Solved

Advice On Firewall

Posted on 2014-07-17
Last Modified: 2016-11-23
We are in the process of upgrading our server, computers, etc.

I noticed that the current firewall we use (SnapGear/McAfee 560) is EOL. I am curious as to what everyone recommends for firewalls?

We have a pretty basic setup with the SG560...Some rules to block/allow certain connections but that's about it.

I know it CAN do VPN and many other things but we just have not utilized it to its fullest.

Going forward - I want to know what would be the best solution for us. We are thinking of switching to a new Firewall that would have tech support available. We are purchasing a new Dell server and they recommend SonicWall.

Can anyone give me advice on this? It would be nice to be able to VPN into our network as well as create rules for internet surfing (not sure if all/no firewalls have this feature).

The cheapest SonicWall on Dell's website (when configuring a new server) is the TZ 205. Would this be "easy" to set up like the SG560 is?

Any assistance would be greatly appreciated.
0
Question by:Nicholas_BlueStar
17 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 150 total points
ID: 40202571
In addition to SonicWall, Juniper Netscreen is VERY good and the models range from Small Business up. I use Juniper Netscreen SSG5 at small business clients.
0
 
LVL 2

Assisted Solution

by:STS-Tech
STS-Tech earned 50 total points
ID: 40202700
Not surprising that Dell would recommend SonicWall since they now own them :)  With that said- we have several clients that use them and they are a great product.  A little more expensive than average, but you get what you pay for.  They are also not as complicated to set up as say, a Cisco, but it's not something you'll figure out unless you are familiar with routing.  Their tech support is great- I've had to have them remote in to fix an issue for me before and they were quick and explained everything they were doing.  They do, as is becoming more common, charge a yearly fee for support, updates, and any enhanced services you opt for such as antivirus, content filters, etc.  

For clients not requiring the features (and not wanting the cost) of a SonicWall, we typically sell Netgear.  On this I will advise to spend the extra money and get a business class model as the home stuff is typically junk.  Setup of services and rules is simple and straight-forward but you are limited (at least on the models I've used) on the number of inbound connections you can have (I think around 15).

Both of these have models with VPN support via their own proprietary client software which we have used and they work well.
0
 
LVL 18

Assisted Solution

by:Sanga Collins
Sanga Collins earned 50 total points
ID: 40202950
We primarily use Juniper SSG firewalls but we also have several SonicWall devices due to the great VPN. Both are easier to use than a Cisco or the Juniper SRX class. If VPN is important I recommend SonicWall.
0
 

Author Comment

by:Nicholas_BlueStar
ID: 40202985
Thanks for the quick responses!

I see there is a TZ 205 and a TZ 215...Looks like the specs are a little different...

Specs
Any reason to go with the 215 over the 205?

Can someone explain what a GVC VPN License is? It says it comes with 1 or 2 (depending on the model).

With the SG560 we could have as many users setup to connect into the VPN as we wanted. Is that the case with the sonicwall? Or do I have to purchase a GVC license for every user that will be connecting into the VPN?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 150 total points
ID: 40203049
Juniper has excellent VPN capabilities and no issues with their VPN.
0
 

Author Comment

by:Nicholas_BlueStar
ID: 40203360
Here is a section from the Juniper

SSG5 delivers 160 Mbps of stateful firewall traffic and 40 Mbps of IPsec VPN throughput for small branch, teleworker, and enterprise deployments.

The 205 and 215 have 500Mbps of "stateful" traffic and the same 40Mbps for UTM performance (which I am assuming is the same as VPN throughput). What kind of differences will I see in real life scenarios going from 160 to 500?
0
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 150 total points
ID: 40203373
You need 500 Mbits/sec if your ISP is beyond 20 Mbits. My older RV042 was 200 Mbits and I needed faster as the ISP speed went up.
0
 
LVL 20

Assisted Solution

by:carlmd
carlmd earned 100 total points
ID: 40204282
Before you select a SonicWall model, can you provide some details on what type of traffic will pass? How many users on LAN? Do you host web sites, Exchange server etc.? Anything else on the LAN that would generate significant traffic? This would help to determine if the TZ series is good for your site.

A GVC VPN is an IPsec client that requires you to install it on the remote PC before it can connect via the VPN. You can purchase additional licenses beyond those included. The TZ205 includes 2 and has a maximum of 10. The TZ215 includes 2 and can go to a maximum of 25.

Both these models also include and support an SSLVPN. This does not use a client. The TZ205 includes 1 SSLVPN license and can go to a maximum of 10. The TZ215 includes 2 and can go to a maximum of 10.

For the difference of about $200 I would definitely suggest the TZ215 if you are limiting your choice to only those models.
0

 

Author Comment

by:Nicholas_BlueStar
ID: 40204738
@CarolMD

We will have under 10 users onsite. And under 5 users offsite.

The only thing our server does at the moment is our exchange and then local file hosting. Our website is hosted on a different server outside of our network and maintained separately.

One thing that MUST work flawlessly would be VOIP phones...we are very strongly considering going to them in the next couple of months and need to make sure anything we implement will work down the road.

Our internet speed is 12-Down & 3-Up (I am willing to up the speed, I think our ISP can do 20X5). Again, I want to purchase hardware that will be viable a few years down the road...so it seems like I would need a stateful speed of at least 500Mbps right?

I would like to be able to VPN into our server from a remote location with as little latency as possible. I want it to feel like I am onsite when I am using the VPN service...Is our ISP speed good enough at 3Mbps upload speed? Is the GVC a better option than what we are using right now? (Our current Snapgear can do PPTP, L2TP, IPsec...None of them are setup though).
0
 
LVL 20

Accepted Solution

by:
carlmd earned 100 total points
ID: 40204762
Unless you plan to grow significantly over the next few years a TZ215 should do it for you.

Yes it will work for VOIP. I have included a link to the admin guide if you want to read the section on VOIP

https://support.software.dell.com/download/downloads?id=5353111

You might need to upgrade your ISP line when you move to VOIP.
0
 

Author Comment

by:Nicholas_BlueStar
ID: 40205059
Thanks Carl

I am looking into the document right now and trying to read up on everything it does.

How much is it to add a GVC license? If it only comes with one license, I would need to purchase 4 more (to allow 5 VPN users to connect) right?
0
 
LVL 2

Assisted Solution

by:Peter Wilson
Peter Wilson earned 150 total points
ID: 40206668
GVC license pricing is as follows:

01-SSC-5310      SonicWALL Global VPN Client Windows - 1 License      $50
01-SSC-5316      SonicWALL Global VPN Client Windows - 5 Licenses      $215
01-SSC-5311      SonicWALL Global VPN Client Windows - 10 Licenses      $345
01-SSC-5313      SonicWALL Global VPN Client Windows - 50 Licenses      $595

This is all MSRP pricing and these are one-time purchases...through distro you can get better I'm sure. These are then added to the VPN count the device already comes with.

I prefer to use SSL-VPN, they are clientless but if you want to run the client they are super simple to deploy. In fact pretty much touch-less as far as management goes. Once you setup the Virtual Office even if you have nothing running through it, once they get to the page it auto installs and then they enter credentials and poof...connected!
0
 

Author Comment

by:Nicholas_BlueStar
ID: 40209048
I prefer to use SSL-VPN, they are clientless but if you want to run the client they are super simple to deploy. In fact pretty much touch-less as far as management goes. Once you setup the Virtual Office even if you have nothing running through it, once they get to the page it auto installs and then they enter credentials and poof...connected!

That sounds like what I want to do. Now when you say clientless...does that just mean you do not need to install software in order to make it work? I still need "client" licenses right? If I want to VPN on my laptop (from down the street at Starbucks), the manager wants to VPN from home, and the owner wants to VPN from a different city? That would be 3 concurrent VPN connections. I would need 3 "client licenses" right? What if I needed 3 people to have a VPN connection but only 2 of them would be on at any one time?
0
 
LVL 2

Assisted Solution

by:Peter Wilson
Peter Wilson earned 150 total points
ID: 40210911
Yes, you still need to pay for licenses. It is concurrent licensing so you could have 10 users set up on SSL-VPN but if only 3 users are active in the tunnel then that is all the licensing you need!
0
 

Author Comment

by:Nicholas_BlueStar
ID: 40214870
Peter - I am still a little unclear.

If I have 3 people (with 3 different computers) that will need access at some point (but never all 3 at the same time) do I still need to purchase 3 SSL VPN licenses? Or can I have 2 licenses that 3 people use (just not all 3 at the same time)?
0
 
LVL 2

Assisted Solution

by:Peter Wilson
Peter Wilson earned 150 total points
ID: 40215118
Correct, that is what concurrent licensing means...it's using the licenses at the same time. So with one license, if you are on the SSL-VPN and someone else tries to get on then they will be denied due to not having enough licenses.

Does that make sense?
0
 
LVL 90

Expert Comment

by:John Hurst
ID: 40730670
@Nicholas_BlueStar - Thanks and I was happy to help
0
