purchasing firewall

Posted on 2013-01-10
Last Modified: 2013-01-27
Hi, I want to ask:

What should I consider before purchasing a new firewall for a medium-sized business?

Thank you.
Question by: tankergoblin
LVL 94

Expert Comment

by:John Hurst
ID: 38765580
How big is the "medium" business?

You want a firewall that has enough speed capacity (throughput) and number of user capacity to handle the size of business you have.

Small (SS5G) Juniper Netscreen Firewalls can handle 30 or more users. Scale up for yet more users.

... Thinkpads_User
LVL 12

Assisted Solution

TomRScott earned 250 total points
ID: 38765652

1. Budget

Maybe the most critical question. Management (yours or your client's) may have a huge feature set and extensive security requirements (perceived or real). However, if they are unable or unwilling to commit commensurate resources, then you will need to be realistic. As your evaluation progresses, you will have to be frank as to what you can afford or what management must be willing to spend to get the features and support they actually require.

You will have to come back to this question at various points in your evaluation and selection process.

2. Number of Networks to Support

A critical but simple question of how many ports the firewall will need to have inside and outside. A slightly less simple question when considering additional networks that may be inside but on another subnet from the firewall. The latter implication regards bandwidth capability of the firewall.

3. Level of Support Needed

This has to do with both warranty support and technical support for configuration. This also has to do with the response times you will require. The better firewalls have decent support packages. Some levels may only be available during business hours, others 24x7. Included in this is whether the support is from folks that are not only technically competent but are competent in the language of your firewall administrators. It matters not one bit if the manufacturer support folks are the best experts on the planet if they cannot communicate proficiently in the language of your administrators.

4. Level of Security Needed

This could be considered a two-way question. How locked down will the protected network(s) need to be? How much access will need to be provided through the firewall in EACH DIRECTION?

Often, management will dictate absolute security at the same time that they dictate easy access for themselves and others. These conflicts will dictate moments of candor on your part.

I'm not going into too much detail here because this is an area that you should explore and expand upon a little more yourself. Then more detail can be discussed based on some of the most basic questions that you ask of management.

Some questions for management include "What are their expectations of security?", "Will employees, contractors and/or vendors need access to internal networks from outside?", and "Are there any specific requirement specifications or standards that they already have documented/determined?" The last question includes any standards or specifications required by their clients or customers.

Once you have had a general discussion with management (not just the CIO either, but the CEO/Owner as well), schedule a follow-up meeting distant enough to have a chance to do your homework and get back to them with your research results and additional questions (including whether the budget or specifications need to be adjusted).

5. Baseline Feature Set Required by Management

This is really a bullet list of critical features you determine are the results of your discussion(s) with IT and management.

6. Firewall Administrators and Support Staffing

Either consulting and/or staff will be responsible for the configuration and ongoing support of the firewall. The abilities and costs for either need to be detailed and accounted for in calculating the capital and operational costs and budgets.

7. Review the Corporate Politics and Religion of Management

Politics and religion in everyday life are topics of concern and strife that anybody navigating said life must be cognizant of and be prepared accordingly.

Business and technology are no different. Corporate culture is very important in your decisions and recommendations as well as how you communicate the same.

I lift the terms from the old OSI model, an abstract representation of how networking works. The OSI model in textbooks had seven (7) layers starting with the Physical layer and ending at the Application layer. However, experienced network engineers added the layers Politics and Religion as the most important when relating to corporate culture.

Basically, management will take most of what you say and recommend that is technical in nature but yet require other non-technical considerations. For example, brand name and access "requirements" are areas that may be in conflict with technical considerations. If you deem that a given management stance is based on "politics", you may have some room to argue your position. If their position is "religious" in nature, arguing the point is, well, pointless. In the latter case, the only other consideration is how far up the management food chain the problem originates. If it is the CEO/Owner, you probably need to move on.

Good Luck,

Author Comment

ID: 38765714
Actually I have two networks, network A and network B.

Network A has approximately 70 users and network B has 100 users.

Actually for network B I'm not sure how many users, because most users connect by WiFi.

I have 5 APs and each AP can accommodate 20 users, so I guess 5 APs should accommodate 100 users.

I intend to connect these two networks to one firewall but don't know whether that is a good idea or not.

Should I get two firewalls, or is one enough?
LVL 94

Expert Comment

by:John Hurst
ID: 38765722
Does each network have its own ISP connection? Even for 100 users, you would need a very high bandwidth connection.

Do you want the networks connected? That is, all the people able to access everywhere? 170 users will (just) fit into one normal subnet, but you can make subnets bigger.

A mid-range Juniper or Cisco firewall (one or two depending on the answers above) can handle the load.

For example, you could have one ISP (high bandwidth), one medium size firewall with enough throughput, and then connect users to that. You can connect the Access Points to such a network.

.... Thinkpads_User
LVL 20

Expert Comment

ID: 38765864
In the Cisco world, you will likely fall into the ASA5512X or ASA5525X range. However, as stated above, you would need to produce requirements and specs beyond simple user count.
LVL 12

Assisted Solution

TomRScott earned 250 total points
ID: 38766309
The subnet and user counts are a good start.

I concur that you are looking for a commercial grade mid-level firewall. I have not had any bandwidth issues with SonicWALL firewalls (originally a NAS 3060, now a NAS 4500) with a two-subnet network that is similar in bandwidth needs to what you describe. Both subnets are 1G MANs and connect to each other through the firewall and share a 100M Internet connection. To that, we recently added a second set of subnets consisting of small 1G LANs on a SonicWALL NAS 2400 firewall at a remote location with a VPN tunnel between the two firewalls, and both are performing nicely. However, the VPN traffic is limited to IT remote management and monitoring tasks.

To Cisco and Juniper, I would add SonicWALL as a contender in your research. They have stood up well and the support has been excellent throughout the years.

All that said, you still need to sit down with IT and then management to determine the baseline specifications that will be desired/required and the budget to support them.

 - Tom
LVL 12

Assisted Solution

DarinTCH earned 167 total points
ID: 38766976
Are you comfortable with managing a firewall?
How much are you willing to pay?
All good firewalls should support disparate networks
and allow you to connect multiple networks to them.

The top hardware firewalls from a purely FW aspect:
Palo Alto

I ordered them from my idea of LARGE enterprise-size company down, roughly.
That being said, they all can support a mid-size business.

Most top FWs are managed by command line,
so if you are not savvy in the command line you want one that can also be managed by a GUI interface.
Most of those listed have this also (whether it is fast/slow or easy is another issue).
Juniper and Cisco have many in the huge...large...mid-size...medium ranges,
depending on what you need to support
besides just overall total connections.

Author Comment

ID: 38773239
Thank you for all the comments above.

I was looking at the FortiGate 100D.

Do you think it is a good firewall? About my ISP: I have 2 separate DSL connections, each with a 1Mbps line.

Do you think I should purchase the UTM that is bundled with my firewall? The reason I ask is because every year I need to pay a sum of money for that service.

My purpose in setting up a firewall is to prevent all kinds of threats from the internet and prevent viruses/worms from spreading.

I know this may sound stupid, but I have to ask:

What can I do with a firewall, in detail? What is the major advantage of having a firewall?

Thank you.
LVL 94

Assisted Solution

by:John Hurst
John Hurst earned 83 total points
ID: 38773996
"What can I do with a firewall, in detail? What is the major advantage of having a firewall?"

I have not used a FortiGate, so I cannot comment on that.

The main advantage of a firewall is to screen out unwanted attacks (like Denial of Service), close off ports not needed, route traffic that needs to be routed, and general network stuff like that. VPN firewalls additionally provide hardware VPN services for secure access in.

Some firewalls have built-in virus checkers you can purchase additionally as well. I depend as much or more on overall antivirus suites for that.

.... Thinkpads_User
LVL 12

Assisted Solution

TomRScott earned 250 total points
ID: 38776619
Regarding depending on a UTM firewall:

I much prefer defense in depth. As Thinkpads_User notes, the firewall's primary function is, as the name implies, firewalling the inside network from most direct threats from outside the private network or networks. Mainly that relates to unwanted direct connections to stations and other resources on the inside as well as defending against DOS/DDOS attacks.

Beyond that, again as Thinkpads notes, firewalls provide VPN services allowing connectivity to other private networks that you trust to a given degree.

Yes, a firewall can perform anti-malware functions. However, you really should start with a "defense in depth" approach wherein internal computers are individually protected with a security suite. You must keep in mind that the gateway or firewall is not the only entry point to your networks. Even a firewall with UTM services that are 100% successful will not keep your networks safe from thumb drives, CDs, DVDs, etc. The latter includes commercial products "in the shrink wrap". A number of malware have been distributed in commercial products including CDs and DVDs.

In the last few years, it has become common for folks to connect and sync their handheld devices with their desktops.

Without a defense in depth approach, you may assume you will encounter a malware intrusion.

The one additional service I have liked leveraging on some firewalls is web/ftp etc. filtering services. With these, the company may subscribe to and leverage a list or lists that can be checked each time an internal user attempts to connect to a new web site and said site may be blocked if it is either on your internal list of blocked sites or if it is on the subscribed list of sites that are known for hosting malware or phishing activity. The latter includes sites that may have been recently hacked and reported to your listing services.

The better listing services have few false positives.

 - Tom
LVL 12

Accepted Solution

DarinTCH earned 167 total points
ID: 38783871
So that FW is probably $1800-2200.
I'd go with Juniper SRX 210 or SRX240 first,
even a Cisco ASA,
or Palo Alto if you really want an app-level FW.

The FortiGate is in the small business arena, maybe small mid-size.

I choose an enterprise product over the smaller player.
I like the depth of technical support and expertise,
and I've used the Juniper & Cisco for branch offices in large networks.

But the final point is you need to get a good grasp on why you need Security (in-depth),
and not a narrow focus but a broad view of Security. Tom and Thinkpads have made good points.
If you want to learn this topic deeper, even a SECURITY+ class would help.
