Corporate firewalls

What corporate firewall do you have at your enterprise edge?

  • Cisco ASAs

  • Sonicwall

  • Barracuda

  • Checkpoint

  • Fortinet

  • Other

  • Combination of the above

We are looking to potentially replace/supplement our Cisco ASAs since they don't offer any kind of layer 5-7 inspection (yes I know they have modules, but if we are spending the money on those then we are a decent way to new appliances anyways). I'm just curious what everybody uses in their environment and why they went with them. Also any pros/cons. Attached is a poll.
 
We use a two-layer firewall design w/ Cisco ASA & Juniper/NetScreen ISG.

We looked into Palo Alto years ago; their product seemed decent but they just started, and didn't have that many customers at the time so we took a pass.

Cisco's ASA 5585-Xs supposedly can do L7 nowadays.
 
I used to work for a remote small-town ISP (population <20k), distributed with 802.16; the firewall was FreeBSD with pf and Snort. The backbone line was microwave-based.
 
Cisco ASA
I haven't used them in a few years, but even back then, ASAs were hopelessly outdated junk. Their UTM functionality was a joke, ASDM was barely functional, and they were slower than the competition. Cisco's new ASA 5500-X lineup seems to have made their performance competitive again, at the cost of even less UTM functionality 😕😵

If anybody knows what the draw of these devices is, please chime in. I simply can't see any compelling reason to use them at all.

SonicWALL
I haven't really used these devices much, but based on what I've seen, I'm not a huge fan. In what I assume is an attempt at making their firewalls easy to configure, they seem to have created a "black box" that doesn't behave as a network engineer would expect. It didn't help that the documentation was very sparse, not context-sensitive, and even missing in some aspects. In fact, their entire GUI could really use an overhaul.

If I had more time to play around with them and get used to their idiosyncrasies, I might warm up to them more. They ultimately work well enough, but they wouldn't be my first choice.

Fortinet
I've generally been happy with Fortinet. The products are fast, feature-filled, reasonably priced, and they don't nickel-and-dime you on licensing like some other vendors do.

There are some rough areas. For example, logging and reporting are definite weak points compared to the competition unless you purchase a dedicated monitoring appliance or use their monitoring service.

Overall, though, I recommend them and they're usually my first choice for edge security.
 
Palo Altos are great. They do have some limitations (some of the same ones that Cisco has) but they more than make up for it.

Their L7 stuff is all done in software (though it does have dedicated cores) so it doesn't actually reach their claimed throughput (which is reached with L2-4), but they are "fast enough."

Juniper is also pretty good if you're looking for more basic L7 or simply web/email filtering and basic edge antivirus, etc. However, Juniper's biggest limitation and where they fail next to Palo Alto is their integration with Active Directory (and other LDAP directories) in relation to applying filters based on user groupings or individual users.

All in all, my recommendation would be Palo Alto. As far as ease of use, setup, and ongoing operation go, they're the simplest. Juniper is a bit more difficult to maintain and lacks some of the user integration, but they are significantly cheaper.

As the saying goes: good, cheap, easy...pick two.

Edit: It should go without saying that when I talk about Juniper, I'm referring to the SRX line, not the SSG or NetScreens.
 
We've been investigating Fortinet recently. I'm impressed with its speed and all that it lets me do; also, the price is right. The community is small, but their technical documents are well written and cover enough scenarios to get you going.

Really wanted to go with Palo Alto as they just seem to have the best product out there. However, their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in them and really can't justify a 2k appliance there.

Was not overly impressed with the Juniper product. Maybe the new JunOS software improves it some, but I don't have the time to try and learn the command line, which is where it becomes most powerful.
 
I've used the Cisco PIX, Cisco ASAs, older Symantec security gateways, and different Fortinet models.

My opinion is that the older Symantec firewalls, while not as fast, were probably the best to configure and offered the best logging of the bunch. I'm quite comfortable with the ASAs, BUT am not a fan of ASDM. The FortiGate units have terrible logging as noted unless you have the external appliance, but are fast and generally easy to configure.

Currently we use a mixture of ASA and FortiGate appliances.
 
I'm a contractor that installs a lot of SonicWalls. Once you learn all the non-industry-standard terms they use for the various functions, they're quite nice to work with, though a bit pricey for what they are. But I'm starting to do some testing with the Sophos UTM units. On the plus side, they have a VM/ISO version you can install on a random box or in a lab environment to play with and learn on.

http://www.sophos.com/en-us/products/unified/utm.aspx
 
I've also seen mostly SonicWalls in a lot of the offices I've been in. Once you learn their technology and where things are configured, they're fairly easy to figure out and seem very stable from my experience. Their licensing price for some of the add-on security and malware scanning does raise the price up, though.
 
+1 Palo Alto. They seem to get it. Usual network equipment caveats apply, vendor performance claims should generally be taken with a box of salt.

theevilsharpie,

>If anybody knows what the draw of these devices is, please chime in. I simply can't see any compelling reason to use them at all.

The CCNP class taught them that ASA is the firewall. Just like EIGRP is the routing protocol.

Also, I've seen a lot of folks who know Cisco - kind of - and don't want to, or aren't capable of, learning anything else. So they go with what they know. I've watched this trump all sorts of logic and reason.

Demo24,

>However their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in it and really can't justify a 2k appliance there.

Have you considered a topology where you have a non-split tunnel VPN based on inexpensive devices taking ALL small branch traffic back to your main site, and then do your firewalling there with one better device? Obviously, factor in extra bandwidth and main site and extra slowdowns, but that might be an option, depending very much on the details of your situation.

All,

Two things to remember about these products:

1. Fortinet key people were the old key people behind Netscreen, which got bought by Juniper, and later they bailed. So Juniper's products are short many of the key/original people, while Fortinet is those same people's next generation. Also, Juniper seems to really just want to graft the Netscreen functionality into JunOS, which on the surface is a great strategy, but the process of getting there is ugly.

2. Dell bought SonicWALL. I have not been happy with the results I've seen of any of the acquisitions Dell has done - in my opinion every product they have acquired has either atrophied or actively gotten worse. (also, in general, I've just had a ton of bad experiences with Dell the company and Dell products)
 
>Demo24,
>
>>However their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in it and really can't justify a 2k appliance there.
>
>Have you considered a topology where you have a non-split tunnel VPN based on inexpensive devices taking ALL small branch traffic back to your main site, and then do your firewalling there with one better device? Obviously, factor in extra bandwidth and main site and extra slowdowns, but that might be an option, depending very much on the details of your situation.

Had not actually, and I think it would just be a logistical challenge to reconfigure that. Also note I really don't have the bandwidth for that at the main office, and have no idea if I will get approval for a 100/100mb line I'm asking for. We run a hub & spoke design at the moment, but a number of the 'spokes' end up being mini-hubs for a few small offices.

At this point, because the overall requirements between sites are fairly low, it's just easier to set up a bunch of devices and create tunnels as necessary.
 
Thanks for the input, everybody. It seems like the three I was leaning heavily toward investigating (Fortinet, Palo Alto, and Checkpoint) are the three that others seem to support the most.

>The CCNP class taught them that ASA is the firewall. Just like EIGRP is the routing protocol.
>
>Also, I've seen a lot of folks who know Cisco - kind of - and don't want to, or aren't capable of, learning anything else. So they go with what they know. I've watched this trump all sorts of logic and reason.

CCNP did teach me that. It's been really hard to move away from Cisco anything since my degree was basically Cisco networking. However, I'm getting there. Especially as it comes to firewalls. Sorry Cisco, you've fallen behind. Way behind. The ASA-X stuff might help but I'm not holding my breath.

What's funny is my company CEO has basically stated that he wants everything to be Cisco. So the guy with the Cisco certs is going to be trying to push non-Cisco stuff to the pro-Cisco CEO. I never would have thought that would happen!
 
Add one more to Palo Alto. We've been looking to replace our older Juniper SSGs lately and went to market with a few different providers. On our list were Cisco ASAs, Fortinet, Juniper SRX, and Palo Alto.

Palo Alto was far and away the best product holistically, followed by Fortinet, Juniper, and then Cisco.
 
>What's funny is my company CEO has basically stated that he wants everything to be Cisco. So the guy with the Cisco certs is going to be trying to push non-Cisco stuff to the pro-Cisco CEO. I never would have thought that would happen!

This is extremely common, it's another great example of Cisco's sales/marketing playbook. They sell the C-level heavily on the idea that they can go with one vendor, who will solve all their problems, support all the solutions, and one set of training/certs/skills for the staff. All you have to do is be *all* Cisco. But the moment anything non-Cisco appears... woe be unto you, all those compelling business advantages will evaporate in an instant!

Of course, this is all a sales pitch.

A similar game is to say, you're just the nerdy engineer who wants the new shiny riskiest tech, but we business people know what the right business decision is, don't we? Yes, that's why we're successful executives, we can look at the big picture and not make rash decisions to take unnecessary risks with huge potential downsides when there's an obviously better business decision available, one offered by your long-time business partner... etc...

Basically, when the product sucks and the engineers know it, go over their heads and pit the C-level against the engineers.
 
Why did you leave out Juniper? What is wrong with SRXs, am I missing something?

If your org is not opposed to open source, check out pfSense too; install it in a VM @ home and check it out for free.
 
>Cisco ASA
>I haven't used them in a few years, but even back then, ASAs were hopelessly outdated junk. Their UTM functionality was a joke, ASDM was barely functional, and they were slower than the competition. Cisco's new ASA 5500-X lineup seems to have made their performance competitive again, at the cost of even less UTM functionality 😕😵
>
>If anybody knows what the draw of these devices is, please chime in. I simply can't see any compelling reason to use them at all.
>
>SonicWALL
>I haven't really used these devices much, but based on what I've seen, I'm not a huge fan. In what I assume is an attempt at making their firewalls easy to configure, they seem to have created a "black box" that doesn't behave as a network engineer would expect. It didn't help that the documentation was very sparse, not context-sensitive, and even missing in some aspects. In fact, their entire GUI could really use an overhaul.
>
>If I had more time to play around with them and get used to their idiosyncrasies, I might warm up to them more. They ultimately work well enough, but they wouldn't be my first choice.
>
>Fortinet
>I've generally been happy with Fortinet. The products are fast, feature-filled, reasonably priced, and they don't nickel-and-dime you on licensing like some other vendors do.
>
>There are some rough areas. For example, logging and reporting are definite weak points compared to the competition unless you purchase a dedicated monitoring appliance or use their monitoring service.
>
>Overall, though, I recommend them and they're usually my first choice for edge security.

ASDM has come a LONG way. I'm with you in that it used to be awful, but in the last few years it has made massive strides, and I actually prefer it to most any other vendor's GUI.
 
>Thanks for the input, everybody. It seems like the three I was leaning heavily toward investigating (Fortinet, Palo Alto, and Checkpoint) are the three that others seem to support the most.

>CCNP did teach me that. It's been really hard to move away from Cisco anything since my degree was basically Cisco networking. However, I'm getting there. Especially as it comes to firewalls. Sorry Cisco, you've fallen behind. Way behind. The ASA-X stuff might help but I'm not holding my breath.
>
>What's funny is my company CEO has basically stated that he wants everything to be Cisco. So the guy with the Cisco certs is going to be trying to push non-Cisco stuff to the pro-Cisco CEO. I never would have thought that would happen!

http://www.fortinet.com/resource_center/whitepapers/nss_labs_firewall_product_analysis.html

This may help you and give you some talking points. I linked to Fortinet as, if you do that quick form, they will let you download the entire report for free. Otherwise, from NSS it's kinda expensive. I haven't read the report in a few months, but I remember them putting Palo Alto in a good light; it just lost out cause it's more expensive.

I didn't know this until I was looking around, but apparently Fortinet is currently the largest player in the UTM market.

They do put out fairly regular software updates, although you've got to be careful, as this doesn't always mean bugless.
 
You should add WatchGuard to your list.

I have shopped firewalls before and everyone says +1 Palo Alto. Maybe I should have looked harder at them.
 
>+1 Palo Alto. They seem to get it. Usual network equipment caveats apply, vendor performance claims should generally be taken with a box of salt.
>
>theevilsharpie,
>
>>If anybody knows what the draw of these devices is, please chime in. I simply can't see any compelling reason to use them at all.
>
>The CCNP class taught them that ASA is the firewall. Just like EIGRP is the routing protocol.
>
>Also, I've seen a lot of folks who know Cisco - kind of - and don't want to, or aren't capable of, learning anything else. So they go with what they know. I've watched this trump all sorts of logic and reason.
>
>Demo24,
>
>>However their products are too expensive for my application, especially when I have to cover small offices with 3-4 PCs in it and really can't justify a 2k appliance there.
>
>Have you considered a topology where you have a non-split tunnel VPN based on inexpensive devices taking ALL small branch traffic back to your main site, and then do your firewalling there with one better device? Obviously, factor in extra bandwidth and main site and extra slowdowns, but that might be an option, depending very much on the details of your situation.
>
>All,
>
>Two things to remember about these products:
>
>1. Fortinet key people were the old key people behind Netscreen, which got bought by Juniper, and later they bailed. So Juniper's products are short many of the key/original people, while Fortinet is those same people's next generation. Also, Juniper seems to really just want to graft the Netscreen functionality into JunOS, which on the surface is a great strategy, but the process of getting there is ugly.
>
>2. Dell bought SonicWALL. I have not been happy with the results I've seen of any of the acquisitions Dell has done - in my opinion every product they have acquired has either atrophied or actively gotten worse. (also, in general, I've just had a ton of bad experiences with Dell the company and Dell products)

This is my fear as well. We run SonicWalls here and have been happy with their performance/features. But Dell may eventually erode the product. We are due for an upgrade in a couple of years. I will source out other products and see what is out there. I liked Juniper at my previous employer.
 
For firewalls I only really know the Cisco stuff, but the entire ASA-X line supports L4-7 filtering, IPS, identity, etc, plus much faster firewall throughput. All in hardware, at least in theory. Also I agree with RadiclDreamer that ASDM has come a long way - I heard that Cisco hired a bunch of new devs from other manufacturers to spruce it up. So far so good. Might be worth another look if you're not familiar.

I've heard lots of good things about PA, with the major drawback being significant cost. That matters to some enterprises; doesn't matter so much to others. I haven't met anyone yet who said they didn't like the product, so that in itself is impressive.
 
>For firewalls I only really know the Cisco stuff, but the entire ASA-X line supports L4-7 filtering, IPS, identity, etc, plus much faster firewall throughput. All in hardware, at least in theory. Also I agree with RadiclDreamer that ASDM has come a long way - I heard that Cisco hired a bunch of new devs from other manufacturers to spruce it up. So far so good. Might be worth another look if you're not familiar.
>
>I've heard lots of good things about PA, with the major drawback being significant cost. That matters to some enterprises; doesn't matter so much to others. I haven't met anyone yet who said they didn't like the product, so that in itself is impressive.

Yeah, I saw the Cisco ASA-X stuff, and while it's a massive step in the right direction, it still seems like it's behind CP, PA, and Fortinet. Once this gets rolling more I'm sure I'll add the ASA-X stuff in, and in the meantime I'll take a look at WatchGuard.
 