Geekzone: technology news, blogs, forums

rhysb
#710585 1-Nov-2012 19:31

For a FWF-60C the Forticare plus Fortiguard Bundle 8x5 for 1yr is ~$390. That includes 8x5 support, UTM and firmware updates. On a par with other support contracts.

networkn
#710605 1-Nov-2012 20:27

BTR: A Sonicwall TZ series box might do the trick. They are the entry level box but do both SPI and DPI as well as supports site to site and site to client VPN. TZ215 is less than 2K


TZ215 would get my vote wholeheartedly. 24/7 Support with good quality and well trained people.

I think it's also worth noting I support both and I DO like Fortigate and their support, once you get it, is excellent. However, getting support requires a full description of the issue and a full network diagram even for straightforward issues, which is a pain.

lchiu7
#710834 2-Nov-2012 09:03

rhysb: For a FWF-60C the Forticare plus Fortiguard Bundle 8x5 for 1yr is ~$390. That includes 8x5 support, UTM and firmware updates. On a par with other support contracts.


What kind of support does a firewall need?  I was thinking for my friend he could have two around with a cold swap available if the primary unit died. That's cheaper than 7x24 support. The cold swap might be slightly lower spec (like a 60C for a 100D)

Jeeves
#710841 2-Nov-2012 09:23

lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would assume once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?


Pretty sure your friend meant $1k would be for annual support, not monthly. We have a large enterprise system and that isn't even anywhere near $1k a month.

rhysb
#710938 2-Nov-2012 12:24

lchiu7: What kind of support does a firewall need?  I was thinking for my friend he could have two around with a cold swap available if the primary unit died. That's cheaper than 7x24 support. The cold swap might be slightly lower spec (like a 60C for a 100D)


You would still need a support contract for each unit as it is activated to the unit's SN. You also need a support contract to use/continue to use any of the UTM features. As mentioned, the first year is bundled with all units sold here.






lchiu7
#711137 2-Nov-2012 20:27

Jeeves:
lchiu7: An issue my friend has is the cost the ongoing support. He was quoted over $1K for monthly support for a Fortigate. He could not understand what that provided.

I would assume once the device is up and running, just a quick check every now and then should be enough. Presumably new rules/filters could be pushed out by Fortigate like AV signatures?


Pretty sure your friend meant $1k would be for annual support, not monthly. We have a large enterprise system and that isn't even anywhere near $1k a month.


It was per month and actually $1200. I asked who it was and it's a local vendor who have been in the news recently :-) But apparently it involved active monitoring to see that it was up and other proactive stuff. Still seems a tad expensive IMHO.




raytaylor
#711837 4-Nov-2012 17:13

My recommendation is Kerio Control

- Built-in AV protection on the transparent proxy server (Sophos; compatible with many other AVs)
- Firewall functionality
- User surfing monitoring for computer use auditing, finding staff watching porn
- Web filtering for blocking porn, Facebook, Facebook proxies etc.
- Built-in VPN server
- URL rules
- Very good reporting
- Runs on Windows (including XP Pro), Linux, or as a hardware appliance
- Bandwidth control, e.g. large downloads can be limited to a bandwidth pool
- User data quotas
- Internal user database or Active Directory authentication if users are required to log in for internet access
- IPv6 support under active development.




quakeguy
#714051 8-Nov-2012 11:03

I won't recommend a specific model, but coming from an ISP, I can say a few things on this topic.

We regularly see scenarios where the firewall is under-powered and causing performance issues for everything behind it. Sometimes this is because the company decided to cut back on the Firewall/UTM/IDS cost; most often though, we see firewalls getting very old (3+ years) without being upgraded, and because they've "just done their job and kept going" they tend to be forgotten about.

The hidden cost to a business can be quite nasty; consider having a bunch of designers sitting around waiting for their stock images to download - the longer a performance problem goes on, the more it costs you! Those guys need to be working to their potential!

Especially with UFB coming, the throughput of your firewall (especially with all of those nice features on) is important to consider. Can it do more than 100mbit/sec with IPS on, Anti-Virus on, etc?

I'd argue that more important than a particular brand, is a solid OAM (Operations, Administration and Management) plan for the firewall within your organisation. This will include things like:

- Keeping definitions (and licenses) up-to-date.
- Monitoring performance of the firewall (CPU utilisation, network interface utilisation - i.e., are we maxing out 100mbit/sec of our 100mbit/sec interface? - while I'm at it, beware of 5-minute graphs - if you are getting to 85% of interface speed on 5-minute averages, you are almost certainly maxing out the interface)
- Environmental care (graphing/alerting on the temperature of the firewall is a great idea - this way, you are alerted when the internal fans fail, and your organisation goes offline!)
- Knowing (and periodically revising) the roadmap and product portfolio of your firewall vendor (Is this range being discontinued/cut down? If we upgrade to the next model, do we have to re-configure everything from scratch? A full firewall reconfiguration can cost more than the whole device!)

Some of this stuff sounds costly. In small organisations, it may not be necessary; I think the tipping point is probably 100 users or more, but it depends on the value of your business.
Most managed services providers will consider the above, so if it makes sense to outsource - do it!

2c
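Added example, not code from the post above or from any firewall vendor: a short Python script that shows why the "beware of 5-minute graphs" point matters. It builds a monotonic octet counter of the kind you would poll from an interface (the samples are constructed, nothing is polled over SNMP; the 30-second poll interval and the 100 Mbit/s link are assumptions) and compares what fine-grained polling shows against what a 5-minute bucket draws, then applies the rule of thumb that a 5-minute average at or above 85% almost certainly means the interface is being maxed out.

```python
"""Added example (not from the original post): 5-minute averages hide
link saturation, and a check that applies the 85% rule of thumb anyway.
All counter samples are constructed for the example."""

LINK_BPS = 100_000_000   # 100 Mbit/s interface, as discussed in the thread
POLL_SECONDS = 30        # assumed fine-grained poll interval
WINDOW_SECONDS = 300     # the usual 5-minute graph bucket
SATURATION_HINT = 0.85   # the post's rule of thumb for 5-minute averages


def utilisation(octets_delta, seconds, link_bps=LINK_BPS):
    """Fraction of link capacity used over an interval (octets -> bits)."""
    return (octets_delta * 8) / (seconds * link_bps)


def counter_from_profile(profile, seconds=POLL_SECONDS, link_bps=LINK_BPS, start=0):
    """Build a monotonic ifHCInOctets-style counter from per-poll utilisation
    fractions. Used here only to construct realistic sample input."""
    counter = [start]
    for u in profile:
        counter.append(counter[-1] + int(u * seconds * link_bps / 8))
    return counter


def per_poll_utilisation(counter, seconds=POLL_SECONDS, link_bps=LINK_BPS):
    """Utilisation of each poll interval from consecutive counter readings."""
    return [utilisation(b - a, seconds, link_bps) for a, b in zip(counter, counter[1:])]


def windowed_utilisation(counter, window=WINDOW_SECONDS, poll=POLL_SECONDS, link_bps=LINK_BPS):
    """Utilisation per window-sized bucket: what a 5-minute graph actually draws."""
    n = window // poll
    return [utilisation(counter[i + n] - counter[i], window, link_bps)
            for i in range(0, len(counter) - n, n)]


def assess_interface(counter, poll=POLL_SECONDS, window=WINDOW_SECONDS, link_bps=LINK_BPS):
    """Compare the fine-grained view with the 5-minute view of the same counter,
    and apply the 85% rule to the 5-minute figure."""
    fine = per_poll_utilisation(counter, poll, link_bps)
    coarse = windowed_utilisation(counter, window, poll, link_bps)
    saturated = sum(1 for u in fine if u >= 0.99)   # polls at (or within rounding of) line rate
    return {
        "peak_poll_utilisation": max(fine),
        "saturated_polls": saturated,
        "five_minute_average": max(coarse),
        "saturated_by_rule": max(coarse) >= SATURATION_HINT - 1e-9,
    }


if __name__ == "__main__":
    # Constructed: four minutes flat out, then one minute at 25%.
    # The 5-minute graph shows 85%; eight of the ten polls were at 100%.
    profile = [1.0] * 8 + [0.25] * 2
    print(assess_interface(counter_from_profile(profile)))
```

The point of the numbers: a bucket that averages 85% here is a link that was pinned at line rate for four of its five minutes, which is exactly the situation a glance at the graph would not reveal. Poll more often than the graph draws, or alert on the 85% average as though it were 100%.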

lchiu7
#717034 14-Nov-2012 13:53

My friend, for a number of reasons, has decided to go with Fortigate. The problem is that the organisation with which he has the relationship cannot free up people to do configuration for him.

So if anybody can, or knows people who can, configure Fortigate firewalls, please PM me and I can forward the details.

Thanks




vulcannz
#720623 21-Nov-2012 10:33

A Sonicwall TZ-215 probably would've done the job; ideally that box sits well at around 25Mbps with all services turned on.

FWIW the fundamental difference between the main firewall brands can be broken into 3 groups of basic tech:

Octeon CPUs: Palo Alto Networks and Sonicwall, both use Cavium Octeon chipsets in their appliances
ASICs: Juniper and Fortigate
Generic Intel-based hardware: Astaro/Sophos, Kerio, pfSense, Watchguard, Checkpoint etc.

The Cavium Octeon is designed for looking into packets and that type of workflow. So you tend to see much better performance. When doing IPS, App management, AV, these boxes are the best bang per buck. They typically do a single-pass inspection on traffic, so turning on 1 layer 7 service vs all layer 7 services makes little difference. Whereas most of the competitors use multipass inspection, so as you turn on each service (IPS/App Management/AV) the performance issues compound - Octeons avoid this problem.

ASIC-based stuff makes for good speeds and feeds, generally fast if you don't want to turn any of the IPS or App management on. Once you do you see big performance hits. These boxes also tend to use proxy-based ALGs, and suffer latency issues as well as limits on how much they can scan (often limited by TCP sessions and file size). Also they tend to have a limited breadth of scan in protocols (typically don't pick up HTTP on non-standard ports, for example). In some brands specific ports can only be used with ASICs for traffic inspection.

Intel-based stuff... well... it's just not designed for packet inspection on the wire, let alone high-throughput IPSEC VPN or SSL VPN performance. It's not unusual to see these boxes fall over when talking to a Cavium- or ASIC-based box's VPN :)  (they get overwhelmed easily). Same as ASICs, these boxes also tend to use proxy-based ALGs, and suffer latency issues as well as limits on how much they can scan (often limited by TCP sessions and file size). Also they tend to have a limited breadth of scan in protocols (typically don't pick up HTTP on non-standard ports, for example).


Every single brand is going to have bugs. Nobody is perfect. So maturity and support from the vendor is always something to look for. And as pointed out above, it pays to measure your current network performance before deciding on which box. You can get tools like PRTG for free (the 10 node limited version) to do some basic network measurements.

Annnnnnnnnnd... DON'T FORGET THE REPORTING ASPECT. Reporting is essential in any decent firewall, always factor this into your decision. 
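Added example, not code from the post above or from any firewall vendor: a minimal first-packet protocol identifier in Python, to make concrete the "breadth of scan" point about engines that only see HTTP on the standard ports. It classifies each flow twice, once by destination port (what a port-bound proxy ALG does) and once by the client's first payload bytes (what a port-agnostic inspection engine does), and reports where the two disagree. It goes a little beyond the post by also recognising a TLS ClientHello and an SSH banner. The port list and all sample flows are constructed for the example; nothing here is captured from a network.

```python
"""Added example (not from the original post or any vendor): port-based vs
payload-based protocol identification on a flow's first client payload.
All flows below are constructed."""
import re

# Ports a port-only classifier would treat as HTTP (an assumption for the example).
WELL_KNOWN_HTTP_PORTS = {80, 8080}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(
    rb"^(?:GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT|PATCH|TRACE) \S+ HTTP/1\.[01]\r\n"
)


def classify_by_port(dst_port):
    """Port-only view: anything on a well-known web port 'is' HTTP, nothing else is."""
    return "http" if dst_port in WELL_KNOWN_HTTP_PORTS else "unknown"


def classify_by_payload(payload):
    """Content view: decide from the client's first bytes, regardless of port."""
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), version 0x03xx, 2-byte length,
    # then the handshake message type, 0x01 for ClientHello.
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls-client-hello"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def audit(flows):
    """Run both views over (dst_port, first_payload) pairs and report what a
    port-only policy would never inspect, and what it would mislabel."""
    missed_http = []    # HTTP on a non-standard port: never reaches the HTTP engine
    mislabelled = []    # non-HTTP on a web port: handed to the HTTP proxy anyway
    for dst_port, payload in flows:
        by_port = classify_by_port(dst_port)
        by_payload = classify_by_payload(payload)
        if by_payload == "http" and by_port != "http":
            missed_http.append(dst_port)
        if by_port == "http" and by_payload != "http":
            mislabelled.append(dst_port)
    return {"missed_http_ports": missed_http, "mislabelled_ports": mislabelled}


# Constructed flows: (destination port, first client payload).
SAMPLE_FLOWS = [
    (80,   b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    (4444, b"POST /upload HTTP/1.1\r\nHost: 192.0.2.10\r\nContent-Length: 5\r\n\r\nhello"),
    (8443, b"GET /admin HTTP/1.0\r\n\r\n"),
    (443,  b"\x16\x03\x01\x00\x2e\x01\x00\x00\x2a\x03\x03" + b"\x00" * 32),
    (22,   b"SSH-2.0-OpenSSH_9.0\r\n"),
    (8080, b"\x00\x00\x00\x0cnot-http-at-all"),
]

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Two caveats a real engine has to deal with and this example does not: the first payload can be split across segments (so the classifier has to run on the reassembled stream, not one packet), and TLS on an odd port still needs decryption or at least SNI inspection before any HTTP inside it can be scanned. The audit function is the useful part: point it at flows from your own environment and it tells you how much traffic a port-bound policy would simply not look at.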
