Firewall Advice

Hi Guys, We are due to have our broadband line upgraded in the next few months to a 50mb Virgin Business line.

We currently have an 8mb internet line so a big upgrade for us!

We also have several other lines (one dedicated email line, a line for VPN) and we are looking to integrate them at some point.

I am looking into securing this line with some sort of firewall appliance, keeping in mind it may be used for all of these things.

The requirements:
Number of users = 200

Can support at least 5-6 concurrent IPSEC VPN site-to-site tunnels.
Ideally with some sort of web filtering so we can block websites for certain users (facebook for some but not others)
Ideally under £700 (way too low?)
Branded, want something that is known in the market.
Ideally UK support

We are in the small/medium business sector, so price is always a priority I'm afraid.

We do have some PIX 515e kicking around but I find them quite difficult to use, I'm not a great fan of coding and prefer a GUI any day, I've heard good things about Juniper and WatchGuard but can't find roughly how many users each model is for.

Line will have general internet surfing traffic, and then eventually email traffic (1 exchange server, 7k-10k emails per day in/out) site to site VPN for 5 small branch offices (each less than 20 users using only RDP to a terminal server)

Much appreciated!

Ash
 
Well, as I work for a company that resells, configures and manages SonicWall firewalls for customers, I would be inclined to say SonicWall. GUI based appliance firewalls that range from small units right up to units made for DC use with plenty you can do with them and a good range of units with plenty of customisable features and scope.

Come with the choice of either standard firmware or enhanced.
 
There's not been a choice of standard or enhanced on new SonicWalls for some time DJMK4 ;)

IMHO a budget of under £700 is a problem if you want something that can properly cope with (up to) 50Mbps of mixed traffic and VPN termination. I would be looking at something like the SonicWall NSA 240 which as the Total Secure model (1 year of security services for content filtering (etc) and support) has an RRP of just under £1200+VAT.
 
Not sure if there's a Fortigate UTM that is in budget? They tend to be pretty decent for a cheaper device.

Have also been chatting to someone recently about devices from a company called Cyberoam, and they have been singing their praises.

http://www.cyberoam.com/

I know a good reseller for them in the UK too.
 
There's not been a choice of standard or enhanced on new SonicWalls for some time DJMK4 ;)

IMHO a budget of under £700 is a problem if you want something that can properly cope with (up to) 50Mbps of mixed traffic and VPN termination. I would be looking at something like the SonicWall NSA 240 which as the Total Secure model (1 year of security services for content filtering (etc) and support) has an RRP of just under £1200+VAT.

Haha do excuse me :p, we have a range of older units (TZ170's, TZ150's) but yeah the TZ100 is a good entry level but mainly for a single site, TZ200 if you're looking at more traffic and load balancing at a single site, we host customers' connections with multiple sites on private networks which break out through the firewall at the DC which are sometimes NSA2400s but mainly NSA3500s and NSA4500s.

The SonicWall line doesn't stop there though, that's just a few of the ranges, best look on their website really.
 
ASA5505 and if u want a GUI the ASDM is so much better than the old PDM on the PIX

For a possible 50Mbps of VPN traffic in the real world (rather than the Cisco spec sheet) you're looking at a 5510, rather than a 5505. Web filtering would require a subscription to a filtering service, and would bump the cost further.

If you want an all-in-one solution (UTM) you're looking at a Juniper or Sonicwall, work on a budget of around £1500 ex VAT (this is for a business after all and they should be able to claim the VAT back).

Alternatively use the 515e as a Firewall and VPN end point (zero cost) and spend some of the £700 on a web filtering box?
Be aware though that the 515e is already effectively EOL/EOS.
 
Thanks for the responses guys, I'll take a look into SonicWall, anybody used the Netgear stuff?

Not a great fan of PDM or Cisco IOS, I'm sure the ASA improved this but we would need the ASA5510 which is rather over budget :(

Same as usual though, they want everything for nothing. Are software firewalls worth looking at, such as Untangle etc?
 
Out of interest, I've not had any experience with Sonicwall firewalls. If I wanted to buy from ebay for playing about with at home, what would be the best model?
 
Thanks for the responses guys, I'll take a look into SonicWall, anybody used the Netgear stuff?

Not a great fan of PDM or Cisco IOS, I'm sure the ASA improved this but we would need the ASA5510 which is rather over budget :(

Same as usual though, they want everything for nothing. Are software firewalls worth looking at, such as Untangle etc?

5510s can be had for around £1500+VAT if you shop around, but I don't think it's the solution you're looking for.
A decent Sonicwall or Juniper will run you about the same, though those options should come with a year's UTM license (AV for mail, AV for web, URL filtering), so £1500 really is the sweet spot.
With the free linux based FW/UTM solutions you get what you pay for in terms of support, you'll notice that most of these distributions monetize themselves by charging for support.
As a side note you could easily spend £25k on a similar solution from Checkpoint (last one I spec'd, was £30k, and is due to be installed on site soon). Which does make the Sonicwall / Juniper pricing seem a lot more reasonable ;)
 
Out of interest, I've not had any experience with Sonicwall firewalls. If I wanted to buy from ebay for playing about with at home, what would be the best model?

As ever I would say whatever you can get with the latest software revision for a good price. A lot of the equipment on ebay tends to be running old (some very old) software versions, and that holds true for Cisco / Juniper / Fortigate as well.
You need to be aware that most of it will be long out of support (and quite probably be past EOL/EOS), and is being sold on by firms that specialise in disposing of old IT equipment, and as long as it will boot / pass self diagnostics and they can perform a factory reset they can sell it on.
 
Remember as well SonicWall are licensed units which means some features are licensed, so whoever sells you the SonicWall on ebay, if you're going down that route, would need to transfer the licences that came with your unit to your own SonicWall account when you create one ;)
 
thanks for the advice guys, I think I'll stick with my pix 501 I've just picked up for now and look at sonicwalls in the future.
 
FWIW, you want something that is licensed for SonicOS Enhanced. Enhanced was an option on a lot of older models eg TZ150/170/180, though SonicWall did give it as a free upgrade at one stage on the TZ180.

The new Application Intelligence features start on the TZ200 but the TZ210 or NSA 240 are the models to consider as they have the horsepower (IMHO).
 
I'd recommend either a Juniper SSG-20 or a Cisco ASA 5505. I'd recommend the Juniper over the Cisco as it has a better feature set.

It's also worth noting that the ASA only supports 3 VLANs on a base licence. There is one biggish caveat with this though, you can't route traffic from one VLAN to another internally.

As you already have a PIX, here is a good comparison chart.

http://www.netxg.com/Products/Juniper/Firewall-Security/SSG_ASA_CompChart.html
 
I mentioned it because I have one running in our small office.

We only have 20 users, and we're running the UTM5 version and aren't yet making use of the VPN functionality but it's planned in the future. It's very configurable, but I'm only just getting my head around it and we've had it in for over 6 months (my background is MS so networking gear is something I'm slowly picking up.)
 
Why not have a look at the WatchGuard EDGE and CORE range? They come with a large host of features and have a great BUI tool for managing them.

I manage approx 80 around different sites / clients.
If you want any more info let me know.
 