 




<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
		>
<channel>
	<title>Comments on: Opinions about firewalls and VPN</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/</link>
	<description></description>
	<lastBuildDate>Thu, 23 May 2013 18:08:49 +0000</lastBuildDate>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
	<item>
		<title>By: scsiterminator</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49077</link>
		<dc:creator>scsiterminator</dc:creator>
		<pubDate>Wed, 28 Jun 2006 10:09:08 +0000</pubDate>
		<guid isPermaLink="false">#comment-49077</guid>
		<description><![CDATA[We&#039;ve been using Sonicwalls for years for VPN &amp; Interoffice VPN. Works great, Macs, PCs, etc. As for Cisco products ... more $ for the hardware, more $ for software support going forward, i.e. yearly subscription, and more time &amp; $ in setup. Really depends on the size &amp; type of company you&#039;re in ... big infrastructure &amp; IT staff, or more hands-on, &quot;we do it all&quot; kind of shop, and are looking to KISS (keeping it stupid simple).

Cisco has great stuff, don&#039;t get me wrong, but I would equate it to this ... you save to buy a Porsche, maybe you get a deal on a slightly used one, but you don&#039;t bother to check on the cost of insurance, replacement parts, and maintenance... you soon come to the realization that maybe you should have gone with something else, or maybe you weren&#039;t quite ready for the Porsche just yet (you can sub in whatever car you want, but you get the idea ... you have to look at what works in your setup &amp; company structure)

Ciao for now, from the Great White North!]]></description>
		<content:encoded><![CDATA[<p>We&#8217;ve been using Sonicwalls for years for VPN &amp; Interoffice VPN. Works great, Macs, PCs, etc. As for Cisco products &#8230; more $ for the hardware, more $ for software support going forward, i.e. yearly subscription, and more time &amp; $ in setup. Really depends on the size &amp; type of company you&#8217;re in &#8230; big infrastructure &amp; IT staff, or more hands-on, &#8220;we do it all&#8221; kind of shop, and are looking to KISS (keeping it stupid simple).</p>
<p>Cisco has great stuff, don&#8217;t get me wrong, but I would equate it to this &#8230; you save to buy a Porsche, maybe you get a deal on a slightly used one, but you don&#8217;t bother to check on the cost of insurance, replacement parts, and maintenance&#8230; you soon come to the realization that maybe you should have gone with something else, or maybe you weren&#8217;t quite ready for the Porsche just yet (you can sub in whatever car you want, but you get the idea &#8230; you have to look at what works in your setup &amp; company structure)</p>
<p>Ciao for now, from the Great White North!</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: astronomer</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49078</link>
		<dc:creator>astronomer</dc:creator>
		<pubDate>Mon, 26 Jun 2006 13:27:54 +0000</pubDate>
		<guid isPermaLink="false">#comment-49078</guid>
		<description><![CDATA[Kevin:
Joshua has several good points. 
If you have a pure windows environment, you should check out ISA. On the other hand, the microsoft security class I just went to, did NOT recommend an ISA as the outer firewall. A firewall appliance was recommended.

You might want to consider using your existing firewall appliances as external screening FWs and use ISA as the internal FW/VPN server. This way the external firewalls wouldn&#039;t need much attention since they wouldn&#039;t be involved in VPNs and their rules wouldn&#039;t change often.
You shouldn&#039;t have much trouble finding support for ISA. It seems like everyone wants to support microsoft products.

The PIX GUI is clumsy but usable. We haven&#039;t had problems with clients connecting to our PIX although we are having issues with an internal PIX client connecting to an outside vendor. It seems there is a problem using the PIX client on 2003. When we configured the PIX, there was only one thing I had to do on the command line. I can&#039;t speak to support since we didn&#039;t have issues during the warranty. I didn&#039;t consider it very difficult to learn but I am constantly irritated by the things I can do cleanly with bsd but stumble through on the PIX.

If the timing had been different we could have ended up with a PIX on the outside and the newer ISA on the inside.

If I thought you were more adventurous, I would suggest running linux with webmin. We use this with iptables as the built in firewall on our DNS servers in the DMZ and the GUI straight jacket isn&#039;t nearly as tight as most others I have experienced. I haven&#039;t had the need but I suspect I could do nearly anything available with the iptables command line.

In summary, I agree the PIX is expensive but reliable. Since your experiences with inexpensive firewalls have been negative, you should seriously consider cisco, nokia, and possibly 3com. If you are going to run a screening outer firewall and an inner FW, then look at ISA. As I indicated earlier, there is no best firewall. You need to select the best compromise of security, features, manageability, support, and price for your environment.
rt]]></description>
		<content:encoded><![CDATA[<p>Kevin:<br />
Joshua has several good points.<br />
If you have a pure windows environment, you should check out ISA. On the other hand, the microsoft security class I just went to, did NOT recommend an ISA as the outer firewall. A firewall appliance was recommended.</p>
<p>You might want to consider using your existing firewall appliances as external screening FWs and use ISA as the internal FW/VPN server. This way the external firewalls wouldn&#8217;t need much attention since they wouldn&#8217;t be involved in VPNs and their rules wouldn&#8217;t change often.<br />
You shouldn&#8217;t have much trouble finding support for ISA. It seems like everyone wants to support microsoft products.</p>
<p>The PIX GUI is clumsy but usable. We haven&#8217;t had problems with clients connecting to our PIX although we are having issues with an internal PIX client connecting to an outside vendor. It seems there is a problem using the PIX client on 2003. When we configured the PIX, there was only one thing I had to do on the command line. I can&#8217;t speak to support since we didn&#8217;t have issues during the warranty. I didn&#8217;t consider it very difficult to learn but I am constantly irritated by the things I can do cleanly with bsd but stumble through on the PIX.</p>
<p>If the timing had been different we could have ended up with a PIX on the outside and the newer ISA on the inside.</p>
<p>If I thought you were more adventurous, I would suggest running linux with webmin. We use this with iptables as the built in firewall on our DNS servers in the DMZ and the GUI straight jacket isn&#8217;t nearly as tight as most others I have experienced. I haven&#8217;t had the need but I suspect I could do nearly anything available with the iptables command line.</p>
<p>In summary, I agree the PIX is expensive but reliable. Since your experiences with inexpensive firewalls have been negative, you should seriously consider cisco, nokia, and possibly 3com. If you are going to run a screening outer firewall and an inner FW, then look at ISA. As I indicated earlier, there is no best firewall. You need to select the best compromise of security, features, manageability, support, and price for your environment.<br />
rt</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: joshua2</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49079</link>
		<dc:creator>joshua2</dc:creator>
		<pubDate>Fri, 23 Jun 2006 11:05:05 +0000</pubDate>
		<guid isPermaLink="false">#comment-49079</guid>
		<description><![CDATA[Have you thought about ISA?  In addition to normal firewalling, it also does application layer scanning. On the VPN side, it can put the clients into a quarantined network and check for the existence of critical patches, virus definitions, etc. The GUI is fantastic.  
http://www.microsoft.com/isaserver/ 

If tech support is an issue, don&#039;t pursue SonicWall.  I&#039;ve got a SonicWall firewall &amp; a sonicwall ssl vpn box. Besides the slow support, I have to reboot the firewall every month.  (It&#039;s the firewall for my guest network, so I live with it...).  

Pix
I&#039;ve been using Pix for years.  It&#039;s much more expensive than other solutions, it&#039;s harder to learn...but it runs and runs and runs and runs.  When I do have an issue, support response time is adequate.  As for the pix gui, it&#039;s pretty much worthless, IMO. (I never use it).  I&#039;ve never had any Cisco training and I&#039;m able to fumble my way through it.  I hired an expert to do the initial configuration/setup and I&#039;m able to make minor changes on my own.    

 ]]></description>
		<content:encoded><![CDATA[<p>Have you thought about ISA?  In addition to normal firewalling, it also does application layer scanning. On the VPN side, it can put the clients into a quarantined network and check for the existence of critical patches, virus definitions, etc. The GUI is fantastic.<br />
<a href="http://www.microsoft.com/isaserver/" rel="nofollow">http://www.microsoft.com/isaserver/</a> </p>
<p>If tech support is an issue, don&#8217;t pursue SonicWall.  I&#8217;ve got a SonicWall firewall &amp; a sonicwall ssl vpn box. Besides the slow support, I have to reboot the firewall every month.  (It&#8217;s the firewall for my guest network, so I live with it&#8230;).  </p>
<p>Pix<br />
I&#8217;ve been using Pix for years.  It&#8217;s much more expensive than other solutions, it&#8217;s harder to learn&#8230;but it runs and runs and runs and runs.  When I do have an issue, support response time is adequate.  As for the pix gui, it&#8217;s pretty much worthless, IMO. (I never use it).  I&#8217;ve never had any Cisco training and I&#8217;m able to fumble my way through it.  I hired an expert to do the initial configuration/setup and I&#8217;m able to make minor changes on my own.    </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: bhawthorne</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49080</link>
		<dc:creator>bhawthorne</dc:creator>
		<pubDate>Fri, 23 Jun 2006 10:35:19 +0000</pubDate>
		<guid isPermaLink="false">#comment-49080</guid>
		<description><![CDATA[There are a couple of pieces of information missing before a recommendation can be made:
1. What is your bandwidth and utilization like?
2. How many concurrent VPN tunnels are you looking to have?

With that said, a couple of comments:
Both WatchGuard and SonicWall seem to do a good job for the cost. They are easy to manage, easy to configure, and very cost effective if their feature sets fit your needs. If you are a smaller organization, these are still boxes to seriously consider.

The Cisco equipment is not as easy to configure nor manage. Often it is just plain not easy. The skill/knowledge, and just patience, required can be high.
It has many great features, and is often very flexible equipment. You do need to be careful that you are sizing it appropriately for what you are trying to do with it. ]]></description>
		<content:encoded><![CDATA[<p>There are a couple of pieces of information missing before a recommendation can be made:<br />
1. What is your bandwidth and utilization like?<br />
2. How many concurrent VPN tunnels are you looking to have?</p>
<p>With that said, a couple of comments:<br />
Both WatchGuard and SonicWall seem to do a good job for the cost. They are easy to manage, easy to configure, and very cost effective if their feature sets fit your needs. If you are a smaller organization, these are still boxes to seriously consider.</p>
<p>The Cisco equipment is not as easy to configure nor manage. Often it is just plain not easy. The skill/knowledge, and just patience, required can be high.<br />
It has many great features, and is often very flexible equipment. You do need to be careful that you are sizing it appropriately for what you are trying to do with it. </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: thevyrys</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49081</link>
		<dc:creator>thevyrys</dc:creator>
		<pubDate>Fri, 23 Jun 2006 10:26:20 +0000</pubDate>
		<guid isPermaLink="false">#comment-49081</guid>
		<description><![CDATA[I too have worked with Sonicwall, but only with the model we have - PRO 200.
It is seemingly a good product, but no better than any decent firewall......      however Sonicwall themselves have p i s s e d me off.
They are discontinuing support for some of their products, but not before raising the hell out of their price for support. Then they go on to tell you that their products may not be providing the protection that is needed. So in a sense they are saying, hey, you can use our product that you paid us good money for, but we must charge the crap out of you again....but they really don&#039;t work.
HOWEVER, if you buy something else from them, all your problems are mysteriously solved, except we must charge you again......and again...... a great strategy to screw over even their faithful customers.
Good luck talking to an american also. 
Goodbye sonicwall.....]]></description>
		<content:encoded><![CDATA[<p>I too have worked with Sonicwall, but only with the model we have &#8211; PRO 200.<br />
It is seemingly a good product, but no better than any decent firewall&#8230;&#8230;      however Sonicwall themselves have p i s s e d me off.<br />
They are discontinuing support for some of their products, but not before raising the hell out of their price for support. Then they go on to tell you that their products may not be providing the protection that is needed. So in a sense they are saying, hey, you can use our product that you paid us good money for, but we must charge the crap out of you again&#8230;.but they really don&#8217;t work.<br />
HOWEVER, if you buy something else from them, all your problems are mysteriously solved, except we must charge you again&#8230;&#8230;and again&#8230;&#8230; a great strategy to screw over even their faithful customers.<br />
Good luck talking to an american also.<br />
Goodbye sonicwall&#8230;..</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: idyllicsys</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49082</link>
		<dc:creator>idyllicsys</dc:creator>
		<pubDate>Fri, 23 Jun 2006 09:27:44 +0000</pubDate>
		<guid isPermaLink="false">#comment-49082</guid>
		<description><![CDATA[I have worked with SonicWalls for many years. The license issue has been solved with the current models. If you are looking at a new one, you have the option of blocking spyware and viruses, as well as using their intrusion prevention system to stop incoming threats. I use one for my data center and have quite a few site to site VPNs. Never had an issue that could not be solved. ]]></description>
		<content:encoded><![CDATA[<p>I have worked with SonicWalls for many years. The license issue has been solved with the current models. If you are looking at a new one, you have the option of blocking spyware and viruses, as well as using their intrusion prevention system to stop incoming threats. I use one for my data center and have quite a few site to site VPNs. Never had an issue that could not be solved. </p>
]]></content:encoded>
	</item>
	<item>
		<title>By: yogeshrane</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49083</link>
		<dc:creator>yogeshrane</dc:creator>
		<pubDate>Fri, 23 Jun 2006 06:38:12 +0000</pubDate>
		<guid isPermaLink="false">#comment-49083</guid>
		<description><![CDATA[You could look at the Nortel Range of products for VPN Boxes. The C2700 can support up to 200 odd tunnels while the end-user CPE can be a c100 which is a 6/8 port l2 switch combined with the vpn box. Alternatively you can use cisco at the end-user side.]]></description>
		<content:encoded><![CDATA[<p>You could look at the Nortel Range of products for VPN Boxes. The C2700 can support up to 200 odd tunnels while the end-user CPE can be a c100 which is a 6/8 port l2 switch combined with the vpn box. Alternatively you can use cisco at the end-user side.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: stevesz</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49084</link>
		<dc:creator>stevesz</dc:creator>
		<pubDate>Thu, 22 Jun 2006 23:52:35 +0000</pubDate>
		<guid isPermaLink="false">#comment-49084</guid>
		<description><![CDATA[I&#039;ve worked with a number of firewalls, WatchGuard and SonicWall among them. I have found the support from WatchGuard to be very good. They have always called back fairly quickly, and I can do other things other than wait on the phone on hold. There was a SonicWall a company had that they let the support contract run out on. It was cheaper to get a new firewall rather than get the support renewed so the problem with the firewall could be resolved, and that was what they did, but from another vendor.

Whatever you do, it will not be an easy path to get everyone on the same page. There are no migration paths or conversions to easily transfer firewall settings from one brand to another, so any new firewall that replaces one from another vendor will require configuration from the ground up.

I do like the WatchGuards for their ease of configuration. If you go with PIX, and have Exchange servers, there is a special configuration you need to implement to allow mail traffic through--no biggie, but I know it has tripped up a lot of Exchange installations. I&#039;ve only worked with lower end 3COM firewalls, so I can&#039;t really say much about them. The SonicWalls seem to have a problem dropping licensed connections after the computers have been disconnected from them, and you eventually run out of licenses--never have gotten a fix for that from SonicWall, so those installations get rebooted on a regular basis.]]></description>
		<content:encoded><![CDATA[<p>I&#8217;ve worked with a number of firewalls, WatchGuard and SonicWall among them. I have found the support from WatchGuard to be very good. They have always called back fairly quickly, and I can do other things other than wait on the phone on hold. There was a SonicWall a company had that they let the support contract run out on. It was cheaper to get a new firewall rather than get the support renewed so the problem with the firewall could be resolved, and that was what they did, but from another vendor.</p>
<p>Whatever you do, it will not be an easy path to get everyone on the same page. There are no migration paths or conversions to easily transfer firewall settings from one brand to another, so any new firewall that replaces one from another vendor will require configuration from the ground up.</p>
<p>I do like the WatchGuards for their ease of configuration. If you go with PIX, and have Exchange servers, there is a special configuration you need to implement to allow mail traffic through&#8211;no biggie, but I know it has tripped up a lot of Exchange installations. I&#8217;ve only worked with lower end 3COM firewalls, so I can&#8217;t really say much about them. The SonicWalls seem to have a problem dropping licensed connections after the computers have been disconnected from them, and you eventually run out of licenses&#8211;never have gotten a fix for that from SonicWall, so those installations get rebooted on a regular basis.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: imazing</title>
		<link>http://itknowledgeexchange.techtarget.com/itanswers/opinions-about-firewalls-and-vpn/#comment-49085</link>
		<dc:creator>imazing</dc:creator>
		<pubDate>Wed, 21 Jun 2006 15:22:40 +0000</pubDate>
		<guid isPermaLink="false">#comment-49085</guid>
		<description><![CDATA[In my experiences the PIX firewall has held up great.  My last company we had the PIX 515 UR doing site to site and client VPN, 3 DMZs setup, site to site IP connection.  150 Internet users. I never had to reboot it; my config changed at least 3 times a year. Cisco support was always excellent and I feel reasonably priced.  The only thing I can&#039;t confirm is the gui interface; I have always used the command line interface.  I always highly recommend the PIX line of firewalls. I also had experience trying to help my parent company with their Watchguard firewall; it was fine for with any easy config. but when it started to get complicated the WG firewall didn&#039;t like it and I thought support was also terrible.  They ended up going with the PIX also.  Good Luck]]></description>
		<content:encoded><![CDATA[<p>In my experiences the PIX firewall has held up great.  My last company we had the PIX 515 UR doing site to site and client VPN, 3 DMZs setup, site to site IP connection.  150 Internet users. I never had to reboot it; my config changed at least 3 times a year. Cisco support was always excellent and I feel reasonably priced.  The only thing I can&#8217;t confirm is the gui interface; I have always used the command line interface.  I always highly recommend the PIX line of firewalls. I also had experience trying to help my parent company with their Watchguard firewall; it was fine for with any easy config. but when it started to get complicated the WG firewall didn&#8217;t like it and I thought support was also terrible.  They ended up going with the PIX also.  Good Luck</p>
]]></content:encoded>
	</item>
</channel>
</rss>
