Spec me a firewall

[iaind]

Our existing firewall is going to cost a silly amount to maintain and it needs a load of software upgrades (which need to be done in sequence) to get it to where we want it to be...even then, it's struggling with 10mb internet bandwidth, so it has to go!

I haven't looked at firewalls for a while so dont really know what's best, so for a budget of ~£2k, looking for something to do:

- Internet access for 10 users on a 10mb leased line
- 10 IPSEC VPN tunnels (Cisco 877 ADSL routers at the endpoint) which carry voice and data
- Web based SSL VPN for about 10 users
- Preferably antivirus/antispam etc

Was looking at the Firebox X Core, but mostly because they're red and shiny and I know how to use them.

What's good out there at the moment?

 

[mysticsniper]

You could pick up an Cisco ASA5505 VPN Edition for around a grand, and could be a starting point for you.

 

[#Chri5#]

I'd be thinking SonicWall NSA 240 or 2400.

2400 is more expensive but you don't need a rack mount kit (it's a 1U device) and has 10 IPSEC clients (concurrent) out of the box (240 has 2). SonicOS 5.5 onwards add SSL-VPN into the appliance.

If you buy the Total Secure version of the appliance, then you get CGSS which adds gateway AV etc. Anti-spam is an option as well.

{Awaits BRS to arrive and rubbish anything other than Juniper}

 

[dhill]

I can personally recommend the SonicWall 2400's as well, am currently running a pair in HA.

Easy to setup and maintain, and we are using ours on a 10Mb leased line.

 

[iaind]

A certain competitor is showing the Watchguard XCS 770 at 22p

Think I should order that?

 

[dhill]

Sonicwall 2400


Appliance Features
Deep Packet Inspection & Multi-Threat Protection

* Patented Reassembly-free Deep Packet Inspection (RFDPI) technology
* Fully integrated deep packet inspection firewall, including gateway anti-virus, anti-spyware, intrusion prevention, and Application Intelligence for perimeter and internal protection
* Application Intelligence Feature Set for Application Inspection and Control
* Automated and Dynamic Security Updates

Powerful Performance

* High-performance 2-core Architecture
* 775 Mbps Stateful Packet Inspection Firewall1
* 300 Mbps 3DES and AES VPN Throughput1
* 150 Mbps Full Unified Threat Management (UTM) Inspection
* Six (6) 10/100/1000 Copper Gigabit Ethernet Interfaces

Networking & Complete Business Continuity

* Business Application Prioritization and QoS
* Multi-WAN Support, ISP Failover and WAN Load Balancing
* Stateful Hardware Failover
* Integrated Server Load Balancing Feature Set
* IPSec VPN for Secure Site-to-Site Connectivity
* SSL VPN and IPSec VPN Clients for Secure Remote Access

Integration & Simplified Management

* Route-based VPN
* Single Sign-On for Transparent User Authentication
* Integrated Network Security Policy and Management
* Next-Generation Streamlined GUI
* Powerful Wizards - Set-up, Firewall Policies, VPN, NAT

Deployment Flexibility

* Branch Office and Department Network Applications
* Terminal Services Authentication and Citrix Support
* Transparent Layer 2 Bridge Mode
* Layer 2 Wireless Bridging
* Integrated Secure Wireless Switch Deployment

 

[iaind]

What's the SSL VPN like on the Sonicwall? Web based I assume?

 

[paradigm]

I can personally say that I'll NEVER touch another sonicwall again.

Utter garbage products, especially given their target audience.

Iain, see my similar thread http://forums.overclockers.co.uk/showthread.php?t=18121453, I'm desperate to RID myself of a SonicWall.

 

[dhill]

i have been using SonicWall products for over 6yrs now, and have never ever had any problems with them what so ever. I also have a friend who's an IT consultant and he's never had any problems with SonicWalls either.

The new'ish SonicWall Enhanced OS is a godsend as well.

 

[paradigm]

The new'ish SonicWall Enhanced OS is a godsend as well.

Ahahahaha.

SonicWall's are over-bloated, under-performing, badly implemented bags of crap.

See this post by bigredshark http://forums.overclockers.co.uk/showpost.php?p=15494291&postcount=11

 

[iaind]

Could you elaborate on what sort of problems you've had?

 

[dhill]

I still don't see a valid argument stating why the SonicWall's are so bad.

Lots of people use them, and use them successfully and all the reviews I've read on them have all been good.

Although, I will say that I haven't used them in an enterprise sized environment myself.

 

[bigredshark]

Ahahahaha.

SonicWall's are over-bloated, under-performing, badly implemented bags of crap.

See this post by bigredshark http://forums.overclockers.co.uk/showpost.php?p=15494291&postcount=11

I stand by my previous comments still

Juniper are the best in this market, unless you're wedded to Cisco for business or familiarity reasons (in which case an ASA or higher end ISR is an OK option, getting used to something better being the other option)

 

[paradigm]

Could you elaborate on what sort of problems you've had?

I still don't see a valid argument stating why the SonicWall's are so bad.

Lots of people use them, and use them successfully and all the reviews I've read on them have all been good.

Heavy CPU utilization with anything more than a moderate set of NAT policies. Random dropping of packets from VPN-tied interfaces, needlessly over-complicated setup of port forwarding, incredibly unreliable content filtering which is also very difficult to customise.

I could go on, but I won't.

I'm leaning toward Juniper assuming I can get some exposure to JUNOS before we have to go live with the appliance. But I've not fully discounted an ASA yet.

 

[#Chri5#]

What's the SSL VPN like on the Sonicwall? Web based I assume?

Yes. SonicOS 5.6 adds:

o Bookmarks for SSH and RDP – Provides support for users to create bookmarks on the SSL VPN Virtual Office to access systems using SSH, RDP, VNC, and Telnet services.
o Granular User Controls – Allows network administrators to configure different levels of policy access for NetExtender users based on user ID.
o One-Time Password – Provides additional security by requiring users to enter a randomly generated, single-use password in addition to the standard user name and password credentials.
o Separate Port and Certificate Control – Provides separate port access for SSL VPN and HTTPS management certificate control, allowing administrators to close HTTPS management while leaving SSL VPN open.

I've had grief with a Cisco 857 that wouldn't sync when a Speedtouch would. Does one experience on one model make all Cisco routers bad?

 

[dhill]

- Internet access for 10 users on a 10mb leased line
- 10 IPSEC VPN tunnels (Cisco 877 ADSL routers at the endpoint) which carry voice and data
- Web based SSL VPN for about 10 users
- Preferably antivirus/antispam etc

The SonicWall 2400 would do this function without any problems at all, IMHO.

 

[paradigm]

The SonicWall 2400 would do this function without any problems at all, IMHO.

So would a draytek 2820, but yet I'd still not recommend it.

 

[iaind]

I stand by my previous comments still

Juniper are the best in this market, unless you're wedded to Cisco for business or familiarity reasons (in which case an ASA or higher end ISR is an OK option, getting used to something better being the other option)

The Junipers look good and a nice price too - what is the support like?

I'm also a bit concerned about learning to use something new when my timescales for reimplementation are fairly tight - is a Juniper firewall something someone with common sense could figure out or is it complicated?

Am happy with any web based interface, plus IOS and WSM so this sort of thing isnt new to me, but Juniper is

 

[dhill]

So would a draytek 2820, but yet I'd still not recommend it.

Thats because its a ADSL router, and iand is looking for a firewall!

 

[dhill]

Surely with the Juniper boxes you have to know/learn Junos to setup and maintain them though don't you? Not knowing the Juniper boxes myself, how easy is Junos to pick up?