Firewall question? What is best for a highly secure business?

tribe_menx Member Posts: 83
Hi guys, I need help finding the best firewall solution. Can you guys suggest one for me? So far I am thinking of 3:

Windows version (ISA Server)
Linux version (Smoothwall)
and of course PIX firewall
I prefer ISA but don't know if it's good enough for my network of 50+ users with internal mail and web server and of course one ADSL line.
What do you guys use as a secure firewall for internet, intrusion detection and so on?
B.Science Information Systems

Comments

  • [Deleted User] Senior Member Posts: 0
    With a PIX you are going to get stateful packet inspection but you are also going to pay a higher premium than Smoothwall for example. I'm not really sure about ISA server but I think the PIX is going to trump that also. If any of my information here is inaccurate, please feel free to correct me. I'm just giving my opinion based on what I know.
  • DevilWAH Member Posts: 2,997
    The one you will best implement.

    The best "on paper" firewall in the world will be little better than useless if you leave it set to default and don't correctly use it to secure the network. And even a weak/basic firewall, if set up well, can give you all the security you need (especially on the smaller networks with less need for advanced features).

    One I really like for small networks is the Cisco IOS based firewall. For a small network you can roll your routing, firewall, IPS and VPN gateway all into one device. And unless you are going to use more, why pay out more money?
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.
  • dynamik Banned Posts: 12,312
    I'd put a fast packet-filtering firewall on your perimeter and then put ISA behind that and use it for publishing Exchange, Sharepoint, etc.
  • tribe_menx Member Posts: 83
    Thanks guys. The problem I have with the PIX firewall is how much it costs, and for our network the outside traffic coming in and out is from the internet mail server and web server. I will employ someone to monitor the network traffic, and I hear that hardware firewalls are far superior to software.
    B.Science Information Systems
  • Kaminsky Member Posts: 1,235
    Checkpoint
    Kam.
  • laidbackfreak Member Posts: 991
    Kaminsky wrote: »
    Checkpoint

    +1

    Else go for the Cisco ASA over the PIX. The PIX are EOL.
    if I say something that can be taken one of two ways and one of them offends, I usually mean the other one :-)
  • Hyper-Me Banned Posts: 2,059
    It's best to have 2, if possible. A good appliance firewall like a PIX for the general traffic and whatnot.

    ISA is very good for Microsoft based networks because you get application layer functionality that most appliances don't/can't offer. As dynamik said, you can publish Exchange, SharePoint, etc. through ISA for added protection.
  • Ahriakin Member Posts: 1,799
    An ASA5505 (PIX is EOL) should suffice and would be cheaper than an ISA server (should be more reliable too), but won't provide the same level of application gateway support if you need it (it is a superior network firewall though). Smoothwall of course would be the cheapest if you have server components to spare - I haven't used it, and while I always keep open source in mind I've found over the years that unless you're doing a large deployment the learning curve and support woes for it usually end up outweighing the cost of just paying for a decent commercial solution. Still, you could try it and see how hard it is to manage or not.

    Edit: Yup I know some of this is redundant, I forgot to click submit when this thread was just a wee babby.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • chrisone Member Posts: 2,278
    Ahriakin wrote: »
    An ASA5505 (PIX is EOL) should suffice and would be cheaper than an ISA server (should be more reliable too), but won't provide the same level of application gateway support if you need it (it is a superior network firewall though). Smoothwall of course would be the cheapest if you have server components to spare - I haven't used it, and while I always keep open source in mind I've found over the years that unless you're doing a large deployment the learning curve and support woes for it usually end up outweighing the cost of just paying for a decent commercial solution. Still, you could try it and see how hard it is to manage or not.

    Edit: Yup I know some of this is redundant, I forgot to click submit when this thread was just a wee babby.

    +1

    ASA5505 for less than 50 users, ASA55010 for more.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • ilcram19-2 Banned Posts: 436
    I will go with a Cisco ISR. They are cheaper than the ASA and more flexible. The new models come with a built-in VPN accelerator module, and you can turn on zone-based firewall with packet inspection or CBAC firewall with stateful packet inspection, also IPS, ACL, QoS. I've been working on my CCSP and I'm now studying for my 642-524 SNAF, and I still don't seem to be into ASAs. Maybe once I'm more deep in, but so far I prefer an ISR over an ASA.
  • tiersten Member Posts: 4,505
    ilcram19-2 wrote: »
    I will go with a Cisco ISR. They are cheaper than the ASA and more flexible. The new models come with a built-in VPN accelerator module, and you can turn on zone-based firewall with packet inspection or CBAC firewall with stateful packet inspection, also IPS, ACL, QoS. I've been working on my CCSP and I'm now studying for my 642-524 SNAF, and I still don't seem to be into ASAs. Maybe once I'm more deep in, but so far I prefer an ISR over an ASA.
    For actual production usage, an ASA + IPS box is generally recommended instead of just using an ISR to do it all. Throughput will drop like a stone if you enable these features in an ISR, and to provide an equivalent performance you'll have to get one of the larger, more expensive ISR models. You'd need a high end 2800 if you want to do CBAC+IPS on an ISR with an average DSL connection.
  • mikej412 Member Posts: 10,086
    DevilWAH wrote: »
    The one you will best implement.
    +1

    Personally I'd go with the ASA -- but I'd rather see a mediocre firewall solution implemented correctly than a top of line firewall solution screwed up by incompetent idiots.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • crrussell3 Member Posts: 561
    We currently have a dual setup for firewalls ourselves and it works nicely. Our external hardware firewall, Watchguard, then an internal ISA 2006. This is set up for 300 users. So as others have said, this is the type of setup you want to go with if possible, or something similar.
    MCTS: Windows Vista, Configuration
    MCTS: Windows WS08 Active Directory, Configuration