DP230

asked on

Recommended Firewall model

Dear wizards, can you please recommend some best models of Firewall appliance?

The requirements are:
- Can detect and automatically block network attacks (IDS/IPS), viruses, worms, volumetric ...

- Including routing, HA, failover features

- Reliable
Giovanni

Palo Alto
DP230

ASKER

Hello Giovanni Heward, can you suggest the model in detail? (We need to protect our DC which had 30 VM servers + 10 physical servers)

Sorry for the brief reply on my mobile phone. What throughput do you need to support, with all the features enabled you mentioned in your question?

Sonicwall.

Will you be needing VPN? How many users?

Untangle. www.untangle.com - been using the free and paid versions and have been very satisfied with it.

NOTE: NOTHING is 100% - these days, nothing is 50%.  The bad guys are constantly trying to get in and bypass your security.  And they have (or get) access to the same products you do to find vulnerabilities and ways around the protections.  You need to use a multi-layer approach that includes GOOD user training!

Greetings,

For firewalls, in your case you need a UTM appliance (unified threat management) which will scan, IDS/IPS feature licenses etc. All the features come along with it; when you purchase a UTM, in your case you have to go for the full license (i.e. in Sonicwall it's called total protection). Models depend upon the throughput requirements.

Anyhow, when you purchase the appliance, it can be a Sonicwall, Palo Alto, Sophos, Fortinet etc., any model; first check the budget, best support and availability etc. All the UTM models support Failover and all required features.

Ask the vendor your requirement and required licenses as well.

all the best
DP230

ASKER

Hi, we have about 500 users and also need vpn. How about Cisco ASA?
DP230

ASKER

I just wonder: when we buy a Firewall appliance, let's say for example Cisco ASA 5525, Sonicwall or SophosXG,... do we have to configure anything to get its function of preventing network attack? or will it run out of the  box?

If you use Untangle, you install the module and then you have to activate it.

From the Untangle web site:
Intrusion Prevention blocks hacking attempts before they reach internal servers and desktops. Untangle’s pre-configured signature-based IPS makes it easier for administrators to provide 24/7 network protection from hackers.

It minimizes annoying false positives and ensures that signatures are always current with automatic updates. With an easy-to-use setup wizard allowing simple configuration of rules specific to each environment, Intrusion Prevention provides flexible control. Over 34,000 signature detections, including heuristic signatures for port scans, enable you to effectively monitor and block most suspicious requests.

With either Cisco or Sonicwall you will get some kind of protection right out of the box, but let's be frank.  If you're not well versed with Cisco IOS I wouldn't recommend it.  Sonicwall is all GUI driven.  Whether you choose Cisco, Sonicwall, or Sophos UTM service, expect to subscribe to the update service which will include firmware upgrade, AV/firewall threat update, and technical support to say the least, so you will always have their help.  A UTM appliance is useless without updates.  But these subscriptions are not cheap.  Sonicwall Comprehensive Gateway Security Suite for the NSA series can run from $800 a year and up, but for a 500-user environment that cost should be justified.

Having said that each corporate environment is different and the firewall requirements are different.  You should tailor the UTM appliance to your environment.

So to answer "do we have to configure anything to get its function of preventing network attack? or will it run out of the  box?" then yes you will get some basic default settings and protection out of the box.  Whether the basic protection will meet your standard is a different question and only you can answer.

We are looking to implement the following in our DC. We need a cluster with HA and fail-over. Our requirements are similar to yours and most businesses with high security, load balancing and HA.
It has a lot of features, seems to be easy to manage and configure. The VPN tunnels are re-mounted automatically in the event of failure of primary UTM.
Stormshield SN710
https://www.stormshield.com/products/sn710/
Budget around € 20,000
DP230

ASKER

How about the Sophos XG 210, 310?

Looks good. I would suggest that you reach out to vendors or partners for different products. Schedule a meeting with their technical sales team to discuss your requirements and their offerings, to get a better idea. It really helps. That is what I have been doing. Currently using a Watchguard UTM but open to change.
DP230

ASKER

Hi, I'm not sure whether the datasheet for Sophos is correct or not, but their stats are much higher than those of other vendors, such as Palo Alto or Cisco.

For example: Cisco ASA 5525, Palo Alto 3060 and Sophos XG210. I also attached their documents.

Sophos XG210:
-> Firewall throughput = 16 Gb/s
-> VPN throughput = 1.6 Gb/s
-> IPS throughput = 2.7 Gb/s
-> Max concurrent connections = 8,200,000
-> New connection/sec = 135,000


Palo Alto PA-3060:
-> Firewall throughput = 4 Gb/s
-> VPN throughput = 500 Mb/s
-> IPS throughput = 2 Gb/s
-> Max concurrent connections = 500,000
-> New connection/sec = 50,000

Cisco ASA 5525-K9:
-> Firewall throughput = 2 Gb/s
-> VPN throughput = 300 Mb/s
-> IPS throughput = 600 Mb/s
-> Max concurrent connections = 500,000
-> New connection/sec = 20,000

What do you think? With my ISP connection (Internet leased line: 100 Mb/s Domestic + 45 Mb/s International), which model should we choose?
palo-alto-networks-product-summary-s.pdf
sophos-xg-series-appliances-brna.pdf
Hi,

Cisco ASA 5508 will support all the features you mentioned. It will support failover, cluster and Cisco AnyConnect.
ASKER CERTIFIED SOLUTION
DP230

This solution is only available to members.
DP230

ASKER

Thanks for your support!