Firewall recommendation please

Discussion in 'Internet, Connectivity and Communications' started by LukeP, Feb 3, 2011.

  1. LukeP

    LukeP Gigabyte Poster

    Can anyone recommend any decent firewall appliance under £3000?

    Not sure what other information would be useful. We have only 1 site but are looking at a second site in the near future. Other than that we would like to terminate VPNs on the firewall (not more than 25-50 VPN users) and have the ability to fail over to ADSL (or any other WAN link I guess).

    Looked at some Cisco ASA but not sure which model would be suitable and if it fits within our budget.

    Any help appreciated
     
    WIP: Uhmm... not sure
  2. onoski

    onoski Terabyte Poster

    Nokia firewalls and Check Point are very good and popular but come with a high price tag. I think Cisco is playing catch up in terms of firewall products and are reasonable in price.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  3. BrizoH

    BrizoH Byte Poster

    I've used both Watchguard x750 and Cisco ASA 5510's in the past for a similar amount of VPN users, multiple sites etc.

    Both good products and would come within your budget (I think the WG series has been updated since I last used them), but if forced to choose I'd go for the ASA.
     
    Certifications: CCNA, CCNA Security
    WIP: CCNP
  4. billyr

    billyr Kilobyte Poster

    Not used them myself, but I've heard Fortinet have some decent products.
     
    Certifications: CCNP, CCSI, MCSE W2k/W2k3, MCITP_SA
    WIP: Taking it easy for a while.
  5. cisco lab rat

    cisco lab rat Megabyte Poster

    ASA 5510's rock, I highly recommend them, easy to use, configure, fault find, and when they fire up they sound like aircraft taking off. Not a USP but every little helps.

    Forti is a very solid product, also have a look at checkpoint 390, 590
     
    Certifications: Yes I pretty much am!!
    WIP: Fizzicks Degree
  6. LukeP

    LukeP Gigabyte Poster

    Thanks.

    Random thought: Would I be better off getting a Forefront TMG 2010? We're a charity and with charity pricing it fits within the budget (including physical box to run it).
     
    WIP: Uhmm... not sure
  7. onoski

    onoski Terabyte Poster


    Well Forefront TMG 2010 would work well as a web gateway filtering security solution that can also function in a lot of ways as customary hardware firewall based products e.g. Cisco, CheckPoint etc.

    Recently, at work we were looking to implement TMG in our new Exchange Server 2007 infrastructure. However, ISA 2006 can do what TMG can do and plus we already have ISA 2006 in place.

    However, anything hardware has a bit more whistles and bells going for it in terms of quality, reliability and intelligence.

    However, this is not to say that it's perfect in comparison to software based solution as a lot would boil down to configurability etc.

    I suppose if money plays a big deciding factor then MS Forefront TMG 2010 would make sense providing it caters for the task at hand.
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  8. LukeP

    LukeP Gigabyte Poster

    Thanks onoski. Much appreciated.

    After researching TMG a bit more today I actually like it.
    One question though, is reverse proxy on TMG working ok for OWA, SharePoint and Outlook Anywhere? I know it does on UAG but 2 servers that do the same thing that ISA 2006 used to do is not something we want, especially given that TMG license gives you downgrade rights to ISA 2006.
     
    WIP: Uhmm... not sure
  9. SimonD
    Honorary Member

    SimonD Terabyte Poster

    Actually when you install UAG it automatically installs TMG anyway.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
  10. LukeP

    LukeP Gigabyte Poster

    Yep. But according to Microsoft TMG installs there just to protect the UAG server.

    Let me find the link... 2 secs

    edit: http://technet.microsoft.com/en-us/library/ee522953.aspx

    and the interesting part:

     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  11. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    I had to install ISA 2006 the other day as part of a downgrade from TMG. Published OWA etc. through a reverse proxy - nice! :biggrin

    In regard to "what firewall", how many users mate?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  12. LukeP

    LukeP Gigabyte Poster

    At the moment we have about 50 internal and 25 VPN users but we're rolling out SharePoint and when it's done we're planning on giving access to it to another 50 users maybe.

    I really like the idea of publishing services through reverse proxy and now I'm not sure what would be better ISA/TMG or Cisco ASA? (as a general solution, not publishing)
     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  13. craigie

    craigie Terabyte Poster

    I would recommend 2 x Cisco ASA 5510 Firewalls in Active/Passive configuration for hardware redundancy.

    This means that you can have two internet feeds coming in and if Firewall A breaks, Firewall B will do all the work.

    You will need the K9 Sec Licenses, but you can terminate VPN on the ASA 5510's; you will be good for 50 Site to Site VPN's and you get to play with Cisco's :)
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  14. LukeP

    LukeP Gigabyte Poster

    Was considering this option. How much is an ASA 5510 roughly? I'd love to play with Cisco but I wouldn't say no to TMG either. Just to make this clear, is TMG/ISA a viable option for an edge firewall? We're not big enough to go ASA + TMG and TMG setup works out at around than £2k. It also gives a bit more redundancy (given it's a viable replacement for an edge router) as drives are RAIDed, dual PSU and easiness of backup and restore using DPM. To achieve this with ASA I'd need 2 of them which I think works out £3k+.

    Also TMG proxy would be a bonus
     
    Last edited: Feb 3, 2011
    WIP: Uhmm... not sure
  15. LukeP

    LukeP Gigabyte Poster

    Thanks for the input all.

    We're going for TMG as an edge server. Downloaded it from Technet last night. Installed this morning on one of the old servers we have kicking around the comms room. Played with it for a good few hours (VPN's, Publishing through reverse proxy, Quarantining, etc.)

    It's great! I love it!

    By the way Sparky: Why did you downgrade TMG to ISA? TMG does reverse proxy too. Did you need better inbound access security than TMG has to offer and didn't want to spend on UAG?
     
    WIP: Uhmm... not sure
  16. Theprof

    Theprof Petabyte Poster

    We use Juniper NS25 in an Active/Passive config... works really well for VPN. We also have ISA 2006, but that's pretty much only for OWA... we got it a while back.
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
