Firewall recommendations

it_consultant Member Posts: 1,903
Here is the story: my client needs to replace their Watchguard Core 1250e firewall with something that is newer and performs a little better. Normally I have no say in this and they would just end up with an XTM 510 because we are WG partners. However, for this client I am the complete boss of IT, so I may be able to wiggle in a different brand beneath their noses. The XTM 510 is the bar here; I use it at a couple of different clients, so I will list the pros and cons as I see them:

Pros:
- Not that expensive for good overall performance
- WG helps set up and scans for PCI compliance (current 1250e is compliant)
- VPN tunnels are RIDICULOUSLY easy to set up
- Overall management extremely easy
- 1-1 NAT rules, port forwarding rules, etc. easy enough for a child to set up
- Palo Alto-like application blocking
- We get priority tech support

Cons:
- Red spraypaint...our clients have friends and they talk, no one else uses Watchguard
- God help you if you don't have a current live security subscription
- I seem to have to reboot them more than the couple of ASA firewalls I manage
- Questionable hardware quality

In your responses, I don't care about how you hate the interface and logic of the WG, I already know it so it isn't a consideration.

Comments

  • Pash Member Posts: 1,600 ■■■■■□□□□□
    Go Juniper, go Netscreen/SSG. Failing that, yeah, ASAs.

    Ohh, and I hate the logic and interface for WG ;)
    DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
  • RTmarc Member Posts: 1,082 ■■■□□□□□□□
    I'm a Fortinet nutswinger so the FortiGate line will always get my vote.
  • NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    I personally am a huge Cisco fan. Their small business stuff really keeps the costs down and usually comes with some nice web interfaces to help keep the setup really simple. The problem is generally how large the company is, how many VPN tunnels you need, etc. If you do some hunting on their site you should be able to find a decent find. A big plus is everyone knows Cisco.

    You *could* look at Checkpoint as their stuff is really easy to manage and set up. Their costs are pretty low too. My biggest complaint with them is the support is terrible and costs a fortune depending on what you buy. Their management dashboard also takes a little getting used to.
  • brad- Member Posts: 1,218
    I was looking for a firewall a month or so ago. The ASA 5505 is about best for the lowest amount...depending on how many VPNs you want. The base amount is just under $400.
  • it_consultant Member Posts: 1,903
    I will need at least an ASA 5510 or ASA 5520 to handle the amount of traffic at this client. At that point Ciscos can get costly. Remember that with WG I get web filtering for next to nothing, while the web filtering modules in the Ciscos are quite expensive. I am partial to Junipers, but when I went to their website they only listed two Netscreen variations.

    Knowing the class of Cisco I would need, what type of Juniper or Fortinet should I compare?
  • Jack2 Member Posts: 153
    RTmarc wrote: »
    I'm a Fortinet nutswinger so the FortiGate line will always get my vote.

    I have managed a number of Fortinet Fortigate firewalls for years. They receive my vote also. :)
    WGU Courses Completed at WGU: CPW3, EWB2, WFV1, TEV1, TTV1, AKV1, TNV1| TSV1, LET1, ORC1, MGC1, TPV1, TWA1, CVV1, DHV1, DIV1, DJV1, TXP1, TYP1, CUV1, TXC1, TYC1, CJV1
    Classes Transferred: BAC1, BBC1, LAE1, LAT1, LUT1 ,1LC1, 1MC1, QLT1, IWC1, IWT1, INC1, INT1, SSC1, SST1, CLC1
    WGU Graduate - BSIT 2014
  • it_consultant Member Posts: 1,903
    I think this is the one I would like to get. I can get a DOCSIS card which is excellent because that client is on a 100 Meg DOCSIS 3 service.

    SRX240 Services Gateway - Dynamic Services Architecture - Juniper Networks
  • msteinhilber Member Posts: 1,480 ■■■■■■■■□□
    it_consultant wrote: »
    I think this is the one I would like to get. I can get a DOCSIS card which is excellent because that client is on a 100 Meg DOCSIS 3 service.

    SRX240 Services Gateway - Dynamic Services Architecture - Juniper Networks

    I manage an SRX240H and ~45 SRX100Bs, and once I got through a combination of some learning pains (first time with Juniper) and some oddities with features bundled in JUNOS, I'm pretty happy with them. The only real hangup I have as of yet with them that's somewhat annoying is the requirement of running a RADIUS server if you desire to use Dynamic-VPN. The most recent release (at least it was a couple weeks back or so) finally included the capability to assign a local IP address with Xauth, but we're not too keen on running the latest release on our production gear.

    Just something to keep in mind if they have the desire to utilize Dynamic-VPN and don't already have a RADIUS server present.
  • it_consultant Member Posts: 1,903
    I had never heard of a dynamic VPN before until you just mentioned it. This is NOT something that the Watchguard is capable of, and one of my principal complaints is that the SSLVPN client is just rebranded OpenVPN and a TAP driver. It is a really miserable piece of software.

    I can handle setting up a RADIUS server - I think this is very interesting...

    Dynamic VPN Overview - JUNOS Software Security Configuration Guide
  • millworx Member Posts: 290
    Personally I'm a big Cisco ASA fan, but depending on your needs, an ASA with IDS/IPS installed could get really pricey.

    If not Cisco, I'm also a HUGE HUGE fan of SonicWall. Being a VAR for them I've done so many setups with their firewalls. I personally find the Cisco ASDM to be confusing and more complicated than it needs to be. The SonicWall web interface is so easy to use. Setting up site-to-site or remote access VPNs is so simple, a few clicks really. And depending on the software licensing you buy, you can get IDS/IPS functionality for a fraction of the cost. Access lists, content filtering, etc. are so easy to set up too.

    Check them out. They have everything from simple SOHO boxes to enterprise solutions. Not to mention their support is pretty great too.
    Currently Reading:
    CCIE: Network Security Principals and Practices
    CCIE: Routing and Switching Exam Certification Guide
  • undomiel Member Posts: 2,818
    I like SonicWalls as well but I would have to give the caveat that their CLI support is a bit lacking. Some things you have to go into the GUI for which is a pain, especially for managing their filtering. If you're going to go for a GUI though I would say that SonicWall has the other ones beat in ease of use, and I have used all of the above mentioned products as well. Juniper's CLI I've found to be the most confusing to use and Watchguard's GUI the most irritating.
    Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
  • it_consultant Member Posts: 1,903
    I talked to the ol' boss and he was somewhat receptive to a different brand of firewall, but he doesn't want me to be the only one with expertise on the platform. Firewalls are firewalls; we should be able to muddle through with manufacturer guidance.

    SonicWalls are definitely NOT an option. Our company has had terrible experiences with them. I would say Cisco, but those are hard for people to figure out, so it kinda leaves Juniper as the only real option.
  • ajmatson Member Posts: 289
    it_consultant wrote: »
    I talked to the ol' boss and he was somewhat receptive to a different brand of firewall, but he doesn't want me to be the only one with expertise on the platform. Firewalls are firewalls; we should be able to muddle through with manufacturer guidance.

    SonicWalls are definitely NOT an option. Our company has had terrible experiences with them. I would say Cisco, but those are hard for people to figure out, so it kinda leaves Juniper as the only real option.

    What kind of experiences if you don't mind me asking?
    Working on currently:
    Masters Degree Information Security and Assurance (WGU) / Estimated 06/01/2016
    Next Up: CCNP Routing Exam | Certified Ethical Hacker Exam
    Cisco Lab: ASA 5506-X, GNS3, 1x 2801 Router, 1x 2650XM, 1x 3750-48TS-E switch, 2x 3550 EMI Switches and 1x 2950T switch.
    Juniper Lab: 1x SRX100H2, 1x J2320 (1GB Flash/1GB RAM, JunOS 11.4R7.5), and 4 JunOS Firefly vSRX Routers in VMWare ESXi 5.1
  • NightShade03 Member Posts: 1,383 ■■■■■■■□□□
    Also just want to throw out there... if you are looking to keep it cheap and decently easy to manage, you can also check out Vyatta Open Networking - Software-based Routing & Security - Open Alternative to Cisco

    I have seen a few of these implemented in small businesses lately.
  • it_consultant Member Posts: 1,903
    ajmatson wrote: »
    What kind of experiences if you don't mind me asking?

    Most of our bad experiences stem from setting up VPN tunnels to unlike devices. I have the same complaint with SonicWalls that I do with Watchguards: their performance seems pretty anemic when compared to the Junipers and Ciscos of the world.
  • hypnotoad Banned Posts: 915
    NightShade03 wrote: »
    Also just want to throw out there... if you are looking to keep it cheap and decently easy to manage, you can also check out Vyatta Open Networking - Software-based Routing & Security - Open Alternative to Cisco

    I have seen a few of these implemented in small businesses lately.

    Multi-functional Firewall Software - Open Source Content Filter & Spam Filter | Untangle.com - it's good for small business, not great for enterprise. I have 1000 users behind one. Very simple to set up and inexpensive. I wish it ran RIP or OSPF.
  • it_consultant Member Posts: 1,903
    I will only deploy mainstream and professionally supported firewalls at my clients. Even though they are a non-profit, they actually have the budget that will allow for a Juniper, even a Cisco if I make a really good sales pitch.
  • Ahriakin Member Posts: 1,799 ■■■■■■■■□□
    Actually, Untangle does have professional support available (directly and by 3rd parties). No HA though, which makes it harder to use in the enterprise. I use it at home, and had a small deployment a while back for web filtering a small section of our network.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?