What (enterprise) firewall should I get?

Hi,

I have a chance to replace our office firewall at work and I'm feeling a little lost in the choices. We currently have a Sonicwall 2040 (Enhanced Firmware) that we use for routing, VPNs (client & site-to-site) and load-balancing our outbound connections onto our backup ADSL line.

So far I've liked the look of the Juniper Networks SSG 320M as I like the idea of having our backup adsl line connected directly to the firewall rather than having an extra modem/router. Also Cisco have always seemed expensive for what they do and I don't hear good things about the UI on the branch-office sized units.

Are there any other makes / models I should be looking at?

akakjs
 
you can't really go wrong with juniper kit; it's reliable, cost effective, and easy to install, maintain and manage. but then i would say that, since i work with the stuff on a regular basis!

that said, the client vpn support isn't brilliant - largely because the client software isn't very good, or so i am led to believe. however, there is another vpn client that you can use (i think it's called shrewsoft) and there is a setup guide for it on the juniper support forums.

you could always get a nice juniper sa unit to give you ssl vpn which would nicely complement the ssg...!
 
i look after a pair of isg 2000 units in active/passive, along with a pair of ssg 140 units also in active/passive, along with several standalone units ranging from the baby 5gt's through 25's and 50's. i think we're due to get another pair of ssg 300 units in fairly soon too. what we have in production just does what it says on the tin, can't fault it really. i have to say, i do quite like the firewall + ipsec vpn + ssl vpn within the new asa code though. i *really* wish juniper would release the sa as a blade to go inside the isg chassis though, grrr!
 
Thanks for the suggestions! I'll give the Cisco PIXs a look.

> that said, the client vpn support isn't brilliant - largely because the client software isn't very good, or so i am led to believe. however, there is another vpn client that you can use (i think it's called shrewsoft) and there is a setup guide for it on the juniper support forums.
>
> you could always get a nice juniper sa unit to give you ssl vpn which would nicely complement the ssg...!

mm I've always found our Sonicwall Global VPN client to be a little ropey. One of the reasons I'm not too keen on getting another Sonicwall is that they still don't have a working 64-bit client (it's been in beta since July, and still has reports of major issues like BSODs). So a decent VPN client is a must for us (one of the reasons I'm being allowed to spend the money in fact :D). The Juniper Networks SA looks very interesting!

Is the Checkpoint UTM-1 range worth considering? (looking at the 270 currently).

Thanks again!

akakjs
 
note: I work supplying/building/maintaining/upgrading/managing Cisco & checkpoint firewall solutions for a living, so I may be biased towards their products :D


The ASA's "anyconnect" client is very useful as it features support for win32/win64/mac OSX intel/mac OSX ppc/linux. I've tested the win32/win64 client and it just works (which is nice). A quick list of pros & cons.

Pros
multiple OS support
downloadable direct from the firewall
public terminal support (client can be set not to install, removes itself on log off)

Cons
Requires using 8.x firmware (leading edge)
requires Java be installed on the client machine
Only 2 concurrent connections without licence upgrade (SSL clients are licensed unlike IPSEC clients)

A quick note on Checkpoint: there's still no win64 client. Other than that I can't recommend it highly enough; it really does show the offerings from other vendors (cisco/juniper/sonicwall etc) how it's done. Oh, and if you go for a UTM-1 box get the hardware/software support up front in the 3/5 year packs as it works out a good deal cheaper.
 
Do they still sell the PIX FWs, as I thought they had been replaced by the ASAs?

I've just bought an ASA 5540 + SSM20 card for work, and thus far I am very impressed with it. Small upgrade from the PIX 515, mind, haha.

Andy
 
PIX is now end of life so buying one is difficult and shouldn't really be necessary.

ASA is a really nice box and we've just shifted out our last 515s in favour of a nice new ASA failover pair.

I used to see a lot of Juniper kit at my old job and they seemed spot on (especially when it came to price).

Their SSL VPN appliances are pretty ubiquitous these days.

So ASA or Juniper at the lower end. Maybe ASA or Checkpoint if it's a true Enterprise deployment.
 
So checkpoint is out because of no 64-bit support then (shocking these days as the 4Gb memory limit is fast approaching!).

> So ASA or Juniper at the lower end. Maybe ASA or Checkpoint if it's a true Enterprise deployment.

The Ciscos make me nervous because I always get the impression you'd need a CCNA to install and maintain one (after getting enough qualifications to work out which model/part number you actually needed). We're not that big a company, so I'd be the one who'd end up managing and installing it, and I'm but a programmer and no network tech (let alone CCNA). Would I have to resort to the CLI all the time?

I found a rough price of about $2500/first year for the SSG 320M's support deep inspection / anti-virus / anti-spam / content filtering, does this sound right? I assume that the Cisco costs are roughly the same?

Thanks everyone again, it's really useful to chat to people who actually use this kind of kit regularly, rather than salesmen!

akakjs
 
Sounds like you need to separate myth from reality. The ASA gui is the same throughout the entire product line, and it's very good. You don't have to use or understand CLI. The ASA series come with a gui driven wizard for setup but you are always going to need to understand networking to install one. That is the case with any firewall.
I would personally look no further than the ASA for your needs. The Checkpoints are also very good, but in terms of getting a piece of kit out of a box and being ready quickly with little experience I would say the ASA is the best bet.
Juniper's are meant to be solid but I have no personal hands-on, though this is going to be changing soon enough.
 
in terms of the management of juniper kit, they also share the same cli and webui across the range. there is also a centralised management tool available called nsm, but since it sounds like you're only going to have one device (or a pair if you need ha) this probably wouldn't apply. the cli on the junipers is pretty straightforward to be honest, but you needn't touch it if you don't want to (unless you want to reboot the device, or run a debug or something), the webui is very intuitive. i can also confirm they are very solid pieces of kit! :D

edit: i see you quoted a price in dollars, are you located in the us? if not, and you want to go for a juniper device, then i can recommend talking to a reseller called secon.
 
> Sounds like you need to separate myth from reality.

In fairness, this comment came from someone I've worked with for several years and whose opinion I trust; specifically he described the web UI as being painfully slow. So while it's not conclusive, I agree; it's hardly myth.

> I would personally look no further than the ASA for your needs.

I haven't ruled them out by any means, as they clearly have that reputation for being rock solid and they have that built-in SSL-VPN. But I'll need to check the ongoing costs of annual licensing for features like content filtering, IDS etc. If those are upfront costs only for Ciscos (I did notice you have to buy physical modules for deep packet inspection), then I can understand the premium prices.

Thanks everybody! I should now be able to start asking for quotes on the right sized kit, and not start down the wrong road!

akakjs
 
Sorry, but yes, it is myth ;)
I'm not making this up, I work with them every single day. They are not slow and never have been. PDM for Pix's was a bit ropey but never slow.

Yes, you have to buy a dedicated module for true IPS, which is basically a full featured Cisco IPS sensor on a card. It can get expensive quickly if you want to do the whole UTM thing. For example, you won't be able to have a CSC module for Web filtering AND the IPS module in one ASA. What you can do is have the IPS module and use the ASA to offload content filtering to websense. Conversely you can have the CSC module and use the basic attack signatures that come with the ASA, but they are far from being comprehensive enough imho.

By the way, the latest versions of ASDM, which is used to manage ASAs, come with a demo mode so you can see how it would be to manage one. You can download it if you have a cisco.com account or know somebody that does.
 
Agreed. I work for a Juniper distributor and I deal with most of their kit - the firewalls, SA, WX, EX etc. I have a 5GT at home and deal with pretty much all of the Netscreen and SSG ranges at work and on customer sites and they're great bits of kit. Simple to set up and solid bits of kit :)
 
looking at your location, wouldn't happen to be equip would it?! i work for a county council so we have to buy all our stuff through a reseller (we use secon), but fairly sure everything comes from equip, i also did my netscreen training there too. small world!
 