1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Firewall recommendation please

Discussion in 'Internet, Connectivity and Communications' started by LukeP, Feb 3, 2011.

  1. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Can anyone recommend any decent firewall appliance under £3000?

    Not sure what other information would be useful. We have only 1 site but looking at a second site in the near future. Other than that we would like to terminate VPNs on the firewall (not more than 25-50 vpn users) and have the ability to failover to asdl (or any other WAN link I guess).

    Looked at some Cisco ASA but not sure which model would be suitable and if it fits within our budget.

    Any help appreciated
     
    WIP: Uhmm... not sure
  2. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    Nokia firewalls and check point are very good and popular but comes with a high price tag. I think Cisco is playing catch up in terms of firewall products and are reasonable in price.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. BrizoH

    BrizoH Byte Poster

    243
    6
    25
    I've used both Watchguard x750 and Cisco ASA 5510's in the past for a similar amount of VPN users, multiple sites etc.

    Both good products and would come within your budget (I think the WG series has been updates since I last used them), but if forced to choose I'd go for the ASA
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  4. billyr

    billyr Kilobyte Poster

    262
    20
    35
    Not used them myself, but i've heard Fortinet have some decent products.
     
    Certifications: CCNP, CCSI, MCSE W2k/W2k3, MCITP_SA
    WIP: Taking it easy for a while.
  5. cisco lab rat

    cisco lab rat Megabyte Poster

    660
    62
    116
    ASA 5510's rock, I highly recommend them, easy to use, configure fault find, and when they fire up they sound like aircraft taking off. Not a usp but every little helps

    Forti is a very solid product, also have a look at checkpoint 390, 590
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  6. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Thanks.

    Random thought: Would I be better off getting a Forefront TMG 2010? We're a charity and with charity pricing it fits within the budget (including physical box to run it).
     
    WIP: Uhmm... not sure
  7. onoski

    onoski Terabyte Poster

    3,120
    51
    154

    Well Forefront TMG 2010 would work well as a web gateway filtering security solution that can also function in a lot of ways as customary hardware firewall based products e.g. Cisco, CheckPoint etc.

    Recently, at work we were looking to implement TMG in our new exchange server 2007 infrastructure. However, ISA 2006 can do what TMG can do and plus we already have ISA 2006 in place.

    However, anything hardware has a bit more whistles and bells going for it in terms of quality, reliability and intelligence.

    However, this is not to say that it's perfect in comparison to software based solution as a lot would boil down to configurability etc.

    I suppose if money plays a big deciding factor then MS forefront TMG 2010 would make sense providing it carters for the task at hand.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  8. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Thanks onoski. Much appreciated.

    After researching TMG a bit more today I actually like it.
    One question though, is reverse proxy on TMG working ok for OWA, SharePoint and Outlook Anywhere? I know it does on UAG but 2 servers that do the same thing that ISA 2006 used to do is not something we want, especially given that TMG license gives you downgrade rights to ISA 2006.
     
    WIP: Uhmm... not sure
  9. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    Actually when you install UAG it automatically installs TMG anyway.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  10. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Yep. But according to Microsoft TMG installs there just to protect the UAG server.

    Let me find the link... 2 secs

    edit: http://technet.microsoft.com/en-us/library/ee522953.aspx

    and the interesting part:

     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  11. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    I had to install ISA 2006 the other day as part of a downgrade from TMG. Published OWA etc. through a reverse proxy - nice! :biggrin

    In regard to "what firewall", how many users mate?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  12. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    At the moment we have about 50 internal and 25 vpn users but we're rolling out sharepoint and when it's done we're planning on giving access to it to another 50 users maybe.

    I really like the idea of publishing services through reverse proxy and now I'm not sure what would be better ISA/TMG or Cisco ASA? (as a general solution, not publishing)
     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  13. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    I would recommend 2 x Cisco ASA 5510 Firewalls in Active/Passive configuration for hardware redundancy.

    This means that you can have two internet feeds coming in and if Firewall A breaks, Firewall B will do all the work.

    You will need the K9 Sec Licenses, but you can terminate VPN on the ASA 5510's you will be good for 50 Site to Site VPN's and you get to play with Cisco's :)
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Was considering this option. How much is ASA 5510 roughly? I'd love to play with Cisco but I wouldn't say no to TMG either. Just to make this clear, is TMG/ISA a viable option for an edge firewall? We're not big enough to go ASA + TMG and TMG setup works out at around than £2k. It also gives bit more redundancy (given it's viable replacement for an edge router) as drives are RAIDed, dual PSU and easyness of backup and restore using DPM. To achieve this with ASA I'd need 2 of them which I think works out £3k+.

    Also TMG proxy would be a bonus
     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  15. LukeP

    LukeP Gigabyte Poster

    1,194
    41
    90
    Thanks for the input all.

    We're going for TMG as an edge server. Downloaded it from Technet last night. Installed this morning on one of the old servers we have kicking around the comms room. Played with it for good few hours (VPN's, Publishing through reverse proxy, Quarantining, etc.)

    It's great! I love it!

    By the way Sparky: Why did you downgrade TMG to ISA? TMG does reverse proxy too. Did you need better inbound access security than TMG has to offer and didn't want to spend on UAG?
     
    WIP: Uhmm... not sure
  16. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    We use Juniper NS25 in an Active/Passive config... works really well for VPN. We also have ISA 2006, but that's pretty much only for OWA... we got it a while back.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA

Share This Page

Loading...