
Firewalls\Security Appliances

Nevermore (Scholar). Joined: Oct 2, 2006. Messages: 55
Hello.

I was wondering if anyone might have any experience with either the Cisco ASA 5500 (5505 or 5510) or Astaro 220?

I'm looking for a replacement for a Sonicwall Pro which recently died. I need something with robust perimeter security, decent throughput and flexible remote user accessibility.

The new Cisco ASA 5500 series seems very robust, with a PIX firewall and SSL-VPN capabilities.

The Astaro 220 reviews I've read make it seem like an easy-to-configure solution with lots of power under the hood.

Comments on these two products or competitors (Sonicwall, Watchguard, Checkpoint, Juniper, etc) welcome.

Thanks!
 
I have a question unrelated to the specifics of the above but generally on firewalls: I have heard that if you have a hardware firewall, then while a software one can help, you don't really need one (esp. since XP's SP2 came out). True? False? Sorta in-between?
 
I've used a WatchGuard Firebox for years. Upgraded twice when money allowed. It's done everything I've asked. We have 9 servers on three network segments behind it (along with about 200 users) and it routes all the web pages and FTP services for us to the correct networks. We also have three of the little SOHOs that go with it, so creating pipes through the internet to remote sites is practically plug and play. Even with all our websites, NATing for about 200 users, logging various things, and a 500+ user e-mail server behind it, it works just fine.

I've never used anything else to compare, but like I said, I've never had a need for anything else. And I'm probably not even pushing a third of its capabilities. I think the last time we upgraded it was around two grand. You can also subscribe to various filters and spam blockers, but we handle that on the mail server so have never tried it. The user interface is clear in most areas and just requires a little searching for some features. I paid a little extra for having 6 network segments (default is 3). It's been over two years since I've had a tech support issue and, if I recall, they were pretty quick in responding. Can't say if that's still the same.

Anyway, I like it, and I know the local courthouse recently swapped out whatever they had for a couple of WatchGuards which they mirrored, so if one goes out the other one automatically kicks in.

Well, that's my review of the WatchGuard. Hope it was helpful.
 
I have a question unrelated to the specifics of the above but generally on firewalls: I have heard that if you have a hardware firewall, then while a software one can help, you don't really need one (esp. since XP's SP2 came out). True? False? Sorta in-between?

Well, since a hardware firewall is protecting a whole network, it usually has more open than any specific user needs. For instance, I have ports open for certain programs that not all users use. A local software firewall will plug those ports.

Also, if a virus gets in behind the firewall a local software firewall will be your next line of defense.

One also helps if the other fails for whatever reason. An attacker may attempt to bypass the hardware firewall, for example, or crash the hardware firewall, leaving the network open. I've never really seen this happen, but I guess anything is possible. A local business I support had a power outage and their firewall came up with default settings. Nothing happened, as it was caught, but that could have let things through.

Software may also be able to scan things that the hardware can't, like an encrypted file or files passing through a secure pipe.

I'm sure there are more examples. These are just what I thought of offhand. I would recommend a good combination of both and scheduled, regular checking.
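The layered setup this reply describes (perimeter opens a port that only a few machines need; each host then closes what it does not use, and keeps filtering if something is already inside the LAN) can be written down as two separate pf rulesets, one on a pfSense-style edge box and one on a FreeBSD server behind it. This is an added example, not configuration from anyone in the thread; the interface names, addresses, the branch-office network and the two RDP-capable workstations are constructed placeholders.

```pf
# ---- File 1: /etc/pf.conf on the edge (perimeter) box ----
# Constructed placeholders: em0/em1, 192.168.10.0/24, 203.0.113.0/24
ext_if     = "em0"
lan_if     = "em1"
lan_net    = "192.168.10.0/24"
branch_net = "203.0.113.0/24"
# Only two workstations need inbound Remote Desktop from the branch office,
# but the perimeter has to open TCP/3389 for them anyway.
rdp_hosts  = "{ 192.168.10.21, 192.168.10.22 }"

set skip on lo0
scrub in all

# Default deny, logged, so a box that boots with a blank config fails closed
block log all

# LAN may initiate outbound; state tracking lets the replies back in
pass in  quick on $lan_if inet from $lan_net to any keep state
pass out quick inet keep state

# The inbound exception the whole site pays for: RDP to the two hosts only
pass in quick on $ext_if inet proto tcp from $branch_net to $rdp_hosts port 3389 \
    flags S/SA keep state

# ---- File 2: /etc/pf.conf on a FreeBSD server behind the edge ----
# This server is NOT one of $rdp_hosts, so it closes the port the perimeter
# had to leave open and only admits the services it actually runs. Because
# the rules apply to every packet that reaches the host, they still filter
# traffic from a compromised machine on the same LAN segment.
me    = "192.168.10.50"
admin = "192.168.10.5"

set skip on lo0
block log all
pass out quick inet from $me to any keep state
# SSH from the single admin workstation only
pass in quick inet proto tcp from $admin to $me port 22 flags S/SA keep state
# The web service this host exists to provide
pass in quick inet proto tcp from any to $me port { 80, 443 } flags S/SA keep state
# Anything else, TCP/3389 included, falls through to the default block above
```

The point of the split is that the edge box expresses what the site as a whole must allow, while each host expresses what that host alone needs; the "firewall came up with default settings" incident in the post above is exactly the failure the second ruleset covers, since a host that starts from `block log all` stays closed no matter what the perimeter is doing.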
 
I've been deploying pfSense [http://pfsense.org/] and OpenVPN with great success at minimum cost.

Even my office is running off of a pfSense box. I have 8 full gigabit ports that can run full tilt while rulesets are being applied and VPNs are active on a machine I built for $2,500. And it's nowhere near its limit. No service contracts to boot ;) . Only thing lacking, at the moment, is the ability to do PPPoE on more than one port. But I'm lucky as only one of my DSL lines uses it.

I'll hopefully have the chance next month to write a plug-in to control LCD displays with buttons (I have two installed on my own box already) and then there won't be any reason left for me not to use it in my colos either.


Frankly, I'm fed up with Cisco....
 
I was actually thinking of just for my home PC, but thanks for the info.
 
Thank you for the replies.

I think I am going to go with the Cisco ASA 5505. A box with an unlimited connection PIX firewall, 10 IPSec peers, 2 SSL-VPN peers for under $750 seems reasonable. Reading through the user guide, the new Adaptive Security Device Manager makes the management interface seem pretty straightforward.

If anyone is interested in my experience post here or send me a PM in a month or two and I'll let you know how it goes.
 
No. This would be our company's first Cisco router.

Thanks for mentioning it. I need to investigate the cost.
 
The service contracts and slow response to threats are why I'm fed up with Cisco. And I get everything at greater than 50% off to boot.......

You can build a WRAP box with pfSense on it for about $250 that will do all the same things as the Cisco you are looking at. I'd download and install a copy on an unused computer (doesn't have to be anywhere near new) to see if it meets your needs. That's the nice thing about free software that runs on existing hardware.

My box is the equivalent of what you would easily pay twenty or thirty thousand to a "security" vendor for. You wouldn't need to spend anywhere near as much on hardware to run the average branch office. The really great thing is that, when PCI-E x4 ports start showing up in greater quantity on motherboards, the price of a setup like mine will easily drop down to around $1,200, with the rackmount chassis being the most expensive component. And this is with redundant hot-swappable HDs, redundant hot-swappable power supplies, status LEDs/LCDs with control keys, etc...

I've had enough of all the firewall and router vendors pushing everyone around just because they can. It's nice to finally start having some viable open source alternatives. Maybe prices will actually start becoming reasonable in the near future.

P.S. Sorry for all the run-on sentences, I'm typing this in a hurry. ;)
P.P.S. Sorry for the ranting too. :D
 
My company trialled the Juniper box against the Citrix Access Gateway and found both to be excellent. Indeed it was a split decision to go for the Juniper in the end (we found the interface easier to use).

We always found the Sonicwall to be an excellent firewall, but our users always found difficulty using VPN software from remote sites. Now, with the Juniper, it's just a case of browsing to a website to get remote access. Directing remote access traffic over port 80 is great because pretty much any network in the world will allow people to access web traffic.

We still operate Sonicwalls as the main firewall solution.
 