Hey guys,

I would like your opinion on the subject of Hardware Firewalls.

I have been tasked to buy one for our company but since i have never bought one before, i would like to make sure i make a good investment by getting something good that serves our purpose.

I looked at about a dozen different types, different brands (Cisco, Dell, Barracuda, etc), different price ranges to see where we would possibly fit in.

Some info on the company it is for:
Small company, one server, 8 workstations, nothing top secret to protect, no trade secrets, but sensitive and confidential client information to protect.

Having said that, from my search it looked like something in the range of $500 to $2000 would be sufficient for us. But then again, like i said, i don't know much about these, so maybe it’d be worth spending some more money. I prefer not to set a budget here to see what opinions you guys have on it based on the size of the company and type of information we are protecting.

We'd be interested in something that would support VPN, VoIP, NAT, DMZ, with an IPS/IDS.

Any thoughts on what I should be looking for or what the best investment would be?

Thanks!

Knb15

I looked at Astaro a couple of years back and they were pretty well on it.  The price range was about what you were looking for and they had all the features we needed:

http://www.astaro.com/solutions/network-security

Best of all, at the time they had a VMware appliance you could test drive and see if you liked the interface.  It's Linux based which was a real plus.  We ended up going with an ASA due to factors outside of my control (but cost more $$).

Thanks for the initial responses. I checked out your suggestions and may have two or three in my sights.

2 Questions:
1. Does a HW firewall come with an IPS/IDS or are they just "IPS/IDS" supported, and the admin has to add it to the HW firewall later?

2. Is there a way to determine whether a firewall either supports an IDS/IPS and/or whether it comes with it, if it does not explicitly say so in the specs?

The reason i ask is because for some of these i only see "IPS supported" for example, but no mention of IDS. So i was wondering if it supports one it also automatically supports the other, or maybe it doesn't work that way.

Solid?! Solid maybe for small businesses. There is a saying you get what you pay for.


I managed a bucketload of firewalls and Fortinet, Sonicwall, Watchguard are among the worst I've had to deal with for many issues. To be quite fair about this, I have a Fortinet installed on my LAN for my LAN administrators (not my choice).

This is what's currently got in house to me: (sorry for the blur... Crackberry)

SSG20, NS204's (lab)
http://www.infiltrated.net/ehnet/IMG00014-20100917-1033.jpg

Stonesoft Stonegate SG1100 x2
http://www.infiltrated.net/ehnet/IMG00013-20100917-1033.jpg

Stonesoft Stonegate SG1100
http://www.infiltrated.net/ehnet/IMG00012-20100917-1033.jpg

Checkpoint + Sofware (separate boxes)
http://www.infiltrated.net/ehnet/IMG00011-20100917-1032.jpg

Sonicwall + Sonicwall's Remote Access
http://www.infiltrated.net/ehnet/IMG00010-20100917-1032.jpg

Fortigate 620b
http://www.infiltrated.net/ehnet/IMG00009-20100917-1032.jpg

Management wise, I can state over 20 SSG's in all forms, Sonicwall, Borderware, ASA, PIX, Sidewinder, Fortinet, Watchguard, etc. I use them all almost on a daily basis... Fortinet = horrible. If I had to rank them on:

FUNCTIONALITY
SSG
Stonegate
Borderware (pre Watchguard assimilation)
ASA/Pix
Checkpoint
Sidewinder (pre McAffee assimilation)
Sonicwall
Fortinet
Watchguard

Price
SSG
Stonegate
ASA/Pix
Sidewinder (pre McAffee assimilation)
Sonicwall
Checkpoint

Ease of use on CLI
SSG
ASA/Pix
Stonegate has no CLI

Ease of use on GUI
SSG
Stonegate
Checkpoint
Sonicwall
Fortinet
ASA/Pix
Watchguard

Small businesses (my recommendation to sites with under 50 devices)
SSG 5/20
Sonicwall
ASA/Pix
Watchguard

SMB's (50-200)
SSG
Stonegate
ASA/Pix
Checkpoint
Sidewinder (pre McAffee assimilation)

Big Boys/Big Toys (large companies)
Palo Alto 40xx (4020 )
SSG 520's
Stonegate SGxx
Sidewinder (pre McAffee assimilation)
ASA
Checkpoint

Thanks again for the replies.

Based on Sil's and Hordakk's post, it seems like the Juniper SSGs would be a good choice.

I am going to check them out tomorrow at work.

You're quite right. In fact here is a comparison with the links for validation. Keep in mind, I never pay list on anything anyway. Even with my vendors Fortinet works out to be higher not to mention support... Non existent. At least I can buy same day support for Juniper and save myself a headache:

Fortinet 620B $20,848.00
http://www.shopping.com/xPO-Fortinet-Inc-FORTIGATE-620B-PREM-COMPLETE

Key Features
Connectivity: Wired
Firewall Features: Intrusion Prevention, Antivirus Filtering

Performance
Clear Text Throughput: 16000 Mbps
VPN Throughput: 12000 Mbps
Concurrent Connections: 600000

Protocols
Transport Protocol    IPSec

VPN
VPN Tunnels: 20000
Included Licenses: Unlimited Users


Juniper Networks SSG 550M $8,316.00
http://www.shopping.com/xPO-Juniper-Networks-SSG-550M-Firewall-IPSec-VPN-Security-Appliance

Key Features
Connectivity: Wired
Firewall Features: Stateful Packet Inspection (SPI), DoS Prevention, URL Filtering, Spyware Filtering
NAT Support: Policy based, PAT, NAT Traversal

Performance
Clear Text Throughput: 1024 Mbps
VPN Throughput: 500 Mbps
Concurrent Connections: 128000
Installed RAM: 1 GB

Ports
LAN Ports: 4

Protocols
Transport Protocol: IPSec, L2TP, NetBEUI/NetBIOS, PPPoE
Routing Protocols: OSPF, RIP Version 1, RIP Version 2, BGP, Static Routing
DHCP Support: Client, Server, Relay
Remote Management Protocol: SNMP, HTTP, Telnet, SNMP 2, HTTPS

VPN
Authentication: RADIUS, XAUTH, RSA SecurID, LDAP, Secure Shell (SSH)
Encryption Standards: DES, 3DES, AES, MD5, IKE, SHA-1
VPN Tunnels: 1000
Included Licenses: Unlimited Users


Juniper High to low
Highest: $14,250.00
http://www.google.com/products?q=ssg+520m&oe=utf-8&client=firefox-a&scoring=pd


Fortinet 620b
Highest: $50,358.92 refurbished
http://www.google.com/products?q=fortinet+620b&scoring=pd

Don't get me wrong, Fortinet is ... "eh", I'd use it before Sonicwall and Watchguard (haven't seen them post Secure Computing purchase) but they're not all that. Not to mention when you get into the managed space, nothing beats NSM.

Need more?

http://www.austinnetworking.com/assets/SSG350M_vs_fortinet400A.pdf

Let's also not forget I can do routing if I choose with my Junipers and throw on all kinds of modules:

Fortinet
Maximum Firewall Throughput     16 Gbps (base) 20 Gpbs w/AMC
Maximum IPSec VPN Throughput    12 Gbps (base) 15 Gpbs w/AMC
Maximum Antivirus Throughput    350 Mbps
Maximum IPS Throughput    1 Gbps
Maximum Concurrent Sessions    1,000,000
Network Interfaces    20 Copper GigE 10/100/1000 Base-T 4 GigE SFP w/AMC
AMC expansion bays    1 single-width


Juniper
ScreenOS 6.2
Firewall Perf (Large Packets) 1+ Gbps
Firewall Performance (IMIX) 1 Gbps
Firewall Packets Per Second 600,000 PPS
3DES+SHA-1 VPN Perf 600 Mbps
Concurrent VPN Tunnels 1,000
Max Concurrent Sessions 256,000
New Sessions/Second 15,000
Max Security Policies 4,000
Max Security Zones 60
Max Virtual Routers 16
Max Virtual LANs 150
Fixed I/O 4x10/100/1000
Physical Interface Module (PIM) Expansion Slots 2
Enhanced PIM (EPIM) Expansion Slots 4
Convertible to JUNOS Yes

Notice: Convertible to JUNOS Yes which means at the end of the day, I can toss the router (and the cost of it) away something Fortinet is not capable of. But alas, you're right to each their own.

I had no idea Dell made firewalls.  From experience with their switches, the interface and language seems to be pretty similar to Cisco's.  I am guessing they license the code.  The boxes and hardware are significantly different.  I like Dell's support much better than Cisco's.  I am not a big fan of rebranded hardware, but I do like Dell's support. 

Obviously you and Sil have had different experiences with the Fortinet products than have I.  We used quite a few (~50-60), mostly in the 60/60b/80c range with a few 300 as well.  We did not have much trouble out of them and often did not run bleeding edge code on them.  We did use IPSEC and SSLVPN without issue, and yes, the missing GUI for mac reservations was irritating, but not a show-stopper.

They also support routing, up to and including BGP (though I can say I never used BGP on one since ours were too small).  OSPF and RIP worked perfectly, though.  We used them for nearly all of our non-core routing without issue at our WAN sites.

All that being said, we also used a SA4500 SSLVPN from Juniper that was far ahead of Fortinet's SSLVPN offering.  That would stand to reason, though, since Fortinet's was  bolt-on to list a feature (though it was quite usable for small implementations).

Fortinet support was not so good, but to be honest, we rarely had reason to call them.  Support is definitely a weakness for them that they will have to work on in order to improve market share.  Additionally, I think QA in their software side is next in line to get spanked if they do not improve.

In my experience, for the products we were purchasing, Juniper could not compete on a bang-for-the-buck comparison.  When we demoed Fortinet initially, we compared them to the Pixs and the NetScreens (now Juniper) and chose them due to simplicity and cost (and I really do not like Cisco products outside of routers for the most part).  As I stated before, each to his/her own.