Small Business Firewall

AMD_RULES

Looking for a recommendation on a small business firewall for a very small office. There will be one server, two desktops, one laptop, and a total of five users. I'm looking more for a solid hardware firewall that doesn't necessarily have all of the UTM bells and whistles; however, the ability to block URLs or certain websites that could potentially distract from productivity would be great. VPN is a must for remote access. I was eyeing up the Sonicwall TZ 105, but the additional add-ons are almost more than the device costs. I've played around with pfsense on a spare machine at my home, but one thing that concerns me about a white-box firewall is if it is HIPAA-compliant.

What would you recommend? I am not opposed to a linux firewall, if you can convince me that it would be the ideal solution. A general budget would be somewhere under the $500 mark.

Thanks!
 
Zyxel Zywall 110. BSD based, will run for years without a restart, fantastic VPN capabilities. It's a newer model and its speed alone puts the ASA5505 to shame. The only gotcha is that it comes with 30 days of setup support and warranty replacement is not overnight. But considering it costs 1/2 that of the ASA and a paid subscription is not required, I find it to be a much better value.

It also has a more user-friendly interface than the ASA. Zyxel support will set up and configure the entire thing for you if you want within the first 30 days.

Nothing wrong with a Sonicwall but they are two different devices meant for two different sets of requirements. Sonicwall is a layer 2 UTM.


Router + VPN under $700 (mission critical) = Zyxel Zywall 110 (Buy two for $700) and configure them as a HA pair. Updates are free, support after 90 days costs money.

Router + VPN under $1000 (mission critical) = ASA with smartnet contract and HA spare (smartnet is about $80 per unit for 5 day a week, 8 hour, NBD service).
 
Cisco 5505
I looked into this device, but my lack of experience and knowledge of the Cisco interface made me think this would not be an ideal product to implement.

I would go with a Zyxel Zywall 110

I am not quite familiar with this brand; however, I will dig into them more. How hard would the high availability be to set up?
 
I haven't used the 110 specifically, but I have been surprised at the quality of the Zyxel appliances I have dealt with for the price. The USG line has served very well for the SMB crowd I support.
 
Meraki MX60. Big features, good support, smaller price, Cisco backed. Easy to manage. Save time doing important stuff.
 
New ZyXel customer myself and I can say they are solid for the price and the 110 will fill a necessary void for those who don't need the UTM crap that really just destroys throughput on the old ZyXel line anyway. They're due for a refresh this year according to word on the street, so I'd disregard the USG line to anyone just because the hardware is starting to really show its age unless you pay the premium for the 300 line on up.

The 110 is powerful under the hood; however, being adapted to the Cisco world myself, switching to ZyXel takes some getting used to. There are times you'll love dealing with the object-oriented interface and times you'll absolutely loathe it. I hear Site-to-Site VPN is a breeze to set up, but thus far remote VPN has been a pain-in-the-ass, fruitless process. You really need to know what you're doing with complete understanding or you'll quickly get lost. I don't want to push you away from the ZyXel line, but I'd do some homework because there are really only two communities for support: here, through people often using them in the field, and the DSLReports forums. I think the website blocking feature only comes with the Content Filtering package and I don't know if the 110 supports that given its slim approach. Else it might take more work to implement.

If you just need something solid with minimal configuration the 110 will last for many years to come with plenty of power to spare.
 
Yeah, the Zyxels are decent for the price. The only reason I recommend Cisco, especially when using site-to-site and remote VPN, is the support. Cisco remote VPN works and works well. The CLI can be a bit overwhelming if you aren't used to it, but there are tons of guides online for setting up a 5505. Plus you can find 50 user Security Plus 5505's for under $500 if you look hard enough.
 
Not available as far as I know. You can use a websense server to accomplish that.
 
Learn a little bit of the CLI and spend $100 on the Ubiquiti EdgeRouter Lite.
or
Go for something that's had loads more time to mature, the MikroTik Routerboard (450 would work great).

Whatever you do, I would suggest getting a free OpenDNS account and then blocking all DNS requests unless coming from/going to OpenDNS. Then you can set up your whitelist/blacklist there.
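The DNS lockdown suggested above, written out as a pf-style ruleset of the kind pfSense (mentioned by the OP) uses under the hood. This is an added example, not the poster's configuration or anything from Zyxel, Ubiquiti or MikroTik: the interface names, the LAN subnet and the "em1" naming are assumptions, while the two OpenDNS resolver addresses are OpenDNS's published ones. The idea is that only DNS traffic to the resolvers you control leaves the LAN, so the OpenDNS whitelist/blacklist cannot be bypassed simply by pointing a client at another resolver.

```pf
# Constructed example: force LAN DNS through OpenDNS on a pf/pfSense-style firewall.
# Assumed: em1 is the LAN interface and 192.168.1.0/24 is the LAN subnet.
lan_if  = "em1"
lan_net = "192.168.1.0/24"

# OpenDNS public resolvers (a table, because pf does not allow negating a list).
table <opendns> { 208.67.222.222, 208.67.220.220 }

# 1. DNS to the resolvers we control is allowed (UDP and TCP, port 53).
pass in quick on $lan_if proto { tcp, udp } from $lan_net to <opendns> port 53

# 2. DNS to anything else is dropped and logged; the log is what tells you which
#    host has a hard-coded resolver or is trying to work around the filter.
block in log quick on $lan_if proto { tcp, udp } from $lan_net to any port 53

# 3. DNS-over-TLS (port 853) is a second way around the resolver; drop it too.
block in log quick on $lan_if proto tcp from $lan_net to any port 853

# 4. Everything else from the LAN passes as before.
pass in on $lan_if from $lan_net to any
```

Two caveats worth knowing before relying on this: rule 2 also catches clients configured with a static resolver (they will simply fail to resolve until changed to OpenDNS or to the firewall's own forwarder), and DNS-over-HTTPS runs on port 443 and cannot be separated from ordinary web traffic by port alone, so browsers that enable it on their own will still bypass a port-based rule unless they are configured not to.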
 
I would stay away from a Cisco ASA unless it's an X series (even then personally I would choose a different firewall). Too old of hardware that can be outperformed by newer, cheaper products, and you don't have to pay the Cisco tax. I work with ASAs day in and day out so feel I have some credibility to chime in on its performance.

URL filtering is probably going to be an added feature, so expect to pay for the license additionally. Perhaps set up a proxy server instead and have users go through it where you can limit the sites, or mess with your DNS for blocking known bad sites. Palo had a cool idea where you can just throttle the connection to those sites rather than blocking altogether. Reason being, if you block it users will probably try to find a way around it. If you limit the bandwidth to it and make it crawl they will just think your network sucks and will probably stop beyond that.

The Zyxel seems nice; however, I have never messed with one. On the lower end firewalls I tend to see SonicWall the most with some Fortinet here and there. My vote would probably go to SonicWall just because I have seen them more.
 
The Zyxel USG-Series is getting a touch long in the tooth, especially for the UTM functionality. But, as others have said they are fairly bulletproof and not too bad to set up with examples from Zyxel all over the internet.

I've also had some good luck with the Fortinet Fortigate firewalls. The new v.5 series firmware has really brought them far in UTM capability and reliability. They still have a few random bugs, but have been reliable for my clients.
 
Zyxel's Zywall and the USG VPNs are rock solid. I have to admit, the first time I set one up it took me 3 weeks. 9 months later (fall 2009) they produced a new 300+ page VPN manual that has all the examples and missing details.

Finding the manuals on their website is the hardest part, but we also did not use the startup support... I discovered that later on, as they do not advertise it.

We have used "The greenbow VPN" for client IPsec. Evidently the normal Cisco client works or so I have been told.

The L2TP VPN is brain-dead easy to set up and the client is built into Windows.

The SSL VPN is fairly easy to set up, but you have to pay for extra licenses. The client automatically installs when you hit the portal page.

The part that most of you are forgetting is that Zyxel will hold your hand when you first buy the device and darn near set the thing up for you, VPN and all. They know that the Zywall 110 target audience is SMB, and so they offer excellent setup and configuration support.
 
Have you ever considered making a tutorial? They are very few and far between after all my searching. It would benefit a lot of people even on DSLReports where that seems to be the main issue and difficulty with the VPN aspect, myself included. I've personally read through at least 3 tutorials from DSLReports and watched a few foreign YouTube clips (as most of them seem to be for ZyXel) and no matter how much I've tried emulating others nothing seems to work for L2TP with Windows. Apparently the settings have to be dead on or you're going to have issues.

I think it's just the object-orientedness that makes it challenging. Some things are just better dealing with numbers rather than strange titles representing services and addresses. I don't know about the 300 page specific guide for VPNs ZyXel puts out, but their manual was absolute garbage when I looked at it. They almost seem to go into a half explaining this feature and half tutorial kinda presentation that ultimately leaves you with more questions than answers.
 
Does Zyxel require yearly fees to manage the device?

Meraki does...

That yearly fee also acts as a maintenance and warranty plan. The Meraki stuff is really good so long as you're not doing anything really uncommon for networking tasks.

What you do get for the price is a solid firewall that takes out all the guesswork for admins that are not trained or know the nuances of firewalls. Another big bonus is uninhibited client vpn connections without buying any extra licenses.

I never heard of Meraki until I started my job here in Atlanta, but my boss loves them. I admit they are too simple for a network engineer's liking, but in SMB locations they are a godsend to most admins who aren't network engineers.

Depending on your budget it wouldn't hurt to do a trial with them to try it out. Meraki is surprisingly flexible with trials. Just installed five APs in a county library for a trial eval. I'd say it's worth a try to see if it'll work for your environment.
 
How much is the yearly fee with the Zyxel? Zyxel seems pretty promising; however, I like what I see with the Cisco ASA 5505 with its reliability and maturity.
 
I haven't used the other devices talked about here but I have used the 5505, even have one at home and they are rock solid devices.
 
If you like to do anything yourself, you won't like Meraki. It's a full blown subscription model to the Nth degree.
 
The manual is a VPN guide for the USG line. The code base and VPN features are identical and thus applicable.

I just pulled this for the new Zywall line: ftp://ftp.zyxel.com/ZyWALL_310/user_guide/ZyWALL%20310_V3.10_Ed2.pdf
 
No recurring subscription for the Zywall 110. The prices and part #s for the SSL VPN upgrades are not yet posted. You'll probably have to call Zyxel to ask for the price and part #. Based on what they cost for all their other devices it should be $30 a client. Keep in mind that the 110 comes with a different # of SSL VPN client licenses depending on where you buy it. Overstock.com's is listed as coming with all 25 licenses.
 
The Zyxel fees are only for the individual UTM functionality pieces (AV/Web/IDP/etc) or additional SSL-VPN clients beyond the initial 2. Or they have an all-inclusive "Total Security" license. Otherwise there are no recurring costs. They are normally available through the major tech outlets and are priced by the USG model. If you need help, let us know what USG model and/or any sizing criteria you have and we can help you spec one out.


Regarding the Meraki vs. anything else argument, they make a great product as long as you understand what you are getting and what the required recurring costs will be. Being completely cloud-managed, your "subscription" allows you access to the management website for all of your Meraki gear and then the changes you make are pushed through the web back down to the physical gear. This also means that all Meraki gear requires internet access. That being said, the bells and whistles they provide as well as the reporting ARE quite slick.
 
Fortinet FortiGate 60D is a solid choice for your implementation. I think they are rock solid devices and easy to use.
 
Seconded. I have one at my house and love it and have been rolling them out at clients' offices like they are going out of style.
 
Thanks for the information regarding the Zywall product. I will also look into the FortiGate unit.

It seems like I'll be stuck paying for some additional add-ons if I want antivirus or that sort of thing, correct?
 
Every Fortigate I've used has the first year of UTM features included. After that you will need an annual subscription for AV updates, IPS signatures and URL filtering. You may also want to look at the Check Point 1100 and 600. IMO you will find the level of service and support from these enterprise vendors on a different playing field than the consumer / prosumer products that tend to get mentioned in this forum.
 
WatchGuard has appliances that would do what you want and they have also now started incorporating a wireless controller into their UTM devices for rolling out WatchGuard APs at the same time. They do HA with pretty simple setup. Documentation is awesome and support is pretty good. The only downside is the subscription but I definitely recommend taking a look.
 