Printable View
I have 4 rack mounted (web,backup,data,email) servers...i wanted to implement a appliance firewall...i have reasonable amount of traffic and a dedicated 2.5 mb/s.....possibly compared to the traffic that hits this website....i am curerntly looking at servgate, cisco pix, sonicwall and maybe checkpoint firewall-1...anyone have any recommendations on these or have used these before....
I've used Cisco Pix, Checkpoint, SunScreen. I've messed around with Winroute, and various other software firewalls and my conclusion is all of them have their good and bad points. You really need to look at what each specifically gives you and what each falls short on.
My personal favorite is Sunscreen, however, at $15000 it's quite an investment. You just can't beat not having a TCP/IP stack. No TCP/IP, nothing to attack. On the other hand, no one ever got fired for buying Cisco.
The first thing I'd decide is whether you want a packet filtering or proxy based firewall. Cisco PIX is well known and I use it. The problem in recent days is that their support has become equivelant to that of a fast food drive through.
If you are looking at CheckPoint, they have *much* improved their product from a few years back. Don't forget to look at CheckPoint while you are researching solutions.
If you need a monster proxy based firewall take a look at guantlet. It has enough features to keep you busy for eons.
i was also considering netscreen 25, i can get netscreen products for cheaper because i know someone who works there... does anyone a have any opinions or comments on netscreen?
I've used their IPSec site-to-site tunneling feature that comes with their firewall. It was *excellent*. The firewall itself was very easy to setup via a web management interface. The only reason we didn't go with them was because of some political crap with preferred vendors at that time.
Also, the Netscreen salesman stopped by (now that we can buy from a preferred reseller) and told me that they are coming out with an appliance that does VPN, Firewall, IDS/IPS and Spam filtering. I believe he mentioned AV too. I can't wait to see it.
i've heard that watchguard has some nice, fairly inexpensive firewalls, www.watchguard.com
i've also heard good things about the checkpoint.
Hmmm...you could take an Old machine, and put Linux Smoothwall on it...thats very cheap...and you could customize it totaly :)
Noia bud,
Yeah, you could do that or just use IPTABLES but this dude seems to want an appliance solution, not an open-source solution.
--TH13
thats right i want an appliance ...primarily because an appliance can stay on for along time and not require any maintaince or resets...my site at one point had close to 5,000 concurrent sessions so i need something that very stable and reliable...
We have been looking at it right now (and you have to remember we have very large enterprise so we are looking at that kind of solution) and a clear leader right now is Checkpoint's Firewall-1 running on a Nokia Epliance. You get support from Nokia and support for clustering just for buying product and it has as far as we can tell some of the best performance around. Firewall-1 also has some pretty interesting capabilities with NAT, content filtering, and a few other things that are pretty nice. It is the only firewall we looked at that had a competent enterprise management solution.
We also use Cisco PIX on a much smaller scale, and it works pretty well and was easy for people to pick up because of similarities to Cisco's router IOS. We also found it did some very interesting things to protocols using the fixup options (like for SMTP it deletes all the server information and severly limits commands that can be run). I consider it to be a good firewall with good performance, but don't consider it to scale to well, even with Cisco's management solution. I consider PIX to be a very good firewall but we went towards Nokia over the enterprise management capabilities of firewall-1 versus the stuff with PIX. It NAT's by default and is very secure by default, but a little harder to configure.
I have messed around with SunScreen before (about 2 years ago) and was appalled with it. Clunky interface and relatively difficult to configure versus the other products we were looking at. I personally would avoid it.
I have also messed around with TSI/NAI/Secure Computing's Gauntlet. It is the only true proxy firewall out of the group, but your performance will suffer, it is not as easy to configure, and it is being merged with Secure Computing's Sidewinder firewall.
SecureComputing makes a new firewall that is based off supposidly the best of Sidewinder mixed with the couple of good things in Gauntlet (like anti-virus) and it continues to be run on a specialized platform like sidewinder. I haven't messed around with this, but considered sidewinder to be a pretty good product for the little that I have seen it.
There was someone that made an appliance that ran IP tables but I don't remember the name. I will ask a friend of mine that was running it and post again when I find it.
It just depends on your needs, versus performance, versus cost. Have a look at the ones I mentioned (minus gauntlet, it was a leadin for Secure Computing's product). Good luck and happy hunting.
/nebulus
EDIT: The IPtables firewall was Astaro.
Wow, you messed around with it two years ago and that makes you an authority? Do you have any idea how far firewall technology has come in the past two years, not to mention Sunscreen from just one version back? Personally I'd appreciate a "clunky" interface if it provides me more security, but that's just me. I could be way off base here.Quote:
Originally posted here by nebulus200
I have messed around with SunScreen before (about 2 years ago) and was appalled with it. Clunky interface and relatively difficult to configure versus the other products we were looking at. I personally would avoid it.
/nebulus
EDIT: The IPtables firewall was Astaro.
BTW- If you like Checkpoint, then you'd love Sunscreen. They are both cut from the same cloth.
I don't even know where to start on that one. No kid, firewalls have changed in the last couple years with a general trend towards hybrid firewalls (incorporating both stateful packet inspection and some psuedo-proxy capabilities), but I am sorry, when I looked at SunScreen between 2-3 years ago, that had to be one of the worst put together pieces of software I have ever seen. Even after being sent to training on it, we still wound up making do with NAI Gauntlet of all things over it because it was so clunky (I was trying to be nice by saying clunky), that was the least of its problems (although I will say it had decent performance when compared to something like a full proxy firewall like gauntlet). And when you compare something like sunscreen to market leaders like PIX and Firewall-1, I am sorry man, IMHO, there is no comparison...Quote:
Wow, you messed around with it two years ago and that makes you an authority? Do you have any idea how far firewall technology has come in the past two years, not to mention Sunscreen from just one version back? Personally I'd appreciate a "clunky" interface if it provides me more security, but that's just me. I could be way off base here.
BTW- If you like Checkpoint, then you'd love Sunscreen. They are both cut from the same cloth.
Out of curiousity, after talking to some industry reps while we were doing our research, one of them mentioned that they had discontinued Sunscreen (or maybe it was SPF) because of customer complaints about the very things I had been citing. I seem to recall that was a Sun Microsystems rep that said that, if I am getting the products mixed up please correct me, but I am pretty sure that the Sunscreen product was what we looked at and that it was produced by Sun and later included in with their Solaris 2.8 OS...
If I do remember right (which is a somewhat rare occasion these days), Sun told us they were dropping Sunscreen entirely and going to a firewall-1 product running on their LX-50 lines...
/nebulus200
I`d go with a nokia using Checkpoint, its well supported and failry easy to get up to speed on. The VRRP feature (supplied by Nokia) is also useful. NetScreen are also good, aren`t they the guys who worked on checkpoint? Sure I heard that somewhere. F5 also make some decent appliance firewalls, and if you can get an appliance with Cyberguard on it then that would be the way to go.
The new version of Checkpoint (due out in August) has some nice new features due to Checkpoint acquiring Okena. The only concern with checkpoint is the licensing can work out to be very expensive and there are yearly suibscription dues as well. Netscreen has a better pricing policy, but CP is the leader and the Nokia appliances are very good.
Oh, and Cisco PIX is also good, but as someone said the support is somewhat lacking these days.
Nebulus, I also heard that sunscreen was being dropped, and I remember it being a little clunky too.
They haven't discontinued Sunscreen. A quick check on their site would tell you that.Quote:
Originally posted here by nebulus200
I don't even know where to start on that one. No kid, firewalls have changed in the last couple years with a general trend towards hybrid firewalls (incorporating both stateful packet inspection and some psuedo-proxy capabilities), but I am sorry, when I looked at SunScreen between 2-3 years ago, that had to be one of the worst put together pieces of software I have ever seen. Even after being sent to training on it, we still wound up making do with NAI Gauntlet of all things over it because it was so clunky (I was trying to be nice by saying clunky), that was the least of its problems (although I will say it had decent performance when compared to something like a full proxy firewall like gauntlet). And when you compare something like sunscreen to market leaders like PIX and Firewall-1, I am sorry man, IMHO, there is no comparison...
Out of curiousity, after talking to some industry reps while we were doing our research, one of them mentioned that they had discontinued Sunscreen (or maybe it was SPF) because of customer complaints about the very things I had been citing. I seem to recall that was a Sun Microsystems rep that said that, if I am getting the products mixed up please correct me, but I am pretty sure that the Sunscreen product was what we looked at and that it was produced by Sun and later included in with their Solaris 2.8 OS...
If I do remember right (which is a somewhat rare occasion these days), Sun told us they were dropping Sunscreen entirely and going to a firewall-1 product running on their LX-50 lines...
/nebulus200
They have included a "personal" type in Sol9, although it doens't have the same capabilities as the full blown version, like being able to run in switched mode. (BTW- I was told the same thing about two years ago.)
We are definitely not talking about the same firewall here, obviously. You're talking about Sunscreen pre version 3.1 and I'm talking about that version and on.
The interface of the version of Sunscreen I have is identical to that of Checkpoint/Pix/etc. etc. So if Sunscreen is clunky then so to is Checkpoint. In fact the only thing I don't like about it is the fact that the interface is written in java. (It's from Sun, go figure.) Which means every once in a while I get a dumb browser lockup.
And like I've stated before "no one ever got fired for buying Cisco." They are cheap and fast, especially if you're not dealing with allot of bandwidth. :D
Just a quick clarification, we talked to Sun Microsystems last week and that is when they told us they were dropping SunScreen due to poor sales, this was not two years ago but rather last week; however, I think he meant from the perspective of making it a standalone firewall, not sure what their plans are for keeping it in the OS.
If you have any contacts with Sun (we have very good ones because of the massive amount of Sun equipment we buy (anywhere from serengeti (bad spelling) SANS, to sunfire 10000's, to countless sparcs (x1, t1, v120's, 280r's 480r's, etc))), I would recommend talking to them. They are really pushing Firewall-1 on their new LX50 platform (intel, not sparc based) hard.
/nebulus
They may have very well said that. But like I said, they said the same thing to me when I worked for a company that spends millions on support contracts, not to mention a buttload of hardware.
I've been browsing the Sun site and cannot find any such announcement, can you point me in the right direction?
http://wwws.sun.com/software/securenet/index.html
I don't know if it has been officially announced or not. They had some engineers, sales, and a few other company people down for a nice little dinner after they demo'd/installed their product for testing (the LX50 stuff), and while we were at dinner we were discussing what products we had used in the past and Sunscreen came up, which is when they mentioned that it was going away. I will look around their site and see if I see it mentioned anywhere, but I wouldn't be suprised if you don't hear about it for a little while (a couple of months). I think this move has alot to do with Sun working on re-inventing itself after having had its rear handed to it in the last couple of years in the server market (IMHO, kinda shocked how low their stock price is now)...Think the biggest thing they are moving towards is starting to use Intel chips more and trying to get their prices down...nonetheless, that is why i suggested talking to your reps...Quote:
Originally posted here by KorpDeath
They may have very well said that. But like I said, they said the same thing to me when I worked for a company that spends millions on support contracts, not to mention a buttload of hardware.
I've been browsing the Sun site and cannot any announcement, can you point in the right direction?
http://wwws.sun.com/software/securenet/index.html
/nebulus
EDIT: This is an exact quote from the very page you just cited:
Quote:
For customers who require more features than SunScreen 3.2 offers, Sun also announced a limited-time promotion in conjunction with Check Point Software Technologies, Inc. From February 6, 2002, until June 6, 2002, Check Point will offer existing SunScreen software customers a 50% discount on the purchase of particular Solaris software-based firewall and VPN products. Customers will be asked to purchase a software subscription and complete an End User Declaration form.
For complete details on this promotion, please see the Check Point SunScreen Promotion page.
Please note: The offer has been extended until December 31 2002.
Ok. You have probably already made your choice, but I figured I would give you some info. Just in case.Quote:
Originally posted here by dynosys
I have 4 rack mounted (web,backup,data,email) servers...i wanted to implement a appliance firewall...i have reasonable amount of traffic and a dedicated 2.5 mb/s.....possibly compared to the traffic that hits this website....i am curerntly looking at servgate, cisco pix, sonicwall and maybe checkpoint firewall-1...anyone have any recommendations on these or have used these before....
You requirement of 2.5 mbps is just about the top capability in 3DES of the Sonicwall SOHO3 series. If you are looking for pure throughput however, and not needing the VPN capabilities, then they are an extremely cheap way to go. And if you grow, they have upgrade (read trade in) style programs. In fact, you would be looking in the neighborhood of $380 for a SOHO3, that could handle up to ten servers. You can upgrade it easily. Reliability? Awesome. Setup? Easy. Reporting? Too much information (with VPN going you could give yourself 50K emails a day if your not careful). Wanna go cheap, but like the SonicWALL, and wanna save for something better later? Get a WebRAMP 700s, new, off ebay. You are looking at like $80, and it will handle your throughput. Barely. Just not in 3DES. It just happens to be 10BaseT.
What I am looking at is the 3com Embedded Firewalls. Similar situation, but would be closer to $1500. Also, I need a lot higher throughput (have gigabit capable, but tiered costs, so am trying to get as close to 100 mbps as possible). If anyone can comment on them it would be appreciated.
Checkpoint. Beware. While great firewalls, they can be an absolute money pit.
Pix. Great firewalls, atrocious interface. I am currently looking at a 515 for a client. You could do with a 501.
Just remember: what you have does not require an enterprise grade switch. With your listed requirements, a Firebox at Frys’ would work. I would suggest being careful, and not over spending on it. Save now, to help later expansions, or keep accounting happy.
Hell, if you are buying for a company, you might throw Checkpoint and Watchgaurd to them. And then find a “radical solution”, and show the pix of soho. With plans to increase capacity later on as requirements increase. It shows you are thinking of today, but you are also thinking of tomorrow.
Hope that helps.
i've used the sonicwall and the cisco pix....both of them work really well depending on what you are using them for....i prefer the cisco though if that helps
I need a free firewall because i um.... am fund challenged at the moment and was wondering if there were any free firewalls
I have tested all 3 products PIX, Netscreen and checkpoint...at my last engagement,,
We opted with Netscreen..Although for plitical reasons, we didnt give checkpoint much of a chance..Here is our results
Netscreen was our choice..for the following reason.
1. It implements VPN in hardware (ASIC) unlike Cisco although now Cisco PIX has
feature of VPN accelerator card..ASIC is lot faster than implementing insoftware..
2. manageabilty alotttttttt better than Cisco PIX.Cisco was a pain to manage as rule list increased..
3. Netscreen allows you to take an interface (ex gig interface) and break it up into multiple
sub interfaces thus allowing u to create many DMZs w/o buying additional hardware..
Csico does not have that feature, infact maximum # of interfaces on PIX525 was I believe around 15-17..(and thats the high end expensive platform.....
Last but not least,,,We needed a firewall connecting to timewarner cable ,
w/DHCP addresses..The netscreen Firewall can be set up to act as DHCP client
on outside interface but the Cisco PIX could not...
Hope this helps...
Good Luck..
I see that this thread is old and most likely completely passed, but I just wanted to put in my little plug for SONICwall. I have used it before, and I am using it now, with no problems what so ever. I have had it, the hardware firewall 1U box, for a few years now, and haven't had one problem because of it yet.
Just my opinion.
I assume in item 3 you are talking about the VSYS options on NetScreen 500s and above.
BTW, we have a few in stock. http://www.nha.com