Re: Small office firewall/vpn/security appliance
From: Somebody. <somebody.@spamout.russdoucet.com>
Date: Fri Sep 30 2005 - 18:57:37 CEST

"Mark" <nothere@notthere.com> wrote in message
news:433ca3f3$0$6857$bb4e3ad8@newscene.com...
> "CCMiami" <nospam@modeldriven.org> wrote in message
> news:fGeZe.29808$dm.25937@lakeread03...
>> We are setting up a new office network and would like some
>> advice/experience on firewalls. I have looked at the messages but am
>> still confused :)
>>
>> Today we have a single external connection (business cable 2/4) but may
>> want to expand with a backup. There will be 2-3 externally visible
>> servers with their own IP and a small LAN - 15 users. We need VPN access
>> (10 licenses) to the servers for external users. We will probably set up
>> the internal lan using a "store" router for NAT but could also use the
>> firewalls NAT. We would like (of course) as much protection as we can
>> get - including intrusion, VP. The degree of "inspection" on the
>> firewall is important but it is hard to see around the marketing. I
>> expect to set up some wireless, but using a separate access point - we
>> will also set up a "guest" wireless (possibly outside the firewall). We
>> also want to make sure we can still use applications - FTP, Netmeeting,
>> etc.
>>
>> It is even hard to tell what these things really cost when you get the
>> protection packages. I have listed what I THINK they cost. Questions I
>> have are;
>>
>> - Stability -> Very Stable
>>
>> - Degree of protection -> AV signature set is an in the wild (not a bad
>> option as the Netscreen AV kills the CPU with its "full" set), IPS is
>> good, antispyware is good
>>
>> - Speed -> if you turn all services on combined throughput can drop to
>> around 5-10Mbps
>>
>> - Expected life/upgrades -> I would expect a new model out next year
>>
>> - Support for multiple IP addresses and routing -> OPT port, get the
>> Enhanced OS if you can
>>
>> - Real cost -> Bundle is good, it includes Gateway AV, IPS, Antispyware,
>> Content Filtering, and Viewpoint Reporting. GAV/IPS/AS, CF require 2nd
>> year renewals
>>
>> - Complexity to admin (Tech users but no dedicated support) - Easy, nice
>> GUI, enhanced OS is a bit daunting to newbies because it does so much
>>
>> - Marketplace position - Top of this segment
>>
>> - Support - pretty good (that bundle includes 1 Year 8x5)
>>
>>
>> SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (May
>> be more hidden $)
>>
>> -- But it looks like VPN clients are $30/each, so add $300! < BIG NOTE:
>> SonicWALL's GVPN Clients are licensed to the firewall and are CONCURRENT
>> licenses, not seat based. So if you have 10 users but only 3 at one time
>> will be using the VPN you only need 3 licenses (but can install it as
>> much as you like).
>>
>> -- Hints of stability problems. -> They had some minor issues with 3.0
>> early on, 3.1 is very stable.
>> -- Market leader? Yup. Only real competition is Juniper/Netscreen &
>> Fortigate. They are having problems expanding their IPS on the 5GTs, the
>> CPU can't handle it. Their gateway AV absolutely kills the CPU, no
>> antispyware, and to go fully zoned is bloody expensive. Fortigate's in the
>> crap because they stole some of their code, they got spanked in court. The
>> 1st Gen of the model you listed crapped out when you enabled AV and they
>> are going backwards fast. Fortinet's long term $$$$ stability is in
>> question. Neither Cisco nor Checkpoint get off the starting grid with
>> their lack of features.
>
>>

The FG60 comes with AV, IPS, SPAM, VPN, all unlimited users, $800 ish in US
dollars, no hidden charges except software VPN clients if you want to buy
them. So about equivalent in general I'd say.

It most definitely does NOT crap out when you enable AV. I run a FG50A in
front of lots of places with 3Mbps-level feeds with *everything* turned on,
no problem. The FG60 is faster yet and features 4 physical zones and many
more vlan zones if you want. Fortigate is hardly "going backwards" because
they lost a court case, it happens all the time in big business. They're a
well funded fully private company, doing business all around the world, this
US judgement hardly puts them in trouble. They're rewriting the code in
question and will continue to ship product, no noticeable effects are noticed
on this quarter's results, existing customers can still use and get support on
the products... etc...

But the Trend guys are surely making it out like the world has ended for
Fortinet.... lol... it hasn't.

-Russ.
Received on Sat Oct 15 04:35:42 2005