Firewall and Backup

FrgMstr

A buddy of mine that runs a small business is looking for some feedback from me, and I don't think I am the one to give it to him.

Subject: Sonicwall product such as tz180 vs. other

I was advised by our IT guy that we need a firewall and was given the option of purchasing a sonicwall brand. Any quick thoughts? We have a server running MS Small Bus Server with 10 Workstations. I want protection, but I do not want to gimp my network performance.

Also, any quick online backup solution referrals would be cool. We backup approx. 40GB daily.

Bueller?

Obviously the backup will not be that big if they go with an offsite service that only backs up changes, but any suggestions there as well?
 
Firewall - Look into Freedom9 Freeguard 100 UTM. Unlimited users comparable if not better (IMO) to the Sonicwall TZ170 or similar. Very cheap, retail is $599 for the firewall, $199 for the extra support package which gives a better antivirus and spam protection. Have him talk to me if he's interested, I'll do better price than eBay probably will.

For 10 users even a SOHO router/firewall would perform well. But if you can fit in your budget a real firewall/router is good. I am fond of these Freedom9s. Company is great, you call you get someone on the phone usually the same guy in tech support (Andrew). They can connect to a computer and walk you through configuring. Spam package is pretty good, we tried it out for a few months, they rate it at 94% effective. We just moved over to Postini because it's more economical for 2 emails and like 99% effective.

http://www.freedom9.com/products/product.php?p=28

Offsite Backup - The only one that I have stuck with and can recommend is Mozy. Cost wise I dunno about now, they were bought out by EMC and prices went a little higher than normal. I had to buy a bunch of licenses just so I could get grandfathered pricing. Price wise it's priced per server and then priced per GB. You can also mess around with something like JungleDisk and an Amazon S3 account but I like the features and reliability of Mozy. All HIPAA compliant and all that jazz. Have like 60 or so clients ranging from parents to lawyers to a few dental and bigger offices. Biggest client has about 60GB and have no problem paying the price for reliable service. Also can backup network shares which is convenient if you got a single machine running a specialty package or something. Again I'm a reseller if he wants he can PM me, I may be able to give him a good price.
 
The company I work for currently has a Sonicwall TZ170 and it's been pretty good. Sonicwalls are cheap to get into but their subscriptions can be a bit pricey if you go for everything. The Sonicwall enforced client uses McAfee so if that's an issue you can always disable that and use whatever you want at the endpoint. If they do go for the TZ180 I highly recommend getting the SonicOS enhanced upgrade.
 
First is the SBS box acting as the router now or does he have a basic router on the network and the sbs box is just pulling dns duty(and maybe dhcp)?

I have 4 or 5 tz170s running at various clients. The clients had them when I started but they seem to be pretty good. Not sure why your friend would need a 180 over the 170 and am not sure what the price difference is.

Overall we are using them as basic firewalls and for vpn. One client has the content filter enabled. They seem to be pretty good overall and easy to configure compared to Cisco's offering.

Some things I don't like about them.

The licensing kinda sucks. I really don't like the stock 10 user limit and ours have been upgraded to 25 users. I really think 10 is too low. In his case he would need the 25 user license for it as he has 11 systems right now. Also I had issues getting one of ours upgraded to 25 users and it took days for them to get it straight. Also almost a lot of the addons for them expire and need to be renewed. Sure updated content filtering list should be paid for but basic site blocking? A lot of features are addons as well. This can be taken as good because you don't need to pay for something you don't use or bad because it means you have to buy the license for each thing.

AV protection. It sucks. They use McAfee and it is junk. Same with their anti-spyware which blocks activex. It just doesn't cut it. Don't use it on the device and just run eset or kaspersky managed off the sbs box.

Generally speaking when we have needed to go with a sb router we go with something like the cisco 871. Little harder to configure than a sonicwall but finding someone who knows cisco is pretty easy. Things work great for us. I will say since playing with the tz170's though I'd be willing to put some sonicwalls in place over the cisco's when they beat them on price for the features needed.
 
For the firewall, I am a fan of the Cisco ASA5505 firewalls. They are widely deployed and backed by Cisco TAC, which can pretty much cover any issues you encounter. They are also vastly deployed which means you'll find lots of information online. The software is based off the extensively proven PIX code base.

I have one customer that has three SonicWalls at three locations that we inherited. They are pretty decent devices. The UTM features work decently, though PCs sometimes still get infected with malware. One complaint that I have is that it's a pain to set up an IPSec client mode VPN connection with anything other than the SonicWall VPN client.

So in summary, I would suggest an ASA5505, but a SonicWall would be a decent choice as well.

As for backups, I still don't think anything beats a proper tape rotation strategy. There are quite a few pitfalls with depending solely on online backup. First is the amount of data you can transfer over a wan each night. With SBS, quite a few things change continuously, one of which is the Exchange database. Most online backup solutions (if any) don't have proper Exchange integration in order to not have to backup the full DB each night.

The second big issue is recovery in the event of a failure. How long would it take to recover the data across a WAN? How much downtime are you willing to endure? How much will that time cost the business?

Really, I would stick with a tape/cartridge rotation. The Dell RD1000 is a pretty good small business solution. With 7-10 cartridges, you can have a reliable solution for under $2000.

Just my 2 cents. Good luck. :)
 
You hit on some good points I didn't mention. One, the ASA5505 is a good device. I would say an 871 would be the cheap option and the ASA5505 would be the next step up if they needed some of the features of it.

Also that is a very good point about the sonicwall vpn. In my case the clients using them are using site to site but I messed around with the sonicwall at one so we could hit the remote access card in the server through a vpn if needed. I ended up installing the sonicwall client as it wasn't worth the hassle getting it to work without it.

Personally I would skip the RD1000 though and go for an LTO2 tape drive. You can get one with tapes for about the same price as the hard drive based RD1000. The LTO tapes are going to be a little cheaper if they ever want to expand the backup size as well. Really either will do well though. You can go with smaller tape drives but for the price difference I would go with an LTO drive as it will give you some room to grow.

With that I would recommend a daily backup and a monthly backup set. Go for a 2 week rotation if they can (this might be overkill depending on what they do with it). Get backupexec for sbs and run the encryption and take the tapes offsite.

Are they running exchange? I agree with MorfiusX that exchange is best done via a tape solution(or hd based one).
 
For firewall duties only I would highly recommend the Cisco ASA5505. Cisco TAC is some of the best support you can get, and pay for. :) Rock solid stability and the options for VPN are great.

If they want a UTM appliance I would go with Astaro. You can get an asg120 which can do firewall, IDS/IPS, VPN, Anti-Virus/Malware and Spam protection. Their support is really good too.

As for remote backup, I use iDrive for personal use and we also use their business plans for a few customers. If memory serves you can get about 60GB of storage for one flat yearly fee, I think it was around $500-600.
 
For firewall....10 users..this isn't an enterprise solution. Look for the features you want. Basic NAT router is fine. Something business grade...you don't want some home grade broadband router. Entry level business grade..something like the Linksys/Cisco RV0 series.

IMO...people slapping mega expensive gear like Cisco ASA products in this situation is overkill and throwing away the client's money. 99% of users will not fully configure the features of a high end product...and that's money out the window. Be smart...put in a product that they will use..and don't spend much above that. Seriously....99% of users who slap in some Cisco ASA will not use any more features than a basic DLink home grade NAT router will provide...NAT firewall.

For larger business networks I've been using *nix routers....Untangle is my favorite.
www.untangle.com

Small Business Server...remote access through Remote Web Workplace, give them OWA, and Outlook over HTTP for their road warriors.

For backup...remote internet based backup solutions are good for a second, redundant backup of critical data. Should not replace a local backup...it should be a secondary backup. For local backup...Small Business Server has its own backup utility that does everything..no need to waste money on a 3rd party product....again..throwing money out the window. The day you need to restore a ton of data from internet based backup..bring a sleeping bag..you'll be there a while.

For local backup drive/media...Dell's PowerVault RD1000...hot swap removable 2.5" backup drives. Fast..durable, no maintenance like finicky tape drives. Oh yeah..and fast!
 
The big thing about the ASA is that it will grow with them. Say they want a client mode VPN: Done. Say they want single sign on with that VPN: Done. Say they want to create a business to business connection: Done. Say they want to add content filtering with the leading software in the industry: Done.

Don't get me wrong, there are a bunch of other great products out there. But in the business world, I see it as much more than a price tag. If price was the only reason for choosing something, then a cheapo router from Best Buy would do.

I also find the built in backup in SBS sorely lacking for anything other than a basic setup. No tape/cartridge rotation, no Disk-to-Tape rotation, etc.

PS: One more thing you have to consider in the router/firewall department is cost to power the device. A small firewall typically consumes less than 100w of power vs a PC/*Nix firewall that will typically use 200w-500w. Over the course of a year running 24x7, that will add up. The big thing here though is features for the price.
 
Most of the business level *nix distros...client VPN...already there...router to router tunnels..already there, content filtering...in many of them already (and quite mature). Looking ahead for possible growth is a good idea...but being realistic...a small business won't explode to enterprise within a year or two. And if they do....they'll be outgrowing SBS anyways.

I'm a fan of full nightly backup anyways..no rotation, full backup every night...and..we're backing up SBS..not a farm of servers.
 
See the one thing why i recommend my clients Mozy over tape drives is that I only have 1 client that actually puts tapes in each day. So for all the other clients if i was to get em tape drives, the tape would always stay in and what happens if they wanted a document recovered from last week well then they are SOL. So I throw em on Mozy, get 30 day revision, and shit the biggest client I have is like 50GB of data. I could pull that down in a day or so on a good connection, or just have a drive overnighted. Like today I have been proposing a server/new office setup for a client. Told em the pricing of Mozy and then pricing of a tape drive, tapes, software. To get into a tape drive setup you're looking at about 2-3grand. And you still need to replace tapes every year or at least every year and a half.

Firewall wise, I looked into the ASA but didn't like the fact that I read that if you didn't know Cisco commands it wouldn't be good. I have been more than happy with the Freedom9s. Have done very limited stuff with them (site to site vpn, spam protection, basic port forwarding), and it hammers along. Dirt cheap too when I got the reseller account =)
 
For the price difference between some of the better low end business routers which can be 200 bucks or so easy I'd still look at the tz180 which they could find for less than 500 in its basic config. Same with a cisco 871. If you go with new hardware they will not be much more than a unix solution and have better support.
 
Why are the RD1000 tapes so much? Anyone find a cheaper source for the tapes?

You guys should take a look at those Freedom9, another friend of mine has nothing but good things to say about em too. Check out the emulator on their site. Let me know what you guys think.
 
It is a dell only design. The price of the removable disks (which are just 2.5 inch sata drives in a plastic case, from my understanding) puts the thing in the range of a LTO2 drive setup which is what we normally go with now. The price difference between that and a smaller drive generally is not worth it because of the question of growth.

That freeGuard 100 does look interesting. What's the cost of one?
 
ebay they have em for like 475 to 514. I get em at a little better deal, also great pricing on the extended service package but i have only used that for spam and it works, like 94% effective out of the box, i was getting maybe 10-20 spam messages a day, sometimes less. now its cheaper to use postini and more effective compared to buying the service package.

but pretty good IMO.

yeah when i was pricing out the rd1000, i noticed that you could do lto3 and extra tapes for same price as same capacity rd1000 tapes.

anyway yeah lol, i still like mozy but when you start getting higher GB needs it seems to get kinda crazy in pricing.
 
I was looking at that Dell RD1000 as an option for replacing tape drives for faster recovery while still doing the online backup for retention. I found some RDX removable disk by Tandberg. Looks to be the exact same thing as the Dell RD1000, the disk cartridges look exactly the same too. The RDX comes with an internal bay option that connects via SATA cable, too.

Anyone know if RDX/Tandberg is the OEM for that Dell drive? Looks nice. . . .
 
I don't know if any of you guys have Ingram Micro accounts, but here is what I found:

Internal Bare Drive: SKU H79780, Model 8417
External Bare Drive: SKU H79784, Model 8426

From what I can tell, Dell just re-brands the drive, like many other products they sell. It's considerably cheaper at Ingram.
 
We use Tech Data but I think we have an Ingram Micro account, too, I just have our office manager to look for me or just buy something so I can play with it. I am going to see if I can get a demo unit of the Tandberg model since we used to resell their VXA tape drives up until we got fed up with them last year and went to HP tape drives, which aren't much better, had three of them die on me in the last year . . . ..
 
what's the pricing at ingram micro?

Captain - Was HP a pain to get reseller account too? I applied, got an account to one of the login pages but not HP Direct where you can order stuff cheaper, got dicked around emails back and forth. That's why i stick to solely Dells.
 
Ingram:
Internal Drive ~145
External Drive ~192

Just double checked and Dell has come down some on the price of their drives. I'd say it's about 25% cheaper from Ingram.
 
what's the pricing at ingram micro?

Captain - Was HP a pain to get reseller account too? I applied, got an account to one of the login pages but not HP Direct where you can order stuff cheaper, got dicked around emails back and forth. That's why i stick to solely Dells.

Honestly I don't know how big of a pain it is to get an HP reseller account. Our office manager takes care of all that crap and every once in a while she tells me or the other systems engineer to go take an HP test. I know it was a pain to keep our warranty provider status, they want you to sell so many extended warranties a year and we barely made it because we are a smaller shop. Good thing we do all the warranty work for one of the school districts we work with. :D
 
For the price difference between some of the better low end business routers which can be 200 bucks or so easy I'd still look at the tz180 which they could find for less than 500 in its basic config. Same with a cisco 871. If you go with new hardware they will not be much more than a unix solution and have better support.

You'd give up some features that a distro like Untangle, Astaro, or even Endian has.
They encourage you to renew your support more...pretty much no support if you drop it.
And based on comparing Sonicwall support...versus Untangle support....from experience I disagree, Untangle was very quick and free.
 
Why are the RD1000 tapes so much? Anyone find a cheaper source for the tapes

It's actually a 2.5" SATA hard drive inside...not a tape. Pricing is higher initially compared to a tape..but you don't have the replacement schedule that you would with a tape. Also...even though they haven't been out long enough to show a track record yet...but since it's a hard drive..we can assume it has a long long life. So with these backup units....no replacing tapes at some interval like yearly, you don't need to toss in a tape cleaner which normally you replace at least once a year, plus factor in your time in running the cleaner say..weekly. And these drives are new...pretty much the only kid on the block. As other brands come out..prices will fall. Based on above link..looks like someone already found the OEM source at cheaper rates.
 
I don't know if any of you guys have Ingram Micro accounts, but here is what I found:

Internal Bare Drive: SKU H79780, Model 8417
External Bare Drive: SKU H79784, Model 8426

From what I can tell, Dell just re-brands the drive, like many other products they sell. It's considerably cheaper at Ingram.

After looking at Tandberg's site....noticed CDW sells them also so John Q Public can get them.
 
The RDX comes with an internal bay option that connects via SATA cable, too.

Anyone know if RDX/Tandberg is the OEM for that Dell drive? Looks nice. . . .

Those internal ones are the ones I use for clients....as I don't like to use external USB sourced drives for backup. The internal ones on SATA fly, and much less CPU utilization (which...is desired during backup). For servers without onboard SATA..Belkin makes a nice little PCI SATA card which is server 2003 certified.

That Tandberg sure looks like the OEM for this...I'll have my hands on a Dell server this Fri/Sat as I deploy it...I'll see if I can find something on a cartridge. But the cartridges sure look exactly identical. I've been curious to see what brand hard drives they actually use inside too.
 
As far as Sonicwalls go I can vouch for them. The company I work for uses them at all of their offices.
They're very reliable, a great suite of apps if you purchase it with the firewall. AV, Anti-spyware, intrusion detection, content filtering and email attachment scanning. The enhanced OS has a packet sniffer which is a nice plus.
Only 2 drawbacks. The annual renewal for service which is $210 (I think) a year for a TZ180. Technical support is not based in the U.S.
No complaints though.
 
We looked at the RD1000 and the Tandberg. It's the same thing. It is a laptop disk in a proprietary cartridge that is sold by a few companies. We went another route because they charged too much for a disk and their capacities were limited. The solution we ended up going with lets us buy our own SATA disks and they are the larger 3.5 disks so we could get up to a 1TB removable disk if needed.

In case you're interested we bought the 2 Bay rack Teralyte for less than an LTO-3 drive - http://www.idealstor.com
 
I was looking at that but dismissed it for most of our smaller clients. They want something to pop in/out of their server like a tape. Not another server to manage and power, etc. Looks good for medium to large but the mom-n-pop crowd usually don't want something like that.
 
Understood. I think you are looking at their server based systems though. The unit we got hooks up to our server like a tape drive but it is an external unit. They have a stand alone unit that we are getting for another office that just has one removable bay for up to 1TB of offsite. We plan on putting on a desk next to the server that we need it for and getting a bunch of disks for rotation.

But you're right, none of their units can fit in a server.
 