Opinions about firewalls and VPN

I currently have WatchGuard firewalls and IPSec tunnels between them and the other WatchGuard firewalls. We also have remote users VPN into the firewall for access to our network. Our firewalls are fine but we haven't been that happy with the support over the last 5 or so years. We are joining together with another company that is similar to ours and they use SonicWall and some other things that are also getting a bit older. We'd like to take this time and get everyone on the same page and I am starting here to see what you think. Perhaps a good article about the new Cisco ASA being the best option for firewall/VPN together or maybe your current setup that is working very well. My main concern is probably having a great firewall with hopefully built in VPN capability for remote users and IPSec tunnels between the offices. Anything you want to share is greatly appreciated. Thank you, Kevin We
ASKED: June 21, 2006  9:56 AM
UPDATED: June 28, 2006  10:09 AM

Answer Wiki


First, older does not mean that it can't do the job. If they have been using it for years, they should be well trained with this software.

Second, changing over to a new system may provide better protection but both companies will have to learn the new software.

Just a couple of things to consider.

Discuss This Question: 12  Replies

  • Astronomer
    Kevin; What issues have you had that required support? I have worked with a variety of firewalls. While they vary in flexibility and ease of management, all of the modern stateful firewalls tend to have similar capabilities. The GUI based firewalls are easy for beginners but tend to restrict what can be done. The command line firewalls tend to be considerably more flexible. We currently use PIX and OpenBSD. The PIX has a nice GUI but I still had to do some things from the command line to make it work for our environment. The PIX requires many more lines than the BSD because its interface limits what you can do. The BSD on the other hand is user hostile in a way that only an old unix hack would love. I have run into similar experiences with linux firewalls. The iptables command set allows nearly anything needed by a firewall (the only thing it didn't have that I wanted when we built our DMZ was stateful failover), but most of the GUIs that get wrapped around it severely restrict what can be accomplished. When I first planned our firewall I looked at ISA but rejected it immediately because it wasn't designed for an environment as complex as ours. It would have been fine for home or small office use. I have heard that the newer version will now accommodate the needs of a medium size organization like ours but I haven't checked since our infrastructure is already in place. The only unresolved issue we currently have with our firewalls is FTP. The PIX has the standard FTP fixup applied but it still doesn't work with many external FTP servers. Because it's on the inside, this is where FTP proxying is done in our setup. As for VPNs, we are using the PIX. It uses RADIUS from our domain controllers to authenticate the users. We have had minimal problems with this arrangement. I believe nearly any VPN server that can use RADIUS to integrate with Active Directory would be a reasonable solution for external user connections. We don't have site to site VPNs but it seems clear that IPsec is mature enough to allow most devices to interoperate. So my conclusion is: There is no "best firewall". It depends on your needs and the abilities of your people. Firewalling our environment required more flexibility than the GUIs allowed but the support staff are much more comfortable managing a GUI. As a result we use the more secure BSD firewall on the outside mostly to restrict the incoming traffic (these rules don't change often and are replicated in the PIX). The outgoing rules that change significantly more rapidly are done with the PIX GUI. Look closely at your needs and abilities and see how this maps to the capabilities of the firewall. Take the manufacturers' propaganda with a grain of salt. rt
    15 points
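The FTP trouble rt describes (a stateful firewall with the standard FTP fixup that still breaks against some external servers) comes down to what the fixup, or ALG, must do: read the control channel, pull the address and port out of a `PORT` command or a `227` reply, and open a pinhole for the separate data connection. The block below is an added illustration, not code from any poster or vendor; the sample lines, the addresses and the function names are constructed for it.

```python
import re

# Constructed sample control-channel lines, as a stateful firewall with an
# FTP fixup/ALG would see them on TCP port 21 (assumed addresses, RFC 5737 space).
ACTIVE_SAMPLE = b"PORT 10,0,0,5,4,1\r\n"                                # client -> server
PASSIVE_SAMPLE = b"227 Entering Passive Mode (203,0,113,10,195,80).\r\n"  # server -> client

# PORT and 227 both carry h1,h2,h3,h4,p1,p2: four address octets and a 16-bit port.
_ADDR = re.compile(rb"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_ftp_endpoint(line: bytes):
    """Return (mode, ip, port) for a PORT command or a 227 reply, else None."""
    if line.startswith(b"PORT "):
        mode = "active"
    elif line.startswith(b"227"):
        mode = "passive"
    else:
        return None
    m = _ADDR.search(line)
    if m is None:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None  # malformed; an ALG must not open a pinhole on garbage
    return mode, f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for(line: bytes, client_ip: str, server_ip: str):
    """Describe the data connection the firewall must allow for this line.

    Active: the server connects from port 20 to the port the client advertised.
    Passive: the client connects to the port the server advertised.
    addr_mismatch is True when the advertised address is not the peer the
    firewall actually sees (typical behind NAT); the fixup then has to rewrite
    the payload as well, which is where many interop failures come from.
    """
    parsed = parse_ftp_endpoint(line)
    if parsed is None:
        return None
    mode, ip, port = parsed
    if mode == "active":
        expected, src, sport = client_ip, server_ip, 20
    else:
        expected, src, sport = server_ip, client_ip, "any"
    return {"mode": mode, "src": src, "sport": sport, "dst": ip, "dport": port,
            "addr_mismatch": ip != expected}
```

A fixup can only do this when it can read the control channel; once the control connection is encrypted (FTP over TLS) the parsing above is impossible, and the data connection fails unless the pinhole is configured by hand.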
  • Kevins74
    In this situation it has been me that has been using/configuring the WatchGuard firewalls. They have been fairly solid over the years and for the most part user friendly, but when it comes to their tech support it is less than desirable. Since the firewall is a key component of our infrastructure, opening a ticket and waiting for a reply or waiting for a call back really isn't an option. I know we can pay more for the better support, but I should be able to call in with normal tech support problems without the run around. There are also limitations we have come across over the years that make using the WG an issue. (Can't drop a problem VPN user without rebooting the firewall, can't NAT Polycom public IP down to internal IP, every update, patch, etc. causes major issues, if you keep updating your config file, eventually they use that as an excuse for your problem and ask you to rebuild the config file from scratch, until you say no way and then they look harder for an answer.) That type of stuff I am tired of. We are at a point where we can continue buying WatchGuard and get the latest and greatest or we can find something better for our situation. This is just me looking at some other options. We have thought about the Cisco ASA 5500 which basically replaces the PIX and VPN concentrator, but also acts as an IPS and even anti virus. The command line is something we want to stay away from, so the GUI has got to be good. An article I just read said the GUI for that new Cisco ASA was still lacking... The problem is, we all want to be on the same page. One firewall brand (easier to maintain and troubleshoot), one way to VPN in for remote users.
    0 points
  • Imazing
    In my experience the PIX firewall has held up great. At my last company we had the PIX 515 UR doing site to site and client VPN, 3 DMZs set up, site to site IP connection, 150 Internet users. I never had to reboot it; my config changed at least 3 times a year. Cisco support was always excellent and I feel reasonably priced. The only thing I can't confirm is the GUI interface; I have always used the command line interface. I always highly recommend the PIX line of firewalls. I also had experience trying to help my parent company with their WatchGuard firewall; it was fine with any easy config, but when it started to get complicated the WG firewall didn't like it and I thought support was also terrible. They ended up going with the PIX also. Good Luck
    0 points
  • Stevesz
    I've worked with a number of firewalls, WatchGuard and SonicWall among them. I have found the support from WatchGuard to be very good. They have always called back fairly quickly, and I can do other things other than wait on the phone on hold. There was a SonicWall a company had that they let the support contract run out on. It was cheaper to get a new firewall rather than get the support renewed so the problem with the firewall could be resolved, and that was what they did, but from another vendor. Whatever you do, it will not be an easy path to get everyone on the same page. There are no migration paths or conversions to easily transfer firewall settings from one brand to another, so any new firewall that replaces one from another vendor will require configuration from the ground up. I do like the WatchGuards for their ease of configuration. If you go with PIX, and have Exchange servers, there is a special configuration you need to implement to allow mail traffic through--no biggie, but I know it has tripped up a lot of Exchange installations. I've only worked with lower end 3COM firewalls, so I can't really say much about them. The SonicWalls seem to have a problem dropping licensed connections after the computers have been disconnected from them, and you eventually run out of licenses--never have gotten a fix for that from SonicWall, so those installations get rebooted on a regular basis.
    2,015 points
  • Yogeshrane
    You could look at the Nortel range of products for VPN boxes. The C2700 can support up to 200 odd tunnels while the end-user CPE can be a C100 which is a 6/8 port L2 switch combined with the VPN box. Alternatively you can use Cisco at the end-user side.
    0 points
  • Idyllicsys
    I have worked with SonicWalls for many years. The license issue has been solved with the current models. If you are looking at a new one, you have the option of blocking spyware and viruses, as well as using their intrusion prevention system to stop incoming threats. I use one for my data center and have quite a few site to site VPNs. Never had an issue that could not be solved.
    0 points
  • TheVyrys
    I too have worked with SonicWall, but only with the model we have - PRO 200. It is seemingly a good product, but no better than any decent firewall...... however SonicWall themselves have p i s s e d me off. They are discontinuing support for some of their products, but not before raising the hell out of their price for support. Then they go on to tell you that their products may not be providing the protection that is needed. So in a sense they are saying, hey, you can use our product that you paid us good money for, but we must charge the crap out of you again....but they really don't work. HOWEVER, if you buy something else from them, all your problems are mysteriously solved, except we must charge you again......and again...... a great strategy to screw over even their faithful customers. Good luck talking to an American also. Goodbye SonicWall.....
    0 points
  • BHawthorne
    There are a couple of pieces of information missing before a recommendation can be made: 1. What is your bandwidth and utilization like? 2. How many concurrent VPN tunnels are you looking to have? With that said, a couple of comments: Both WatchGuard and SonicWall seem to do a good job for the cost. They are easy to manage, easy to configure, and very cost effective if their feature sets fit your needs. If you are a smaller organization, these are still boxes to seriously consider. The Cisco equipment is not as easy to configure nor manage. Often it is just plain not easy. The skill/knowledge, and just patience, required can be high. It has many great features, and is often very flexible equipment. You do need to be careful that you are sizing it appropriately for what you are trying to do with it.
    0 points
  • Joshua2
    Have you thought about ISA? In addition to normal firewalling, it also does application layer scanning. On the VPN side, it can put the clients into a quarantined network and check for the existence of critical patches, virus definitions, etc. The GUI is fantastic. http://www.microsoft.com/isaserver/ If tech support is an issue, don't pursue SonicWall. I've got a SonicWall firewall & a SonicWall SSL VPN box. Besides the slow support, I have to reboot the firewall every month. (It's the firewall for my guest network, so I live with it...). Pix: I've been using Pix for years. It's much more expensive than other solutions, it's harder to learn...but it runs and runs and runs and runs. When I do have an issue, support response time is adequate. As for the Pix GUI, it's pretty much worthless, IMO. (I never use it). I've never had any Cisco training and I'm able to fumble my way through it. I hired an expert to do the initial configuration/setup and I'm able to make minor changes on my own.
    0 points
  • Astronomer
    Kevin: Joshua has several good points. If you have a pure Windows environment, you should check out ISA. On the other hand, the Microsoft security class I just went to did NOT recommend an ISA as the outer firewall. A firewall appliance was recommended. You might want to consider using your existing firewall appliances as external screening FWs and use ISA as the internal FW/VPN server. This way the external firewalls wouldn't need much attention since they wouldn't be involved in VPNs and their rules wouldn't change often. You shouldn't have much trouble finding support for ISA. It seems like everyone wants to support Microsoft products. The PIX GUI is clumsy but usable. We haven't had problems with clients connecting to our PIX although we are having issues with an internal PIX client connecting to an outside vendor. It seems there is a problem using the PIX client on 2003. When we configured the PIX, there was only one thing I had to do on the command line. I can't speak to support since we didn't have issues during the warranty. I didn't consider it very difficult to learn but I am constantly irritated by the things I can do cleanly with BSD but stumble through on the PIX. If the timing had been different we could have ended up with a PIX on the outside and the newer ISA on the inside. If I thought you were more adventurous, I would suggest running Linux with Webmin. We use this with iptables as the built in firewall on our DNS servers in the DMZ and the GUI straitjacket isn't nearly as tight as most others I have experienced. I haven't had the need but I suspect I could do nearly anything available with the iptables command line. In summary, I agree the PIX is expensive but reliable. Since your experiences with inexpensive firewalls have been negative, you should seriously consider Cisco, Nokia, and possibly 3Com. If you are going to run a screening outer firewall and an inner FW, then look at ISA. As I indicated earlier, there is no best firewall. You need to select the best compromise of security, features, manageability, support, and price for your environment. rt
    15 points
  • ScsiTerminator
    We've been using SonicWalls for years for VPN & interoffice VPN. Works great, Macs, PCs, etc. As for Cisco products ... more $ for the hardware, more $ for software support going forward, i.e. yearly subscription, and more time & $ in setup. Really depends on the size & type of company you're in ... big infrastructure & IT staff, or more hands-on, "we do it all" kind of shop, and are looking to KISS (keeping it stupid simple). Cisco has great stuff, don't get me wrong, but I would equate it to this ... you save to buy a Porsche, maybe you get a deal on a slightly used one, but you don't bother to check on the cost of insurance, replacement parts, and maintenance... you soon come to the realization that maybe you should have gone with something else, or maybe you weren't quite ready for the Porsche just yet (you can sub in whatever car you want, but you get the idea ... you have to look at what works in your setup & company structure). Ciao for now, from the Great White North!
    0 points