What (enterprise) firewall should I get?

Hi,

I have a chance to replace our office firewall at work and I'm feeling a little lost in the choices. We currently have a Sonicwall 2040 (Enhanced Firmware) that we use for Routing, VPNs (client & site-to-site) and load-balancing our outbound connections on to our backup ADSL line.

So far I've liked the look of the Juniper Networks SSG 320M as I like the idea of having our backup adsl line connected directly to the firewall rather than having an extra modem/router. Also Cisco have always seemed expensive for what they do and I don't hear good things about the UI on the branch-office sized units.

Are there any other makes / models I should be looking at?

akakjs
 
Thanks for the suggestions! I'll give the Cisco PIXs a look,

That said, the client VPN support isn't brilliant, largely because the client software isn't very good, or so I am led to believe. However, there is another VPN client that you can use (I think it's called Shrew Soft) and there is a setup guide for it on the Juniper support forums.

You could always get a nice Juniper SA unit to give you SSL VPN, which would nicely complement the SSG...!
Mm, I've always found our Sonicwall Global VPN client to be a little ropey. One of the reasons I'm not too keen on getting another Sonicwall is that they still don't have a working 64-bit client (it's been in beta since July, and still has reports of major issues like BSODs). So a decent VPN client is a must for us (one of the reasons I'm being allowed to spend the money, in fact :D). The Juniper Networks SA looks very interesting!

Is the Checkpoint UTM-1 range worth considering? (looking at the 270 currently).

Thanks again!

akakjs
 
So Checkpoint is out because of no 64-bit support then (shocking these days, as the 4 GB memory limit is fast approaching!).

So ASA or Juniper at the lower end. Maybe ASA or Checkpoint if it's a true Enterprise deployment.
The Ciscos make me nervous because I always get the impression you'd need a CCNA to install and maintain one (after getting enough qualifications to work out which model/part number you actually needed). We're not that big a company, so I'd be the one who'd end up managing and installing it, and I'm but a programmer and no network tech (let alone CCNA). Would I have to resort to the CLI all the time?

I found a rough price of about $2500 for the first year for the SSG 320M's support (deep inspection / anti-virus / anti-spam / content filtering); does this sound right? I assume that the Cisco costs are roughly the same?

Thanks everyone again, it's really useful to chat to people who actually use this kind of kit regularly, rather than salesmen!

akakjs
 
Sounds like you need to separate myth from reality.
In fairness this comment came from someone I've worked with for several years and whose opinion I trust; specifically he described the web UI as being painfully slow. So while I agree it's not conclusive, it's hardly myth.

I would personally look no further than the ASA for your needs.
I haven't ruled them out by any means, as they clearly have that reputation for being rock solid and they have that built-in SSL VPN. But I'll need to check the ongoing costs of annual licensing for features like content filtering, IDS etc. If those are upfront costs only for Ciscos (I did notice you have to buy physical modules for deep packet inspection) then I can understand the premium prices.

Thanks everybody! I should now be able to start asking for quotes on the right sized kit, and not start down the wrong road!

akakjs
 
I thought I'd report back with the outcome.

We went with the Juniper Networks SSG 320M in the end; it seemed to match our needs better, and I was put off the Cisco ASA series after a pair of failures of our ASA5505 at our web site host (the first time it just kept rebooting when the config was loaded, the second time the power supply died).

After a week of playing with the Juniper I can honestly say it's a really good bit of kit. I now know far more about networking and routing than I ever have in the past, thanks to the huge (2000 page) manual. It's leagues ahead of our old Sonicwall and the VPNs just work, which is nice :)

We also got the Deep Inspection/IDS and web-filtering options, which I noticed on the lower Cisco ASAs were mutually exclusive due to the single expansion slot on the ASA5510.

So thanks for all the help!

akakjs