Small Business Firewall

Discussion in 'Networking & Security' started by AMD_RULES, Dec 16, 2013.

  1. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    Looking for a recommendation on a small business firewall for a very small office. There will be one server, two desktops, one laptop, and a total of five users. I'm looking more for a solid hardware firewall that doesn't necessarily have all of the UTM bells and whistles; however, the ability to block URLs or certain websites that could potentially distract from productivity would be great. VPN is a must for remote access. I was eyeing up the Sonicwall TZ 105, but the additional add-ons are almost more than the device costs. I've played around with pfsense on a spare machine at my home, but one thing that concerns me about a white-box firewall is if it is HIPAA-compliant.

    What would you recommend? I am not opposed to a linux firewall, if you can convince me that it would be the ideal solution. A general budget would be somewhere under the $500 mark.

    Thanks!
     
  2. Riccochet

    Riccochet Off Topic Award

    Messages:
    21,687
    Joined:
    Apr 11, 2007
  3. Metraon

    Metraon Limp Gawd

    Messages:
    307
    Joined:
    Feb 23, 2011
    I would go with a Zyxel ZyWALL 110
     
  4. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    Zyxel Zywall 110. BSD based, will run for years without a restart, fantastic VPN capabilities. It's a newer model and its speed alone puts the ASA5505 to shame. The only gotcha is that it comes with 30 days of setup support and warranty replacement is not overnight. But considering it costs 1/2 that of the ASA and a paid subscription is not required, I find it to be a much better value.

    It also has a more user-friendly interface than the ASA. Zyxel support will set up and configure the entire thing for you if you want within the first 30 days.

    Nothing wrong with a Sonicwall, but they are two different devices meant for two different sets of requirements. Sonicwall is a layer 2 UTM.


    Router + VPN under $700 (mission critical) = Zyxel Zywall 110 (buy two for $700) and configure them as an HA pair. Updates are free, support after 90 days costs money.

    Router + VPN under $1000 (mission critical) = ASA with SmartNet contract and HA spare (SmartNet is about $80 per unit for 5-day-a-week, 8-hour, NBD service).
     
  5. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    I looked into this device, but my lack of experience and knowledge of the Cisco interface made me think this would not be an ideal product to implement.

    I am not quite familiar with this brand; however, I will dig into them more. How hard would the high availability be to set up?
     
  6. joblo37pam

    joblo37pam [H]ard|Gawd

    Messages:
    2,047
    Joined:
    Jun 28, 2002
    I haven't used the 110 specifically, but I have been surprised at the quality of the Zyxel appliances I have dealt with for the price. The USG line has served very well for the SMB crowd I support.
     
  7. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,727
    Joined:
    Feb 15, 2003
    Meraki MX60. Big features, good support, smaller price, Cisco backed. Easy to manage. Save time doing important stuff.
     
  8. Liger88

    Liger88 2[H]4U

    Messages:
    2,657
    Joined:
    Feb 14, 2012

    New ZyXel customer myself and I can say they are solid for the price and the 110 will fill a necessary void for those who don't need the UTM crap that really just destroys throughput on the old ZyXel line anyway. They're due for a refresh this year according to word on the street, so I'd disregard the USG line to anyone just because the hardware is starting to really show its age unless you pay the premium for the 300 line on up.

    The 110 is powerful under the hood; however, being adapted to the Cisco world myself, switching to ZyXel takes some getting used to. There are times you'll love dealing with the object-oriented interface and times you'll absolutely loathe it. I hear site-to-site VPN is a breeze to set up, but thus far remote VPN has been a pain in the ass, fruitless process. You really need to know what you're doing with complete understanding or you'll quickly get lost. I don't want to push you away from the ZyXel line, but I'd do some homework because there are really only two communities for support: here, through people often using them in the field, and the DSLReports forums. I think the website blocking feature only comes with the Content Filtering package and I don't know if the 110 supports that given its slim approach. Else it might take more work to implement.

    If you just need something solid with minimal configuration the 110 will last for many years to come with plenty of power to spare.
     
  9. r00tbeer

    r00tbeer n00b

    Messages:
    24
    Joined:
    Mar 20, 2013
  10. Riccochet

    Riccochet Off Topic Award

    Messages:
    21,687
    Joined:
    Apr 11, 2007
    Yeah, the Zyxels are decent for the price. The only reason I recommend Cisco, especially when using site-to-site and remote VPN, is the support. Cisco remote VPN works and works well. The CLI can be a bit overwhelming if you aren't used to it, but there are tons of guides online for setting up a 5505. Plus you can find 50-user Security Plus 5505s for under $500 if you look hard enough.
     
  11. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    Does the ASA-5505 offer content filtering or is that not available?
     
  12. Riccochet

    Riccochet Off Topic Award

    Messages:
    21,687
    Joined:
    Apr 11, 2007
    Not available as far as I know. You can use a Websense server to accomplish that.
     
  13. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    Can the 5505 be set up in an HA configuration?
     
  14. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,727
    Joined:
    Feb 15, 2003
    Meraki does.
     
  15. schizrade

    schizrade [H]ardness Supreme

    Messages:
    4,727
    Joined:
    Feb 15, 2003
    Meraki also does.
     
  16. firedrow

    firedrow Limp Gawd

    Messages:
    161
    Joined:
    Oct 11, 2013
    Learn a little bit of the CLI and spend $100 on the Ubiquiti EdgeRouter Lite.
    or
    Go for something that's had loads more time to mature, the MikroTik RouterBOARD (450 would work great).

    Whatever you do, I would suggest getting a free OpenDNS account and then blocking all DNS requests unless coming from/going to OpenDNS. Then you can set up your whitelist/blacklist there.
     
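    The DNS rule above ("block all DNS requests unless coming from/going to OpenDNS") is easy to state and easy to get subtly wrong, so here is an added example, not part of the thread and not code from any vendor named in it, that models the rule and runs it over a constructed flow log to show which hosts are bypassing the filtering resolver. It assumes an office LAN of 192.168.1.0/24 and uses the published OpenDNS resolver addresses (208.67.222.222 and 208.67.220.220); the log format "proto src sport dst dport" is also an assumption.

```python
"""DNS egress policy check for a small office LAN (added example).

Models the rule: DNS traffic may leave the LAN only toward the approved
filtering resolvers (OpenDNS); any other outbound DNS is dropped. Run over a
flow log, the same decision function doubles as a detector for hosts that
have been pointed at some other resolver to get around the block-list.

Assumptions (not from the thread): LAN = 192.168.1.0/24; resolver addresses
are OpenDNS's published ones; log lines are "proto src sport dst dport".
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed office subnet
ALLOWED_RESOLVERS = {
    ipaddress.ip_address("208.67.222.222"),   # OpenDNS (published address)
    ipaddress.ip_address("208.67.220.220"),   # OpenDNS (published address)
}
# 53 = classic DNS, 853 = DNS-over-TLS. Either one going to a non-approved
# resolver means the OpenDNS filtering is being sidestepped.
DNS_PORTS = {53, 853}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    sport: int
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one 'proto src sport dst dport' record (constructed format)."""
    proto, src, sport, dst, dport = line.split()
    return Flow(proto.lower(), ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport))


def egress_decision(flow: Flow) -> str:
    """Return 'ACCEPT' or 'DROP' for a flow crossing the firewall outbound.

    Equivalent rule order on a packet filter:
        allow  LAN -> approved resolver, dport 53/853
        drop   LAN -> anything else,     dport 53/853
        allow  everything else (this toy policy only decides DNS)
    """
    if flow.src not in LAN:
        return "ACCEPT"            # not LAN-originated; out of scope here
    if flow.dport not in DNS_PORTS:
        return "ACCEPT"            # not DNS; other policy decides
    return "ACCEPT" if flow.dst in ALLOWED_RESOLVERS else "DROP"


def find_bypass_attempts(log: str) -> list[Flow]:
    """Flows the policy drops: LAN hosts trying to reach another resolver."""
    return [f for f in map(parse_flow, log.strip().splitlines())
            if egress_decision(f) == "DROP"]


# Constructed sample log: two workstations (.21, .22) have been pointed at
# other public resolvers; .10 is the office server forwarding to OpenDNS.
SAMPLE_LOG = """
udp 192.168.1.20 51234 208.67.222.222 53
udp 192.168.1.21 51235 8.8.8.8 53
tcp 192.168.1.22 51236 1.1.1.1 853
udp 192.168.1.10 53 208.67.220.220 53
tcp 192.168.1.23 51237 203.0.113.10 443
"""

if __name__ == "__main__":
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print(f"DROP {hit.proto} {hit.src}:{hit.sport} -> {hit.dst}:{hit.dport}")
```

    One caveat worth keeping in mind when applying this rule on a real edge device: it only constrains traffic the firewall can recognize as DNS by port. A client using DNS-over-HTTPS on 443 looks like ordinary web traffic and is not caught by a port-53/853 rule, so the block should be paired with disabling DoH in the managed browsers or with the resolver's own DoH endpoint if one is offered.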
  17. Dark Shade

    Dark Shade [H]ard|Gawd

    Messages:
    1,872
    Joined:
    May 2, 2006
    Ubiquiti Edgemax Lite - $100
     
  18. mayhem87

    mayhem87 Limp Gawd

    Messages:
    350
    Joined:
    Oct 21, 2008
    I would stay away from a Cisco ASA unless it's an X series (even then, personally I would choose a different firewall). Too old of hardware that can be outperformed by newer, cheaper products, and you don't have to pay the Cisco tax. I work with ASAs day in and day out, so I feel I have some credibility to chime in on its performance.

    URL filtering is probably going to be an added feature, so expect to pay for the license additionally. Perhaps set up a proxy server instead and have users go through it, where you can limit the sites, or mess with your DNS for blocking known bad sites. Palo had a cool idea where you can just throttle the connection to those sites rather than blocking altogether. Reason being, if you block it users will probably try to find a way around it. If you limit the bandwidth to it and make it crawl, they will just think your network sucks and will probably stop beyond that.

    The Zyxel seems nice; however, I have never messed with one. On the lower-end firewalls I tend to see SonicWall the most, with some Fortinet here and there. My vote would probably go to SonicWall just because I have seen them more.
     
  19. Nate7311

    Nate7311 2[H]4U

    Messages:
    3,312
    Joined:
    Jan 11, 2001
    The Zyxel USG-Series is getting a touch long in the tooth, especially for the UTM functionality. But, as others have said they are fairly bulletproof and not too bad to set up with examples from Zyxel all over the internet.

    I've also had some good luck with the Fortinet Fortigate firewalls. The new v.5 series firmware has really brought them far in UTM capability and reliability. They still have a few random bugs, but have been reliable for my clients.
     
  20. theonlybabyface

    theonlybabyface [H]Lite

    Messages:
    104
    Joined:
    Dec 12, 2007
    Meraki are easy to set up and are Cisco driven.
     
  21. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    Zyxel's Zywall and the USG VPNs are rock solid. I have to admit, the first time I set one up it took me 3 weeks. 9 months later (fall 2009) they produced a new 300+ page VPN manual that has all the examples and missing details.

    Finding the manuals on their website is the hardest part, but we also did not use the startup support... I discovered that later on, as they do not advertise it.

    We have used "TheGreenBow VPN" for client IPsec. Evidently the normal Cisco client works, or so I have been told.

    The L2TP VPN is brain-dead easy to set up and the client is built into Windows.

    The SSL VPN is fairly easy to set up, but you have to pay for extra licenses. The client automatically installs when you hit the portal page.

    The part that most of you are forgetting is that Zyxel will hold your hand when you first buy the device and darn near set the thing up for you, VPN and all. They know that the Zywall 110 target audience is SMB, and so they offer excellent setup and configuration support.
     
  22. Nate7311

    Nate7311 2[H]4U

    Messages:
    3,312
    Joined:
    Jan 11, 2001
    Does Zyxel require yearly fees to manage the device?

    Meraki does...
     
  23. Liger88

    Liger88 2[H]4U

    Messages:
    2,657
    Joined:
    Feb 14, 2012

    Have you ever considered making a tutorial? They are very few and far between after all my searching. It would benefit a lot of people, even on DSLReports, where that seems to be the main issue and difficulty with the VPN aspect, myself included. I've personally read through at least 3 tutorials from DSLReports and watched a few foreign YouTube clips (as most of them seem to be for ZyXel), and no matter how much I've tried emulating others, nothing seems to work for L2TP with Windows. Apparently the settings have to be dead on or you're going to have issues.

    I think it's just the object-orientedness that makes it challenging. Some things are just better dealing with numbers rather than strange titles representing services and addresses. I don't know about the 300-page specific guide for VPNs ZyXel puts out, but their manual was absolute garbage when I looked at it. They almost seem to go into a half-explaining-this-feature and half-tutorial kinda presentation that ultimately leaves you with more questions than answers.
     
  24. DermicSavage

    DermicSavage [H]ard|Gawd

    Messages:
    1,105
    Joined:
    Jun 8, 2004
    That yearly fee also acts as a maintenance and warranty plan. The Meraki stuff is really good so long as you're not doing anything really uncommon for networking tasks.

    What you do get for the price is a solid firewall that takes out all the guesswork for admins that are not trained or know the nuances of firewalls. Another big bonus is uninhibited client vpn connections without buying any extra licenses.

    I never heard of Meraki until I started my job here in Atlanta, but my boss loves them. I admit they are too simple for a network engineer's liking, but in SMB locations they are a godsend to most admins who aren't network engineers.

    Depending on your budget it wouldn't hurt to do a trial with them to try it out. Meraki is surprisingly flexible with trials. Just installed five APs in a county library for a trial eval. I'd say it's worth a try to see if it'll work for your environment.
     
  25. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    How much is the yearly fee with the Zyxel? Zyxel seems pretty promising; however, I like what I see with the Cisco ASA 5505 with its reliability and maturity.
     
  26. Jay_2

    Jay_2 2[H]4U

    Messages:
    3,583
    Joined:
    Mar 20, 2006
    I haven't used the other devices talked about here, but I have used the 5505, even have one at home, and they are rock solid devices.
     
  27. /usr/home

    /usr/home [H]ardness Supreme

    Messages:
    6,164
    Joined:
    Mar 18, 2008
    Not really. Sure Cisco bought them, but they are still fully "Meraki."
     
  28. Valnar

    Valnar 2[H]4U

    Messages:
    3,058
    Joined:
    Apr 3, 2001
    If you like to do anything yourself, you won't like Meraki. It's a full blown subscription model to the Nth degree.
     
  29. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    The manual is a VPN guide for the USG line. The code base and VPN features are identical and thus applicable.

    I just pulled this for the new Zywall line: ftp://ftp.zyxel.com/ZyWALL_310/user_guide/ZyWALL%20310_V3.10_Ed2.pdf
     
    Last edited: Dec 17, 2013
  30. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
    No recurring subscription for the Zywall 110. The prices and part #s for the SSL VPN upgrades are not yet posted. You'll probably have to call Zyxel to ask for the price and part #. Based on what they cost for all their other devices it should be $30 a client. Keep in mind that the 110 comes with a different number of SSL VPN client licenses depending on where you buy it. Overstock.com's is listed as coming with all 25 licenses.
     
  31. Mackintire

    Mackintire 2[H]4U

    Messages:
    2,893
    Joined:
    Jun 28, 2004
  32. Nate7311

    Nate7311 2[H]4U

    Messages:
    3,312
    Joined:
    Jan 11, 2001
    The Zyxel fees are only for the individual UTM functionality pieces (AV/Web/IDP/etc.) or additional SSL VPN clients beyond the initial 2. Or they have an all-inclusive "Total Security" license. Otherwise there are no recurring costs. They are normally available through the major tech outlets and are priced by the USG model. If you need help, let us know what USG model and/or any sizing criteria you have and we can help you spec one out.

    Regarding the Meraki vs. anything else argument, they make a great product as long as you understand what you are getting and what the required recurring costs will be. Being completely cloud-managed, your "subscription" allows you access to the management website for all of your Meraki gear, and then the changes you make are pushed through the web back down to the physical gear. This also means that all Meraki gear requires internet access. That being said, the bells and whistles they provide, as well as the reporting, ARE quite slick.
     
  33. Cmustang87

    Cmustang87 [H]ardness Supreme

    Messages:
    4,405
    Joined:
    Oct 4, 2007
    Fortinet FortiGate 60D is a solid choice for your implementation. I think they are rock solid devices and easy to use.
     
  34. Liger88

    Liger88 2[H]4U

    Messages:
    2,657
    Joined:
    Feb 14, 2012

    Wow, that... actually... worked! They really need to make the firmware and proper PDFs more available. I had no idea this even existed. It was ludicrous how bad the confusion was prior.

    Me love you long time.
     
  35. Soldier101

    Soldier101 Gawd

    Messages:
    621
    Joined:
    Jan 8, 2002
    Seconded. I have one at my house and love it and have been rolling them out at clients' offices like they are going out of style.
     
  36. AMD_RULES

    AMD_RULES 2[H]4U

    Messages:
    3,010
    Joined:
    Mar 26, 2007
    Thanks for the information regarding the Zywall product. I will also look into the FortiGate unit.

    It seems like I'll be stuck paying for some additional add-ons if I want antivirus or that sort of thing, correct?
     
  37. marley1

    marley1 [H]ardness Supreme

    Messages:
    5,447
    Joined:
    Jul 18, 2000
    ZyXEL, I don't use the UTM functions
     
  38. Cerulean

    Cerulean [H]ardForum Junkie

    Messages:
    9,218
    Joined:
    Jul 27, 2006
    mmmmmmmmmm Zyxel Zywall 110...

    subscribed

    Could those of you with the 110 tell me how a pfSense box such as a Netgate m1n1wall 2D3 / 2D13 compares? (Not looking at price.)
     
  39. Nicklebon

    Nicklebon Gawd

    Messages:
    563
    Joined:
    May 22, 2006
    Every FortiGate I've used has the first year of UTM features included. After that you will need an annual subscription for AV updates, IPS signatures and URL filtering. You may also want to look at the Check Point 1100 and 600. IMO you will find the level of service and support from these enterprise vendors on a different playing field than the consumer / prosumer products that tend to get mentioned in this forum.
     
  40. bmore1777

    bmore1777 n00b

    Messages:
    34
    Joined:
    Sep 11, 2003
    WatchGuard has appliances that would do what you want, and they also have now started incorporating a wireless controller into their UTM devices for rolling out WatchGuard APs at the same time. They do HA with pretty simple setup. Documentation is awesome and support is pretty good. The only downside is the subscription, but I definitely recommend taking a look.