch for them. As a Juniper user of SSG's and SSL VPN though, I doubt they got it wrong. I am interested in the Cyberoam as well myself after looking at them, I had never heard of them but they seem to cover a lot. The only complete security appliance I have experience with (I manage a couple of them) is Netbox Blue. They are an Australian but have partners in other countries. They could be worth a look.

Regards
Ben
0

Question has a verified solution.
