Geekzone: technology news, blogs, forums


1101
#181265 8-Oct-2015 13:58

Hi there

Generally speaking...

Say, in an approx. 10-20 user network.
I'm wondering how to justify the cost of lower-end hardware firewalls: $1500 + ongoing maintenance plans + costs of annual licensing.

A decent router has some basic firewall functionality built in, e.g. NAT, SPI; some even have basic content filtering.
Many routers also support site-to-site VPNs.

Is a hardware firewall justified on small networks? Given the initial cost & ongoing annual support costs & licensing costs.
Sure, always better to have than not have, but do the lower-end hardware firewalls do enough to justify the cost?
I've read some of the 'advertising' about what they claim, but if you block all ports except those needed, then what else does the hardware firewall provide? (I know they do drop port scans, but then stupidly allow the same IP to port scan again some time later.)

I'm also not convinced the optional security bundles for the hardware, that you pay annually for, do that much either, on the cheaper units.
All the security issues I've seen are from staff stupidity, and the firewalls didn't help there at all (sort of as expected).

We have clients with old firewalls; I'm just considering upgrades to new firewall hardware, over something like a cheaper DrayTek 2820.
With the move to fibre, the older firewalls may be a bottleneck (but still usable).
One client told me to look for cheaper options; some others will take some convincing to upgrade the older firewalls.

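The "drops the port scan, then lets the same IP scan again later" behaviour the opening post describes is what a port-scan blocker with a fixed ban timer does: the block has a TTL, and when it lapses the source is clean again. The following is an added example, not code from the thread or from any firewall vendor. It detects a scan as N distinct destination ports from one source inside a sliding window, blocks the source for a fixed period, and (as an alternative the post does not mention) doubles the block each time the same source re-offends. The thresholds, the log line format and the sample log lines are all assumptions constructed for this example.

```python
"""Sliding-window port-scan detector with a timed block list.

Added example, not from the Geekzone thread. Thresholds, the log format and
the sample log are constructed for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class ScanDetector:
    scan_ports: int = 10      # distinct destination ports ...
    window: float = 60.0      # ... seen within this many seconds = a scan
    base_ban: float = 300.0   # first block lasts five minutes
    escalate: bool = True     # double the block each time a source re-offends
    _hits: dict = field(default_factory=lambda: defaultdict(deque))    # src -> (ts, dport)
    _banned_until: dict = field(default_factory=dict)                  # src -> expiry ts
    _offences: dict = field(default_factory=lambda: defaultdict(int))  # src -> count

    def observe(self, ts: int, src: str, dport: int) -> str:
        """Decide 'accept' or 'drop' for one inbound SYN and update state."""
        until = self._banned_until.get(src)
        if until is not None:
            if ts < until:
                return "drop"
            # Block expired: forget it. This is exactly the "lets the same IP
            # scan again later" behaviour; only the offence counter persists.
            del self._banned_until[src]
        hits = self._hits[src]
        hits.append((ts, dport))
        while hits and ts - hits[0][0] > self.window:   # trim outside the window
            hits.popleft()
        if len({p for _, p in hits}) >= self.scan_ports:
            self._offences[src] += 1
            factor = 2 ** (self._offences[src] - 1) if self.escalate else 1
            self._banned_until[src] = ts + self.base_ban * factor
            hits.clear()
            return "drop"
        return "accept"

    def ban_expiry(self, src: str):
        """Expiry timestamp of an active or lapsed-but-not-yet-cleared block, else None."""
        return self._banned_until.get(src)


def parse_line(line: str):
    """Constructed log format '<epoch> SYN <src> <dst> <dport>' -> (ts, src, dport)."""
    ts, _flag, src, _dst, dport = line.split()
    return int(ts), src, int(dport)


T0 = 1444312680  # epoch seconds for 2015-10-08 13:58:00 UTC

# Constructed sample log: one scanner and one ordinary HTTPS client.
SAMPLE_LOG = (
    # scanner probes ports 21..35, one SYN per second
    [f"{T0 + i} SYN 198.51.100.7 203.0.113.2 {21 + i}" for i in range(15)]
    # same scanner returns after the five-minute block has lapsed
    + [f"{T0 + 400 + i} SYN 198.51.100.7 203.0.113.2 {21 + i}" for i in range(10)]
    # legitimate client hitting 443 repeatedly: one port, never a scan
    + [f"{T0 + 5 * i} SYN 198.51.100.9 203.0.113.2 443" for i in range(6)]
)


def run(lines, detector):
    """Feed log lines in time order; returns [(ts, src, dport, verdict), ...]."""
    events = sorted(parse_line(line) for line in lines)
    return [(ts, src, dport, detector.observe(ts, src, dport)) for ts, src, dport in events]


def summary(results):
    """Per-source accept/drop counts."""
    counts = defaultdict(lambda: {"accept": 0, "drop": 0})
    for _ts, src, _dport, verdict in results:
        counts[src][verdict] += 1
    return dict(counts)


if __name__ == "__main__":
    det = ScanDetector()
    for src, c in summary(run(SAMPLE_LOG, det)).items():
        print(src, c, "banned until", det.ban_expiry(src))
```

With the defaults, the scanner gets nine probes through before the tenth distinct port triggers a 300 s block; when it returns 400 s later it gets nine more through before the escalated 600 s block. Setting `escalate=False` gives the plain fixed-TTL behaviour the post complains about, which is also the reason such a blocker is a nuisance for scanners rather than a control: anything it stops is noise, and a default-deny inbound policy already drops the same packets.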
michaelmurfy
#1402429 8-Oct-2015 14:07

For small business firewalls the Meraki range is pretty good, however expensive.

You can configure IDS and filtering on the Ubiquiti EdgeRouter series routers, and for an office of that size I'd recommend the $200 EdgeRouter Lite. I'm using it at home and it is great.


Michael Murphy | https://murfy.nz


Dynamic
#1402431 8-Oct-2015 14:14

IMHO anti-malware on the firewall is getting more important.

We've recently had a client (that we see only when they call us) hit with Cryptolocker for the second time. This time it came in via a Word document attached to an email (not zipped), passing through antivirus scanners on the email. The document used a vulnerability in Office that allowed code to execute without warning. The script downloaded and executed Cryptolocker version 3, a new enough variant to get past the desktop antivirus.




“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams
wasabi2k
#1402436 8-Oct-2015 14:20

Dynamic: IMHO anti-malware on the firewall is getting more important.

We've recently had a client (that we see only when they call us) hit with Cryptolocker for the second time. This time it came in via a Word document attached to an email (not zipped), passing through antivirus scanners on the email. The document used a vulnerability in Office that allowed code to execute without warning. The script downloaded and executed Cryptolocker version 3, a new enough variant to get past the desktop antivirus.


Hope you had backups!

However, in your scenario anti-malware on the firewall wouldn't have made any difference at all. If your desktop AV missed it because it was 0-day, how would an anti-malware firewall save you? Heuristics and software updates would be your last chance really.

On small networks I would worry about my edge device providing firewalling and routing and leave malware to the desktop/mail gateway. IDS/IPS are a nice-to-have, but unless you have the skills and time to actively monitor and respond you are paying for something you aren't going to use.





Dynamic
#1402441 8-Oct-2015 14:25

wasabi2k: Hope you had backups!

However, in your scenario anti-malware on the firewall wouldn't have made any difference at all. If your desktop AV missed it because it was 0-day, how would an anti-malware firewall save you? Heuristics and software updates would be your last chance really.

On small networks I would worry about my edge device providing firewalling and routing and leave malware to the desktop/mail gateway. IDS/IPS are a nice-to-have, but unless you have the skills and time to actively monitor and respond you are paying for something you aren't going to use.

Yes, but it was annoying for all involved to lose half a day's worth of files. Could have been much worse.

Defence is about layers of protection. More (sensible) layers reduce the risk. Certainly there is no point providing a sophisticated solution if the client does not see the value in it being monitored. There are 3rd parties (e.g. Mako Networks, who it looks like are being handed a lifeline) who will do a pretty good job of this and notify the IT partner if an issue is discovered.


1101
#1402444 8-Oct-2015 14:28

Dynamic: IMHO anti-malware on the firewall is getting more important.


My (limited) experience with that is that it simply didn't work; the AV would detect malware that the firewall allowed to pass through.
This was some years back though, on old devices with the optional AV bundles.

The issue I have with small-size companies is that they are reluctant to spend, especially if they don't see an issue with what they have, even if it's 8 years old. Some will follow upgrade recommendations, but many just won't spend until something breaks.
That's why I would have to justify the cost of new hardware firewalls.

jaymz
#1404454 12-Oct-2015 15:25

1101:
My (limited) experience with that is that it simply didn't work; the AV would detect malware that the firewall allowed to pass through.
This was some years back though, on old devices with the optional AV bundles.

The issue I have with small-size companies is that they are reluctant to spend, especially if they don't see an issue with what they have, even if it's 8 years old. Some will follow upgrade recommendations, but many just won't spend until something breaks.
That's why I would have to justify the cost of new hardware firewalls.


It is always hard to get companies to spend money on IT when they can't see the benefits from it.

I tend to deal with lots of higher-end firewalls these days (WatchGuard) which run into the thousands of dollars, but provide some very nice features around monitoring of users, filtering of sites based on classification and type, and antivirus and anti-malware protection.

Lots of businesses that I used to do work for went down the path of FortiGate firewalls, as they were not as expensive but allowed good protection from many nasties out there.

The downside of any subscription firewall products (AV etc.) is that they have to pay each time for it; however, the unit will still function without these products being licensed.

If the company is not willing to pay for edge network AV protection, then they should be putting more money into managed AV protection and managed anti-malware protection. In reality most home/small business routers will provide enough "firewalling" to cover a small business. But make sure passwords are changed, and I would suggest allowing only ports 80 and 443 outbound from client computers and letting your onsite server have access outbound to more ports.

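The egress policy jaymz describes (workstations limited to 80/443 outbound, the on-site server allowed more) is the one control in this thread a cheap router can enforce and that actually changes outcomes: a macro payload that wants to call home on an odd port, or a compromised workstation sending spam directly, hits the default deny. The block below is an added example written for this page, not code from the thread or from any router vendor; it models the rule set as a first-match policy and runs constructed sample flows through it. The LAN range, the server address and the server port lists are assumptions. It also covers the flow an "80 and 443 only" client rule most often trips over in practice: client DNS. Here the workstations resolve via the on-site server, so their DNS never reaches the WAN rules; if they resolved directly, UDP/53 would have to be added to the client rule or the office loses name resolution.

```python
"""Default-deny outbound policy for a small office: workstations get TCP
80/443 only, the on-site server a wider allow list, everything else dropped.

Added example, not from the Geekzone thread. Addresses and server port
lists are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for a 10-20 seat office.
LAN = ip_network("192.168.10.0/24")
SERVER = ip_network("192.168.10.5/32")
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    src: object          # ip_network the source must fall inside
    protos: frozenset
    dports: frozenset    # empty = any destination port
    action: str          # "accept" or "drop"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in self.src
                and f.proto in self.protos
                and (not self.dports or f.dport in self.dports))


# First match wins, as in most firewall engines; the last rule is the default deny.
EGRESS_POLICY = [
    Rule("server-tcp-out", SERVER, frozenset({"tcp"}),
         frozenset({25, 53, 80, 443, 587, 993}), "accept"),   # mail, DNS, web, IMAPS
    Rule("server-udp-out", SERVER, frozenset({"udp"}), frozenset({53, 123}), "accept"),  # DNS, NTP
    Rule("clients-web-out", LAN, frozenset({"tcp"}), frozenset({80, 443}), "accept"),
    Rule("default-deny", ANY, frozenset({"tcp", "udp", "icmp"}), frozenset(), "drop"),
]


def evaluate(f: Flow, policy=EGRESS_POLICY):
    """Return (action, rule_name) for a flow originating inside the LAN."""
    if ip_address(f.dst) in LAN:
        return "accept", "intra-lan"      # never crosses the edge device
    for rule in policy:
        if rule.matches(f):
            return rule.action, rule.name
    return "drop", "implicit-deny"        # only reached if the catch-all is removed


# Constructed traffic: a workstation (.20) and the on-site server (.5).
SAMPLE_FLOWS = [
    Flow("192.168.10.20", "203.0.113.10", "tcp", 443),   # browsing
    Flow("192.168.10.20", "203.0.113.10", "udp", 53),    # client DNS straight to the Internet
    Flow("192.168.10.20", "192.168.10.5", "udp", 53),    # client DNS to the on-site server
    Flow("192.168.10.5", "203.0.113.10", "udp", 53),     # server resolving upstream
    Flow("192.168.10.5", "203.0.113.10", "tcp", 25),     # server sending mail
    Flow("192.168.10.20", "203.0.113.10", "tcp", 25),    # workstation sending mail directly
    Flow("192.168.10.20", "198.51.100.4", "tcp", 4444),  # workstation calling out on an odd port
]


def audit(flows=SAMPLE_FLOWS, policy=EGRESS_POLICY):
    """Evaluate every flow; returns [(flow, action, rule_name), ...]."""
    return [(f, *evaluate(f, policy)) for f in flows]


if __name__ == "__main__":
    for f, action, rule in audit():
        print(f"{action:6} {rule:16} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

The two dropped workstation flows (direct SMTP, TCP/4444) are the point of the policy; the dropped client DNS flow is the thing to check before turning such a rule on at a real site, because it is silent breakage rather than a security event. Note that port-based egress control says nothing about what travels over 443, which is where the Word-document payloads in this thread would fetch their second stage.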