Older Juniper Replacement

praetorian (Weaksauce) - Joined Sep 9, 2003 - Messages: 84
Hey guys,

Throwing this out there as I have a budget meeting this week and need to get opinions on hardware selection etc.

I'm not the IT manager, but I work very closely with him, and I'm overall in charge of recommending the selection to the company. We're a medium-sized IT consultancy, 70 people maximum at present, that currently uses an old, out-of-support Juniper firewall/VPN solution which we need to replace to meet our ISO 27001 compliance next year. We're doing this now as it's near the financial year end, so we need to build it into the budget for next year.

If you were in the position to select hardware, what would you recommend for a company that uses VPN quite a lot (we have a lot of remote consultants travelling around), which should scale appropriately (probably up to 100-120 concurrent users over the next 3 years) but also allow appropriate logging and interrogation of traffic in the sense of threats, intrusions etc. We don't need IDS as such but we have an in house solution to do passive network sniffing we can utilise for that part.

So far I've looked at Cisco (up to £50k plus ongoing support costs) so I'm trying to get the best bang for the buck. I've personally got experience with Cisco, CheckPoint as well as WatchGuard but outside of that nada :(

The technical director of the company has recommended a failover pair of pfSense appliances; however, after seeing the abortive usage of our technical consultants, to segregate themselves off from the corporate network, it's certainly not what I'd call "corporate" polished.

Any insight would be helpful. I'm confident that I can get budget for up to £50k IF the recommendation is sound :D

I guess the following may help without reading through all my gumpf hehe

* Scales up to 100-120 users;
* Connecting to a 100/100mb synchronous fibre link;
* Should allow interrogation of traffic up to a point (doesn't need DPI);
* Good logging;
* Easy to administer (the IT guy is a bit of a dunce);
* Failover pair;
* VPN client should support all platforms (Windows, Mac, Linux and potentially mobile);
* Site to Site VPN capable (we have two locations in different parts of the UK of which one already uses a Cisco);
* Maximum budget (excluding setup) for a pair of devices.

It's a big ask I know :(

Cheers for any help
Dino
 
Palo Alto 500 cluster or 2020 cluster.

I work with Juniper SSG/SRX, Check Point, Palo Alto, Astaro and pfSense. PA is my fav by far, from usability to features; the only scary thing is mostly the price :(
 
Have to admit that I'd never heard of them but looking at the prices for the PA-500 cluster doesn't seem TOO extensive even though I'm only seeing specific figures. What's your experience like with the costings? Bear in mind that trying to get a UK reseller is proving difficult to find :(
 
pfSense. I don't understand what you mean by "...however after seeing the abortive usage of our technical consultants, to segregate themselves off from the corporate network, it's certainly not what I'd call "corporate" polished."
The question really comes down to whether you want a self-maintained solid solution, or a vendor-maintained solid solution, with yearly/accessory maintenance/upgrades/fees/etc.
Safe choice is Top-tier vendor, compromise is Vendor supported/Contract pfSense, lowest cost is self-supported/implemented pfSense.
 
Our technical consultants installed a homebrew copy of pfSense to segment themselves off from the corporate network, as they regularly undertake heavy network activity such as infrastructure/application penetration testing, and the pfSense installation they have continually flakes out to the point that the only way to use their segment is to reboot the whole box. As you can imagine, penetration testing isn't the lightest of activities and requires a huge state table.

Ultimately for corporate we need a stable platform that doesn't cost the earth to implement or maintain. I've been looking at a proper pfSense installation that's tuned to our network requirements as well as proper appliances that have support and maintenance contracts.

I personally love pfSense in that I use it at home and it's never flaked out on me, and it's running on an older Atom system, but then I'm not stressing it as much as 20-30 consultants doing penetration testing plus VPN users at the same time.
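The state-table exhaustion described in this post is something you can measure rather than guess at. The following is an added example, not something posted in the thread or shipped with pfSense: a small POSIX shell script that parses the `current entries` line of `pfctl -s info` and the `states hard limit` line of `pfctl -s memory` (both standard FreeBSD pf commands that pfSense exposes) and reports how much of the state table is in use. The two outputs embedded below are constructed samples so the script runs offline; on a live firewall you would feed it the real command output instead.

```sh
#!/bin/sh
# Added example: estimate pf state-table utilisation from `pfctl -s info`
# and `pfctl -s memory` output (FreeBSD pf, as used by pfSense).
# The two SAMPLE_* variables below are constructed sample output, not
# captured from a real box; replace them with:
#   SAMPLE_INFO=$(pfctl -s info); SAMPLE_MEMORY=$(pfctl -s memory)

# Constructed sample of `pfctl -s info` (layout follows pf's real format)
SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                    94210
  searches                       812334912         3048.0/s
  inserts                         40221005          150.9/s
  removals                        40126795          150.6/s'

# Constructed sample of `pfctl -s memory`
SAMPLE_MEMORY='states        hard limit   100000
src-nodes     hard limit    10000
frags         hard limit     5000
table-entries hard limit   200000'

# state_utilisation INFO_TEXT MEMORY_TEXT
# Prints the integer percentage of the configured state hard limit in use.
# Returns 1 if either value cannot be found in the supplied text.
state_utilisation() {
    current=$(printf '%s\n' "$1" | awk '/current entries/ {print $3}')
    limit=$(printf '%s\n' "$2" | awk '$1 == "states" {print $4}')
    [ -n "$current" ] && [ -n "$limit" ] && [ "$limit" -gt 0 ] || return 1
    echo $(( current * 100 / limit ))
}

# state_headroom_ok PERCENT THRESHOLD
# Succeeds (exit 0) when utilisation is below the alert threshold.
state_headroom_ok() {
    [ "$1" -lt "$2" ]
}

# Stand-alone run against the constructed samples
pct=$(state_utilisation "$SAMPLE_INFO" "$SAMPLE_MEMORY") || {
    echo "could not parse pfctl output" >&2; exit 2; }
if state_headroom_ok "$pct" 80; then
    echo "state table at ${pct}% of hard limit: OK"
else
    echo "state table at ${pct}% of hard limit: raise the limit or expect dropped connections" >&2
fi
```

On pfSense the hard limit corresponds to the "Firewall Maximum States" setting under System > Advanced > Firewall & NAT; a box that is regularly near the limit drops new connections until old states time out, which matches the "only a reboot fixes it" symptom described above. Running this from cron with the live `pfctl` output gives an early warning before that happens.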
 
Yeah, I'm a big fan of pfSense as well as you might've guessed. I'd be interested in seeing their specs for hardware and settings on their test boxes that made them go flaky.
A lot of security appliances are flashy, have a better GUI, maybe a stand-out feature or two, but pfSense always keeps me with its stability and features.
I guess I would say take another look, as a whole department beating on a pfSense for pen testing/app killing/red-headed-stepchildness is surely an edge case scenario.
Honestly, the biggest question is support and who gets the size 12 boot in their posterior when it doesn't work; that will be your decision maker.
 
Palo Alto is really awesome. Very easy to configure and run. Instead of blocking ports you block "apps", which are certain websites, traffic types, etc. They aren't the only ones doing it now, but their interface is very slick and easy to configure and understand. Pretty cool too is that you can decrypt SSL traffic on the fly and filter, log, and limit that data.
They do cost a crap ton.
The hardware is not too expensive (came in cheaper than Juniper), but the services will cost more than the actual hardware.
We demoed a 5020 for a few weeks and really liked it. Working on getting a 3050 put in the budget.
 
Juniper equipment is awesome till you have to call JTAC. I have had CRAP luck with their support recently.
 
At that budget, Palo Alto. Something that can do 100mb should be easily doable for your budget. The pair of 3050s we're spec'ing is a bit over that if I recall the exchange rate and we're quoting 3 years of service. The 3050s will do 2gb.
 
Something to look into is the RouterBOARD Cloud Core Router.

I know the hardware fits the bill, but the support requirements are what I don't know anything about.

RouterOS can also run on x86 hardware, just sayin'.
 
I'd second the Juniper suggestion. SRX 240 failover pair for firewall/VPN duties. Juniper's SSL VPN is one of the best in the business and runs on pretty much anything, but the downside is you need one of the SA series to run SSL VPN. SRX does IPsec-based. The Junos Pulse client supports Mac/Windows and about every mobile platform; haven't seen a Linux version though.
 
I would say either a Palo or SRX. Palos are really nice to set up and the GUI rocks. They do have some slow commits though, and honestly I think they are still buggy, so HA is a must. I have had a couple of times where a commit has rebooted the firewall. But this was on 4.1.6 and up; I haven't run anything on v5 yet. The capabilities are pretty nice and the user tracking/firewalling is cool.

I never really set up remote user VPNs on SRX so I can't chime in, but I love the layout of the CLI, and once you get used to working with it, it is hard to switch to anything else. Granted, the Palo was sort of laid out in the same way, but I still prefer the SRX.
 
We currently use Juniper and are in the same boat. I sketched out an SSG350M because of more firewall output, and with an 8-port PIM for extra ports. Set it up with an NSM and VPNs are a breeze.
 
SSG is tried and true and will be around for at least another 3-5 years. SRX has been in the market for a few years but is still buggy; there are differences in features as well.
 