Solved

purchasing firewall

Posted on 2013-01-10
Last Modified: 2013-01-27
Hi, I wanna ask:

What should I consider before purchasing a new firewall for a medium business?

Thank you.
Question by: tankergoblin

11 Comments
 
LVL 90

Expert Comment

by:John Hurst
ID: 38765580
How big is the "medium" business?

You want a firewall that has enough speed capacity (throughput) and number of user capacity to handle the size of business you have.

Small (SSG5) Juniper Netscreen Firewalls can handle 30 or more users. Scale up for yet more users.

... Thinkpads_User
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 250 total points
ID: 38765652

1. Budget

Maybe the most critical question. Management (yours or your client's) may have a huge feature set and extensive security requirements (perceived or real). However, if they are unable or unwilling to commit commensurate resources, then you will need to be realistic. As your evaluation progresses, you will have to be frank as to what you can afford or what management must be willing to spend to get the features and support they actually require.

You will have to come back to this question at various points in your evaluation and selection process.

2. Number of Networks to Support

A critical but simple question of how many ports the firewall will need to have inside and outside. A slightly less simple question when considering additional networks that may be inside but on another subnet from the firewall. The latter implication regards the bandwidth capability of the firewall.

3. Level of Support Needed

This has to do with both warranty support and technical support for configuration. This also has to do with the response times you will require. The better firewalls have decent support packages. Some levels may only be available during business hours, others 24x7. Included in this is whether the support is from folks that are not only technically competent but are competent in the language of your firewall administrators. It matters not one bit if the manufacturer support folks are the best experts on the planet if they cannot communicate proficiently in the language of your administrators.

4. Level of Security Needed

This could be considered a two-way question. How locked down will the protected network(s) need to be? How much access will need to be provided through the firewall in EACH DIRECTION?

Often, management will dictate absolute security at the same time that they dictate easy access for themselves and others. These conflicts will dictate moments of candor on your part.

I'm not going into too much detail here because this is an area that you should explore and expand upon a little more yourself. Then more detail can be discussed based on some of the most basic questions that you ask of management.

Some questions for management include: "What are their expectations of security?", "Will employees, contractors and/or vendors need access to internal networks from outside?", "Are there any specific requirement specifications or standards that they already have documented/determined?" The last question includes any standards or specifications required by their clients or customers.

Once you have had a general discussion with management (not just the CIO either, but the CEO/Owner as well), schedule a follow-up meeting distant enough to have a chance to do your homework and get back to them with your research results and additional questions (including whether the budget or specifications need to be adjusted).

5. Baseline Feature Set Required by Management

This is really a bullet list of critical features you determine are the results of your discussion(s) with IT and management.

6. Firewall Administrators and Support Staffing

Either consultants and/or staff will be responsible for the configuration and ongoing support of the firewall. The abilities and costs for either need to be detailed and accounted for in calculating the capital and operational costs and budgets.

7. Review the Corporate Politics and Religion of Management

Politics and religion in everyday life are topics of concern and strife that anybody navigating said life must be cognizant of and be prepared for accordingly.

Business and technology are no different. Corporate culture is very important in your decisions and recommendations as well as in how you communicate the same.

I lift the terms from the old OSI model, an abstract representation of how networking works. The OSI model in text books had seven (7) layers starting with the Physical layer and ending at the Application layer. However, experienced network engineers added the layers Politics and Religion as the most important when relating to corporate culture.

Basically, management will take most of what you say and recommend that is technical in nature but yet require other non-technical considerations. For example, brand name and access "requirements" are areas that may be in conflict with technical considerations. If you deem that a given management stance is based on "politics", you may have some room to argue your position. If their position is "religious" in nature, arguing the point is, well, pointless. In the latter case, the only other consideration is how far up the management food chain the problem originates. If it is the CEO/Owner, you probably need to move on.

Good Luck,

Tom
 
LVL 7

Author Comment

by:tankergoblin
ID: 38765714
Actually I have two networks, network A and B.

Network A has approximately 70 users and network B has 100 users.

Actually for network B I'm not sure how many users, because most users are online by WiFi.

I have 5 APs and each AP can accommodate 20 users, so I guess 5 APs should accommodate 100 users.

I tend to connect these two networks to one firewall but don't know if that is a good idea or not.

Should I get two firewalls or is one enough?
 
LVL 90

Expert Comment

by:John Hurst
ID: 38765722
Does each network have its own ISP connection? Even for 100 users, you would need a very high bandwidth connection.

Do you want the networks connected?  That is, all the people able to access everywhere?  170 users will (just) fit into one normal subnet but you can make subnets bigger.

A mid-range Juniper or Cisco firewall (one or two depending on the answers above) can handle the load.

For example, you could have one ISP (high bandwidth), one medium size firewall with enough throughput, and then connect users to that. You can connect the Access Points to such a network.

.... Thinkpads_User
 
LVL 20

Expert Comment

by:rauenpc
ID: 38765864
In the Cisco world, you will likely fall into the ASA5512X or ASA5525X range. However, as stated above, you would need to produce requirements and specs beyond simple user count.
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 250 total points
ID: 38766309
The subnet and user counts are a good start.

I concur that you are looking for a commercial grade mid-level firewall. I have not had any bandwidth issues with SonicWALL firewalls (originally a NAS 3060, now a NAS 4500) with a two subnet network that is similar in bandwidth needs to what you describe. Both subnets are 1G MANs and connect to each other through the firewall and share a 100M Internet connection. To that, we recently added a second set of subnets consisting of small 1G LANs on a SonicWALL NAS 2400 firewall at a remote location with a VPN tunnel between the two firewalls, and both are performing nicely. However, the VPN traffic is limited to IT remote management and monitoring tasks.

To Cisco and Juniper, I would add SonicWALL as a contender in your research. They have stood up well and the support has been excellent throughout the years.

All that said, you still need to sit down with IT and then management to determine the baseline specifications that will be desired/required and the budget to support them.

 - Tom
 
LVL 12

Assisted Solution

by:DarinTCH
DarinTCH earned 167 total points
ID: 38766976
Are you comfortable with managing a firewall?
How much are you willing to pay?
All good firewalls should support disparate networks
and allow you to connect multiple networks into them.

The top hardware firewalls from a purely FW aspect:
Juniper
Cisco
Palo Alto
Barracuda
Checkpoint
Sonic
Watchguard
Astaro

I ordered them from my idea of LARGE Enterprise size company down - roughly.
That being said, they all can support mid-size business.

Most top FWs are managed by command line,
so if you are not savvy in command line you want one that can also be managed by a GUI interface.
Most of those listed have this also (whether it is fast/slow or easy is another issue).
Juniper and Cisco have many in the Huge...large...mid size...medium ranges
depending on what you need to support
besides just overall total connections:
VPN
IDS
AV
ZONES
IPSec
NAT
ALG
 
LVL 7

Author Comment

by:tankergoblin
ID: 38773239
Thank you for all the comments above.

I was looking at the FortiGate 100D.

Do you think it is a good firewall? About my ISP, I have 2 separate DSL connections, each has a 1Mbps line.

Do you think I should purchase UTM bundled in my firewall? The reason I ask is because every year I need to pay a sum of money for that service.

My purpose to set up a firewall is to prevent all kinds of threats from the internet and prevent viruses/worms from spreading.

I know this may sound stupid but I have to ask:

What can I do with a firewall in detail? What is the major advantage to having a firewall?

Thank you.
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 83 total points
ID: 38773996
"what can I do with firewall in detail.. what is the major advantage to have firewall"

I have not used a Fortigate, so I cannot comment on that.

The main advantage of a firewall is to screen out unwanted attacks (like Denial of Service), close off ports not needed, route traffic that needs to be routed and general network stuff like that. VPN firewalls additionally provide hardware VPN services for secure access in.

Some firewalls have built-in virus checkers you can purchase additionally as well. I depend as much or more on overall antivirus suites for that.

.... Thinkpads_User
 
LVL 12

Assisted Solution

by:TomRScott
TomRScott earned 250 total points
ID: 38776619
Regarding depending on a UTM firewall:

I much prefer defense in depth. As Thinkpads_User notes, the firewall's primary function is, as the name implies, firewalling the inside network from most direct threats from outside the private network or networks. Mainly that relates to unwanted direct connections to stations and other resources on the inside, as well as defending against DoS/DDoS attacks.

Beyond that, again as Thinkpads notes, firewalls provide VPN services allowing connectivity to other private networks that you trust to a given degree.

Yes, a firewall can perform anti-malware functions. However, you really should start with a "defense in depth" approach wherein internal computers are individually protected with a security suite. You must keep in mind that the gateway or firewall is not the only entry point to your networks. Even a firewall with UTM services that are 100% successful will not keep your networks safe from thumb drives, CDs, DVDs, etc. The latter includes commercial products "in the shrink wrap". Malware has on a number of occasions been distributed in commercial products, including on CDs and DVDs.

In the last few years, it has become common for folks to connect and sync their handheld devices with their desktops.

Without a defense in depth approach, you may assume you will encounter a malware intrusion.

The one additional service I have liked leveraging on some firewalls is web/ftp etc. filtering services. With these, the company may subscribe to and leverage a list or lists that can be checked each time an internal user attempts to connect to a new web site, and said site may be blocked if it is either on your internal list of blocked sites or on the subscribed list of sites that are known for hosting malware or phishing activity. The latter includes sites that may have been recently hacked and reported to your listing services.

The better listing services have few false positives.

 - Tom
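The filtering check TomRScott describes above, as an added example that is not part of any post in this thread: a requested site is normalised, then matched against the company's own blocklist and a subscribed malware/phishing list (a listed domain also covers its subdomains), with a local allowlist so a known false positive from the feed can be overridden. The list contents and the allowlist mechanism are constructed assumptions.

```python
"""Outbound web filtering: block a requested site if its host (or a parent
domain) is on the internal blocklist or on a subscribed malware/phishing feed,
unless a local allowlist overrides a known false positive.
Constructed example; list contents and the allowlist override are assumptions.
"""
from urllib.parse import urlsplit

# Constructed sample lists. A real deployment refreshes the feed on a schedule;
# here both are inline sets of domain names.
INTERNAL_BLOCKLIST = {"gambling.example", "games.example"}
SUBSCRIBED_FEED = {"malware.example.net", "phish.example.org"}
# Local override for feed false positives (for example a site that was hacked,
# reported, and has since been cleaned up).
ALLOWLIST = {"cleaned.phish.example.org"}


def hostname(url: str) -> str:
    """Normalise the host part: lower-case, drop the port and any trailing dot."""
    host = urlsplit(url).hostname  # urlsplit lower-cases and strips the port
    if host is None:
        raise ValueError(f"no host in {url!r}")
    return host.rstrip(".")


def parents(host: str):
    """Yield the host and each parent domain (but not the bare TLD), so that
    listing 'example.net' also covers 'cdn.example.net'."""
    labels = host.split(".")
    for i in range(len(labels) - 1):
        yield ".".join(labels[i:])


def classify(url: str) -> tuple:
    """Return (decision, reason) for a requested URL."""
    host = hostname(url)
    # Allowlist is checked first so an override beats both lists.
    for candidate in parents(host):
        if candidate in ALLOWLIST:
            return ("allow", f"allowlisted: {candidate}")
    for candidate in parents(host):
        if candidate in INTERNAL_BLOCKLIST:
            return ("block", f"internal blocklist: {candidate}")
        if candidate in SUBSCRIBED_FEED:
            return ("block", f"subscribed feed: {candidate}")
    return ("allow", "not listed")
```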
 
LVL 12

Accepted Solution

by: DarinTCH
DarinTCH earned 167 total points
ID: 38783871
So that FW is probably $1800-2200.
I'd go with a Juniper SRX 210 or SRX240 first,
even a Cisco ASA,
or Palo Alto if you really want an app-level FW.

The FortiGate is in the small business arena - maybe small mid-size.

I choose an enterprise product over the smaller player.
I like the depth of technical support and expertise,
and I've used the Juniper & Cisco for branch offices in large networks.

But the final point is you need to get a good grasp on why you need security (in-depth)
and not a narrow focus but a broad view of security - Tom and Thinkpads have made good points.
If you want to learn this topic deeper, even a SECURITY+ class would help.