• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 440

purchasing firewall

Hi, I want to ask:

What should I consider before purchasing a new firewall for a medium business?

Thank you.
6 Solutions
John, Business Consultant (Owner), commented:
How big is the "medium" business?

You want a firewall that has enough speed capacity (throughput) and number of user capacity to handle the size of business you have.

Small (SS5G) Juniper Netscreen Firewalls can handle 30 or more users. Scale up for yet more users.

... Thinkpads_User

1. Budget

Maybe the most critical question. Management (yours or your client's) may have a huge feature set and extensive security requirements (perceived or real). However, if they are unable or unwilling to commit commensurate resources, then you will need to be realistic. As your evaluation progresses, you will have to be frank as to what you can afford or what management must be willing to spend to get the features and support they actually require.

You will have to come back to this question at various points in your evaluation and selection process.

2. Number of Networks to Support

A critical but simple question of how many ports the firewall will need to have inside and outside. A slightly less simple question when considering additional networks that may be inside but on another subnet from the firewall. The latter implication regards bandwidth capability of the firewall.

3. Level of Support Needed

This has to do with both warranty support and technical support for configuration. This also has to do with the response times you will require. The better firewalls have decent support packages. Some levels may only be available during business hours, others 24x7. Included in this is whether the support is from folks that are not only technically competent but are competent in the language of your firewall administrators. It matters not one bit if the manufacturer support folks are the best experts on the planet if they cannot communicate proficiently in the language of your administrators.

4. Level of Security Needed

This could be considered a two-way question. How locked down will the protected network(s) need to be? How much access will need to be provided through the firewall in EACH DIRECTION?

Often, management will dictate absolute security at the same time that they dictate easy access for themselves and others. These conflicts will dictate moments of candor on your part.

I'm not going into too much detail here because this is an area that you should explore and expand upon a little more yourself. Then more detail can be discussed based on some of the most basic questions that you ask of management.

Some questions for management include "What are their expectations of security?", "Will employees, contractors and/or vendors need access to internal networks from outside?", and "Are there any specific requirement specifications or standards that they already have documented/determined?" The last question includes any standards or specifications required by their clients or customers.

Once you have had a general discussion with management (not just the CIO either, but the CEO/Owner as well), schedule a follow-up meeting distant enough to have a chance to do your homework and get back to them with your research results and additional questions (including whether the budget or specifications need to be adjusted).

5. Baseline Feature Set Required by Management

This is really a bullet list of critical features you determine are the results of your discussion(s) with IT and management.

6. Firewall Administrators and Support Staffing

Either consulting and/or staff will be responsible for the configuration and ongoing support of the firewall. The abilities and costs for either need to be detailed and accounted for in calculating the capital and operational costs and budgets.

7. Review the Corporate Politics and Religion of Management

Politics and religion in everyday life are topics of concern and strife that anybody navigating said life must be cognizant of and be prepared accordingly.

Business and technology are no different. Corporate culture is very important in your decisions and recommendations as well as how you communicate the same.

I lift the terms from the old OSI model, an abstract representation of how networking works. The OSI model in text books had seven (7) layers starting with the Physical layer and ending at the Application layer. However, experienced network engineers added the layers Politics and Religion as the most important when relating to corporate culture.

Basically, management will take most of what you say and recommend that is technical in nature but yet require other non-technical considerations. For example, brand name and access "requirements" are areas that may be in conflict with technical considerations. If you deem that a given management stance is based on "politics", you may have some room to argue your position. If their position is "religious" in nature, arguing the point is, well, pointless. In the latter case, the only other consideration is how far up the management food chain the problem originates. If it is the CEO/Owner, you probably need to move on.
Good Luck,

tankergoblin (Author) commented:
Actually I have two networks, network A and B.

On network A I have approximately 70 users and on network B I have 100 users.

Actually for network B I'm not sure how many users, because most users are online by WiFi.

I have 5 APs and each AP can accommodate 20 users, so I guess 5 APs should accommodate 100 users.

I intend to connect these two networks to one firewall but don't know whether that is a good idea or not.

Should I get two firewalls, or is one enough?
John, Business Consultant (Owner), commented:
Does each network have its own ISP connection? Even for 100 users, you would need a very high bandwidth connection.

Do you want the networks connected? That is, all the people able to access everywhere? 170 users will (just) fit into one normal subnet but you can make subnets bigger.

A mid-range Juniper or Cisco firewall (one or two depending on the answers above) can handle the load.

For example, you could have one ISP (high bandwidth), one medium size firewall with enough throughput, and then connect users to that. You can connect the Access Points to such a network.

.... Thinkpads_User
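As an added illustration of the subnet-sizing point above (this is not code from any post in the thread): it takes the user counts from the question, assumes one address per user plus a handful of addresses for the firewall and AP management interfaces, treats a "normal subnet" as a /24, and carves one right-sized subnet per network out of an assumed private range.

```python
import math
import ipaddress

def prefix_for_hosts(hosts: int) -> int:
    """Smallest IPv4 prefix whose usable host count (2^(32-p) - 2) is >= hosts."""
    if hosts < 1:
        raise ValueError("hosts must be at least 1")
    host_bits = max(2, math.ceil(math.log2(hosts + 2)))  # +2: network and broadcast
    return 32 - host_bits

def usable_hosts(prefix: int) -> int:
    """Usable host addresses in an IPv4 subnet of the given prefix length."""
    return 2 ** (32 - prefix) - 2

def fits_in_one_subnet(hosts: int, prefix: int = 24) -> bool:
    """True if all hosts fit in a single subnet; default is a 'normal' /24."""
    return usable_hosts(prefix) >= hosts

def plan_subnets(base: str, networks: dict) -> dict:
    """Allocate one right-sized subnet per network from `base` (best fit,
    largest networks first). Returns {name: CIDR}; raises if base is too small."""
    free = [ipaddress.ip_network(base)]
    result = {}
    for name, hosts in sorted(networks.items(), key=lambda kv: -kv[1]):
        want = prefix_for_hosts(hosts)
        candidates = [b for b in free if b.prefixlen <= want]
        if not candidates:
            raise ValueError(f"no room for {name} ({hosts} hosts) in {base}")
        # best fit: the smallest free block that is still big enough, lowest address first
        block = min(candidates, key=lambda b: (-b.prefixlen, b.network_address))
        chosen = next(block.subnets(new_prefix=want))
        free.remove(block)
        free.extend(block.address_exclude(chosen))  # keep the leftover pieces
        result[name] = str(chosen)
    return result

# Constructed inputs (assumption): ~70 users on A plus the firewall interface;
# 5 APs x 20 users on B plus 5 AP management addresses and the firewall interface.
NETWORKS = {"A_wired": 70 + 1, "B_wifi": 5 * 20 + 5 + 1}

if __name__ == "__main__":
    for name, hosts in NETWORKS.items():
        p = prefix_for_hosts(hosts)
        print(f"{name}: {hosts} hosts -> /{p} ({usable_hosts(p)} usable)")
    print("all 170 users in one /24:", fits_in_one_subnet(170))
    print(plan_subnets("10.0.0.0/16", NETWORKS))
```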
In the Cisco world, you will likely fall into the ASA5512X or ASA5525X range. However, as stated above, you would need to produce requirements and specs beyond simple user count.
The subnet and user counts are a good start.

I concur that you are looking for a commercial grade mid level firewall. I have not had any bandwidth issues with SonicWALL firewalls (originally a NAS 3060, now a NAS 4500) with a two subnet network that is similar in bandwidth needs to what you describe. Both subnets are 1G MANs and connect to each other through the firewall and share a 100M Internet connection. To that, we recently added a second set of subnets consisting of small 1G LANs on a SonicWALL NAS 2400 firewall at a remote location with a VPN tunnel between the two firewalls and both are performing nicely. However, the VPN traffic is limited to IT remote management and monitoring tasks.

To Cisco and Juniper, I would add SonicWALL as a contender in your research. They have stood up well and the support has been excellent throughout the years.

All that said, you still need to sit down with IT and then management to determine the baseline specifications that will be desired/required and the budget to support them.

 - Tom
DarinTCH, Senior CyberSecurity Engineer, commented:
Are you comfortable with managing a firewall?
How much are you willing to pay?
All good firewalls should support disparate networks
and allow you to connect multiple networks into them.

the top Hardware firewalls from a purely FW aspect
Palo Alto

I ordered them from my idea of LARGE Enterprise size company down - roughly
that being said they all can support mid size business

Most top FWs are managed by command line,
so if you are not savvy in command line you want one that can also be managed by a GUI interface.
Most of those listed have this also (whether it is fast/slow or easy is another issue).
Juniper and Cisco have many in the Huge...large...mid size ...medium ranges
depending on what you need to support
besides just overall Total connections
tankergoblin (Author) commented:
Thank you for all the comments above.

I was looking at the FortiGate 100D.

Do you think it is a good firewall? About my ISP: I have 2 separate DSL connections, each a 1Mbps line.

Do you think I should purchase the UTM that is bundled with my firewall? The reason I ask is because every year I need to pay a sum of money for that service.

My purpose in setting up a firewall is to prevent all kinds of threats from the Internet and prevent viruses/worms from spreading.

I know this may sound stupid but I have to ask:

What can I do with a firewall, in detail? What is the major advantage of having a firewall?

Thank you.
John, Business Consultant (Owner), commented:
"what can i do with firewall in detail.. what is the major advantage to have firewall"

I have not used a Fortigate, so I cannot comment on that.

The main advantage of a firewall is to screen out unwanted attacks (like Denial of Service), close off ports not needed, route traffic that needs to be routed and general network stuff like that. VPN Firewalls additionally provide hardware VPN services for secure access in.

Some firewalls have built-in virus checkers you can purchase additionally as well. I depend as much or more on overall antivirus suites for that.

.... Thinkpads_User
Regarding depending on a UTM firewall:

I much prefer defense in depth. As Thinkpads_User notes, the firewall's primary function is, as the name implies, firewalling the inside network from most direct threats from outside the private network or networks. Mainly that relates to unwanted direct connections to stations and other resources on the inside as well as defending against DOS/DDOS attacks.

Beyond that, again as Thinkpads notes, firewalls provide VPN services allowing connectivity to other private networks that you trust to a given degree.

Yes, a firewall can perform anti-malware functions. However, you really should start with a "defense in depth" approach wherein internal computers are individually protected with a security suite. You must keep in mind that the gateway or firewall is not the only entry point to your networks. Even a firewall with UTM services that are 100% successful will not keep your networks safe from thumb drives, CDs, DVDs, etc. The latter includes commercial products "in the shrink wrap". A number of malware programs have been distributed in commercial products including CDs and DVDs.

In the last few years, it has become common for folks to connect and sync their handheld devices with their desktops.

Without a defense in depth approach, you may assume you will encounter a malware intrusion.

The one additional service I have liked leveraging on some firewalls is web/ftp etc. filtering services. With these, the company may subscribe to and leverage a list or lists that can be checked each time an internal user attempts to connect to a new web site and said site may be blocked if it is either on your internal list of blocked sites or if it is on the subscribed list of sites that are known for hosting malware or phishing activity. The latter includes sites that may have been recently hacked and reported to your listing services.

The better listing services have few false positives.

 - Tom
DarinTCH, Senior CyberSecurity Engineer, commented:
So that FW is probably $1800-2200.
I'd go with Juniper SRX 210 or SRX240 first
Even a Cisco ASA
or Palo Alto if you really want app level FW

The fortigate is in the small business arena - maybe small mid size

I choose an enterprise product over the smaller player
I like the depth of Technical support and expertise
and I've used the Juniper & Cisco for branch offices in large networks

But the final point is you need to get a good grasp on why you need Security (in-depth)
and not a narrow focus but a broad view of Security; Tom and Thinkpads have made good points.
If you want to learn this topic deeper, even a SECURITY+ class would help.