Recommend a firewall for 20 office users.

robmurphy

Senior member
Feb 16, 2007
376
0
0
Anyone have any experience/recommendations for a firewall for about 20 users at present? This may expand to 60 to 70. This is for an office in the UK, so whatever firewall is used will be sourced in the UK.

The incoming broadband is ADSL at present, with the firewall on the router (Billion Bipac 5200GRC) turned on. I would prefer the firewall to have an Ethernet WAN input as I will set the ADSL modem to bridge mode. That way if the office gets a faster Ethernet internet connection I can still use the same firewall.

So at present the requirements for the firewall are:

Ethernet WAN connection available.

Must be a big improvement on the firewall in the Billion router

Supports at least 20 users at present and is easily expandable to 100.

Wireless G or N would be nice, but is not a requirement.

Firewall throughput 100 Mbps.

VPN access (the firewall providing the VPN endpoint and encryption) would be nice, but is not a must.

Budget initially £250, up to £1000.


I'm not clear whether the subscription services really provide much; either that, or the big client sites I have worked on have not been using them.

How do commercial hardware firewalls compare, in terms of the overall security provided, to open source solutions like pfSense and m0n0wall?

I do not have any vendor preference on this, but some very cheap piece of kit from a company that's not known will not be used.

If any further information is needed, please ask. I'm sorry if the requirements are not well enough specified.

If there are things I have missed, please point them out; offence will NOT be taken.

Thanks in advance

Rob
 

stlcardinals

Senior member
Sep 15, 2005
729
0
76
I would take a look at a Cisco ASA 5505. They come in 10-, 50-, and unlimited-user models. Any of the lower-user models can be upgraded with a license to the higher capacities. Also add on the AnyConnect Essentials license for VPN connectivity.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
The FortiGate 80C would meet all of your requirements, and one can be had for about $1,000. They also have a model with integrated WiFi, but I'd recommend keeping them separate.

Avoid the ASA line. The low-end models aren't competitive on features or price with other modern firewalls, Cisco will nickel and dime you on licensing and support, the graphical interface is a pain in the ass and relies on ancient versions of Java, and the command line is very unforgiving to novices.
 

dawks

Diamond Member
Oct 9, 1999
5,071
2
81
I'll just toss in my experience with Untangle, a free, mostly open source, Linux-based gateway/firewall/spam/etc. software system. Free if you have a spare PC to run it on.

You can install it on a dedicated PC and act as a gateway for your networks (which I do), or install it as a VM and with some clever networking still let it gateway your network.

I've been running it for over a year now on a P4 1.7 GHz with 768 MB of RAM, and it works pretty well with 45 users behind it. Some people in the forums say it can scale to thousands of users with a fast dual/quad core and 4 GB of RAM.

I run spam filtering, web filtering, spyware and virus scanning. It also has firewall, VPN, and IDS features.
 

James Bond

Diamond Member
Jan 21, 2005
6,023
0
0
+1 ASA 5505. Not sure how much it will cost with the unlimited user license (make sure you get this, or at least the 50), but it should fit within budget.
 

Nothinman

Elite Member
Sep 14, 2001
30,672
0
0
theevilsharpie said:
The FortiGate 80C would meet all of your requirements, and one can be had for about $1,000. They also have a model with integrated WiFi, but I'd recommend keeping them separate.

Avoid the ASA line. The low-end models aren't competitive on features or price with other modern firewalls, Cisco will nickel and dime you on licensing and support, the graphical interface is a pain in the ass and relies on ancient versions of Java, and the command line is very unforgiving to novices.

The licensing thing can be a pain, Cisco is good for that. And I can't speak to ASDM since I avoid it and things like the Cisco Configuration Assistant, because they usually only have a certain subset of functionality that they target, and some more complicated configs can confuse them.

But I find the IOS CLI simple and ubiquitous enough. Between the '?' key and Google I can almost always find what I need. I couldn't imagine doing anything more than minor changes in a GUI; copy/paste into the CLI is much simpler and less error-prone IMO. If you're going to touch any Cisco networking equipment you should have some basic understanding of IOS.

dawks said:
I'll just toss in my experience with Untangle, a free, mostly open source linux based gateway/firewall/spam/etc software system. Free if you have a spare PC to run it on.

We were looking at that for some SMBs too and from the little work I did in setting up the demo it looked pretty decent. I've never touched it in a production environment though.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
Nothinman said:
But I find the IOS CLI simple and ubiquitous enough. Between the '?' key and Google I can almost always find what I need. I couldn't imagine doing anything more than minor changes in a GUI; copy/paste into the CLI is much simpler and less error-prone IMO. If you're going to touch any Cisco networking equipment you should have some basic understanding of IOS.

So you find the CLI simpler and less error-prone than a GUI?

Quick, set up a firewall rule blocking access to social networking (but not Twitter), streaming media, and online gaming sites between the hours of 7:00 AM to 12:00 PM and 1:00 PM to 6:00 PM, while rate limiting other types of HTTP/HTTPS traffic originating from client computers (but not servers) to a quarter of the overall link bandwidth and scanning it for viruses. Be sure to exclude management from the filtering (but not virus scanning).

BTW, the client wants it done in the next 15 minutes.

Let me know how that works out for you :awe:

BTW, the ASA doesn't run IOS, it runs the PIX/ASA OS.
 
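The policy in that challenge is a good illustration of why category filtering, time windows, and per-group exemptions interact awkwardly, whichever interface you configure them through. The following is an added example, not code from the thread or from any vendor's product, that models the decision logic as a plain Python function so the exemptions can be checked one case at a time. The hostnames in the category lists, the link speed, and the assumption that each source machine is already classified as a client, a server, or management are all constructed for the example; it decides what should happen to a flow and does not itself shape traffic or scan for viruses.

```python
from datetime import time
from typing import NamedTuple, Optional

# Constructed sample category lists; a real UTM appliance would consult a
# vendor URL-category feed rather than hard-coded hostnames.
CATEGORIES = {
    "social": {"facebook.com", "twitter.com", "linkedin.com"},
    "streaming": {"youtube.com", "vimeo.com"},
    "gaming": {"steampowered.com", "battle.net"},
}
# The challenge exempts Twitter from the social-networking block.
EXEMPT_HOSTS = {"twitter.com"}

# Blocking windows as half-open intervals: 07:00-12:00 and 13:00-18:00.
BLOCK_WINDOWS = [(time(7, 0), time(12, 0)), (time(13, 0), time(18, 0))]

LINK_KBPS = 20_000  # assumed link speed; only the quarter share matters here

SOURCE_GROUPS = {"client", "server", "management"}


class Decision(NamedTuple):
    action: str                     # "allow" or "block"
    rate_limit_kbps: Optional[int]  # None means no shaping applied
    av_scan: bool


def _matches(host: str, domains) -> bool:
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def category_of(host: str) -> Optional[str]:
    """Map a hostname (or any of its parent domains) to a filtering category."""
    for category, domains in CATEGORIES.items():
        if _matches(host, domains):
            return category
    return None


def in_block_window(now: time) -> bool:
    """True during either working-hours window; lunch (12:00-13:00) is open."""
    return any(start <= now < end for start, end in BLOCK_WINDOWS)


def decide(src_group: str, host: str, now: time, link_kbps: int = LINK_KBPS) -> Decision:
    """Policy decision for one HTTP/HTTPS flow from src_group to host at time now."""
    if src_group not in SOURCE_GROUPS:
        raise ValueError(f"unknown source group: {src_group}")

    # Every flow is virus-scanned, management included.
    av_scan = True

    # Management is excluded from category filtering and rate limiting.
    if src_group == "management":
        return Decision("allow", None, av_scan)

    category = category_of(host)
    if category and not _matches(host, EXEMPT_HOSTS) and in_block_window(now):
        return Decision("block", None, av_scan)

    # Remaining traffic from client machines shares a quarter of the link;
    # servers are not shaped.
    limit = link_kbps // 4 if src_group == "client" else None
    return Decision("allow", limit, av_scan)


if __name__ == "__main__":
    samples = [("client", "www.facebook.com", time(9, 0)),
               ("client", "twitter.com", time(9, 0)),
               ("client", "www.facebook.com", time(12, 30)),
               ("server", "www.youtube.com", time(15, 0)),
               ("management", "www.youtube.com", time(15, 0))]
    for group, host, t in samples:
        print(group, host, t.strftime("%H:%M"), decide(group, host, t))
```

The order of the checks is the point: the management exemption has to be tested before the category match, and the Twitter exemption before the block, or the "but not" clauses silently stop working. On a real appliance those same precedence questions are what the GUI's rule ordering and the CLI's object groups are both expressing.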

NesuD

Diamond Member
Oct 9, 1999
4,999
106
106
SonicWall NSA 240, or 2400 if you think you will have use for the extra capacity in the future. The 240 would be a good fit for your needs as described. No wireless, but it does support the addition of several SonicPoint access points as needed.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,103
126
Another vote for the excellent, excellent Endian firewall, an IPCop clone with a much better user interface and integration. You can use either the free community version that runs on a PC or buy the appliance.

Endian is easy to install and easy to configure, though the support is about non-existent if you use the community version, where users discuss issues at www.efwsupport.com
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
theevilsharpie said:
So you find the CLI simpler and less error-prone than a GUI?

Quick, set up a firewall rule blocking access to social networking (but not Twitter), streaming media, and online gaming sites between the hours of 7:00 AM to 12:00 PM and 1:00 PM to 6:00 PM, while rate limiting other types of HTTP/HTTPS traffic originating from client computers (but not servers) to a quarter of the overall link bandwidth and scanning it for viruses. Be sure to exclude management from the filtering (but not virus scanning).

BTW, the client wants it done in the next 15 minutes.

Let me know how that works out for you :awe:

BTW, the ASA doesn't run IOS, it runs the PIX/ASA OS.

Heh, that's what the proxy is for. Not the firewall.
:sneaky:
 

SammyJr

Golden Member
Feb 27, 2008
1,708
0
0
NesuD said:
SonicWall NSA 240, or 2400 if you think you will have use for the extra capacity in the future. The 240 would be a good fit for your needs as described. No wireless, but it does support the addition of several SonicPoint access points as needed.

I'm a fan of the SonicWall these days. The 5.6 firmware adds additional SSL-VPN capabilities which saved me a ton of money on an actual SSL-VPN device. The NSAs also serve as wireless controllers. I have an NSA 240 at home and an NSA 5000 at work. They've been solid.
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
SammyJr said:
I'm a fan of the SonicWall these days. The 5.6 firmware adds additional SSL-VPN capabilities which saved me a ton of money on an actual SSL-VPN device. The NSAs also serve as wireless controllers. I have an NSA 240 at home and an NSA 5000 at work. They've been solid.

SonicWall and Fortinet's technology is pretty similar, but SonicWall will nickel and dime you on licensing costs.
 

SammyJr

Golden Member
Feb 27, 2008
1,708
0
0
theevilsharpie said:
SonicWall and Fortinet's technology is pretty similar, but SonicWall will nickel and dime you on licensing costs.

I haven't found them to be bad. I just renewed for firmware upgrades and it was $193 for 2 years. Same price for AV/IPS protection for 2 years. Of course, I'm not sure what Fortinet's licensing costs are. :)
 

melchoir

Senior member
Nov 3, 2002
761
1
0
Fortinet is decent for a small office; I would not purchase a larger unit for an enterprise after using their 5000 series unit.
 

robmurphy

Senior member
Feb 16, 2007
376
0
0
Sorry for the late reply/update.

It would seem to be a case of picking a solution from Cisco/Juniper etc. I'll look into this a little further when time allows.

I will be looking for licensing of at least 70 users as a starting point. I'll see what's available from the suppliers we use at the time. I do not think I'll have time to look at pfSense/Untangle/IPCop/Endian/Vyatta at present. If an open source solution was used it would need to be easily managed, i.e. via a GUI. The same will go for an off-the-shelf solution. I do not want to be the only one who can set the firewall to block certain types of traffic etc.

To be honest this is over my head. I'm a VoIP engineer with networking experience that comes from working on VoIP. I'm asked to spec this as I have the most relevant experience in the company at present.

Rob.
 

kstornado

Member
Jan 15, 2004
42
0
0
Having used open source solutions such as pfSense, m0n0wall, IPCop, etc. in the past (and still currently do)... I would suggest going with a solution that another network engineer could step in and work with, or that your company could contact the manufacturer for support on if you got hit by a bus. I would check licensing costs and features on the Cisco, Juniper, Fortinet, SonicWall, etc. and see what fits your scenario.

I've always been a fan of the Fortinet firewalls because they don't hit you with per user licensing, but for ongoing support contracts, they will make it up on the back end.