Firewall recommendations
it_consultant
Member Posts: 1,903
in Off-Topic
Here is the story; my client needs to replace their Watchguard Core 1250e firewall with something that is newer and performs a little better. Normally I have no say in this and they would just end up with an XTM 510 because we are WG partners. However, for this client I am the complete boss of IT, so I may be able to wiggle in a different brand beneath their noses. The XTM 510 is the bar here, I use it at a couple of different clients so I will list the pros and cons as I see them:
Pros:
- Not that expensive for good overall performance
- WG helps set up and scans for PCI compliance (current 1250e is compliant)
- VPN tunnels are RIDICULOUSLY easy to set up
- Overall management extremely easy
- 1-1 NAT rules, port forwarding rules, etc easy enough for a child to set up
- Palo Alto LIKE application blocking
- We get priority tech support
Cons:
- Red spraypaint...our clients have friends and they talk, no one else uses Watchguard
- God help you if you don't have a current live security subscription
- I seem to have to reboot them more than the couple of ASA firewalls I manage
- Questionable hardware quality
In your responses, I don't care about how you hate the interface and logic of the WG, I already know it so it isn't a consideration.
Comments
Pash Member Posts: 1,600
Go Juniper, Go Netscreen/SSG. Failing that yeh ASA's.
Ohh and I hate the logic and interface for WG
DevOps Engineer and Security Champion. https://blog.pash.by - I am trying to find my writing style, so please bear with me.
RTmarc Member Posts: 1,082
I'm a Fortinet nutswinger so the FortiGate line will always get my vote.
NightShade03 Member Posts: 1,383
I personally am a huge Cisco fan. Their small business stuff really keeps the costs down and usually comes with some nice web interfaces to help keep the setup really simple. The problem is generally how large the company is, how many VPN tunnels you need, etc. If you do some hunting on their site you should be able to find a decent find. A big plus is everyone knows Cisco.
You *could* look at Checkpoint as their stuff is really easy to manage and setup. Their costs are pretty low too. My biggest complaint with them is the support is terrible and costs a fortune depending on what you buy. Their management dashboard also takes a little getting used to.
brad- Member Posts: 1,218
I was looking for a firewall a month or so ago. The ASA 5505 is about best for the lowest amount...depending on how many VPNs you want. The base amount is just under $400.
it_consultant Member Posts: 1,903
I will need at least an ASA 5510 or ASA 5520 to handle the amount of traffic at this client. At that point Ciscos can get costly. Remember that with WG I get web filtering for next to nothing while the web filtering modules in the Ciscos are quite expensive. I am partial to Junipers but when I went to their website they only listed two Netscreen variations.
Knowing the class of Cisco I would need, what type of Juniper or Fortinet should I compare?
Jack2 Member Posts: 153
RTmarc wrote: »I'm a Fortinet nutswinger so the FortiGate line will always get my vote.
I have managed a number of Fortinet Fortigate firewalls for years. They receive my vote also.
WGU Courses Completed at WGU: CPW3, EWB2, WFV1, TEV1, TTV1, AKV1, TNV1| TSV1, LET1, ORC1, MGC1, TPV1, TWA1, CVV1, DHV1, DIV1, DJV1, TXP1, TYP1, CUV1, TXC1, TYC1, CJV1
Classes Transferred: BAC1, BBC1, LAE1, LAT1, LUT1 ,1LC1, 1MC1, QLT1, IWC1, IWT1, INC1, INT1, SSC1, SST1, CLC1
WGU Graduate - BSIT 2014
it_consultant Member Posts: 1,903
I think this is the one I would like to get. I can get a DOCSIS card which is excellent because that client is on a 100 Meg DOCSIS 3 service.
SRX240 Services Gateway - Dynamic Services Architecture - Juniper Networks
msteinhilber Member Posts: 1,480
it_consultant wrote: »I think this is the one I would like to get. I can get a DOCSIS card which is excellent because that client is on a 100 Meg DOCSIS 3 service.
SRX240 Services Gateway - Dynamic Services Architecture - Juniper Networks
I manage a SRX240H and ~45 SRX100B's and once I got through a combination of some learning pains (first time with Juniper) and some oddities with features bundled in JUNOS I'm pretty happy with them. The only real hangup I have as of yet with them that's somewhat annoying is the requirement of running a RADIUS server if you desire to use Dynamic-VPN. The most recent release (at least it was a couple weeks back or so) finally included the capability to assign a local IP address with Xauth but we're not too keen on running the latest release on our production gear.
Just something to keep in mind if they have the desire to utilize Dynamic-VPN and don't already have a RADIUS server present.
it_consultant Member Posts: 1,903
I had never heard of a dynamic VPN before until you just mentioned it. This is NOT something that the Watchguard is capable of and one of my principal complaints is that the SSLVPN client is just rebranded OpenVPN and a TAP driver. It is a really miserable piece of software.
I can handle setting up a RADIUS server - I think this is very interesting...
Dynamic VPN Overview - JUNOS Software Security Configuration Guide
millworx Member Posts: 290
Personally I'm a big Cisco ASA fan, but depending on your needs, an ASA with IDS/IPS installed could get really pricey.
If not Cisco, I'm also a HUGE HUGE fan of SonicWall. Being a VAR for them I've done so many setups with their firewalls. I personally find the Cisco ASDM to be confusing and more complicated than it needs to be. The SonicWall web interface is so easy to use. Setting up site to site, or remote access VPNs is so simple, a few clicks really. And depending on the software licensing you buy, you can get IDS/IPS functionality for a fraction of the cost. Access lists, content filtering, etc are so easy to set up too.
Check them out. They have everything from simple SOHO boxes to enterprise solutions. Not to mention their support is pretty great too.
Currently Reading:
CCIE: Network Security Principles and Practices
CCIE: Routing and Switching Exam Certification Guide
undomiel Member Posts: 2,818
I like SonicWalls as well but I would have to give the caveat that their CLI support is a bit lacking. Some things you have to go into the GUI for which is a pain, especially for managing their filtering. If you're going to go for a GUI though I would say that SonicWall has the other ones beat in ease of use, and I have used all of the above mentioned products as well. Juniper's CLI I've found to be the most confusing to use and Watchguard's GUI the most irritating.
Jumping on the IT blogging band wagon -- http://www.jefferyland.com/
it_consultant Member Posts: 1,903
I talked to the ol' boss and he was somewhat receptive to a different brand of firewall but he doesn't want me to be the only one with expertise on the platform. Firewalls are firewalls, we should be able to muddle through with manufacturer guidance.
SonicWalls are definitely NOT an option. Our company has had terrible experiences with them. I would say Cisco but those are hard for people to figure out, so it kinda leaves Juniper as the only real option.
ajmatson Member Posts: 289
it_consultant wrote: »I talked to the ol' boss and he was somewhat receptive to a different brand of firewall but he doesn't want me to be the only one with expertise on the platform. Firewalls are firewalls, we should be able to muddle through with manufacturer guidance.
SonicWalls are definitely NOT an option. Our company has had terrible experiences with them. I would say Cisco but those are hard for people to figure out, so it kinda leaves Juniper as the only real option.
What kind of experiences if you don't mind me asking?
Working on currently:
Masters Degree Information Security and Assurance (WGU) / Estimated 06/01/2016
Next Up: CCNP Routing Exam | Certified Ethical Hacker Exam
Cisco Lab: ASA 5506-X, GNS3, 1x 2801 Router, 1x 2650XM, 1x 3750-48TS-E switch, 2x 3550 EMI Switches and 1x 2950T switch.
Juniper Lab: 1x SRX100H2, 1x J2320 (1GB Flash/1GB RAM, JunOS 11.4R7.5), and 4 JunOS Firefly vSRX Routers in VMWare ESXi 5.1
NightShade03 Member Posts: 1,383
Also just want to throw out there...if you are looking to keep it cheap and decently easy to manage you can also check out Vyatta Open Networking - Software-based Routing & Security - Open Alternative to Cisco
I have seen a few of these implemented in small business lately.
it_consultant Member Posts: 1,903
ajmatson wrote: »What kind of experiences if you don't mind me asking?
Most of our bad experiences stem from setting up VPN tunnels to unlike devices. I have the same complaint with SonicWalls that I do with Watchguards - their performance seems pretty anemic when compared to the Junipers and Ciscos of the world.
hypnotoad Banned Posts: 915
NightShade03 wrote: »Also just want to throw out there...if you are looking to keep it cheap and decently easy to manage you can also check out Vyatta Open Networking - Software-based Routing & Security - Open Alternative to Cisco
I have seen a few of these implemented in small business lately.
Multi-functional Firewall Software - Open Source Content Filter & Spam Filter | Untangle.com - it's good for small business, not great for enterprise. I have 1000 users behind one. Very simple to set up and inexpensive. I wish it ran RIP or OSPF.
it_consultant Member Posts: 1,903
I will only deploy mainstream and professionally supported firewalls at my clients. Even though they are a non-profit, they actually have the budget that will allow for a Juniper, even a Cisco if I make a really good sales pitch.
Ahriakin Member Posts: 1,799
Actually Untangle does have professional support available (directly and by 3rd parties). No HA though which makes it harder to use in the enterprise. I use it at home, and had a small deployment a while back for web filtering a small section of our network.
We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?