Alan Dala asked:
New firewall or not

I'm in the market for a new firewall. I'm looking for a all-in-one solution. So far the most attractive solution for price/performace is a Fortinet 100D. The vendor guarantees up to 200Mpbs speed with all the services on(webfiltering, IPS/IDS, VPNs, etc). While that sounds OK for now, I'm just worried that in the near future, I will be constricted by this limit of 200Mpbs and not be ready for the potential 1000Mbps upgrades with all the fiber installs. I know 200 is not bad but the vision of the company is to go full speed to the cloud and eventually have all the services stored somewhere in a data center. Is this a realistic concern? Anybody having any similar experience out there?

Please let me know if you need any other details.


Thank you!
Sajith Silva:
Check out the Palo Alto range. They are pretty good.
jhyiesla:
I agree with the above expert, PA makes a good product. Currently we have an ASA in place, but are going to a Meraki. While I'm still kind of up in the air about the Meraki, the vendor we use to help us select these things seems to believe that it will do what we need it to do from a number of different perspectives.
Hi Alan,

You should be forecasting in a 3-5 year window, which aligns with the ideal refresh rate of 3 years. That said, do you plan on upgrading to 1Gbps in the next 3 years? How many users do you have? Is your core infrastructure in the cloud?

We have most of our client's infrastructure in the cloud and they rarely max out their 100x100 dedicated connections (some have multiple connections). These are clients in 600-1000 user range.

Using the Fortigate 100D as a comparison, I'd recommend the SonicWALL TZ600, which has more than double the throughput (500Mbps) with full DPI and all security services enabled. Plus it's less expensive than the Fortigate 100D. IMO nothing beats SonicWALL's active vs-dB and threat intelligence for the buck.

REF: http://www.sonicwall.com/products/tz600/

Let me know if you have any questions. Thanks!
Alan Dala (asker):
Thank you all for your responses.

@diverseit: I worked with SonicWALL in the past (never with the TZ600) and I have a love/hate relationship with them. Some worked great, some slowed down the connection significantly. That's the only concern that I have with SonicWALL, the difference between the advertised and the actual speed when all the services are on. Any experience with that?

Thanks!
I understand the love/hate, especially with the older models. Yes, we have hundreds of SonicWALLs that we manage in the field. In the olden days the gen1-3 devices (TZ170, TZ190, Pro series, etc.) were slow natively and not that feature rich. The licensing was horrific too...everything was an add-on. Then they released NGFW in gen4 (TZ200, TZ210, NSA 220, etc.), which improved the product line substantially because the SonicOS Enhanced version was included in every version and the licensing model changed dramatically. With the release of gen5 (TZ205, TZ215, NSA 3600, etc.), they changed the game in a major positive way. At that time they had everyone beat in terms of security, features and throughput matched with cost. They were beating ASAs hands down in price, security and speed. In gen6 they have carried everything through and increased their speed by 4-5x over gen5 devices!

It is important to note how and who is performing the testing of any firewall/switch. For SonicWALL it is based on RFC 2544 (for firewall). Actual performance, obviously, may vary depending on network conditions, which services are activated and how the overall config is set up. I have seen them come in at or around their advertised speeds. But this is just from my perspective.

Ultimately, try to look at the field as objectively as possible. Cisco is not what you may think it once was...the end-all be-all. Look at all the specs of each, compare price and settle with your gut. IMO, it is SonicWALL for our company and clients.

Best of luck. Let me know if you have any other questions!
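The sizing question in this thread (will a 200Mbps "all services on" appliance still fit in a 3-5 year window, and how does a 500Mbps one compare?) can be checked with a small capacity-planning script. This is an added example, not code from the thread or from any vendor; the current peak usage, the annual growth rate, the derating factor for the gap between RFC 2544 lab figures and real traffic, and the headroom target are all constructed assumptions.

```python
# Added example: find the year in which a UTM appliance's usable
# throughput (vendor figure with all security services enabled, derated
# for real-world traffic mixes) is outgrown by projected WAN demand.
from dataclasses import dataclass


@dataclass
class Appliance:
    name: str
    rated_mbps: float       # vendor "all services on" figure (RFC 2544 style)
    derating: float = 0.7   # assumed: fraction of rated figure seen in practice

    def usable_mbps(self) -> float:
        return self.rated_mbps * self.derating


def projected_demand(current_mbps, growth, years):
    """Compound peak demand year by year; index 0 is today."""
    return [current_mbps * (1 + growth) ** y for y in range(years + 1)]


def year_of_saturation(appliance, current_mbps, growth, horizon=5, headroom=0.8):
    """First year in which demand exceeds headroom * usable throughput,
    or None if the appliance lasts the whole planning horizon."""
    limit = appliance.usable_mbps() * headroom
    for year, demand in enumerate(projected_demand(current_mbps, growth, horizon)):
        if demand > limit:
            return year
    return None


if __name__ == "__main__":
    # Constructed inputs: 60 Mbps peak today, 35% yearly growth as the
    # office moves its services to the cloud, planning window of 5 years.
    current, growth = 60.0, 0.35
    for box in (Appliance("Fortigate 100D", 200.0), Appliance("SonicWALL TZ600", 500.0)):
        year = year_of_saturation(box, current, growth)
        verdict = f"saturates in year {year}" if year is not None else "fits the 5-year window"
        print(f"{box.name}: usable ~{box.usable_mbps():.0f} Mbps, {verdict}")
```

Under these assumptions the 200Mbps appliance is outgrown in year 3, right at the refresh point, while the 500Mbps one still has headroom at year 5; change the growth rate or derating to match measured figures rather than the guesses used here.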
I appreciate the insight. The TZ600 looks very tempting.

On a different note, do you think that investing in a firewall is still worth it these days with more people working from home and more services moving to the cloud?


Thanks!
ASKER CERTIFIED SOLUTION by Blue Street Tech
I don't think security is outdated by any means. I just want to make sure I'm focusing on the right solution, and any insight from people with much more experience than I have is greatly appreciated. The plan is to go full speed to the cloud, with all the services ending up somewhere in a data center in the next few years. That raised the question of whether having a UTM at the LAN border is actually overkill in this day and age. People tend to work from anywhere more and more these days, and with services going to the cloud, what's left to defend at the classical LAN level? We're still not there, we still have some services in the office (shares, AD authentication, printing and phone system), but I don't see why they wouldn't be migrated somewhere else in the near future.

Thanks again for taking the time to give input on this matter.
My pleasure! So paint me a picture of what your environment looks like in the near future with everything offloaded onto the cloud. What does your HQ network look like? Is there an HQ where people actually physically work, or is everyone at home? How many users are we talking about?

Thanks!
We do have an office with 50-60 staff. Some are 8-5ers, some not so much, traveling or working from home. In the near future, my plan would be to move all services that still reside in our server room to the cloud (Rackspace, Azure, etc). I assume some staff will always be working from the office but with many people in the field, I'm looking into raising the quality/security of their service too. My question is if I should focus more on security at the device level rather than the network gateway. I'm not saying that I shouldn't have a firewall at all but I'm just trying to figure out what would be the best solution for our environment.

Thanks!
I'm a bit confused because, on one hand you talked, initially, about mega bandwidth (1Gbps) and on the other you talked, more recently, about decentralization with the majority of the users working from home or traveling. In each scenario the model is vastly different.

When you go to the cloud, entirely or otherwise, you depend on ISPs more. This means if you have a central office, dual WAN is the default and three WANs could even be considered depending on SLAs, etc. This also means load balancing w/ fail-over and fail-back, etc. would be required. Central office and cloud means a firewall-centric model, where a firewall or HA (high availability, dual firewalls) model would be invoked.

If your office becomes decentralized, with the majority of workers if not all off-site, then a firewall becomes imperative at each user's location, whether it be a home, hotel, etc. Obviously, your company is not going to outfit every user with a business-class or otherwise decent firewall, and thus vulnerability strikes.

So in this plan do you see any servers in your headquarters or are they all clients connecting independently? Are you planning on implementing Azure AD?

The device layer can be hardened only so much. Ultimately, if everyone is not centralized then their most used location will become their main gateway. The cloud is still susceptible to attacks. That means LoBs should be backed up from the cloud to either another cloud service or off of the cloud entirely.

You may consider virtualized desktops/cloud computing. SSL w/ tunnel-all mode into the virtual space would reduce the vulnerabilities enormously in a decentralized model.

Each of these decisions needs to be weighed against your business needs, burn rate and the value of your data.

Best of luck!