Years ago, firewalls were primarily devices for blocking unneeded ports. Today's firewalls have merged with other devices and bundle functions such as quality of service (QoS) traffic shaping and bandwidth management, intrusion prevention (IPS), VPN termination, antivirus, antispyware and antispam scanning, web filtering and proxy blocking, content inspection, application control, identity management, and reporting.
We're in the process of evaluating potential firewall replacements. We're not really interested in the product as a spam or content filter. I've been looking at some SonicWall products, as well as a Cisco PIX. I'd love to choose something with an integrated VPN option that allows for an LDAP lookup against our directory. Any suggestions? Companies to avoid?
Comments About Firewalls
Retrieved from the ISED-L list-serv, 3/09 (and before), under a CC 3.0 attribution, share-alike, non-commercial license:
- Fortinet is what we have, and we have been very satisfied. VPN and AD integration are included, plus other options. Fortinet is a spinoff from the NetScreen founder Ken Xie - a second-generation NetScreen, if you like - and through this experience they avoided several design issues and got it right the first time. The major differentiators are their unlimited license model and hardware-accelerated content inspection. Check their website for details.
- I've always liked the Cisco PIX as a firewall, but maybe I'm biased because of my Cisco experience. I have replaced a couple of BorderManager installations with PIXs, keeping in mind the caveat that the PIX does not natively have a content filter. Also keep in mind that the PIX has been superseded by the ASA 5500 series of firewalls. The ASA will do everything the PIX will do, only faster and with more features. The ASA can use Kerberos for authentication and LDAP for authorization, but I have found it easiest to allow a PIX or ASA to use RADIUS authentication against an Internet Authentication Server (IAS) installed on a domain controller. I have also found that installing the Cisco VPN client has been less problematic than other VPN clients, including SonicWall's. If you are willing to pay the licensing fees, the ASA also offers an SSL VPN option. They will tease you with two licenses for you to try out. Once you have your address translations and access rules configured, you can usually get the VPN up and running in about 10 - 15 minutes using the wizard included in the graphical device manager. After saying all of that, I have to say that Juniper has a nice set of firewall/IPsec VPN appliances, as well as SSL VPN appliances.
- I have used the Cisco PIX, SonicWall, WatchGuard, Nokia and the Juniper (aka NetScreen) line of firewalls and IDP appliances. By far the Juniper is the easiest to configure/administer, with very little overhead, and they are also priced very competitively. If you have a chance, check out their website http://www.juniper.net/us/en/. They have several models depending on your needs. I have used the Juniper NetScreen product line for 8 years and would not change. It has a number of options depending on the network size and needs. They are also the market leader in SSL VPN appliances. The guys at http://www.securehq.com carry a wide selection of security systems and are very helpful.
- I've been evaluating the Cymphonix for the last month. I had already tested the Marshall-8e6 product, and in a few days I will be testing the St. Bernard Software iPrism box. The biggest problem we had with the Cymphonix was distributing the local cymdir executable that takes care of the single-sign-on process. The distribution was fine, but we had some problems, and it took us a while to figure out that we had a problem with our Group Policy Object. All the while, the Macs behaved just fine. I like the interface (but don't like that it doesn't yet support Firefox or Safari). I like the granular reporting and the ease of finding what I need in the reports without having to wait too long. I like the filtering and the ability to associate filter policies with different groups and users. I like that there is a web-based login to fall back to if the SSO is not working (and for non-domain members on the network). I like the bandwidth throttling, but I haven't really tweaked this yet. I haven't found any showstoppers. Right now, I strongly prefer the Cymphonix over the Marshall-8e6 solution. And, for what it's worth, their initial quotes (for a three-year agreement) were within $100 of each other. We have been using the Cymphonix for 3 years now. The reporting is very strong. It integrates well with our Active Directory, and I think it supports Novell's eDirectory. The bandwidth shaping has worked well. Teachers have priority over students, but students have a larger share of the pipe since there are a lot more of them than teachers. Certain websites that the teachers and students use for school take precedence over other websites. The only problem that I have encountered is with the workstation directory utility (cymdir) sometimes dropping communication with the Cymphonix box. If the box can't identify you, then you are automatically put into the default (student) group. This will generally resolve itself within a few minutes, or the user can log off and back on again. This doesn't happen as often anymore. Overall we have been satisfied with it. The tech support has been great.
- We're using Border Manager and have been pretty happy with it.
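The setup described in the PIX/ASA comment above (RADIUS authentication against IAS on a domain controller, LDAP against the directory for authorization, both tied to a remote-access VPN tunnel group) is shown below as an added configuration example. It is not from the original thread or from Cisco's documentation; the host address 10.0.0.10, the server and group-policy names, the base DN, the service-account DN and the VPN-Users group DN are assumed placeholders, and the shared secret and bind password are stand-ins that must be replaced.

```cisco
! Assumed placeholders (not from the thread):
!   domain controller running IAS: 10.0.0.10
!   AD group allowed to use the VPN: CN=VPN-Users,OU=Groups,DC=example,DC=org

! --- Authentication: RADIUS against IAS on the domain controller ---
! RADIUS only obfuscates the password with an MD5-based scheme, so keep the
! ASA-to-IAS path on a trusted management network and use a long secret.
aaa-server RADIUS-IAS protocol radius
aaa-server RADIUS-IAS (inside) host 10.0.0.10
 key <shared-secret-matching-the-IAS-client-entry>
 timeout 5

! --- Authorization: LDAP lookup of the user's group membership ---
! Map memberOf onto the ASA's group-policy attribute. Any user whose
! memberOf does not match the mapped DN gets no mapping and falls through
! to the tunnel group's default policy (which denies logins below).
ldap attribute-map AD-GROUP-MAP
 map-name  memberOf IETF-Radius-Class
 map-value memberOf "CN=VPN-Users,OU=Groups,DC=example,DC=org" GP-VPN-USERS

! The bind account needs only read access to user objects; do not use a
! domain admin. LDAPS (port 636) keeps the bind password off the wire.
aaa-server LDAP-AD protocol ldap
aaa-server LDAP-AD (inside) host 10.0.0.10
 ldap-base-dn DC=example,DC=org
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=org
 ldap-login-password <bind-password>
 ldap-over-ssl enable
 server-port 636
 server-type microsoft
 ldap-attribute-map AD-GROUP-MAP

! --- Group policies: deny by default, allow only mapped group members ---
group-policy GP-NO-ACCESS internal
group-policy GP-NO-ACCESS attributes
 vpn-simultaneous-logins 0
group-policy GP-VPN-USERS internal
group-policy GP-VPN-USERS attributes
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30

! --- Remote-access tunnel group tying authentication and authorization together ---
tunnel-group RA-VPN type remote-access
tunnel-group RA-VPN general-attributes
 authentication-server-group RADIUS-IAS
 authorization-server-group LDAP-AD
 default-group-policy GP-NO-ACCESS
```

Before pointing clients at it, check each leg from the ASA console: `test aaa-server authentication RADIUS-IAS host 10.0.0.10 username <user> password <pass>` confirms the RADIUS shared secret and the IAS client entry, and `test aaa-server authorization LDAP-AD host 10.0.0.10 username <user>` shows the attributes returned by the directory, so you can see whether memberOf actually mapped to GP-VPN-USERS for a member and stayed unmapped (and therefore denied by GP-NO-ACCESS) for a non-member. The deny-by-default group policy is the piece people most often omit; without it, a valid domain account outside the VPN group still gets a session.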