Small office firewall/vpn/security appliance

Posted by CCMiami on September 24, 2005, 11:55 am
We are setting up a new office network and would like some advice/experience
on firewalls. I have looked at the messages but am still confused :)



Today we have a single external connection (business cable 2/4) but may want
to expand with a backup. There will be 2-3 externally visible servers with
their own IP and a small LAN - 15 users. We need VPN access (10 licenses)
to the servers for external users. We will probably set up the internal lan
using a "store" router for NAT but could also use the firewall's NAT. We
would like (of course) as much protection as we can get - including
intrusion, VP. The degree of "inspection" on the firewall is important but
it is hard to see around the marketing. I expect to set up some wireless,
but using a separate access point - we will also set up a "guest" wireless
(possibly outside the firewall). We also want to make sure we can still use
applications - FTP, Netmeeting, etc.



It is even hard to tell what these things really cost when you get the
protection packages. I have listed what I THINK they cost. Questions I
have are;

- Stability

- Degree of protection

- Speed

- Expected life/upgrades

- Support for multiple IP addresses and routing

- Real cost

- Complexity to admin (Tech users but no dedicated support)

- Marketplace position

- Support



We are looking at;

Checkpoint Safe@office 225 Comprehensive security $1230 ($180 per year)

-- Or perhaps VPN-1 Edge, seems similar

-- Best "deep inspection"?

-- Market leader?



Juniper NetScreen 5GT Extended $1100

-- Well respected, solid



Fortigate 60 all in one security bundle $800 ($350/year)

-- Fast but may have more limited protection? Hard to upgrade due to
hardware?

-- No user limits

-- Best deal and good rep, But not much of a market leader?



SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (May be
more hidden $)

-- But it looks like VPN clients are $30/each, so add $300!

-- Hints of stability problems.

-- Market leader?



Cisco PIX 501

-- Seems to lag the others



We would really appreciate thoughts and experience!




Posted by Duane Arnold on September 24, 2005, 5:31 pm


You may want to check out Watchguard and Snapgear too.

Duane :)


Posted by Somebody. on September 25, 2005, 1:27 am

> We are setting up a new office network and would like some advice/experience
> on firewalls. I have looked at the messages but am still confused :)
>
>
>
> Today we have a single external connection (business cable 2/4) but may want
> to expand with a backup. There will be 2-3 externally visible servers with
> their own IP and a small LAN - 15 users. We need VPN access (10 licenses)
> to the servers for external users. We will probably set up the internal lan
> using a "store" router for NAT but could also use the firewall's NAT. We
> would like (of course) as much protection as we can get - including
> intrusion, VP. The degree of "inspection" on the firewall is important but
> it is hard to see around the marketing. I expect to set up some wireless,
> but using a separate access point - we will also set up a "guest" wireless
> (possibly outside the firewall). We also want to make sure we can still use
> applications - FTP, Netmeeting, etc.
>
>
>
> It is even hard to tell what these things really cost when you get the
> protection packages. I have listed what I THINK they cost. Questions I
> have are;
>
> - Stability
>
> - Degree of protection
>
> - Speed
>
> - Expected life/upgrades
>
> - Support for multiple IP addresses and routing
>
> - Real cost
>
> - Complexity to admin (Tech users but no dedicated support)
>
> - Marketplace position
>
> - Support
>
>
>
> We are looking at;
>
> Checkpoint Safe@office 225 Comprehensive security $1230 ($180 per year)
>
> -- Or perhaps VPN-1 Edge, seems similar
>
> -- Best "deep inspection"?
>
> -- Market leader?
>
>
>
> Juniper NetScreen 5GT Extended $1100
>
> -- Well respected, solid
>
>
>
> Fortigate 60 all in one security bundle $800 ($350/year)
>
> -- Fast but may have more limited protection? Hard to upgrade due to
> hardware?
>
> -- No user limits
>
> -- Best deal and good rep, But not much of a market leader?


I work rather heavily with Fortigates, deploying them in front of small
offices, branch offices, head offices, very large enterprises, universities,
school boards, hospitals.

Their protection is very good -- they can reassemble and scan through data
in hardware enabling them to Antivirus and IPS at very good speed while
still using comparatively simple (ie reliable) hardware. A 60 for example
has Internal, WAN1, WAN2, DMZ interfaces, but no moving parts. The only
failures I've seen in thousands of units is the odd dead port, which occurred
in the field most likely via user error. And in that same box it does full
firewall, software or site-to-site VPN, 1300 Intrusion Protections,
web/mail/ftp AntiVirus, SPAM filtering, Content filtering, and web Category
blocking (ie, stop porn/gambling/etc).

They don't upgrade -- but neither do most any other ones in the roundup I
bet, unless they artificially limit themselves in the first place and
"upgrade" by removing the limit, or by putting in an expansion card to make
up for hardware deficiencies to start with. Do you really need to upgrade
from a 70Mbps firewall? All Fortigates come with no user limits, no
per-user fees, on anything except for software VPN clients which are very
cheap. They run like champs right up to their limits. I've got big
Fortigate boxes doing IPS at Gig speeds and AV at hundreds of megs. The 60
has complete internal (or even external) logging and packet sniffing and can
even be set up as an HA pair.

The 60 has been around for 2 years, and it's been through the last 2 major
code updates (2.5, 2.8) and will soon run the 3.0 code which will add even
more neat tricks to it -- unfortunately I can't tell you what under my NDA
Beta agreement, but I have live Beta code that I've seen, and it's very
cool. The thing is the hardware is so flexible they can add new
capabilities to it readily... the 60 today does all sorts of neat things
that it didn't do when I first saw it, due to new code using the flexible
ASIC chips on board.

I've done lots of NetScreen too, they're very solid boxes indeed. But they
got away from their bread-and-butter ASIC design with the 5GT -- the AV and
DI components are implemented in software, so the performance of those bits
can't touch the FG.

I've put in lots of Fortigates and I work with them every day along with
lots of NetScreen and a handful of other things. Let me tell you, I think
they're awesome. The fact that they're also a great deal to me is
astounding.

-Russ.




Posted by Mark on September 29, 2005, 9:35 pm
> We are setting up a new office network and would like some
> advice/experience on firewalls. I have looked at the messages but am
> still confused :)
>
>
>
> Today we have a single external connection (business cable 2/4) but may
> want to expand with a backup. There will be 2-3 externally visible
> servers with their own IP and a small LAN - 15 users. We need VPN access
> (10 licenses) to the servers for external users. We will probably set up
> the internal lan using a "store" router for NAT but could also use the
> firewall's NAT. We would like (of course) as much protection as we can
> get - including intrusion, VP. The degree of "inspection" on the firewall
> is important but it is hard to see around the marketing. I expect to set
> up some wireless, but using a separate access point - we will also set up
> a "guest" wireless (possibly outside the firewall). We also want to make
> sure we can still use applications - FTP, Netmeeting, etc.
>
>
>
> It is even hard to tell what these things really cost when you get the
> protection packages. I have listed what I THINK they cost. Questions I
> have are;
>
> - Stability -> Very Stable
>
> - Degree of protection -> AV signature set is an in the wild (not a bad
> option as the Netscreen AV kills the CPU with its "full" set), IPS is
> good, antispyware is good
>
> - Speed -> if you turn all services on combined throughput can drop to
> around 5-10Mbps
>
> - Expected life/upgrades -> I would expect a new model out next year
>
> - Support for multiple IP addresses and routing -> OPT port, get the
> Enhanced OS if you can
>
> - Real cost -> Bundle is good, it includes Gateway AV, IPS, Antispyware,
> Content Filtering, and Viewpoint Reporting. GAV/IPS/AS, CF require 2nd
> year renewals
>
> - Complexity to admin (Tech users but no dedicated support) - Easy, nice
> GUI, enhanced OS is a bit daunting to newbies because it does so much
>
> - Marketplace position - Top of this segment
>
> - Support - pretty good (that bundle includes 1 Year 8x5)
>
>
> SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (May
> be more hidden $)
>
> -- But it looks like VPN clients are $30/each, so add $300! < BIG NOTE:
> SonicWALL's GVPN Clients are licensed to the firewall and CONCURRENT
> licenses, not seat based. So if you have 10 users but only 3 at one time
> will be using the VPN you only need 3 licenses (but can install it as much
> as you like).
>
> -- Hints of stability problems. -> They had some minor issues with 3.0
> early on, 3.1 is very stable.
> -- Market leader? Yup. Only real competition is Juniper/Netscreen &
> Fortigate. They are having problems expanding their IPS on the 5GTs, the
> CPU can't handle it. Their gateway AV absolutely kills the CPU, no
> antispyware, and to go fully zoned is bloody expensive. Fortigate's in the
> crap because they stole some of their code, they got spanked in court. The
> 1st Gen of the model you listed crapped out when you enabled AV and they
> are going backwards fast. Fortinet's long term $$$$ stability is in
> question. Neither Cisco nor Checkpoint get off the starting grid with their
> lack of features.






Posted by on October 1, 2005, 1:52 pm
I can't advise you on hardware firewall, but you also need a software
"firewall" for the out direction. Why not try AppWall, a very good
shareware app: electronicscomputing.com

Kelly

> We are setting up a new office network and would like some
> advice/experience on firewalls. I have looked at the messages but am
> still confused :)
>
>
>
> Today we have a single external connection (business cable 2/4) but may
> want to expand with a backup. There will be 2-3 externally visible
> servers with their own IP and a small LAN - 15 users. We need VPN access
> (10 licenses) to the servers for external users. We will probably set up
> the internal lan using a "store" router for NAT but could also use the
> firewall's NAT. We would like (of course) as much protection as we can
> get - including intrusion, VP. The degree of "inspection" on the firewall
> is important but it is hard to see around the marketing. I expect to set
> up some wireless, but using a separate access point - we will also set up
> a "guest" wireless (possibly outside the firewall). We also want to make
> sure we can still use applications - FTP, Netmeeting, etc.
>
>
>
> It is even hard to tell what these things really cost when you get the
> protection packages. I have listed what I THINK they cost. Questions I
> have are;
>
> - Stability
>
> - Degree of protection
>
> - Speed
>
> - Expected life/upgrades
>
> - Support for multiple IP addresses and routing
>
> - Real cost
>
> - Complexity to admin (Tech users but no dedicated support)
>
> - Marketplace position
>
> - Support
>
>
>
> We are looking at;
>
> Checkpoint Safe@office 225 Comprehensive security $1230 ($180 per year)
>
> -- Or perhaps VPN-1 Edge, seems similar
>
> -- Best "deep inspection"?
>
> -- Market leader?
>
>
>
> Juniper NetScreen 5GT Extended $1100
>
> -- Well respected, solid
>
>
>
> Fortigate 60 all in one security bundle $800 ($350/year)
>
> -- Fast but may have more limited protection? Hard to upgrade due to
> hardware?
>
> -- No user limits
>
> -- Best deal and good rep, But not much of a market leader?
>
>
>
> SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (May
> be more hidden $)
>
> -- But it looks like VPN clients are $30/each, so add $300!
>
> -- Hints of stability problems.
>
> -- Market leader?
>
>
>
> Cisco PIX 501
>
> -- Seems to lag the others
>
>
>
> We would really appreciate thoughts and experience!
>
>



