Webserver firewall advice

I'm just about to colocate a single webserver and I'm looking for some advice on the firewall to buy.

I've got my eyes on these:

Juniper Netscreen SSG 140
or
Cisco ASA5510

They're a similar price range and feature set; I just can't pick. I'm tending towards the Juniper... but I'm still open to the Cisco and others as well.

As background, it's a single webserver hosting 6 or 7 relatively low-bandwidth websites and an email server. I have a feeling these firewalls might be overkill for the traffic as it is, but I'm planning to buy a second webserver in the coming months along with dedicated email and database servers for sites that are in the process of getting readied and copied. I'm looking for a bit of future proofing with the firewall for when things do grow.

Any advice would be warmly received.
 
Cheers atomiser, that's good to hear. In particular the fact that it's easy to work with - I've not had much experience with firewalls.

Have you used the SSG 140 itself? One thing I'm still not sure about is all the features it has - I always thought a firewall was just a firewall. This one VPNs, Antiviruses, Antispywares, Anti-keylogs, Anti-spams, URL filters, ISDNs, T1s, E1s... the list seems to go on.

I'm not sure if I need to pay for all those features - in particular the VPN, ISDN, T1, E1 connectivity (unless I'm misinterpreting the specs). Have you got any thoughts on this?
 
The ones I've been looking at have been around about the £1500 mark - the Cisco is slightly cheaper. Cheers Chris for that SonicWall - I haven't heard of them before but I'll check that out too.

Atomiser all that info's great, it sounds like I can't really go wrong with a Juniper. I may well take you up on that configuration help offer if I do go Juniper and I hit any stumbling blocks.
 
I'm ideally looking for one that rackmounts in 1U just for peace of mind (I think) more than anything - the thought of having a smaller non-rackmounted key piece of network hardware loose, lying on things in the datacentre fills me with worry.

- I can see my thought pattern that each time the server's down it's because someone's been a bit clumsy and accidentally knocked the firewall off its perch, and it's got unplugged and they don't know where the cables should plug back in.

It's completely irrational and probably sounds ridiculous but I want to rule out as many potential risks as possible - and I'm happy to pay the extra for this peace of mind.

Also, I'm aiming for a firewall that can be paired and load-balanced if it needs to be in the future - the lower end firewalls, from what I've checked so far, on the whole don't seem to support this. From what I've read the SSG 140s do, though have you ever set this up atomiser? This will happen before too long - I guess the question is whether, by the time it does, some better firewall technology will be available which would make it cheaper and easier at that point to go with the new technology. Only in this case would it be worth not spending so much on the firewall now, if this makes any sense. It's a tricky one but at the moment I think I'm leaning towards an SSG 140.
 
Cheers atomiser, you've been a fountain of knowledge. Just out of interest, what's your day job? - I've gathered by now it's network-based but is it specifically internet/datacentre-network-based?
 