Advice On Firewall

We are in the process of upgrading our server, computers, etc.

I noticed that the current firewall we use (SnapGear/McAfee 560) is EOL. I am curious as to what everyone recommends for firewalls?

We have a pretty basic setup with the SG560...Some rules to block/allow certain connections but that's about it.

I know it CAN do VPN and many other things but we just have not utilized it to its fullest.

Going forward - I want to know what would be the best solution for us. We are thinking of switching to a new firewall that would have tech support available. We are purchasing a new Dell server and they recommend SonicWall.

Can anyone give me advice on this? It would be nice to be able to VPN into our network as well as create rules for internet surfing (not sure if all/no firewalls have this feature).

The cheapest SonicWall on Dell's website (when configuring a new server) is the TZ 205. Would this be "easy" to set up like the SG560 is?

Any assistance would be greatly appreciated.
Nicholas_BlueStar Asked:

John, Business Consultant (Owner) Commented:
In addition to SonicWall, Juniper Netscreen is VERY good and the models range from Small Business up. I use Juniper Netscreen SSG5 at small business clients.
0
STS-Tech Commented:
Not surprising that Dell would recommend SonicWall since they now own them :)  With that said- we have several clients that use them and they are a great product.  A little more expensive than average, but you get what you pay for.  They are also not as complicated to set up as say, a Cisco, but it's not something you'll figure out unless you are familiar with routing.  Their tech support is great- I've had to have them remote in to fix an issue for me before and they were quick and explained everything they were doing.  They do, as is becoming more common, charge a yearly fee for support, updates, and any enhanced services you opt for such as antivirus, content filters, etc.  

For clients not requiring the features (and not wanting the cost) of a SonicWall, we typically sell Netgear.  On this I will advise to spend the extra money and get a business class model as the home stuff is typically junk.  Setup of services and rules is simple and straight-forward but you are limited (at least on the models I've used) on the number of inbound connections you can have (I think around 15).

Both of these have models with VPN support via their own proprietary client software which we have used and they work well.
0
Sanga Collins, Systems Admin Commented:
We primarily use Juniper SSG firewalls, but we also have several SonicWall devices due to the great VPN. Both are easier to use than a Cisco or the Juniper SRX class. If VPN is important, I recommend SonicWall.
0
Nicholas_BlueStar (Author) Commented:
Thanks for the quick responses!

I see there is a TZ 205 and a TZ 215...Looks like the specs are a little different...

Specs
Any reason to go with the 215 over the 205?

Can someone explain what a GVC VPN License is? It says it comes with 1 or 2 (depending on the model).

With the SG560 we could have as many users set up to connect into the VPN as we wanted. Is that the case with the SonicWall? Or do I have to purchase a GVC license for every user that will be connecting into the VPN?
0
John, Business Consultant (Owner) Commented:
Juniper has excellent VPN capabilities and no issues with their VPN.
0
Nicholas_BlueStar (Author) Commented:
Here is a section from the Juniper

SSG5 delivers 160 Mbps of stateful firewall traffic and 40 Mbps of IPsec VPN throughput for small branch, teleworker, and enterprise deployments.

The 205 and 215 have 500 Mbps of "stateful" traffic and the same 40 Mbps for UTM performance (which I am assuming is the same as VPN throughput). What kind of differences will I see in real life scenarios going from 160 to 500?
0
John, Business Consultant (Owner) Commented:
You need 500 Mbits/sec if your ISP is beyond 20 Mbits. My older RV042 was 200 Mbits and I needed faster as the ISP speed went up.
0
carlmd Commented:
Before you select a SonicWall model, can you provide some details on what type of traffic will pass? How many users on the LAN? Do you host web sites, Exchange server, etc.? Anything else on the LAN that would generate significant traffic? This would help to determine if the TZ series is good for your site.

A GVC VPN is an IPsec client that requires you install it on the remote pc before it can connect via the VPN. You can purchase additional licenses beyond those included. The TZ205 includes 2 and has a maximum of 10. The TZ215 includes 2 and can go to a maximum of 25.

Both these models also include and support an SSLVPN. This does not use a client. The TZ205 includes 1 SSLVPN license and can go to a maximum of 10. The TZ215 includes 2 and can go to a maximum of 10.

For the difference of about $200 I would definitely suggest the TZ215 if you are limiting your choice to only those models.
0
Nicholas_BlueStar (Author) Commented:
@carlmd

We will have under 10 users onsite. And under 5 users offsite.

The only thing our server does at the moment is our exchange and then local file hosting. Our website is hosted on a different server outside of our network and maintained separately.

One thing that MUST work flawlessly would be VOIP phones...we are very strongly considering going to them in the next couple of months and need to make sure anything we implement will work down the road.

Our internet speed is 12-Down & 3-Up (I am willing to up the speed, I think our ISP can do 20X5). Again, I want to purchase hardware that will be viable a few years down the road...so it seems like I would need a stateful speed of at least 500Mbps right?

I would like to be able to VPN into our server from a remote location with as little latency as possible. I want it to feel like I am onsite when I am using the VPN service...Is our ISP speed good enough at 3Mbps upload speed? Is the GVC a better option than what we are using right now? (Our current Snapgear can do PPTP, L2TP, IPsec...None of them are set up though).
0
carlmd Commented:
Unless you plan to grow significantly over the next few years, a TZ215 should do it for you.

Yes it will work for VOIP. I have included a link to the admin guide if you want to read the section on VOIP

https://support.software.dell.com/download/downloads?id=5353111

You might need to upgrade your ISP line when you move to VOIP.
0
Nicholas_BlueStar (Author) Commented:
Thanks Carl

I am looking into the document right now and trying to read up on everything it does.

How much is it to add a GVC license? If it only comes with one license, I would need to purchase 4 more (to allow 5 VPN users to connect) right?
0
Peter Wilson, IT Commented:
GVC license pricing is as follows:

01-SSC-5310      SonicWALL Global VPN Client Windows - 1 License      $50
01-SSC-5316      SonicWALL Global VPN Client Windows - 5 Licenses      $215
01-SSC-5311      SonicWALL Global VPN Client Windows - 10 Licenses      $345
01-SSC-5313      SonicWALL Global VPN Client Windows - 50 Licenses      $595

This is all MSRP pricing and are one time purchases...through distro you can get better I'm sure. These are then added to the VPN count the device already comes with.

I prefer to use SSL-VPN, they are clientless but if you want to run the client they are super simple to deploy. In fact pretty much touch-less as far as management goes. Once you set up the Virtual Office even if you have nothing running through it, once they get to the page it auto installs and then they enter credentials and poof...connected!
0
Nicholas_BlueStar (Author) Commented:
"I prefer to use SSL-VPN, they are clientless but if you want to run the client they are super simple to deploy. In fact pretty much touch-less as far as management goes. Once you set up the Virtual Office even if you have nothing running through it, once they get to the page it auto installs and then they enter credentials and poof...connected!"

That sounds like what I want to do. Now when you say clientless...does that just mean you do not need to install software in order to make it work? I still need "client" licenses right? If I want to VPN on my laptop (from down the street at Starbucks), the manager wants to VPN from home, and the owner wants to VPN from a different city? That would be 3 concurrent VPN connections. I would need 3 "client licenses" right? What if I needed 3 people to have a VPN connection but only 2 of them would be on at any one time?
0
Peter Wilson, IT Commented:
Yes, you still need to pay for licenses. It is concurrent licensing, so you could have 10 users set up on SSL-VPN, but if only 3 users are active in the tunnel then that is all the licensing you need!
0
Nicholas_BlueStar (Author) Commented:
Peter - I am still a little unclear.

If I have 3 people (with 3 different computers) that will need access at some point (but never all 3 at the same time) do I still need to purchase 3 SSL VPN licenses? Or can I have 2 licenses that 3 people use (just not all 3 at the same time)?
0
Peter Wilson, IT Commented:
Correct, that is what concurrent licensing means...it's using the licenses at the same time. So with one license, if you are on the SSL-VPN and someone else tries to get on then they will be denied due to not having enough licenses.

Does that make sense?
0
John, Business Consultant (Owner) Commented:
@Nicholas_BlueStar - Thanks and I was happy to help
0