Next Generation Firewalls

E Double U · February 2015

We're currently using Cisco ASA 5510s that will go end of support in 2018 so we're looking at what NGFW to go with when we do the replacement.

I would like the Cisco ASA with FirePOWER, but the CISO is interested in Dell SonicWALL.

What are your thoughts/experiences in regards to these two in particular, but other vendors as well?

busines4u · February 2015

I used to work for a company that had SonicWALL at all the branch sites. For the most part they worked pretty well. We did have a pretty impactful issue at the HQ that at random the HA pair of SonicWALL's would reboot for some unknown reason. This would bring down all of these remote sites that were on a VPN and cause a company wide outage. I tried working with SonicWALL to get this resolved but they were never able to pinpoint the cause. To reduce the impact to the business we finally broke the HA pair and resumed our operations, but were left without the HA pair we had put in place. Based on this experience and some other odd issues that seemed to be cleared up by a reboot of the device, I would advise against going the SonicWALL route. Yes the ASA will be a little more money but for a stability standpoint it is worth it from my point of view.

Since then I have worked at two companies for roughly 4 years total. Both of these had ASA's and I have not had to deal with any odd issues like mentioned above. The ASA's would run without issues and they were much easier for me to troubleshoot & support. This could be due to my background in Cisco networking...

Just thought I would share my experience and offer my 2 cents. Hope this helps.

docrice · February 2015

I have never touched SonicWALL before, but my vague impression is that they're somewhat looked down upon. They're probably cheaper than the bigger names, but I've heard anecdotes about quirky behavior like described above. Quality of vendor support is also something to consider as well, although I've had a mixed bag with Cisco (somewhat depends on the product line though).

Fortinet seems like a good bargain and I think is definitely worth looking at.

Slowhand · February 2015

SonicWall used to be a bit of a toy device, basically a home router on steroids. In 2012 that all changed: I went to the RSA conference in San Francisco and saw SonicWall's offerings of enterprise and service-provider next-generation firewalls, and they were rocking and rolling right along with Barracuda, Palo Alto, etc. . . well, except Cisco, they had nothing to show that year since most of their firewall crew had gone on to start their own company.

Long story short, SonicWall has come a long way. If you find that they have an appliance that suits you, at a price that fits your budget, go for it.

Iristheangel · February 2015

Here's the latest NSS Labs Comparative Firewall Analysis: http://www.fortinet.com/sites/default/files/whitepapers/Next-Generation-Firewall-Comparative-Analysis-SVM.pdf

A good read comparing the two you mentioned. It depends on how much you want to spend and how effective you want your solution to be. I think the Sourcefire acquisition was the best thing Cisco did security-wise in the last decade and I'm excited to see some of the other things coming from this acquisition.

jamthat · February 2015

docrice wrote: »

I have never touched SonicWALL before, but my vague impression is that they're somewhat looked down upon. They're probably cheaper than the bigger names, but I've heard anecdotes about quirky behavior like described above. Quality of vendor support is also something to consider as well, although I've had a mixed bag with Cisco (somewhat depends on the product line though).

Fortinet seems like a good bargain and I think is definitely worth looking at.

FWIW, had similar problems with a pair of FortiGate 600C's as busines4u had with SonicWALL. Strage issues that neither we or Fortinet's support could pinpoint. That said, some of their products are pretty cool and will probably be very much worth looking at when they're a little more mature..

joehalford01 · February 2015

I really like the barracudas we have deployed but their cloud control has been really disappointing. The units constantly get disconnected and can't reconnect without a support call.

E Double U · February 2015

Thanks for all of the input!

RouteMyPacket · February 2015

What kind of shop are you? Cisco? (i.e, Switches, Routers etc?)

How does a point product like SonicWall fit into your overall architecture? What is the learning curve for existing staff? Will the staff need training (an additional cost)? What do you want from your edge device?

If you are a Cisco shop, your staff are already familiar with the product line, there is a very small learning curve moving from legacy hardware to the latest NextGen platforms. Also, you can develop a comprehensive edge security solution that ties into existing identity based services, secure remote access and for IDS/IPS functionality it does not get any better than Sourcefire. Sourcefire has been the standard bearer in IDS/IPS for a long time, you can do some research on Snort and see how Sourcefire simply packaged snort with services etc and that brought about "Sourcefire". That is now Cisco

Again, what is important to you? Manageability? Scalability? if you are already invested in Cisco gear, it's a no brainer to transition to Cisco ASA with FirePOWER services. Also reember to take advantage of the IPP (Investment protection program) or Cisco's TMP (Technology Migration) program.

Since you have the legacy 5510's, TMP will be for you and you can receive a discount by trading in your ASA 5500 platform/s. This is my area of focus (Security/FirePOWER) so let me know if you have any questions. Remember, you can always have Cisco or a Channel Partner perform a demo of FirePOWER/Sourcefire for you. : )

E Double U · February 2015

RouteMyPacket wrote: »

What kind of shop are you? Cisco? (i.e, Switches, Routers etc?)

How does a point product like SonicWall fit into your overall architecture? What is the learning curve for existing staff? Will the staff need training (an additional cost)? What do you want from your edge device?

If you are a Cisco shop, your staff are already familiar with the product line, there is a very small learning curve moving from legacy hardware to the latest NextGen platforms. Also, you can develop a comprehensive edge security solution that ties into existing identity based services, secure remote access and for IDS/IPS functionality it does not get any better than Sourcefire. Sourcefire has been the standard bearer in IDS/IPS for a long time, you can do some research on Snort and see how Sourcefire simply packaged snort with services etc and that brought about "Sourcefire". That is now Cisco

Again, what is important to you? Manageability? Scalability? if you are already invested in Cisco gear, it's a no brainer to transition to Cisco ASA with FirePOWER services. Also reember to take advantage of the IPP (Investment protection program) or Cisco's TMP (Technology Migration) program.

Since you have the legacy 5510's, TMP will be for you and you can receive a discount by trading in your ASA 5500 platform/s. This is my area of focus (Security/FirePOWER) so let me know if you have any questions. Remember, you can always have Cisco or a Channel Partner perform a demo of FirePOWER/Sourcefire for you. : )

Going to copy your post and email it to my boss lol.

We're a Cisco shop (routers, switches, ACS) which is why I want to go with FirePOWER.

Iristheangel · February 2015

Yeah, the integration with FirePower and ISE is getting pretty tight too. Look into ISE 1.3 with pxGrid - If someone is on your network and Firepower discovers them downloading something bad on their computer, it can interact with ISE and effectively blackhole that device until the issue is remediated. Pretty cool stuff. Here's a pretty cool video showing it in action: Put the Network Back in Network Security - Cisco Online Seminar - Cisco Systems

creamy_stew · February 2015

If you want to go with ASA again for ease of migration, so be it.

Otherwise, Fortinet, Juniper or Palo Alto would be my suggestions.

edit: For the love of all that is holy to you: Stay away from SonicWall/Watchguard. This is not not geekspeak, they will bite you in the ass if the watchguards live long enough.

snadam · February 2015

creamy_stew wrote: »

If you want to go with ASA again for ease of migration, so be it.

Otherwise, Fortinet, Juniper or Palo Alto would be my suggestions.

edit: For the love of all that is holy to you: Stay away from SonicWall/Watchguard. This is not not geekspeak, they will bite you in the ass if the watchguards live long enough.

I'm partial to Juniper SRX series myself.

Iristheangel · February 2015

For Juniper, I question how long they're going to continue with their security practice. They started selling off pieces and their security earnings are way down in the last couple of years. They also don't have an advanced malware offering and the SRX's performance takes a beating when IPS is enabled. If I recall correctly, the SRX doesn't have SSL VPN onbox. You need MAG/SA, right? (Spot check me if I'm wrong, folks.)

Palo Alto == Pretty GUI and fun to play with, but questionable protection.

Fortinet isn't bad at all. Scored pretty well on the NSS Labs report as well (linked above)

@Creamy, Have you used an ASA with Firepower yet? I find it's a pretty awesome platform. I have a 5512-X with Firepower services here in my home lab. I would agree that the old ASAs weren't really great at doing much else than VPN and a stateful firewall - they did both of those extremely well but CX and the other features weren't that great imho. I think Sourcefire changes all of it and actually makes it marketable NGFW. I've been reading into the Threadgrid acquisition by Cisco and I'm really excited about that as well. From what I was reading, Sourcefire could send a zero-day file to Threatgrid which could identify a piece of malware that's never been used before in 7 minutes and then send an alert back to Sourcefire which would in turn send a signal to ISE to blackhole that device that downloaded the file until the issue is mitigated. At some point when I have time (aka when I'm not deep in CCIE studies), I'm going to set up ISE 1.3 with my ASA with Firepower and link it up with Threatgrid just to play around. I think it would be pretty badass to play with :P </end nerd>

snadam · February 2015

You are correct in that the SRX does not support SSL VPN (just IPSec VPN). And, they "spun off" their MAG/SA team, and they are their own entity called Pulse Secure with the support of Juniper. While I myself question this move, I've been told its a good thing; only time will tell us.

The closest thing to malware protection on the SRX is Unified Thread Management. I can't say too much about it, as I don't have a whole bunch of 'stick time' with it yet in production. I agree in that I wouldn't consider it "advanced malware protection" by any means.

Depending on which series/model and what modules you have in the SRX, enabling IPS takes a chunk out of your resources. With Branch Series SRX, its roughly half your max sessions, and its unavoidable because they're not modular. On High-end/Datacenter series, however, this is usually mitigated by slapping a bunch of processing power in your chassis to be able to handle the throughput, sessions and features you desire.

I truly don't see them getting rid of the SRX platform any time soon. They seem to be shedding off the excess, and sticking to core features. However, I would say they're due for an overhaul in the next year or so to keep up with the market.

I am also eager to look at other NGFW vendor offerings, specifically Cisco and Palo Alto and Fortinet. I have heard good things about ASA/Firepower, lately. I've been so focused on Juniper offerings for a while and would like to expand my knowledge/experience a little bit and see what else is going on in the Firewall world.

These are only my opinions based of my experience, however.

sorry if I derailed the thread. Not my intent to derail or disrespect anyone.

Iristheangel · February 2015

You didn't derail. It's about NGFWs so good discussion. I like good discussion

creamy_stew · February 2015

@Iris
No, I haven't. I don't even know what Firepower is

Personally, I use Fortigate for Firewall/IPS/Outbound duty, and couple that with ASA/Juniper for site-site VPN/inbound if budget permits.

Unless Firepower radically changes the access-list approach of the ASA, I will probably continue to stay away from ASA for firewall stuff.

RouteMyPacket · February 2015

creamy_stew wrote: »

Unless Firepower radically changes the access-list approach of the ASA, I will probably continue to stay away from ASA for firewall stuff.

creamy_stew · February 2015

I don't get it.

netsysllc · February 2015

The SonicWalls of the last 5 years or so have been really good. They are very powerful and cost effective in the SMB space. I have about 80 of them deployed at different clients and sites. They are simple to configure and understand and offer a lot of features compared to most offerings. The basic support is not that great unless you are certified then you have a direct dial to level 2 support.

RouteMyPacket · February 2015

creamy_stew wrote: »

I don't get it.

Clearly! I was merely trying to understand how access control needs to be "radically" changed? It's one thing to not understand a technology and another to clearly not understand and make such a statement. I'm going to go out on a limb here and state that pretty much every edge security device has access control, it's not rocket science.

By all means, please explain how the ASA platforms access control is lacking, i'm all ears.

Iristheangel · February 2015

creamy_stew wrote: »

@Iris
No, I haven't. I don't even know what Firepower is

Personally, I use Fortigate for Firewall/IPS/Outbound duty, and couple that with ASA/Juniper for site-site VPN/inbound if budget permits.

Unless Firepower radically changes the access-list approach of the ASA, I will probably continue to stay away from ASA for firewall stuff.

So you use a different firewall/security appliance from a different vendor for inbound and outbound traffic?

I'm not sure what you mean by access-list approach. I think every firewall out there has some sort of approach towards access lists. Sorry... I'm trying to understand what you mean.

creamy_stew · February 2015

I just spent like 20 minutes writing well-balanced, thoughtful reply to RouteMyPacket, dispite him being a prick. However, when I pressed "Post Quick Reply", the bit monster ate it.

@Iris: I will PM you my thoughts tomorrow if I remember it, since I don't want to escalate things here

RouteMyPacket · February 2015

creamy_stew wrote: »

I just spent like 20 minutes writing well-balanced, thoughtful reply to RouteMyPacket, dispite him being a prick. However, when I pressed "Post Quick Reply", the bit monster ate it.

@Iris: I will PM you my thoughts tomorrow if I remember it, since I don't want to escalate things here

I simply asked a question, a perfectly valid question. If you are in over your head that's fine, otherwise I am interested in understanding how the ASA platform is lacking in access control? I'll go one step further and admit like Iristheangel, I am interested in how you leverage multiple platforms for "Inbound" and "Outbound" duties, that's a new one and I would be interested in seeing the architecture/design.

creamy_stew · February 2015

OK......

UnixGuy · February 2015

Firewalls newbie here, I'd like to get your thoughts on CheckPoint

Next Generation Firewalls

Comments