Geekzone: technology news, blogs, forums
1947 posts
Uber Geek
# 181265 8-Oct-2015 13:58

Hi There

Generally speaking...

Say, in an approx 10-20 user network,
I'm wondering how to justify the cost of lower-end hardware firewalls: $1500 + ongoing maintenance plans + costs of annual licensing.

A decent router has some basic firewall functionality built in, e.g. NAT, SPI; some even have basic content filtering.
Many routers also support site-to-site VPNs.

Is a hardware firewall justified on small networks? Given the initial cost & ongoing annual support costs & licensing costs.
Sure, always better to have than not have, but do the lower-end hardware firewalls do enough to justify the cost?
I've read some of the 'advertising' about what they claim, but if you block all ports except those needed, then what else does the hardware firewall provide? (I know they do drop port scans, but then stupidly allow the same IP to port scan again some time later.)

I'm also not convinced the optional security bundles for the hardware, that you pay annually for, do that much either, on the cheaper units.
All the security issues I've seen are from staff stupidity, and the firewalls didn't help there at all (sort of as expected).

We have clients with old firewalls; I'm just considering upgrades to new firewall hardware, over something like a cheaper Draytek 2820.
With the move to fibre, the older firewalls may be a bottleneck (but still usable).
One client told me to look for cheaper options; some others will take some convincing to upgrade the older firewalls.

Mr Snotty
8940 posts
Uber Geek
Moderator
Trusted
Lifetime subscriber
# 1402429 8-Oct-2015 14:07

For small business firewalls the Meraki range is pretty good, however expensive.

You can configure IDS and filtering on the Ubiquiti EdgeRouter series routers, and for an office of that size I'd recommend the $200 EdgeRouter Lite. I'm using it at home and it is great.




2668 posts
Uber Geek
Trusted
Lifetime subscriber
# 1402431 8-Oct-2015 14:14

IMHO anti-malware on the firewall is getting more important.

We've recently had a client (that we see only when they call us) hit with Cryptolocker for the second time. This time it came in via a Word document attached to an email (not zipped), passing through antivirus scanners on the email. The document used a vulnerability in Office that allowed code to execute without warning. The script downloaded and executed Cryptolocker version 3 - a new enough variant to get past the desktop antivirus.




"4 wheels move the body.  2 wheels move the soul."

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

2092 posts
Uber Geek
# 1402436 8-Oct-2015 14:20

Dynamic: IMHO anti-malware on the firewall is getting more important.

We've recently had a client (that we see only when they call us) hit with Cryptolocker for the second time. This time it came in via a Word document attached to an email (not zipped), passing through antivirus scanners on the email. The document used a vulnerability in Office that allowed code to execute without warning. The script downloaded and executed Cryptolocker version 3 - a new enough variant to get past the desktop antivirus.


Hope you had backups!

However, in your scenario anti-malware on the firewall wouldn't have made any difference at all. If your desktop AV missed it because it was 0-day, how would an anti-malware firewall save you? Heuristics and software updates would be your last chance really.

On small networks I would worry about my edge device providing firewalling and routing and leave malware to the desktop/mail gateway. IDS/IPS are a nice-to-have, but unless you have the skills and time to actively monitor and respond you are paying for something you aren't going to use.



2668 posts
Uber Geek
Trusted
Lifetime subscriber
# 1402441 8-Oct-2015 14:25

wasabi2k: Hope you had backups!

However, in your scenario anti-malware on the firewall wouldn't have made any difference at all. If your desktop AV missed it because it was 0-day, how would an anti-malware firewall save you? Heuristics and software updates would be your last chance really.

On small networks I would worry about my edge device providing firewalling and routing and leave malware to the desktop/mail gateway. IDS/IPS are a nice-to-have, but unless you have the skills and time to actively monitor and respond you are paying for something you aren't going to use.

Yes, but it was annoying for all involved to lose half a day's worth of files. Could have been much worse.

Defence is about layers of protection. More (sensible) layers reduce the risk. Certainly there is no point providing a sophisticated solution if the client does not see the value in it being monitored. There are third parties (e.g. Mako Networks, who it looks like are being handed a lifeline) who will do a pretty good job of this and notify the IT partner if an issue is discovered.




1947 posts
Uber Geek
# 1402444 8-Oct-2015 14:28

Dynamic: IMHO anti-malware on the firewall is getting more important.


My (limited) experience with that is that it simply didn't work; the AV would detect malware that the firewall allowed to pass through.
This was some years back though, on old devices with the optional AV bundles.

The issue I have with small-size companies is that they are reluctant to spend, especially if they don't see an issue with what they have, even if it's 8 years old. Some will follow upgrade recommendations, but many just won't spend until something breaks.
That's why I would have to justify the cost of new hardware firewalls.

1094 posts
Uber Geek
# 1404454 12-Oct-2015 15:25

1101:
My (limited) experience with that is that it simply didn't work; the AV would detect malware that the firewall allowed to pass through.
This was some years back though, on old devices with the optional AV bundles.

The issue I have with small-size companies is that they are reluctant to spend, especially if they don't see an issue with what they have, even if it's 8 years old. Some will follow upgrade recommendations, but many just won't spend until something breaks.
That's why I would have to justify the cost of new hardware firewalls.


It is always hard to get companies to spend money on IT when they can't see the benefits from it.

I tend to deal with lots of higher-end firewalls these days (WatchGuard), which run into the thousands of dollars, but provide some very nice features around monitoring of users, filtering of sites based on classification and type, and antivirus and anti-malware protection.

Lots of businesses that I used to do work for went down the path of FortiGate firewalls, as they were not as expensive but allowed good protection from many nasties out there.

The downside of any subscription firewall products (AV etc.) is that they have to pay each time for it; however, the unit will still function without these products being licensed.

If the company is not willing to pay for edge network AV protection, then they should be putting more money into managed AV protection and managed anti-malware protection. In reality most home/small business routers will provide enough "firewalling" to cover a small business. But make sure passwords are changed, and I would suggest setting only ports 80 and 443 allowed outbound from client computers and letting your onsite server have access outbound to more ports.
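Two defender-side helpers, added here as an example (not posted by anyone in the thread), for the egress advice in the post above and for wasabi2k's point that a control nobody reviews is money wasted: an nftables forward policy that lets client PCs out on 80 and 443 only, gives the onsite server a wider port list and logs everything else before dropping it, plus a function that summarises those drop logs per LAN host. The subnet, server address, server port list, the assumption that clients resolve DNS through the onsite server, and the log lines are all constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: (1) an nftables forward policy that
# lets client PCs out on 80/443 only while the onsite server gets a wider
# list, everything else logged and dropped; (2) a per-host summary of those
# drop logs. Addresses, ports and log lines are constructed placeholders.
CLIENT_NET="${CLIENT_NET:-192.168.1.0/24}"               # assumed LAN range
SERVER_IP="${SERVER_IP:-192.168.1.10}"                   # assumed onsite server
SERVER_TCP="${SERVER_TCP:-25, 53, 80, 443, 587, 993}"    # assumed server needs

# Apply with: egress_ruleset | nft -f -   Clients are assumed to use the
# onsite server as DNS resolver (LAN-local, never forwarded); else add udp 53.
egress_ruleset() {
  cat <<EOF
table inet egress {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # server rules first: its address is inside CLIENT_NET
    ip saddr $SERVER_IP tcp dport { $SERVER_TCP } accept
    ip saddr $SERVER_IP udp dport { 53, 123 } accept
    ip saddr $CLIENT_NET tcp dport { 80, 443 } accept
    # log (rate-limited) then drop anything else leaving the LAN
    ip saddr $CLIENT_NET limit rate 10/minute log prefix "egress-drop "
    ip saddr $CLIENT_NET counter drop
  }
}
EOF
}

# Constructed kernel log lines in the format the policy above produces.
SAMPLE_LOG=$(cat <<'EOF'
kernel: egress-drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49152 DPT=4444
kernel: egress-drop IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.9 PROTO=TCP SPT=50001 DPT=25
kernel: egress-drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=49153 DPT=4444
kernel: egress-drop IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=49154 DPT=8080
EOF
)

# Summarise stdin: "SRC count ports:..." for LAN hosts with at least $1
# (default 3) blocked outbound attempts, so someone can actually review them.
suspect_hosts() {
  awk -v t="${1:-3}" '
    /egress-drop / {
      match($0, /SRC=[^ ]+/); src = substr($0, RSTART + 4, RLENGTH - 4)
      match($0, /DPT=[^ ]+/); dpt = substr($0, RSTART + 4, RLENGTH - 4)
      if (src != "") { n[src]++; p[src] = p[src] " " dpt }
    }
    END { for (s in n) if (n[s] >= t) print s, n[s], "ports:" p[s] }'
}
```

Run `printf '%s\n' "$SAMPLE_LOG" | suspect_hosts 3` to see only the host with repeated blocked attempts; the single SMTP attempt from .40 stays below the threshold.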
