beginner NGFW questions

Jay_S

Weaksauce
Joined
Jan 9, 2008
Messages
90
I work for a tiny company. My main role is NOT network or IT-related, but I've been tasked with this project. We've used inexpensive consumer routers for NAT and simple firewalling. We do not have any internet-facing applications, no VOIP, no VPN, and I am not overly concerned about intrusion. When my boss goes on vacation, I open & forward a non-standard port for her to RDP to her desktop. While this has served us well for the past 15+ years (since before I started here), two things concern me:

1) accidental internal sabotage (employees browsing stupid sites or opening attachments).

2) BYOD. There are a handful of mobile phones and laptops that join our wireless LAN. My boss brings her (teen & college-age) kids' devices to work for me to maintain - yay security policy.

So I'm looking at next-generation firewalls. The features that I think will help with the above are: deep packet inspection / application-layer filtering, built-in AV & anti-spam.

The gap between consumer NAT routers and UTM/NGFW appliances is pretty big, in terms of deployment complexity and cost. It's been a challenge to find objective information on what to buy, which is the reason for this post...

First things first - do we need a NGFW? I think we'd benefit from having the extra filtering at the router. My boss agrees and is willing to pay for it (DIY is out of the question). But maybe just sticking with Eset on client machines is a better value?

Re: throughput. Our office has a 15/1 internet connection. Even the cheap Zyxel USG40 advertises 40Mb/s UTM performance, which should be plenty. So in my case, I think our primary issues are usability and cost. My thinking is that I should be shopping based on ease of configuration / maintenance and lowest annual AV/spam license subscriptions.

Juniper still sells the SSG-5, which is priced very reasonably. But it's EOL (support ends Jan 2020). There are loud criticisms of its replacement on Juniper's forums.

Our budget is around $500 for hardware. It looks like AV/spam definitions licenses are anywhere from $100-250 annually. Obviously we're looking to minimize the annual license costs as much as possible.

I'd appreciate any advice/feedback.
 
For a small company have you had a look at the sophos UTM firewalls?
 
You could check out the Cisco Meraki MX60 (or maybe even the Z1 - I would go up to the MX60 personally). Its running under $400 for the MX60, plus $350-500 for a 3yr license. We have an MX80 at our office here, which is a bit underpowered I'm finding (I came into the site with this here - I would have stepped up to the MX100 personally). At first I wasn't crazy about it, coming from Cisco ASA lines primarily, but it has quite grown on me.

The support has been great, had two things I've had to call about. Quick to answer, and get me the support I need. Dual-homing is dead simple, VPNs have been very very easy to setup. If you ever need any help with configuration, give support a call and within minutes you're usually talking to a live person.

Plus MDM built in! That has been pretty nice as well. It has all the major features, VLAN off interfaces (public internet on one), Layer 7 filtering and reporting (see who is using all your bandwidth, and specifically what application or website), the reports you can build have been great for our end being on a limited bandwidth set of connections.

Its pretty easy to setup a client VPN for your Boss when he goes on vacation, and leave it on all the time. Support will help you through it.

My Sonicwall and Sophos experience has been pretty limited so I can't comment too much on them. If you are willing to pay the ongoing support costs, I would pick up a Meraki again in a heartbeat.
 
Last edited:
I'd also consider a Fortigate 60D. Hardware is right in the ballpark of what you're looking at and the support isn't too bad, especially if you bundle. For a very small office, this should be sufficient and also allow you to setup a VPN for security, and have the NGFW capabilities you'll want/need.
 
For small company definitely Meraki as Charold suggested. Meraki integrates with SourceFire which is pretty good solution. For bigger companies you need to thing as dedicated box for some services.

Problem of UTM is performance when you enable all enhanced features. Not enough CPU power on those boxes.
 
Problem of UTM is performance when you enable all enhanced features. Not enough CPU power on those boxes.

This! I use a Squid Proxy for web filters and content caching rather than the Meraki for that specifically. Once we get to holiday season and there are a lot of remote VPN users, along with the Layer 7 filtering, and traffic shaping I'm definitely noticing a slowdown. Once this contract is up we may go to a new device, or step up to the MX100 seeing as how this does our MDM as well. Were hitting up to 20 remote VPN users, about 10 max simultaneous, with over 250 nodes accessing internet between wired and wireless, and a decent set of features enabled, and were pushing the MX80 pretty hard.

For your small office, the MX60 should be plenty though.
 
All - thanks for the replies. I'm investigating the Meraki now...

Re: Sophos ... I used to subscribe to the TWiT "Security Now!" podcast with Steve Gibson. Back around 2008-9, maybe. One of their long-term sponsors was Astaro. Naturally, that was the first NGFW/UTM vendor I looked for, only to discover they are now Sophos.

Prior to my OP yesterday, I had contacted Sophos, Dell/Sonicwall, Fortinet and Zyxel for more information and pricing. Literally none have replied. But maybe that's due to the holiday season... I did online chat with a lvl 1 dude at Juniper about SSG EOL details. All they did was read back to me the same EOL document I was already looking at. And offer to connect me with a sale engineer to discuss the SSG's replacement product (which I am convinced I do not want).

Thanks again, everyone.
 
Meraki costs too much. Leasing devices? Cloud based? No thanks.

Go for Sonicwall or Fortinet. That 60D is a nice box.
 
I'd +1 the Fortigate 60D, but as has been mentioned, it could slow down with all UTM options enabled. Our other go to firewall is Watchguard, but I think it would be over your budget (the XTM 26 & XTM30 are within budget, but under-powered for UTM purposes).

I know you said no DIY, but a $500 server off eBay and Untangle might be your best option. It can cover all your needs, plus has support options from Untangle corp and potentially localized partners in your area. So you're not supporting it alone, you would have people to call. Too many of the pay for modules might break your budget, but they do have some Lite versions for free.
 
The big hurdle with DIY is this: should the device need maintaining if/when I'm gone, someone else here needs to be able to fix it. Realistically, "fix" in this scenario means calling the hardware vendor. I completed the CCNA curriculum years ago (never took the cert exams - employer sent me in a different direction. I should have just taken them on my own, but that's a long story) and am comfortable with basic networking. But the next most technically-skilled employee we have is my boss, who still thinks windows comes with office. So anyway, if something breaks while I'm on vacation or whatever, someone else here needs to be able to make a phone call to get it fixed. Absent this level of support, this project probably can't happen.

All that said, I'll take a look at Untangle. The whiff of DIY, however slight, will make it a hard sell though.

And I'll put the Fortigate 60D on my short list.

Thanks again for the replies everyone.
 
Meraki costs too much. Leasing devices? Cloud based? No thanks.

Go for Sonicwall or Fortinet. That 60D is a nice box.

If you're running any mission critical device (i.e. a firewall) without a hardware/support contract, I think you are making a big mistake. When looking at the price of SmartNet vs licensing costs for the Meraki, it came out to be about the same (slightly cheaper in the Meraki case sometimes). The same as none of our mission critical servers are out of warranty, most with 4hr response times for hardware failure. In those cases, I think the cost is rightly justified. I came into this situation with the Meraki already install, so I didn't have much of a choice. But the more I've played with them, and looked at TCO, it's about par for the course for this level of equipment.
 
Back
Top