Sunday, December 2, 2007

What hardware firewall are you using? And why?

Q: What hardware firewall are you using? And why?

Cisco, Sonicwall, Watchguard? What model?

If Cisco, do you like it, is it easy to admin?

Any thoughts appreciated.


A:
Hi ...,

Let's begin with classification:
By hardware firewall we mean that the firewall software runs on a unified platform where hardware and software are purpose-built.

Models do vary. In order to recommend a model, you need to define your requirements. Here is a high-level list of inputs that you may provide for a better recommendation:
1- Aggregated throughput
2- UTM features that will be enabled (deep packet inspection, AV, content filter, etc.)
3- Dynamic routing requirements
4- Failover, HA, load balancing requirements
5- Total number of physical segments needed, interface types, link aggregation requirements
6- SOHO features like dial-back, wireless, ADSL, WAN interface support
7- VPN requirements; is remote access VPN required?
8- Integration requirements (SEM/SIM, backup, network monitoring, MSS, desktop security, IPS)
9- Your existing environment (all Cisco, all Check Point, etc., routing)
10- Primary function (e.g. web farm protection, Internet access, VPN, server farm protection, etc.)

If you send more data on your planned firewall deployments, with hints for the questions above, I can be more specific on the comparison.

Sonicwall and Watchguard fit the bill when all you need is a security appliance. They offer not only the firewall functionality, but several other network security features like content filtering, deep packet inspection or AV. They are more often called UTM (unified threat management) devices instead of firewalls. Management is rather easy since the interface is unified, and central management servers do exist. Model selection is usually based on performance and interface requirements.


I would prefer Sonicwall on the enterprise (high-traffic) side if you have a demanding infrastructure; performance-wise, multi-core parallel processing will help you a lot.

In the Cisco world you have options for models. You can go with the ISR series, ASA appliances, the good old PIX boxes and the 6509 blades. Performance-wise you can never get close to the core, since multi-gig performance is limited unless you choose the FWSM (more blades maybe, but not the ASAs, ISRs, etc.).

I have managed several Cisco systems in the past. Administration is not miraculous when you compare it with other systems; there are local GUIs, central management systems, third parties, network management tools. Cisco is actually trying to unify the management piece: CiscoWorks VPN/Security Management Solution (the big bundle), CiscoWorks Management Center for Firewalls (VMS), Cisco Security Manager (this is the new one), Cisco Router and Security Device Manager (SDM), Cisco Adaptive Security Device Manager (ASDM), PIX Device Manager (PDM) and the command-line interface (CLI) are just a few names in the Cisco firewall management space. Overall the GUI is not miraculous, but it works. If you are a CLI guy you will be happy. Managing a Cisco firewall on any of the models is no more difficult than managing routers. If you like scripting, you can automate 90% of the tasks. Cisco is already integrated with all network management products, so you won't have problems. The base code is stable lately and it does support enterprise features like VoIP or multicast up to a level. New additions to transport mode VPNs will help a lot. Upgrades and downgrades are usually easy, and backup is simple. The downside with Cisco is the segregation of duties: if your entire infrastructure is Cisco, it won't help a lot to add one more layer of Cisco for firewalling, especially on the perimeter.

I can give more details on ISRs, ASAs, FWSM and PIX based on your specific questions.

If you are looking at hardware-only firewalls, you should also be looking at Juniper and Fortinet. Check Point/Nokia, Check Point/Crossbeam, Check Point UTM-1, Stonesoft, Secure Computing, Palo Alto Networks and Symantec are other players in the firewall space.

Let me know if you have any questions,
cheers,
- yinal ozkan
