Firewall/UTM recommendations

We currently have a Draytek 3300 for firewall/vpn/WAN load balancing but it's always locking up requiring a power cycle to fix so I've decided it's time to replace it.

Requirements are :-
50 LAN users that require Internet access.
5 IPSec site to site VPNs
10 PPTP client to site VPNs
UTM
Load balancing/WAN failover (not essential)

I've been looking at the Fortigate (80C & 110C) and Juniper (SRX210 & SRX240).
Would any of these be suitable? Any other recommendations?
 
I'd say unless you have money you need to get rid of then the 110C and SRX240 are both way over the top for your requirements. The SRX210 is excellent, good performance and feature set at a competitive price point. You could look at the Juniper SSG series as well, not as good as the SRX but JUNOS isn't really an OS for beginners and ScreenOS is a bit friendlier.

Feature-wise nothing beats the Fortigate, but they come with a horrible GUI, a worse CLI and they're rubbish routers; we have a few and OSPF regularly just gives up and refuses to work any more (that's on brand new devices and firmware, and Fortigate still have no idea why it's happening to date). Good feature set, great price, questionable real world ability...

Right now they're the two in my book, you could look at the Cisco ASA but Cisco have yet to make a really good firewall in my view and the ASA isn't a great leap forwards, capable and fair enough if you have loads of Cisco knowledge but far from the best around.

Sonicwall and Watchguard - Sorry but I regard them as toy firewalls and not to be used for serious things (maybe it's snobbery but most of the ISP community seems to take this view of them).

Checkpoint - lovely devices if you can afford to buy all the management software and stuff, great if you need some of the advanced features that gives you, otherwise just expensive.

That's about it in the serious market today...
 
Thanks for the advice.
I'm leaning towards the SRX210. I don't have any experience with Juniper devices or JUNOS but learning new stuff is what makes the job interesting. :)
Can you recommend any suppliers in the UK (possibly with support options) and any learning material/resources?

Cheers.
 
I can't really recommend anyone for that sort of purchase; we spend a couple of million a year with Juniper and have an appropriate relationship with them, so I wouldn't really know where to go these days for a single firewall.

I'm a bit stuck for learning material too, JUNOS is a really nice OS, it's carrier grade, rock solid and once you know how it works it's an absolute joy to use but it's not for beginners as possibly more than any other it requires you to know the concepts and protocols to understand how it fits together. The JUNOS cookbook (google it) is an excellent resource as are the Juniper certification books (JNCIP and JNCIE are still my JUNOS bibles of choice long after I did the exams)...

Also bear in mind the extension of JUNOS to do firewalling is fairly new so it won't be so well documented currently. I assume the web GUI is pretty good; I haven't touched it and don't know a lot about it except that it's an evolution of J-Web rather than a port of the ScreenOS GUI. I expect it'll be fairly powerful (but like ScreenOS it's most logical if you know the concepts).
 
I got an SRX210 a few months ago.

It's a great unit, but if you need to use dynamic VPN and have any kit that needs to run on the default HTTPS port you will either have to change the port that kit runs on or abandon that kit. This is because dynamic VPN uses the default HTTPS port and cannot be changed to use a non-default port.

I had this issue with RPC over HTTP with Exchange 2003. Outlook can't specify a port for HTTPS connections, so it goes with the default, which is taken by dynamic VPN. Luckily I managed to get round this issue by changing the port our webmail works on.

Outside of that the web GUI is functional but slow. The most useful bit of it is the point-and-click CLI. Dynamic VPN is easy to deploy. Overall a good unit, but the lack of port options for dynamic VPN has soured the experience somewhat.

I'm not 100% sure if this counts as a competitor as they are IT support, but we went with a company called Quantix. No complaints.
 
> I got an SRX210 a few months ago.
>
> It's a great unit, but if you need to use dynamic VPN and have any kit that needs to run on the default HTTPS port you will either have to change the port that kit runs on or abandon that kit. This is because dynamic VPN uses the default HTTPS port and cannot be changed to use a non-default port.
>
> I had this issue with RPC over HTTP with Exchange 2003. Outlook can't specify a port for HTTPS connections, so it goes with the default, which is taken by dynamic VPN.

If you've only got a single IP... I'd expect most people with one of these have more than one WAN IP to work with (hell, I've got 30-odd at home...).
 
Well, just in case you are still thinking about what to get, we have hit a MAJOR stumbling block with the SRX210 with regards to VPNs.

Basically you can't have multiple accounts using dynamic VPN. It will only authenticate one account and "forget" that others exist until you delete tokens-info and restart the web-management via CLI on the unit. Even then, we have one user who can connect once but can't connect subsequently. I hope they put L2TP back into the low end SRX range, as dynamic VPN is a complete bust and it's affecting the way our business runs.

Juniper know about this and have neglected to do anything about it in any of their recent firmware updates and there's no sign that they will do anything about it.

In short don't buy any of the SRX range with dynamic VPN if you are looking to use the dynamic VPN side of things.
 
SRX are a good idea but riddled with too many problems if you ask me; Juniper have even rebranded them now to 'Secure Routers', which in my opinion isn't a good sign either.
SSGs have been around for some time now and are definitely the more stable solution, and far easier to understand and troubleshoot than SRX.
The bigger models of SSG will also run JUNOS, so if you want to switch to it you can at a later stage.
 
Well, IPSEC VPNs to firewalls are dying a death; the trend is towards SSL VPN (for good reason too, it's long overdue, and the mindset of seeing VPN as part of the firewall feature set rather than a separate and distinct service needs to go away). Juniper have long been slightly disinterested in fixing VPN issues (NetScreen-Remote is as rubbish as ever and they show no signs of changing that, for instance).

The SRX range do and have had some teething problems, but buying an SSG instead is a bit silly: ScreenOS is on the way out and only the very high end SSGs have JUNOS upgrade paths (and inferior performance at the price point). The lower end SSGs never will get an upgrade path (the lower end SRXs are on the edge of being able to run JUNOS themselves; committing an average configuration isn't fast...).
 
Funnily enough I've just ordered an SSL VPN box. The major issue with most of them at the moment is that they don't like 64-bit OSes. Luckily it has an IPSEC implementation too.
 