Firewall Replacement

We have a Sonicwall e5500 currently that is about 4 years old. We are looking at replacements for next year. I am curious what people have out there or what we might want to look at.

We currently have 2 WAN connections for 50/20 and 35/35 one at Comcast and one at Verizon. We have a block of static IPs for several public sites.

One priority is content filtering, although I assume antivirus, etc. is a good thing? I have no idea what virus inspection does on TCP packets though.

I am curious what people think of UTM vs basic firewall + a websense or similar filtering device.

So far I am looking at Fortinet and Juniper devices, everything seems to do exactly the same thing and have the exact same UI.

School me please
 
UTM firewalls.....hmm this thread outta be interesting.

So it comes down to:
Priority of what is important to you
Requirements
Costs, both up front and reoccurring

This is a huge oversimplification but....

Examples:

Sonicwalls: initial investment price is good, recurring fees are high, layer 2 routing is great, ease of use is great, layer 3 routing is crappy, VPN is good but requires an active subscription. UTM ability is good.

Juniper: initial investment price is good, recurring fees are above avg, layer 2 routing is fair, layer 3 routing is fair (when compared to the price), VPN is above avg to great depending on model and does not require a subscription. Ease of use is fair. UTM ability is avg (compared to price).

Fortinet: initial investment is high, recurring fees are fair, layer 2 routing is good, layer 3 routing is good, VPN is avg, ease of use is fair, UTM ability is avg (compared to price).

Zyxel USG: initial investment price is great, recurring fees are high, layer 2 routing is fair, ease of use is below avg, layer 3 routing is fair, VPN is good and does not require a subscription, UTM ability is fair but UTM performance is poor when price is considered.

Cisco ASA: initial investment price is high, recurring fees are high, layer 2 routing is fair, ease of use is good, layer 3 routing is fair, VPN is good, UTM ability is fair to poor, UTM performance where available is avg when price is considered.

pfSense: initial investment price is low-high, recurring fees are not required, layer 2 routing is fair to above avg, layer 3 routing is fair to above avg (both dependent on hardware specs), VPN is good, UTM ability is fair, UTM performance is dependent on hardware, ease of use is below avg to way below avg.

Untangle: initial investment price is low-high, recurring fees are high, layer 2-3 routing performance is hardware dependent, VPN is good, UTM ability is good, UTM performance is hardware dependent, ease of use is good.

Fortigate primarily makes UTM firewalls. Juniper makes a little of everything from $200 on up to $150,000 routers.

I would define what you need in both price and your performance expectations. Please give us some clue of what you have used in the past, what about it you liked/disliked and what you would like to have, number of users to support, etc.
 
Buy a shitty prebuilt p3/p4, stick 2 dedicated network cards in it, install fedora, masq interfaces, install dnsmasq, be amazed.

I've done this using a 700mhz p3 and a 1ghz p4. Both worked equally awesomely with 50mbit

[edit] Something slightly more powerful might be needed for your filtering needs. I'd also recommend checking out the Linux 'firewall distros', though I am sure Fedora will have most, if not all, of what you need in the repos.
 
If it's a business then some homebrew solution is not what you want protecting your ecommerce, company VPN, intellectual property, etc.
 
Cisco ASA: initial investment price is high, recurring fees are high, layer 2 routing is fair, ease of use is good, layer 3 routing is fair, VPN is good, UTM ability is fair to poor, UTM performance where available is avg when price is considered.

Umm, I would say recurring fees are low. 8x5xNBD SmartNet on an ASA 5505 is like $100 bucks a year; that's cheap compared to any others you listed.

UTM ability isn't really there unless you buy an add-on module.

Untangle: initial investment price is low-high, recurring fees are high, layer 2-3 routing performance is hardware dependent, VPN is good, UTM ability is good, UTM performance is hardware dependent, ease of use is good.

I would say their recurring costs are very high. Retail cost for standard 10-50 user is what, over $800 a year? That's insane and is the main reason I don't deploy them much. Their spyware protection is what makes them worth putting in; this is a place I wish Cisco would get their game together on the 5505 series firewall.
 
If it's a business then some homebrew solution is not what you want protecting your ecommerce, company VPN, intellectual property, etc.

Why? 'Homebrew' will get the most out of the link itself. And if you want hardcore deep packet inspection, it'll cost like $10,000+ to do what it costs a $50-100 'homebrew' solution, especially on fast links.
 
Cisco ASAs still my favorite... definitely better than Checkpoint or Monowall...

Homebrew toys have no place in a serious business environment. Here's the summary of my experience with "one off custom homebrew" junk over the years: Basement-Billy somehow convinces management his Lunix/Ubuntu/BSD-whatever "firewall IPS router" is eleventy-times better than an expensive top-tier product. He builds it, deploys it, no one else knows how to configure it, he doesn't document anything, he goes on vacation/quits/etc, it breaks, it takes down the network, it gets shit-canned, management gets pissed, buys top-tier product that they should have purchased in the first place along with a support contract and same-day hardware replacement...
 
I'd think a couple Lunix classes would be cheaper :p

top tier shit makes me think of apple fanboiz, only their cpus are RISC based

[edit] Cisco ASA seems decent, the 5585 only msrp's for $30,000; holy crap
 
And what if the company loses $100k+ per day if the firewall goes down? The savings is not worth the risk.
 
Homebrew toys have no place in a serious business environment.

I'll give you that, but what you think of as 'homebrew' and I think of as 'homebrew' may be different.
I use and deploy pfSense, so that is where my experience comes from. I deploy on servers with redundant hardware (power supplies, storage, memory, NICs) and can even make redundant servers for truly mission critical deployments. I can put the money from service contracts and deployment in my pocket, instead of sending it to Cisco, Sonicwall, Juniper, et al.
Any tool/product/solution can be mis-used or deployed incorrectly. With your scenario above, the problem isn't necessarily with the 'homebrew'; the problem is with the 'professional' implementing and maintaining the solution. True professionals document their work so it can be repeated/diagnosed by other professionals, including yourself at a later date. Sticking a box in a network and walking away, no matter the name on the box, seldom turns out well. The same person that hodge-podges a network together can make all name-brand gear fail just as easily as no-name gear. Nothing is truly fool-proof because fools are so darned ingenious.
 
And what if the company loses $100k+ per day if the firewall goes down? The savings is not worth the risk.

I certainly understand in that type of situation, but I think it's safe to assume there's probably an exponentially larger amount of businesses making dramatically less than that in daily transactions. And those are probably going to be the businesses that have to ask what firewall they should be using. I think it's unfair they have to pay 10-20k on a firewall for their 10 Mbit or less business connection. There's a HUGE performance difference between what's in a lot of low-mid end firewalls compared to an old P4. Then it just jumps up to like i5+ quad cores, dual sockets and all sorts of other craziness. Cisco discontinued their 1 GHz PIX firewalls, so they aren't making an effort to fill the 'niche', which I'd say is where most businesses likely fall under as far as firewall requirements.
 
Why not stay with Sonicwall, like an NSA 2400 or higher?

I personally love my TZ210, just wish it had more power for layer 3 and VLANs.
 
The OP doesn't have a single 10Mb connection, but he didn't list number of users/workstations.

Take a look at the Untangle appliances. They aren't cheap, but they aren't $10k either. They should be able to do everything the OP is looking for.
 
Hey guys, thanks for the posts so far. Sorry I didn't update sooner, had some Exchange issues this morning. Anywho, here is some of what I think is required for firewall sizing:

Bandwidth: max is 50 Mb/s, average is 30 Mb/s
PPS: max has been 50k, average is 5k

Don't have a record of the other stuff, but it looks like average connections are 4k and average rate is 250 cps.

Priorities out of Firewall:
NAT (obviously)
WAN Failover for at least 2, preferably 4 connections.
Content Filter - again this relates to if we go with a straight firewall and get another device for filtering or not
Scanning for Antivirus, Antispyware - again is this something even useful for a firewall to do?
At least 4 WAN connections, 2 LAN
Rackmounted

Nice to Have:
Redundant power supplies

Just to put some of this to rest, we are not going to cobble together something. This needs to be a medium to enterprise level solution with 8x5 or 24x7 support, rackmounted, and well documented online, etc. Also when it comes to the UTM features, updates of the CF, AV, etc are important.
 
Dash suggesting Sonicwall? I'm shocked! Let me just say I don't have anything against them and I do have my CSSA, but I just want to trial my options. Also, if I learned some IOS or JUNOS I wouldn't be upset. Mac, thanks for your suggestions. I am going to talk with a Juniper engineer to see if I can get a demo or see how the UI looks. Based on what I see between the Sonicwall and Fortinet UI there are very few differences. Never touched a Juniper.

What would I be looking at for an ASA? Knowing full well that I'll be getting another device for CF, AV, IPS.
 
First off, a Fortigate 600C is way overkill for what you've listed here. Though it has only a single power supply, a 300C will do and very possibly even a 100D. I'd lean toward the 300C unless money is VERY tight. I only mention this second item as today I've been dealing with an account team for a customer who doesn't realize this. I see mention of internal servers with public IPs and asymmetric circuits from different providers. I'm guessing you don't have an ASN and that the IP block likely comes from Verizon, thus WAN failover will be outbound only, and even then without proper planning it can result in asymmetric routing and cause drops due to non-established sessions.
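The failover caveat in the post above (and the masquerading Fedora box suggested earlier in the thread, which has the same problem unless `ip rule` source-based routing is added) is easier to see modelled than described. This is an added example, not code from the thread or from any vendor: a toy stateful firewall with two WANs, where the static block belongs to one provider. Interface names, the two RFC 5737 documentation blocks and the client/server addresses are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Wan:
    name: str                      # assumed interface name, e.g. "wan_verizon"
    block: ipaddress.IPv4Network   # public block this ISP routes toward us
    up: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ingress: str                   # interface the packet arrived on


class DualWanFirewall:
    """Stateful firewall with an ordered list of WANs (preferred first).

    LAN-originated traffic follows the default route, which fails over to the
    first WAN that is up.  Replies to sessions that arrived from the Internet
    use either that same default route (policy_routing=False) or a
    source-based rule that sends the reply out the ISP owning the reply's
    source address (policy_routing=True).
    """

    def __init__(self, wans: List[Wan], policy_routing: bool) -> None:
        self.wans = wans
        self.policy_routing = policy_routing
        # session table: (remote, local) -> interface the session was created on
        self.state: Dict[Tuple[str, str], str] = {}

    def default_wan(self) -> str:
        for w in self.wans:
            if w.up:
                return w.name
        raise RuntimeError("no WAN link is up")

    def wan_for_source(self, src: str) -> Optional[str]:
        """Policy route: the (up) WAN whose block contains src, else None."""
        addr = ipaddress.ip_address(src)
        for w in self.wans:
            if addr in w.block:
                return w.name if w.up else None
        return None

    def outbound_wan(self) -> str:
        """Egress for LAN-originated traffic (NAT'd to that WAN's address)."""
        return self.default_wan()

    def inbound(self, pkt: Packet) -> None:
        """New connection from the Internet to one of our public IPs."""
        self.state[(pkt.src, pkt.dst)] = pkt.ingress

    def reply(self, src: str, dst: str) -> str:
        """Our server's reply: choose the egress and check it against state."""
        session_if = self.state.get((dst, src))
        if session_if is None:
            return "drop: no session"
        egress = self.wan_for_source(src) if self.policy_routing else None
        if egress is None:
            egress = self.default_wan()
        if egress != session_if:
            # The session exists only on the ingress interface; on any other
            # interface the reply has no established session and is dropped.
            return f"drop: asymmetric (session on {session_if}, reply via {egress})"
        return f"forward via {egress}"


def build(policy_routing: bool) -> DualWanFirewall:
    # Constructed: Comcast is the preferred default route, the static block
    # with the public servers is routed by Verizon.
    return DualWanFirewall(
        [Wan("wan_comcast", ipaddress.ip_network("203.0.113.0/29")),
         Wan("wan_verizon", ipaddress.ip_network("198.51.100.0/28"))],
        policy_routing,
    )


def demo() -> Dict[str, str]:
    client, server = "192.0.2.10", "198.51.100.5"  # server is in the Verizon block
    syn = Packet(src=client, dst=server, ingress="wan_verizon")

    naive = build(policy_routing=False)            # reply follows default route
    naive.inbound(syn)
    policy = build(policy_routing=True)            # reply follows its source block
    policy.inbound(syn)
    failover = build(policy_routing=True)          # Comcast goes down: outbound moves
    failover.wans[0].up = False
    vz_down = build(policy_routing=True)           # Verizon goes down: inbound is gone
    vz_down.inbound(syn)
    vz_down.wans[1].up = False

    return {
        "naive_reply": naive.reply(src=server, dst=client),
        "policy_reply": policy.reply(src=server, dst=client),
        "failover_outbound": failover.outbound_wan(),
        "verizon_down_reply": vz_down.reply(src=server, dst=client),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} {result}")
```

The naive case is the drop the post warns about: the session was built on the Verizon interface, the reply leaves via Comcast. The policy-routed case forwards correctly, and outbound failover still works when Comcast fails; but when Verizon fails the servers in its block are unreachable no matter what the firewall does, which is why failover for that block is outbound only without your own ASN and BGP.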
 
You think the 600C is overkill? I specced that before he gave us details and then changed that to the 300C. Also keep in mind he's running a 5500e right now.

If you're looking at Cisco I'd suggest the ASA 5512 Security Plus and run something else for AV.

The Sonicwalls are way friendlier to manage, but the Fortigate is more flexible in routing abilities.

Explore all the options and pick what you think you'd like.
 
Did you take a peek at the Palo Alto gear yet?

http://www.paloaltonetworks.com/products/features/

Given your description a PA-500 should be fine; however, you might want something to grow into, so a PA-2000 or even the soon to be released PA-3000 might be a better option (the latter is for 1 Gbit/s+ throughput with everything enabled, which is App-ID, User-ID, IPS, AV, URL DB, SSL termination, etc.). The PA-3000 will most likely be 2-3x the price of a PA-500 unit.

http://www.paloaltonetworks.com/products/platforms/PA-500.html
 