Business Firewall/UTM Recommendations

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
I'm looking into replacing our ISP provided hosted "cloud firewall" with hardware in house. We used to run a couple of SonicWall NSA240's prior to switching to the hosted solution. I haven't been happy with the usability of the web GUI or the increase in outages since we made the switch. They use a Palo Alto firewall that just takes forever to do anything. Just setting up a port forward with the related security rule takes at least 20-25 minutes to get committed. I'm going to ditch the ISP as well as our contracts expire. This is for a construction company with a lot of people working remotely from job sites as well as from home.

Seattle currently has a 20Mb EoC connection (~50 desks) while our smaller Portland office (~20 desks) has a 12Mb bonded T1 connection all going through the ISP firewall. We will likely get a 100mb point-to-point fiber connection between the two offices fairly soon.

The main things I'm looking for are:

1) Intuitive GUI for easy NAT and port forwarding, traffic shaping, monitoring.
2) Easy to set up site-to-site VPNs. I'd like to be able to buy a cheap (<~$500) router and tie it into our network easily for construction job sites or executives' homes.
3) Easy to use VPN that hopefully "just works" and is intuitive for end-users. Palo Alto's GlobalProtect VPN client isn't the best. Deal-breaker if VPN is a per-user license.
4) I'd like to be able to have a 2nd ISP that we can switch over to in the event our main ISP goes down. Would like to potentially have a 2nd firewall at the HQ office in HA as well.

Anyway, I'm looking for some recommendations, preferably from people with first hand experience. I've been looking around at various options and I'm currently leaning towards Fortinet Fortigate UTM's. Cisco suggested going with an ASA-5512x paired with Meraki devices for the site-to-site VPNs.

Firetrak

Member
Oct 24, 2014
131
0
76
I just installed Zyxel USG 20's in two restaurant chains I work for and we'll be using those going forward. It's a low-level version of the USG50, and there are higher-tier versions as well that handle more throughput.

Very happy with them so far.

I know the USG20 can handle 3G failover and the higher ones can handle dual WAN interfaces for failover as well.

Really like them personally.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
Palo Alto is the device you want. It's the best one for the job.

Juniper SRX is also good.

Both are superior devices to the ASA5512-X. I also wouldn't recommend Meraki. They're overpriced for what you get and if you ever stop paying for support (or Meraki discontinues the product) you can no longer use it PERIOD. It's not just that you can't manage it. It stops working. If you want cheap and easy wifi, I would suggest Ubiquiti's UniFi.

As far as client access VPN, if you're a Windows shop, I'd recommend just using SSTP. It's built into Windows Server 2008 and higher and Windows Vista and higher. No additional licensing required and it's bone-head simple to set up. Failing that, Palo Alto, Juniper, and Cisco all have roughly equivalent VPN products. In regards to "per user" licensing, Cisco's AnyConnect Essentials will license you for basic VPN for the max number of users supported on the platform, but you don't get some of the more advanced features.

For site-to-site VPN, I will always recommend Cisco's DMVPN. It is, by far, the best site-to-site VPN technology in existence. By far. There is no other vendor that comes close. However, it does limit you to Cisco IOS-based routers and firewalls. That's not necessarily a bad thing, however, as they do support Web VPN (AnyConnect) though it is licensed per simultaneous user. It also does not have full UTM capabilities (content filtering, edge antivirus, email filtering, etc.)

That said, a common DMVPN deployment is to have all of your VPNs terminate there and then pass the actual Internet traffic out of a single centralized firewall. So, you could combine an ASA5512-X (to take advantage of the UTM stuff and AnyConnect Essentials) and then a 1941/2911 at the central site with 891s at each site. With a bit of dynamic routing and DMVPN, you could have full ISP-agnostic failover at every site, with a central ASA to handle all firewall capabilities.

Cisco's mantra is that the ASA is not a router, and as such, they are not going to put in a number of very useful features, like VTI and DMVPN. If the ASA had DMVPN and VTI, it would be the perfect device and would challenge the SRX and PA as the premier small business UTM appliance.

So, if you're looking for one device: Juniper SRX or Palo Alto. If you don't mind multiple devices and a bit of extra work up front to make everything 100 times easier in the future, Cisco ASA + ISR G2.
 

riahc3

Senior member
Apr 4, 2014
640
0
0
I just installed Zyxel USG 20's in two restaurant chains I work for and we'll be using those going forward. It's a low-level version of the USG50, and there are higher-tier versions as well that handle more throughput.

Very happy with them so far.

I know the USG20 can handle 3G failover and the higher ones can handle dual WAN interfaces for failover as well.

Really like them personally.
I have a USG50.

There is a con to these devices: There is a small learning curve. You have to get used to it but once you do, things are (pretty) easy.
 

lif_andi

Member
Apr 15, 2013
173
0
0
I agree with drebo, Palo Alto is the box you want. May not be as snappy as you'd like but it's one of the best firewalls out there.
 

seepy83

Platinum Member
Nov 12, 2003
2,132
3
71
OP - see if Cisco, Fortinet, Palo Alto, etc. (or at least some local resellers) will let you spend some time with one of the devices. I haven't personally had the opportunity to use a Palo Alto, but I know a couple of people that tried to transition to them (from being PIX/ASA shops for years) and they absolutely hated them. That being said, I've heard mostly great things about them...but some level of personal preference definitely comes into play.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I just installed Zyxel USG 20's in two restaurant chains I work for and we'll be using those going forward. It's a low-level version of the USG50, and there are higher-tier versions as well that handle more throughput.

Very happy with them so far.

I know the USG20 can handle 3G failover and the higher ones can handle dual WAN interfaces for failover as well.

Really like them personally.
Those ZyWalls are something else. Easy integration with AD is awesome too. I haven't heard of Palo Alto, is there any validity to the NSS test or is it skewed?
 

Firetrak

Member
Oct 24, 2014
131
0
76
Those ZyWalls are something else. Easy integration with AD is awesome too. I haven't heard of Palo Alto, is there any validity to the NSS test or is it skewed?

Yeah, it was a learning curve; for others it probably seems easy, to be honest.

But it just seems really robust with a lot of scalable features should you wish it.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
Yeah, it was a learning curve; for others it probably seems easy, to be honest.

But it just seems really robust with a lot of scalable features should you wish it.

Easy as cake compared to Cisco ASAs, especially after the update with half-assed object management. Zyxel killed it.
 

drebo

Diamond Member
Feb 24, 2006
7,035
1
81
OP - see if Cisco, Fortinet, Palo Alto, etc. (or at least some local resellers) will let you spend some time with one of the devices. I haven't personally had the opportunity to use a Palo Alto, but I know a couple of people that tried to transition to them (from being PIX/ASA shops for years) and they absolutely hated them. That being said, I've heard mostly great things about them...but some level of personal preference definitely comes into play.

Palo Alto is an extremely large departure from Cisco-style configurations and architecture. Being context-based (like Juniper) makes it a very large mind-fuck coming from Cisco IOS and ASA. Heck, even Cisco's zone-based firewall, which is context-based, is a farce by comparison.

That said, PA's design is to separate the control plane (management) from the data plane (security, forwarding, etc.). With an ASA or an ISR, you get one CPU (possibly with multiple cores) handling both. So of course the control plane is going to be more responsive on an ASA or an ISR...by default it has more resources available to it. For PA, it's a security concern...it means that if someone DoSes your firewall, your data forwarding isn't compromised. Juniper does the same thing on their SRXs, and the management is just as slow.

Once you get past the architectural and the syntactical differences, PAs and SRXs are both wonderful devices. Both are far more feature-rich than an ASA as well (you can run full VPLS on an SRX100, which is cheaper than an ASA5505).
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
What is your budget? What are your throughput requirements?
I am in the process of evaluating UTM devices. We currently have a SonicWall NSA 3500. We have about 50 devices in our main office, with site-to-site VPNs to a location with 10 devices, to our web production site at CenturyLink, and to a sister company for Exchange.

My current top 3 are:

SonicWall NSA 3600 - Basically a drop-in replacement, easiest to configure. I know what we get, as our current NSA 3500 is just an older, slower version of this. Same interface, etc.
Fortinet 200D - I looked at this product. Seems nice, need to get a demo.
Sophos SG210 or 230 - I was really impressed with the interface on this unit. The capability is also impressive out of the box. I also liked the reporting features.

Right now I am heavily leaning towards the Sophos unit. Take a look at them before making a decision.
 

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
Just got a demo Sophos SG230 and some smaller model presumably to test setting up a site-to-site VPN. Hoping to get a Fortinet 200D demo unit as well. I'll test this weekend.
 

PliotronX

Diamond Member
Oct 17, 1999
8,883
107
106
I work in Cisco, but Palo Alto is on another level. Take the time to learn it and you will be surprised at what those boxes can do.

About the NSS report and another test made a month or so later.

http://researchcenter.paloaltonetwo...ext-generation-firewall-comparative-analysis/
Good to know, gotta love those sensationalist headlines. I work with Cisco as well and am not blind to alternative hardware either :D

That Sophos was looking good until I saw it costs as much as a 2000 Toyota Camry. I'm hardcore about home networking but there comes a point...
 

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
Copying and pasting what I wrote up for another forum, since it recaps everything fairly well:

I've been looking for a solution to take the place of a cloud hosted firewall and VPN solution through our ISP for several months now. The main factor was simply getting away from this ISP since we're paying entirely way too much (~6500/mo) for the service we receive; however, other factors like how long it took to do routine tasks on the hosted Palo Alto as well as the clunky VPN client were factors as well.

Main office is in Seattle, second office in Portland. 200 employees and roughly 125 actual computer users. Roughly 50/20 desks at SEA/PDX. Exchange is hosted internally, but our website is externally hosted. We don't have high throughput at this point (20Mb SEA & 12Mb PDX), but I'm looking to improve on that with either changes to our main connection, implementation of additional, cheaper, higher bandwidth connections, as well as potentially a dedicated fiber connection between our two offices. Main goal is to improve the end user experience working in and, more importantly, outside of the office. Paired with new firewalls, I'm working on a new RDS server, and will be testing Egnyte as a "Dropbox"-like service to tie into our existing file servers.

The main things I'm looking for are:

• Good performance – or… good enough that it isn't a bottleneck. End result is that I want to be able to more effectively improve end-user perception of "speed".
• Good enough security for our needs, which aren't super high.
• Site-to-site VPN – ideally cost effective.
• Client VPN with no per user licensing.
• Ability to have 1+ connections for failover as well as active/active.
• Traffic Shaping/QoS so that I can divert high bandwidth traffic that doesn't need to be on the primary connection, such as web traffic and backup replications, over those.

I've looked at Juniper SRX240 and 220, Fortinet 200D and 100D, Barracuda NG380 and NG280, and Sophos SG230 and SG210. After comparing costs, specs, pros and cons specific to my one-man operation working for a construction company, it looks like Sophos is the clear winner. The price is right in line with everyone else, the performance numbers blow everything else out of the water, the hardware appears to be better (i.e. bigger SSD, 8 GB RAM) to back up those numbers, the reporting out of the box looks much better, and lots of other things like being able to embed a how-to video on the VPN portal page. The biggest single advantage for me over what my initial bias was for – Fortinet – was that the Sophos site-to-site VPN option is insanely easy. The RED 10 setup takes a few minutes – punch in the serial, give it a subnet and a few other things, hand it to someone to take out to a site, and it will set itself up and create a tunnel back home. Not having to travel to sites alone is probably worth it.

I should add that I tested the Fortinet and Sophos options in-house. I preferred the Fortinet GUI as it seemed more logical to me, but perhaps it's just because that's the one I tested first and got used to it. On that subject, we used SonicWalls in the past and I always disliked their GUI. That's why I didn't mention them.

Anyway, my main questions are… is there anything I haven't mentioned that I should be taking into account? Does anyone have experience with Sophos? Any reason not to pull the trigger?
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
Sophos UTM with a RED50 for remote VPN makes it dead simple to set up site-to-site VPNs with multi-WAN.

I rock Sophos on a Dell R610 with dual SSDs and dual L5639 CPUs and it is 1000% solid and fast as all heck! It just works! Plus it integrates with their anti-virus software, which is a big plus compared to standalone solutions which require another management server!
 

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
Sophos UTM with a RED50 for remote VPN makes it dead simple to set up site-to-site VPNs with multi-WAN.

I rock Sophos on a Dell R610 with dual SSDs and dual L5639 CPUs and it is 1000% solid and fast as all heck! It just works! Plus it integrates with their anti-virus software, which is a big plus compared to standalone solutions which require another management server!
Thanks! Hadn't really considered running it on my own hardware... Is it a Hyper-V or VMware VM or a proprietary bare metal OS? Or is it just an application that you install on Windows/Linux? I wonder what it would cost in hardware + Sophos to get better performance than the SG230. Doesn't look like Sophos publishes exact specs of the processors other than that they're "the latest in Intel technology..."
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
They license your own hardware per IP and license their own hardware on performance. It is a way to profit on selling low-end servers for massive profit!

You can install Sophos on bare metal (what I do) or run it in Hyper-V or ESXi with full virtualization driver support (built into the same ISO).

So it is just Unix software loaded on bare metal in my case. I added a 6-port Silicom Intel gigabit NIC I got for $99 off eBay and threw in a pair of Samsung 840 Pros to the el-cheapo R610 Dell box I had. It has 48 GB of RAM and never sees more than 10 CPU load at over 6000 connections/sec maximum load. 12 cores of Intel Westmere allows it to seriously do some SSL scanning with multiple virus scans with no real latency gain!

I'm sure newer low power 1U servers could outgun the R610, but I got it for cheap and so it lives!
 

goobernoodles

Golden Member
Jun 5, 2005
1,820
2
81
They license your own hardware per IP and license their own hardware on performance. It is a way to profit on selling low-end servers for massive profit!

You can install Sophos on bare metal (what I do) or run it in Hyper-V or ESXi with full virtualization driver support (built into the same ISO).

So it is just Unix software loaded on bare metal in my case. I added a 6-port Silicom Intel gigabit NIC I got for $99 off eBay and threw in a pair of Samsung 840 Pros to the el-cheapo R610 Dell box I had. It has 48 GB of RAM and never sees more than 10 CPU load at over 6000 connections/sec maximum load. 12 cores of Intel Westmere allows it to seriously do some SSL scanning with multiple virus scans with no real latency gain!

I'm sure newer low power 1U servers could outgun the R610, but I got it for cheap and so it lives!
Interesting. I have an electronics recycling place a few blocks away that has a ton of servers for relatively cheap. Some things are overpriced and others are steals.

http://stores.ebay.com/3R-Technolog...b=7751052&_sid=20214558&_trksid=p4634.c0.m322

^Some of their inventory is on eBay.

A dual quad core with a bunch of RAM and SSDs would be pretty quick, I'd think. That said, considering it'd be on used/older hardware, I'd want a good backup/recovery solution in place.
 

Emulex

Diamond Member
Jan 28, 2001
9,759
1
71
You'd want a backup solution in place regardless. You might consider the ability to use a hypervisor-based UTM if you want HA without extra hardware costs! Or a hybrid (not sure if they exist): a cold-standby Sophos UTM running in Hyper-V/ESXi to back up the real-world bare metal UTM!
 

Genx87

Lifer
Apr 8, 2002
41,095
513
126
We also went with Sophos. We got a SG 210 and are very impressed with it so far. It was deployed in late Jan and has run great!