What (enterprise) firewall should I get?

Best Firewall = Cisco PIX. Simple as.

That's simply not true, everybody has a preferred brand but Cisco have no compelling advantages over the other big players. Checkpoint (despite the licensing black hole and complexity) are very popular indeed with big corporates (BA for instance are a Checkpoint user...).

Juniper have dial in IPSEC VPN issues but this isn't an issue for big companies as they're using dedicated appliances for their VPNs anyway, not their main firewalls. It's a potential issue for small companies though.

The PIX/ASA is good but not stand-out brilliant. If I were buying core firewalls today I'd buy Juniper or Checkpoint, unless I needed VPN and couldn't buy dedicated SSL VPN kit as well, in which case I'd probably go for an ASA.
 
Oh, two things to add - for small companies the built-in interface options are a nice benefit on the Juniper. For real enterprise installations not really, because you'd want your edge routers, but for small companies sure.

And I don't like the GUI on the ASA much at all, I much prefer the Juniper GUI, but the CLI on both is pretty good (and there are things you'll need to do in the CLI; I know a few VPN configurations which require CLI usage as the GUI won't let you complete them).
 
We mostly work with Sonicwalls so I was a little curious as to why you wanted to change the firewall. Unless your need for throughput / VPN tunnels has gone up a lot then I wouldn't really see the need to upgrade from a 2040, but as you said the VPN client is a little pants.

We don't tend to use it much :/ if clients really want VPN access then a lot of the time they used to be given PPTP access instead of using the Global VPN client from Sonicwall.

These days we don't have much need for the VPN clients though, since we tend to get people who need remote access to use a Citrix server instead. Users just log into the portal and run whatever applications they need from there.
 
Sorry for the silly question, but in a business environment why do firewalls have to be separate devices from the routers? Is it not possible to just get an enterprise router that has firewall capability?
 
Sorry for the silly question, but in a business environment why do firewalls have to be separate devices from the routers? Is it not possible to just get an enterprise router that has firewall capability?

Strictly speaking they don't have to be... At the most basic level most routers can provide some level of firewalling functionality through access control lists and address translation, and if they support the right level of cryptography they can also participate in VPNs too.

With Cisco kit you can buy an FWSM, which is a blade you slot into a router, that will give you an ASA within the chassis. Not sure if this exists in Juniper kit too, but I know they do have the SRX gateway which has lots of routing functionality, but lots of firewalling functionality too.

I suppose it largely comes down to what functionality you actually need, where it's going within the infrastructure, and having the right tool for the job. Personally I am a fan of letting a router be a router, and a firewall be a firewall.
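To make the router-versus-firewall distinction in the post above concrete, here is an added toy example (not code from this thread, and not any vendor's implementation): a router-style stateless ACL using an "established"-type rule, placed beside a stateful filter that keeps a connection table. The hosts, ports and policy are constructed for the example and the addresses come from the RFC 5737 documentation ranges. The ACK-flagged probe is the interesting case: a flag-based ACL accepts any inbound packet with ACK set, while the stateful filter drops it because no matching flow exists.

```python
# Added illustration (not code from the thread): a toy model of the difference
# between a router-style stateless ACL and a stateful firewall. Names, policy
# and addresses (RFC 5737 documentation ranges) are constructed for the example.
from dataclasses import dataclass

WEB_SERVER = "203.0.113.10"      # constructed: the host we publish on 443
INSIDE_HOST = "192.0.2.25"        # constructed: an internal workstation
ATTACKER = "198.51.100.77"        # constructed: an external source


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool
    direction: str  # "in" (untrusted -> trusted) or "out"


def stateless_acl(pkt: Packet) -> bool:
    """Router ACL in the style of an 'established' rule.

    Inbound rule set (top down, implicit deny at the end):
      permit tcp any any established        -> any packet with ACK set
      permit tcp any host WEB_SERVER eq 443
      deny ip any any
    Outbound traffic is permitted unconditionally.
    """
    if pkt.direction == "out":
        return True
    if pkt.ack:                      # flag-based only, no memory of flows
        return True
    if pkt.dst == WEB_SERVER and pkt.dport == 443:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: inbound packets are accepted only when they belong
    to a flow this device has already seen, or when policy allows a new flow."""

    def __init__(self) -> None:
        # connection table keyed (client, client_port, server, server_port)
        self.flows: set[tuple[str, int, str, int]] = set()

    def process(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            # any outbound packet creates/refreshes a flow entry
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # inbound: is it a reply to a flow initiated from inside?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return True
        # new inbound connection: only a genuine SYN to the published service
        if pkt.dst == WEB_SERVER and pkt.dport == 443 and pkt.syn and not pkt.ack:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {name: (stateless_verdict, stateful_verdict)} for constructed traffic."""
    fw = StatefulFilter()
    results = {}

    # 1. Inside host opens a connection to an external web site, then gets the reply
    out_syn = Packet(INSIDE_HOST, ATTACKER, 50000, 443, syn=True, ack=False, direction="out")
    reply = Packet(ATTACKER, INSIDE_HOST, 443, 50000, syn=True, ack=True, direction="in")
    results["outbound_syn"] = (stateless_acl(out_syn), fw.process(out_syn))
    results["legit_reply"] = (stateless_acl(reply), fw.process(reply))

    # 2. External client connects to the published web server
    web_syn = Packet(ATTACKER, WEB_SERVER, 40000, 443, syn=True, ack=False, direction="in")
    results["inbound_web_syn"] = (stateless_acl(web_syn), fw.process(web_syn))

    # 3. ACK-flagged probe to an internal SSH port with no prior flow (an ACK scan)
    probe = Packet(ATTACKER, INSIDE_HOST, 40001, 22, syn=False, ack=True, direction="in")
    results["ack_probe"] = (stateless_acl(probe), fw.process(probe))

    # 4. Plain SYN to the internal SSH port: both should deny
    ssh_syn = Packet(ATTACKER, INSIDE_HOST, 40002, 22, syn=True, ack=False, direction="in")
    results["inbound_ssh_syn"] = (stateless_acl(ssh_syn), fw.process(ssh_syn))
    return results


if __name__ == "__main__":
    for name, (acl, stateful) in run_scenario().items():
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{name:16} stateless ACL={verdict(acl):6} stateful={verdict(stateful)}")
```

Running it shows both devices agreeing on the legitimate cases and on the inbound SYN to port 22, but only the stateless ACL lets the ACK probe through; that is the sort of gap a dedicated firewall closes, and why "a router with ACLs" is not quite the same thing as a firewall even though it filters packets.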
 
Sorry for the silly question, but in a business environment why do firewalls have to be separate devices from the routers? Is it not possible to just get an enterprise router that has firewall capability?

Depends what you mean by enterprise. If you mean SME then it's perfectly possible; if you actually mean enterprise then you have separate devices because they sit in different positions in the network and there's no reason to combine them.

Also, firewalls are designed to do deep inspection in hardware at high speed, whereas routers are designed to forward traffic as quickly as possible; those are different specialist hardware requirements.

The Cisco way of combining the two with the FWSM for the 6500s is simply installing a firewall hardware blade into a switch. It's not so much combining the two as having both in the same box managed by the same interface.
 
We don't tend to use it much :/ if clients really want VPN access then a lot of the time they used to be given PPTP access instead of using the Global VPN client from Sonicwall.

I'm positively amazed there are still business IT environments out there where anybody considers it acceptable to run a protocol like PPTP and they aren't immediately taken out and beaten... Let's use a hopelessly insecure protocol for tunnelling traffic because the IPSEC features on our firewall are hard work, and we'll never have to worry about it until we lose some confidential data. This is why IT security has such a bad name...
 
Best Firewall = Cisco PIX. Simple as.

That really is a matter of opinion. The PIX I have found to have THE worst UI of any business-grade firewall. I've always gone for Checkpoint products, either running on a standard server or an appliance, but the Juniper kit is quality too.
 
I'm positively amazed there are still business IT environments out there where anybody considers it acceptable to run a protocol like PPTP and they aren't immediately taken out and beaten... Let's use a hopelessly insecure protocol for tunnelling traffic because the IPSEC features on our firewall are hard work, and we'll never have to worry about it until we lose some confidential data. This is why IT security has such a bad name...

Well if they don't want to pay for it then there isn't much to be done about it!

Tends to be the smaller customers with smaller budgets :/ they've had it that way for a while and don't see the reason to upgrade if it still works and does the job.

You can recommend the best security in the world, but if they don't want to pay for it then you're kinda limited with your options. You do your best to accommodate the customer or lose them :/
 
I thought I'd report back with the outcome.

We went with the Juniper Networks SSG 320M in the end; it seemed to match our needs better, and I was put off the Cisco ASA series after a pair of failures of our ASA5505 at our web site host (the first time it just kept rebooting when the config was loaded, the second the power supply died).

After a week of playing with the Juniper I can honestly say it's a really good bit of kit. I now know far more about networking & routing than I ever have in the past thanks to the huge (2000 page) manual. It's leagues ahead of our old Sonicwall and the VPNs just work, which is nice :)

We also got the Deep Inspection/IDS & web-filtering options, which I noticed on the lower Cisco ASA were mutually exclusive due to the single expansion slot on the ASA5510.

So thanks for all the help!

akakjs
 