[146303] in North American Network Operators' Group
RE: Firewalls - Ease of Use and Maintenance?
daemon@ATHENA.MIT.EDU (Blake T. Pfankuch)
Tue Nov 8 20:54:37 2011
From: "Blake T. Pfankuch" <blake@pfankuch.me>
To: "Jones, Barry" <BEJones@semprautilities.com>, "nanog@nanog.org" <nanog@nanog.org>
Date: Wed, 9 Nov 2011 01:53:20 +0000
In-Reply-To: <E36EB8E60B5EB244AAFCFEF0AF0A116D0301794C40@MS-EX7MB-P03.corp.se.sempra.com>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
As Hammer stated, you hit all the big ones.
ASAs are a classic fallback because of the stability implied by the Cisco name. Complaints about them tend to be cost on getting all the shiny bits attached to them (IDS, IPS, content filtering). This coming from a Cisco partner. I am not a Netscreen fan myself due to past experiences and sour tastes. Checkpoints are OK, but I don't like the application need for configuring on SMB appliances.
Add to the list Sonicwall. We use them primarily for our customers at work and are partners with them as well. They have appliances that go from 10 office size to Active/Active HA pairing that can do multi gbit of throughput. They support all the standard features you look for: IPSEC VPN, SSLVPN, L2TP, VLAN interfaces, dynamic routing support (OSPF and RIP in small models, BGP in the larger), LDAP auth for all of the above, content filtering, IPS, IDS, anti-spyware stateful blah blah and centralized management. Some of the newer things that are gaining popularity that you can license are App Visualization (think netflow in a web UI with good filters), WAN acceleration modules via a VMware appliance, RBL filtering (which can be applied to just about anything), DPI-SSL inspection for https traffic, Active/Active HA, physical port redundancy per appliance; the list goes on. Configuration logic is similar to an ASA, however it takes a little to get used to. The nice thing is everything in the config is name based and searchable within the WebUI, and you can talk non-technical people through making changes in the config if you have to.
The feature list is growing every day, and I almost prefer them anymore just because of the simplicity as well as the scalability.
Ping me if you have more questions or want a few example setups.
Blake
-----Original Message-----
From: Jones, Barry [mailto:BEJones@semprautilities.com]
Sent: Tuesday, November 08, 2011 4:07 PM
To: nanog@nanog.org
Subject: Firewalls - Ease of Use and Maintenance?
Hello all.
I am potentially looking at firewall products and wanted suggestions as to the easiest firewalls to install, configure and maintain. I have a few small networks (50 nodes at one site, 50 odd at another, and maybe 20 at another). I have worked with Cisco Pix, ASA, Netscreen, and Checkpoint (Nokia), and each has strong and not as strong features for ease of use. Like everyone, I'm resource challenged and need an easy solution to stand up and operate.
Feel free to ping me offline - and thank you for the assistance.
----------------------------------------
Barry Jones - CISSP GSNA
Project Manager II
Sempra Energy Utilities
(760) 271-6822
Please don't print this e-mail unless you really need to.
----------------------------------------