Firewall recommendations

I have a client who runs a peer-to-peer network (he refuses to use servers...long story, don't ask). He is very anal about security and is in the process of upgrading parts of his network. I am now tasked with finding a firewall that meets, at a minimum, the following requirements:

Inbound/Outbound E-mail Scanning (SMTP/POP3), w/rules for attachment handling and other business requirements.

Internet websites blacklist/whitelist, granular settings by user/node/IP address. AD/DS is not and will not be used in this network.

Internet connectivity failover.

Dual power supplies, preferably hot-swappable.

Site-to-site VPN capability.

Graphical User Interface (GUI) for management. Does not want cloud management capability, if it does can it be turned off?


Thank you in advance for your recommendations/comments/snippets!!!
Yort Asked:

Jason Johanknecht, IT Manager, Commented:
I would recommend Checkpoint for any firewall solution. I am not sure about the dual power supply part, but for the rest they will for sure meet your needs.

Checkpoint
0
Matt Commented:
How would you identify users with no authentication on this site?

Internet connectivity failover - BGP routing with his own AS system or just two ISP providers without AS system just for surfing to the public network?
0
Yort (Author) Commented:
@DataPro - Thanks. I will research Checkpoint.

@Matt - I am hoping we can use static IP addresses/NetBIOS names as the means of identification. Failover would simply be two ISPs, so if the primary goes down the firewall can failover to the backup connection.
0
Ben Stirling, Operations Technology Analyst, Commented:
Sophos UTM, formerly Astaro; they have some good options for the SMB.
0

stu29 Commented:
Yort,

For the size of your network, I would point you toward Watchguard.  Quick and easy GUI with granular control based on any number of parameters.  It will give you surfing controls based on combo of categories and specified, email control and scanning/quarantine. You can also upgrade the box for application control.

Definitely worth a look.
0
madunix (Fadi SODAH) Commented:
You could check Fortigate, Sonic Wall, Check-point, Juniper, etc. A list of software/appliances:
squid www.squid-cache.org
Untangle www.untangle.com
astaro www.astaro.com
ClearOS www.clearfoundation.com
PF www.pfsense.org
WALL m0n0.ch/wall
IPCop ipcop.org
websense websense.com
eblaster eblaster.com
forti fortinet.com
SonicWall sonicwall.com
Cyberoam cyberoam.com
SmoothWall smoothwall.net

Check fortinet, they have good products such as the 1500D
http://www.fortinet.com/press_releases/2013/fortinet-disrupts-high-performance-enterprise-firewall-1500D.html
http://www.fortinet.com/solutions/unified_threat_management.html
1. Firewall throughput minimum 40Gbps.
2. VPN throughput 17Gbps
3. Support up to 6 million concurrent sessions.
4. Support up to 2000 IPSec VPN peers.
5. At least 2x10GE SFP+ ports and 12x 10/100/1000 RJ45
6. Support VPN clustering and load balancing
7. Support Active/Active and Active/Standby HA
8. Power supply redundancy.
9. Support IPS
10. Integrated IPS throughput should not be less than 6Gbps
11. Able to provide stateful inspection capabilities
12. Able to support Network Address Translation (NAT)
13. Capable of supporting SSH, telnet, and web management methods.
14. Capable of preventing Denial of Service attacks.
15. Support Virtual domains / Security zones Min. 10/250
0
Yort (Author) Commented:
@Ben Stirling: Thank you. We have opted for the Sophos UTM as it has everything we need.

Thank you to everyone else for the suggestions...it is appreciated.
0