New firewall or not

Alan Dala
Alan Dala used Ask the Experts™
on
I'm in the market for a new firewall. I'm looking for a all-in-one solution. So far the most attractive solution for price/performace is a Fortinet 100D. The vendor guarantees up to 200Mpbs speed with all the services on(webfiltering, IPS/IDS, VPNs, etc). While that sounds OK for now, I'm just worried that in the near future, I will be constricted by this limit of 200Mpbs and not be ready for the potential 1000Mbps upgrades with all the fiber installs. I know 200 is not bad but the vision of the company is to go full speed to the cloud and eventually have all the services stored somewhere in a data center. Is this a realistic concern? Anybody having any similar experience out there?

Please let me know if you need any other details.


Thank you!
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Checkout the PaloAlto range. They are pretty good.
I agree with the above expert, PA makes a good product. Currently we have an ASA in place, but are going to a Meraki. While I'm still kind of up in the air about the Meraki, the vendor we use to help us select these things seems to believe that it will do what we need it to do from a number of different perspectives.
Blue Street TechLast Knight
Distinguished Expert 2018

Commented:
Hi Alan,

You should be forecasting in a 3-5 year window, which aligns with the ideal refresh rate of 3 years. That said, do you plan on upgrading to 1Gbps in the next 3 years? How many users do you have? Is your core infrastructure in the cloud?

We have most of our client's infrastructure in the cloud and they rarely max out their 100x100 dedicated connections (some have multiple connections). These are clients in 600-1000 user range.

Using the Fortigate 100d as a comparison, I'd recommend SonicWALL TZ600, which has more than double the throughput (500Mbps) with fully DPI and all security services enabled. Plus it's less expensive than the Fortigate 100d. IMO nothing beats SonicWALL's active vs-dB and threat intelligence for the buck.

REF: http://www.sonicwall.com/products/tz600/

Let me know if you have any questions. Thanks!
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Author

Commented:
Thank you all for your responses.

@diverseit: I worked with Sonicwall in the past(never with TZ600) and I have a love/hate relationship with them. Some worked great, some slowed down the connection significantly. That's the only concern that I have with Sonicwall, the difference between the advertised and the actual speed when all the services are on. Any experience with that?

Thanks!
Blue Street TechLast Knight
Distinguished Expert 2018

Commented:
I understand the love/hate especially with the older models. Yes, we have 100's of SonicWALLs that we manage in the field. In the olden days gen1-3 devices tz170, tz190,Pro series etc. they were slow natively and not that feature rich. The licensing was horrific too...everything was an add-on. Then they released NGFW in gen4 (TZ200, TZ 210, NSA 220, etc.), which improved the product line substantially because the SonicOS enhanced version was included in every version and the licensing model changed dramatically. With the release of gen5 (TZ205, TZ 215, NSA 3600, etc.), they changed the game in a major positive way. At that time they had everyone beat in terms of security, features and throughput matched with cost. They were beating ASA's hands down in both price, security and speed. In Gen6 they have carried everything though and increased their speed by 4-5x from gen 5 devices!

It is important to note how and who is performing the testing of any firewall/switch. For SonicWALL it is based on RFC 2544 (for firewall). Actual performance, obviously, may vary depending on network conditions, which services are activated and how the overall config is setup. I have seen them come in at or around their advertised speeds. But this is just from my perspective.

Ultimately, try to look at the field as objectively as possible. Cisco is not what you may think it once was...the end-all be-all. Look at all the specs of each, compare price and settle with your gut. IMO, it is SonicWALL for our company and clients.

Best of luck. Let me know if you have any other questions!

Author

Commented:
I appreciate the insight. The TZ600 looks very tempting.

On a different note, do you think that investing in a firewall is still worth it these days with more people working from home and more services moving to the cloud?


Thanks!
Last Knight
Distinguished Expert 2018
Commented:
I often ponder this. It solely depends on your business model, requirements, and design. Where are you positioned as a company...are you on the bleeding edge, cutting edge, relevant or deprecated? There are many variables at play with a question like this and not knowing your environment is difficult for me to speak to specifically. You could have everyone working remotely on thin clients that sit at their homes, or expendable laptops that are imaged so remediation is quick. Whatever kind of architecture you have designed and even with the invention of the cloud...cracking and identity theft are continually trending upward...if it were stock I'd be a billionaire...it is constantly trending in one direction (up) and growing exponentially. Threats are becoming more and more sophisticated. Having a robust a multi-layered boarder defense system (a firewall) is imperative.

The concept of a borderless architecture is a bit aloof and misleading. Even if you have all your LoBs in the cloud and there is no central office, you still need something protecting those systems accessing the cloud plus the systems, themselves, in the cloud. Hardware firewalls are the only pragmatic way to achieve this. To think that the very device you are connecting to the cloud on doesn't need defense is naive. In this day and age, a multi-layered approach to security is the only sustainable methodology. Multiple AV, AS, IPS, Application Control, firewalls (hardware & software) each on multiple layers is the idea. And with all that malware can still get in if the user layer is not locked down adequately.

The network architecture is changing, however, there is still hype even in the IT industry. Remember when a few Fortune500 companies thought it would be really cool to go all Mac...that failed, but there was a buz that PCs were dead and the enterprise is going Mac. Same idea with the borderless network, ultimately authentication and trust mechanisms must exist in order for there to be order.

Network architecture can be as free as your imagination but when people start talking in ultra simplistic terms it usually leads to one of two things, either the proof of concept fails from a business needs perspective or the security architecture becomes extremely exposed. When threat complexity grows you typically can't thwart it with a simplistic ideology...it has to be at least as complex as the threat itself, if not more so to effectively counter it.

Let me know if you have any other questions!

Author

Commented:
I don't think security is outdated by any means. I just want to make sure I'm focusing on the right solution and any insight from people with much more experience than I have is greatly appreciated. The plan is to go full speed to the cloud, with all the services ending up somewhere in a data center in the next few years. That raised the question if having an UTM at the LAN border is not actually an overkill in this day and age. People tend to work from anywhere more and more these days and with services going to the cloud, what's left to defend at the classical LAN level? We're still not there, we still have some services in the office (shares, AD authentication, printing and phone system) but I don't see why they wouldn't be migrated somewhere else in the near future.

Thanks again for taking the time to give input on this matter.
Blue Street TechLast Knight
Distinguished Expert 2018

Commented:
My pleasure! So paint me a picture of what your environment looks like in the near future with everything offloaded onto the cloud? What does your HQ network look like? Is their an HQ where people actually physically work or is everyone at home? How many users are we talking about?

Thanks!

Author

Commented:
We do have an office with 50-60 staff. Some are 8-5ers, some not so much, traveling or working from home. In the near future, my plan would be to move all services that still reside in our server room to the cloud (Rackspace, Azure, etc). I assume some staff will always be working from the office but with many people in the field, I'm looking into raising the quality/security of their service too. My question is if I should focus more on security at the device level rather than the network gateway. I'm not saying that I shouldn't have a firewall at all but I'm just trying to figure out what would be the best solution for our environment.

Thanks!
Blue Street TechLast Knight
Distinguished Expert 2018

Commented:
I'm a bit confused because, on one hand you talked, initially, about mega bandwidth (1Gbps) and on the other you talked, more recently, about decentralization with the majority of the users working from home or traveling. In each scenario the model is vastly different.

When you go to the cloud, entirely or otherwise, you depend on ISPs more so. This means if you have a central office dual WAN is default and three WANs could even be considered depending on SLAs, etc.. This also means load balancing w/fail-over and fail-back, etc would be required. Central office and cloud means a firewall-centric model where a firewall or HA (High Availability (dual Firewalls)) model would be invoked.

If your office becomes decentralized, majority of workers if not all are off-site then a firewall becomes imperative at each users location, whether it be a home, hotel, etc. Obviously, your company is not going to outfit every user with a business-class or otherwise decent firewall, and thus vulnerability strikes.

So in this plan do you see any servers in your headquarters or are they all clients connecting independently? Are you planning on implementing Azure AD?

The device layer can be hardened only so much. Ultimately, if everyone is not centralized then their most used location will become their main gateway. The cloud is still susceptible to attacks. That means LoBs should be backed up from the cloud to either another cloud services or off of the cloud entirely.

You may considered virtualized desktops/cloud computing. SSL w/tunnel all mode into the virtual space would reduce the vulnerabilities enormously in a decentralized model.

Each of these decisions need to be weight with your Business needs, Burn Rate and the value of your data.

Best of luck!

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial