I’ve seen the several open discussions on SMB firewall recommendations with some good input there, but I’m still looking for a final kick in the right direction.

Network: I only have about 50 users/computers but a lot of VoIP phones, cameras, APs, Door Locks eating up addresses so I’m moving into some VLANs.
I’m on SBS 2011 (metal) with a handful of servers on 2 VMware 6.x hosts. I just moved to Office 365 hosted Exchange and will most likely be getting onto a 2012 R2 Essentials DC.
Mostly Win 7, handful of Win 10 on the clients. No VPNs, a handful of users RDP in.

Internet: 50/50 ATT Fiber about to be 100/100 or more. Just added a T1 for failover specifically for the VoIP phones.

I currently have a Sonicwall TZ 215 which has kept the bits flowing reliably and seems to keep out the bad, and with only a few website exceptions lets users get where they need to go. I know enough to pick out and buy a replacement firewall that will probably serve me well. So why am I here?

I don’t know what I don’t know. Firewalls have advanced well beyond the ACLs and such that I started out with back in the PIX 505 days, and I’m now on the larger side of SMB with no real experience with “enterprise” level solutions. I’m a one man show with all the good and bad that goes along with it, and lucky enough to have a mostly unlimited budget.

While I like the Sonicwall in general, I really don’t like the GUI, which may or may not apply to other/newer models. There are just too many menus, some for options this model doesn’t even have. This really became an issue as I configured it to do some inter-VLAN routing. Bottom line, I subjectively just don’t like it very much regardless of features or performance.

As I mentioned, I started out on a PIX years ago, and prior to the Sonicwall I used an ASA 5505. It has been on the shelf for a couple of years since I maxed out the 50 user license. It takes a little poking around with my favorite search engine, but I can drive the Cisco CLI ok. I wouldn’t mind going back into the Cisco familiar, but my experience with their website for support and flashing/upgrading devices in the past was mind-numbing and something I strongly don’t want to go near again if it’s unchanged.

My APs are Ubiquiti, and with the cost being so low I bought an Edge Router to play with. It doesn’t directly tie into the Unifi Controller, so the brand really isn’t a plus/minus. I generally like the GUI and the fact it is a rack mount form factor with a standard power cord (no brick).

And finally, I think I’m at the point where I need to leave this level of devices behind and be looking at something like a Palo Alto PA-3000. Something that’s not just a bigger castle wall but more of a TSA body scanner for the bits I have to let in the door. TIA - Ralph

2 Spice ups

There are lots of options out there, as you mentioned, and each has its own unique GUI that some love or hate. There is also the question of WAN management; you mentioned failover, was there more control you wanted to have over those connections? If just failover, most new firewalls offer this; if more advanced, like QoS, inbound and outbound load balancing, and SD-WAN ready, then you probably need another device.

We try to help people decide which technology is right for them, a Firewall or a WAN management appliance. Both types of devices cross over in terms of functionality. Here is some additional material for you:

Ping me if I can help further.

PA-3000 is massive overkill, a PA-500 will do everything you’ve said though the management interface is a bit slow.

I’d draw up a list of stuff you’re interested in:

  • URL filtering

  • SSL inspection

  • AD integration

  • L7 application level filtering

  • IPS/IDS

  • Sessions

  • Bandwidth

  • Support

  • Price

As it’ll help somewhat. Then I’d draw up a shortlist and look at doing some product evaluations to get a handle on how different vendors do the stuff you’re interested in.

1 Spice up

Palo Alto, excellent but not cheap

Sophos UTM, excellent all round product with accompanying endpoint if you have mobile users

Whatever product you use, I would never use a firewall or perimeter device for inter-VLAN routing, but then again, with 100 users why have you got VLANs anyway?

Leave the perimeter to do its job and get a L3 switch for the routing

1 Spice up

Are you sure that PAN is ‘it’? If you ask CheckPoint, they will say it’s crap…

Sure, Gartner has put PAN heaven high in their latest quadrant, but the more I look at Gartner, the more I believe they give away points for best storytelling. No doubt PAN is the greatest when it comes to telling you a story (usually these begin with ‘Only we…’ or ‘We are the only…’).

Another analyst, NSS Labs, doesn’t listen to stories but wants to see facts. Wonder why in their ranking the cards are completely mixed up, not a bit like those of Gartner?

And yet NSS Labs is not ‘it’. They show one aspect, a snapshot in time, that could be completely different a week earlier or later. Also their results may very much depend on the configuration/optimization for their tests (guess that’s why vendors often have very bad results when they are tested by NSS Labs for the first time).

With 50 users you are still far away from a ‘Large Enterprise’ user as Gartner & Co. see them when they talk about ‘Enterprises’. Large Enterprise products that are designed for companies with thousands of users may lack SME features YOU will be missing. That may result in adding additional solutions to fill the gap, adding administrative burden you probably wouldn’t want to have.

I can just recommend not to listen to any of those analysts, stories or smart*****. Take your time and test different products from different vendors. Build your own opinion on each of the solutions and go with the one that best fits your company and your way of managing the network. Having an ‘unlimited’ budget is great - but that doesn’t mean that the most expensive solution out there has to be the one that will be the best for you. Sometimes much cheaper solutions can be really surprising…

In terms of ‘rightsizing’ the solution, you should be very careful about VLANs and LAN segments. E.g. the PA-3000 series goes from 2 up to 4Gbps firewall throughput. If you have a lot of intra-VLAN routed traffic, then just the VLANs could already consume 1Gbps - or even more. If you then add a datacenter segment and have some VLANs inside that too, then the small PA-3020 could start becoming a bottleneck at some point.

I think that your Sonicwall allows you to collect enough statistics to be able to foresee how heavy the traffic you may expect on your segments and VLANs will be. Use this information to rightsize the appliance model you will choose. And don’t forget to add 50-100% for future growth!

1 Spice up

The problem is that an L3 switch doesn’t have the security options a firewall has.

You have to ask yourself why you are segmenting your network (doesn’t matter if using LANs or VLANs). If it’s because of security reasons, then doing the routing on a switch just won’t do it.

But sure - a switch is much cheaper and it performs better than (almost) any firewall.

I do have HP 29xx ProCurve switches exclusively and have moved the VLAN routing to a 2920. At the time it just seemed more logical to do VLAN routing on the “router”. I was completely new to VLANs and our plant runs 24/7, so the thought was it was better to kill just internet access if I did something wrong versus having to bounce my backbone 48 port switch. Tagging/untagging no longer scares the crap out of me :slight_smile:

Nothing security related. I need VLANs because I’m out of IP addresses. I could have done a supernet, but as most of these addresses are not workstations and don’t need domain access I elected to go VLANs. A class C subnet doesn’t go far anymore when you have 80 IP cameras, 5 NVR/DVR, 25 IP phones, 30 RFID door locks, 15 APs, and 10-15 industrial machines before you put the first computer in it.

I only mention the PAN 3000 as an example, not that it was a specific option. Beyond the device features, who is easy to live with? I don’t have much need for 24/7 help past the initial setup, but ease of firmware and license updates really makes a difference.

Most modern devices are web GUI, click a button to update and ship with a 1, 2 or 3 year license term…

It’s a long time since managing PIX days ;-)

Everyone loves his puppy - I’m in favor of WatchGuard, someone else is for Fortinet, SonicWall, CheckPoint, PAN, Cisco, Sophos,…

I think I’ve listed those that one has to have had a look at when one is serious about security solutions. Still, there are other players that may be preferred by someone but are not as high in market share as the mentioned ones.

3 Spice ups

Hey Belralph- you may want to check out the bundle from HPE Security and Fortinet. It combines HPE’s Security Logger and the powerful firewall of Fortinet’s Fortigate to create a unified threat management that will allow you to detect and mitigate threats quickly and efficiently in the future.

Let me know if you have any questions!

Thanks for all the input. Anyone have any thoughts on UTM as a VM versus physical hardware? I’ve been reading some of the Sophos propaganda. I like the idea in general but am a little worried about all the eggs in one basket. Everyone knows you never connect your phasers to the warp engines.

I’d lean towards running it on a dedicated host if I did.

A UTM as a VM vs. an appliance?

  • VMs have limitations when it comes to the number of ports/networks supported by the virtualization software.

  • VMs don’t have hardware supported decryption for VPNs and HTTPS

  • VM versions are not necessarily any cheaper than hardware appliances

  • VM versions have a huge advantage when you have virtual networks that are not bridged to any physical NIC - a HW appliance is not able to protect such networks

So I would go for a VM version if I already ran a virtualization server and needed to protect the virtual networks on that server. In all other cases I would go for a HW appliance.

Still, a VM version can be very interesting for educational purposes, demos and trials (and possibly some home use if a cheap license is available).
I’ve seen cases where a customer started with a VM version to protect just some virtual servers and gain confidence in the solution, adding a physical appliance for his network perimeter later.

1 Spice up

In a lab, running a UTM on a VM is a good idea

In production I like (as do auditors) physical separation

In reality, with Sophos the VM UTM is licensed per LAN IP numbers, while the physical appliances are LAN IP unlimited, so it’s a pretty easy choice to make ;-)

Everyone here has made some excellent points. And in fact from a sizing perspective, you might in fact be fine with even the smallest Palo Alto Networks box, the PA-200 … just because you have 100Mb, 200Mb aggregate bandwidth… How much do you actually use at peak? Session count at peak? Looking to do SSL decryption (we certainly suggest you do)?

The best way to see if it’s right for you would be to find yourself a local partner http://locator.paloaltonetworks.com . Just logging spanned traffic from your existing switch, they can have it set up in less than an hour. Collect logs for a week or so, then review things with the Palo Alto Networks team and the partner to see what’s happening today. That free process would also double as a sizing validation. If you need help finding someone who could provide this, you can message me.