Old 20th October 2008, 19:13   #16
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Quote:
Originally Posted by given2fly View Post
Whoa, we are getting into territory without understanding the repercussions first. Agreed that CISCO sells the most, not because they are the best, but because there are the most guys working on CISCO products (read: certified) and they have a highly successful marketing team. Or else, I would love to see Juniper and Fortigate come into the picture and maul the CISCO PIX or ASA 5xx. Yes, if you want a rather buggy & somewhat not highly scalable hardware firewall, go for CISCO (they are best known for switches & routers, not firewalls). Or else, you should be looking at Juniper (the best hardware firewall) or Fortigate (getting there). However, getting a guy for Fortigate in India would be tough, so my vote goes to Juniper. You should also look to get a unified threat management (UTM) device if you want to become a security freak (many of us are, these days).

However, the bottom line is that any firewall or UTM device is as good as its configurator. There are lots of CISCO & MS certified folks out there who don't know what they do and pass certification exams through proxies and question dumps (Autoenthusiast, please don't misunderstand this as a personal attack; you know the situation out there). But if you have a good firewall admin, then even ISA can do your job. Plug in as many NICs as needed, throw in good hardware & configure it accordingly. Like many orgs do, they configure ISA behind a so-called hardware firewall, where it is the second filtering device before the packet finally hits your internal network router. My everyday job is to get into the configuration of Exchange & ISA and other MS products, and I know of very big banks and multinationals successfully using ISA products with plugins. Besides all this, you can call up MS anytime and they shall help you for $245 per incident (as per US rates; I don't know their rates in India). I don't know about CISCO TAC rates.
My friend, after having worked across a range of different security products, believe me, I have seen most of them all, "and" I have learnt to respect the Cisco PIX.

An MS operating-system-based firewall just cannot give you the same kind of reliability and performance that a hardware product can. First of all, reliability is not at all an MS word. Due respect to your MS skills, but somehow I feel Microsoft makes the worst products out there; they are best for desktop operating systems and nothing else.

Please do not compare an MS ISA server to a PIX; they are worlds apart and can't be compared.
autoenthusiast is offline  
Old 20th October 2008, 19:13   #17
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,948
Thanked: 47,252 Times

Well, I have used every Microsoft firewall since Microsoft Proxy Server 2.0 and I can't say it has failed me until now.
Samurai is offline  
Old 20th October 2008, 19:25   #18
BHPian
 
Join Date: Jan 2007
Location: Goa
Posts: 417
Thanked: 5 Times

Quote:
Originally Posted by Samurai View Post
Well, I have used every Microsoft firewall since Microsoft Proxy Server 2.0 and I can't say it has failed me until now.
Sometimes you may never know.

Same here, started from the NT 3.51 days and MS Proxy 1.0, tried the entire gamut of MS products once upon a time. I used to appreciate them once upon a time, but upon seeing the kind of issues an MS product can wreak on a network, I felt the need to also look at different technologies. Do you remember the Code Red days? Jeez, that caused a living nightmare for SysAds in 2001. Well, I graduated to Cisco products a decade back and have stuck with them ever since. Somewhere down the line I forsook MS products and kept them for what they are best at (plain desktop operating systems).
Agreed, Juniper makes some pretty good products (I worked on them, including NetScreen), but in terms of market reach, configurability and features, the Cisco ASA is quite a phenomenal product.
It's been a while since I moved out of technical architecture, but I'd blindly go ahead and recommend a Cisco PIX to anyone, since I have seen its reliability over the past many years.
Irrespective of the product, a good technical implementor with a sound knowledge of networks is essential; otherwise your network is bound to be open to security breaches. But when it comes to an operating-system-based firewall product, irrespective of the skills of the implementor, you are bound by the flaws of the underlying system.
Nothing against MS, but I feel they just can't make firewalls.
autoenthusiast is offline  
Old 20th October 2008, 19:33   #19
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,948
Thanked: 47,252 Times

Quote:
Originally Posted by autoenthusiast View Post
Due respect to your MS skills, but somehow I feel Microsoft makes the worst products out there, they are best for desktop operating systems and nothing else.
You may want to reconsider that statement. I design enterprise middleware for telephony, where the server is up 24x7x365; most run on Win2003, handling millions of billable transactions every month. A lot of these are credit card transactions, like payment over IVR, etc. If the MS OS was as bad as you say, I should have lost a lot of business by now. And Microsoft should have gone bankrupt; instead, more are moving onto the Microsoft platform.

This image should explain the current trend (Source: http://news.netcraft.com):
[Image: overallc.gif]

But let us not get sidetracked here. The question is who makes the best firewall for corporate environment. I am willing to accept Microsoft may not be the best firewall, that is not their main competency anyway.

Should I buy Cisco despite the high cost? Is Juniper better than the Cisco PIX? Is ISA good enough if configured properly? Those are the questions that haunt me.
Samurai is offline  
Old 20th October 2008, 20:14   #20
Distinguished - BHPian
Join Date: Jun 2007
Location: Chennai
Posts: 11,201
Thanked: 28,209 Times

Just curiosity: is Checkpoint still any good?
Thad E Ginathom is offline  
Old 20th October 2008, 20:40   #21
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 12 Times

Let's not get very sensitive about vendors here. I have been in the security industry for many years now and I do this for a living (network security, endpoint security, etc.), and despite having worked at multiple vendors and consultancies as a security architect, I am not maintaining any vendor certifications (I have been with Checkpoint/Nokia and Cisco, as well as worked for some respectable security consulting organisations).

So keeping the vendors out, your network security device (firewall) is only as safe as its weakest link. In the case of firewall software running on a commercially available operating system, the OS normally tends to be that weak link. No matter how much you harden the OS, there are still hundreds of vulnerabilities published every other day (every 2nd Tuesday if you are an MS hotfix fanboy). Also, a commercial OS like MS's is not designed to handle packets and flows passing through it effectively; it is designed as an endpoint OS, and no matter how good the firewall software you put on it, the limitations lie in the OS.
As far as autoenthusiast's advice goes, I would say he is spot on with the firewall architecture: yes, you need a firewall with three interfaces (an inside, an outside and a DMZ) and yes, you need to NAT your servers on the DMZ. This is the most secure design, which they will teach you on any vendor-neutral security architecture training.

With your architecture requirements in place, let's get back to vendors. Most firewall vendors realised the weakness of commercial OSs and decided to sell hardware firewall appliances (running a non-commercial OS, mostly a rewritten BSD/Linux variant) instead of firewall software on MS/Solaris/RHEL/etc. Checkpoint realised this years ago and chose Nokia blades, Juniper bought NetScreen and of course Cisco was always on hardware with their PIXes.
Then came some UTM firewall boxes, which combined every security function possible in one box. But generally speaking these were never good performers anywhere but in the really small offices. Why? Well, for one they were dirt cheap (made the CFO happy), and secondly they claimed performance figures on their datasheets which were never matched by their practical real-world numbers. The more functions you turned on (firewall, IPS, network AV, URL filtering, spam control), the happier finance admins got, but on the flip side the more performance dropped (90% drops!!) and the more security admins cried their hearts out. Fortinet, for one, claims performance ASICs which enhance firewall performance to 10 Gbps, but they turn out to be the reason for bad performance (200 Mbps when all functions are turned on, not because you need 'em but because you paid for 'em), as anything beyond firewalling is handled in software emulation by their el-cheapo ASICs. But then again, who has a 200 Mbps ISP link? Besides, for anyone hosting web servers, throughput hardly matters; the performance is measured in connections and connections/sec, as each HTTP request is a new connection.

Now coming to your scenario, turning my vendor-neutral hat off, since this is in fact a "best firewall" thread, I would stop contesting which is the best firewall (never-ending discussion!!). The best firewall FOR YOUR REQUIREMENT will be a hardware appliance with good 24X7 support (not per-incident support like MS), but good all-round-the-year support at your beck and call. Cisco has stopped making PIXes; their firewalls are now called the ASA 5500 series. There are models ranging from the ASA 5505 (the cheapest, a few hundred dollars including annual AMC) to the 10-20 Gbps ASA 5550 (which I am assuming you don't need).
Here is a datasheet to help you decide the right model for you
Cisco ASA 5500 Series Adaptive Security Appliances [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
and a video data sheet of the ASA 5505 if that's the model you need
Cisco ASA 5505 Video Data Sheet [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

Also, to clear up any confusion: Cisco used to be a router and switch company, but if you think that's all they do, you are seriously out of touch with the industry. Cisco has been into security for a decade and also makes Voice over IP phones and related technology, cable set-top boxes, Linksys wireless devices, etc. etc. Look at Cisco Systems, Inc. if you haven't yet!!
To top it all, I am a Checkpoint fanboy (I was a Checkpoint Certified Security Expert), but I am not recommending them here as it is way too overpriced for your need and support is charged per incident. Besides, their biggest hardware partner Nokia Enterprise Systems is up for sale (this is Nokia Cellular's firewall hardware division).

That's all the advice I can give!!
Good luck with finding the best firewall (for your requirement).

Last edited by jassi : 20th October 2008 at 20:52.
jassi is offline  
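The three-interface design jassi endorses above (inside, outside and DMZ, with the DMZ servers reached through NAT) can be written down as a zone-pair policy and checked against sample flows. The following Python model is an added example, not code from this thread or from any vendor's product; the subnets, the public address 203.0.113.10 and the published services are constructed for illustration, and the policy decisions (a DMZ host may not initiate connections into the inside zone; outside may reach the DMZ only through the published address) are the defaults a defender would normally start from.

```python
"""Zone-pair policy model for an inside/outside/DMZ firewall (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed address plan (assumption): one subnet per firewall interface.
# Anything not in a local zone is treated as "outside".
ZONES = {
    "inside": ip_network("10.10.0.0/24"),
    "dmz": ip_network("192.168.100.0/24"),
}

# Published services. The outside world only sees the public address; the
# firewall translates (static NAT / port forward) to the DMZ host.
PUBLIC_IP = ip_address("203.0.113.10")  # constructed, TEST-NET-3 range
STATIC_NAT = {
    (PUBLIC_IP, 80): (ip_address("192.168.100.10"), 80),    # web server
    (PUBLIC_IP, 443): (ip_address("192.168.100.10"), 443),
    (PUBLIC_IP, 25): (ip_address("192.168.100.20"), 25),    # mail relay
}

# Zone-pair policy for connections *initiated* from src zone to dst zone.
# A set means "only these destination ports"; absent pairs are denied.
POLICY = {
    ("inside", "outside"): "allow",          # users browsing out
    ("inside", "dmz"): "allow",              # admins managing servers
    ("outside", "dmz"): "published-only",    # only via STATIC_NAT entries
    ("dmz", "outside"): {25, 53, 80, 443},   # relay mail, DNS, updates
    ("dmz", "inside"): "deny",               # a compromised DMZ host must not reach the LAN
    ("outside", "inside"): "deny",
}


def zone_of(addr: str) -> str:
    """Map an address to the firewall interface (zone) it sits behind."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "outside"


@dataclass
class Flow:
    src: str
    dst: str
    dport: int


@dataclass
class Verdict:
    action: str                                  # "allow" or "deny"
    reason: str
    translated_dst: Optional[Tuple[str, int]] = None


def evaluate(flow: Flow) -> Verdict:
    """Decide whether a new connection is permitted, applying NAT first."""
    src_zone = zone_of(flow.src)
    dst_ip = ip_address(flow.dst)
    dport = flow.dport
    translated = None

    # Destination NAT happens before the zone lookup, so the policy sees the
    # real (DMZ) destination rather than the public address.
    if dst_ip == PUBLIC_IP:
        mapped = STATIC_NAT.get((dst_ip, dport))
        if mapped is None:
            return Verdict("deny", "no service published on that port")
        dst_ip, dport = mapped
        translated = (str(dst_ip), dport)

    dst_zone = zone_of(str(dst_ip))
    if src_zone == dst_zone:
        return Verdict("allow", "same zone; switched, not firewalled", translated)

    rule = POLICY.get((src_zone, dst_zone), "deny")
    if rule == "allow":
        return Verdict("allow", f"{src_zone}->{dst_zone} permitted", translated)
    if rule == "published-only":
        if translated is None:
            return Verdict("deny", "outside may reach the DMZ only via the published address")
        return Verdict("allow", "published service", translated)
    if isinstance(rule, set):
        if dport in rule:
            return Verdict("allow", f"{src_zone}->{dst_zone} port {dport} permitted", translated)
        return Verdict("deny", f"{src_zone}->{dst_zone} port {dport} not in the allow list")
    return Verdict("deny", f"{src_zone}->{dst_zone} denied")


if __name__ == "__main__":
    # Constructed sample flows: an Internet client, a LAN user and DMZ hosts.
    samples = [
        Flow("198.51.100.7", "203.0.113.10", 80),     # Internet -> published web
        Flow("198.51.100.7", "203.0.113.10", 22),     # Internet -> SSH on public IP
        Flow("198.51.100.7", "192.168.100.10", 80),   # Internet -> DMZ host directly
        Flow("192.168.100.10", "10.10.0.5", 445),     # web server -> LAN file share
        Flow("192.168.100.20", "198.51.100.7", 25),   # mail relay -> Internet SMTP
        Flow("10.10.0.5", "198.51.100.7", 443),       # LAN user -> Internet HTTPS
    ]
    for f in samples:
        v = evaluate(f)
        print(f"{f.src:>16} -> {f.dst}:{f.dport:<4} {v.action:5} ({v.reason})")
```

The point of ordering NAT before the policy lookup is the one jassi's design relies on: the rule for Internet traffic is written against the DMZ host, and nothing on the outside can reach a DMZ or inside address except through an explicitly published mapping. The `("dmz", "inside"): "deny"` entry is what limits the damage if a web server in the DMZ is compromised.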
Old 20th October 2008, 21:07   #22
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 12 Times

Also, if you are experimental and Linux-savvy and like free open-source stuff, you can rig up your own Linux box. However, remember you will have no paid support (the open-source community and Google are there for you), and if not done right you are prone to the same security issues of running firewall software on a commercially available endpoint OS.
Besides, to get any decent performance you will need server-class hardware, and for that cost you could get a Cisco ASA 5505 with 24X7 support (no per-incident charges; you can open any number of cases anytime with Cisco's Technical Assistance Center).
I personally use two firewalls at home: a Cisco ASA 5505 (got it for free) and a Linux firewall (for experimenting and playing around).
jassi is offline  
Old 20th October 2008, 21:13   #23
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,948
Thanked: 47,252 Times

A Cisco ASA 5505 looks fine, but how much does that cost in India?
Samurai is offline  
Old 20th October 2008, 21:24   #24
Team-BHP Support
Join Date: Dec 2004
Location: MH-12
Posts: 8,495
Thanked: 14,118 Times

I would choose firewalls in the following order:

Cisco ASA 55xx (I think their ASDM costs extra, not sure though).
Fortinet 300 / 400
Sonicwall.

They are in descending order of pricing, and my choice if it's a small or medium business would be the Fortigate 300 if it's cheaper than the ASA. Or if I am on a budget, nothing beats the Sonicwall. I have worked on all three firewalls and they are pretty good at their own price points as well as features. Depends on what you are looking for.
moralfibre is offline  
Old 20th October 2008, 21:45   #25
Senior - BHPian
Join Date: Sep 2005
Location: Thiruvananthapu
Posts: 9,687
Thanked: 1,493 Times

Quote:
Originally Posted by Samurai View Post
Ok, I think it is time I learnt a little more about this firewall/DMZ thingie. After some googling and stuff, I have enquired with my hardware vendor for quotes for a Cisco PIX 515e router.

I suppose this one allows both Microsoft and other popular VPN clients.
515E is a PIX. It ain't sold/supported anymore by Cisco.

The only option you have with Cisco is the ASA (ASA 5510 is the starter).

Cisco isn't the leader at FW.

Checkpoint is dependent on the OS and costly(?)

Just saw post 19.

You are lucky, and that's where Cisco etc. make money.

Last edited by jkdas : 20th October 2008 at 22:04.
jkdas is offline  
Old 20th October 2008, 21:57   #26
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 12 Times

Quote:
Originally Posted by Samurai View Post
A Cisco ASA 5505 looks fine, but how much does that cost in India?
ASA 5505 is the base (not 5510) and yes, ASDM is free (a GUI for management; it has all the necessary wizards to get you up and running, and you can go command line if you are not into GUIs).
The 5505 costs anywhere between 300 and 500 USD (street price). Make sure you buy it from an authorised reseller (not eBay) and buy the SmartNet 24X7 with advanced replacement (or next-business-day replacement) support.

Yes, the leader is Checkpoint (but too costly to buy and maintain for the same functionality as Cisco) and Cisco ranks no. 2 in corporate firewalls. Anyone else (Sonicwall, Fortinet) sells far too little to be considered close to these two leaders, and the support is not as well structured or reliable as Cisco TAC.

PS - if you need the demo mode of the ASDM (ASA Device Manager) GUI management software (note this is not the firewall, just the management software) to see how it looks and works, let me know via PM; I can log in to the Cisco site and get it for you. This will give you a good idea of the management software GUI (Java based) and the core functions of the box.

Last edited by jassi : 20th October 2008 at 22:02.
jassi is offline  
Old 20th October 2008, 22:24   #27
Senior - BHPian
Join Date: Sep 2005
Location: Thiruvananthapu
Posts: 9,687
Thanked: 1,493 Times

Quote:
Originally Posted by Samurai View Post
A Cisco ASA 5505 looks fine, but how much does that cost in India?

Moral: ASDM comes with it and you can upgrade it and the ASA ISO online.

Would suggest 5510 as you may need content scan etc in future.

Righto, jassi.

How's Juniper?

Would suggest Datacraft (authorized reseller)

Last edited by jkdas : 20th October 2008 at 22:28.
jkdas is offline  
Old 20th October 2008, 22:58   #28
Team-BHP Support
Join Date: Jan 2005
Location: Bangalore/Udupi
Posts: 25,948
Thanked: 47,252 Times

Thanks for all the info guys. Now I am looking at this item:

Cisco ASA 5505 10-User Bundle - 8 x 10/100Base-TX LAN, 1 x Management, 3 x - ASA5505-BUN-K9 - Buy.com

What is this user bundle thing? Are they going to control how many machines I can put on NAT or PAT?
Samurai is offline  
Old 20th October 2008, 23:15   #29
BHPian
Join Date: Jun 2007
Location: Melbourne
Posts: 980
Thanked: 12 Times

Quote:
Originally Posted by Samurai View Post
Thanks for all the info guys. Now I am looking at this item:

Cisco ASA 5505 10-User Bundle - 8 x 10/100Base-TX LAN, 1 x Management, 3 x - ASA5505-BUN-K9 - Buy.com

What is this user bundle thing? Are they going to control how many machines I can put on NAT or PAT?
Well, Checkpoint does user-based licensing and introduced the concept of user bundles. Cisco does not have any user restrictions (read: unlimited users are allowed) on all firewall models except the 5505. The 5510 through 5580 all allow unlimited users/nodes. I have noticed the 5505 has a 10, a 50 and an unlimited user node option. This is so that smaller deployments can benefit from lower prices and add a 50 or unlimited user licence as they grow. Do ensure you go for the higher user bundle on day 1 if you intend to have more than 10 nodes behind the 5505. These bundles turn out to be cheaper than buying licences later.
If you go for the 50-user bundled appliance it's like 100 USD more, and unlimited will be 300 USD more. However, this is still cheaper than buying the bundle later. Make sure you ask your local reseller for a good discount (PM me if you need any help with that).

Cisco also intends to add functions like content security or IPS as an option in the 5505 in the future (a separate daughter card which goes in a free slot on the 5505; no UTM gimmicks here). This is in line with the content security and IPS add-on cards on all their mid-level models up to the 5540.
The 5550 and 5580 are for large service providers, software houses or datacenters and are dedicated firewall/VPN boxes with no daughter card options.
jassi is offline  
Old 21st October 2008, 08:12   #30
BHPian
 
Join Date: Oct 2007
Location: Pune
Posts: 214
Thanked: 0 Times

I will reply to all one after another. I have got no disrespect for any of the comments on this thread, so please don't take this as a negative personal remark. I fully respect your experience.

Quote:
Originally Posted by jassi View Post

Yes, the leader is Checkpoint (but too costly to buy and maintain for the same functionality as Cisco) and Cisco ranks no. 2 in corporate firewalls. Anyone else (Sonicwall, Fortinet) sells far too little to be considered close to these two leaders, and the support is not as well structured or reliable as Cisco TAC.

PS - if you need the demo mode of the ASDM (ASA Device Manager) GUI management software (note this is not the firewall, just the management software) to see how it looks and works, let me know via PM; I can log in to the Cisco site and get it for you. This will give you a good idea of the management software GUI (Java based) and the core functions of the box.
Checkpoint is no longer the leader in any segment. It used to be the Numero Uno when the CISCO PIX didn't exist and Juniper & others were too basic to compete against it. It enjoyed the days of bundling Checkpoint software on top of Sun Solaris or MS Windows (yes, even that was/is possible). They have since long slid down the list and been overtaken by others. They are also way too expensive to maintain compared to SonicWall or Firebox or other SMB-segment firewalls. The best thing about them was their management software and detailed logging, appreciated by the admin fraternity of the time, but for performance reasons it has gone down the favourite list in recent years. During my support days for Exchange Server @ MS, I came across CheckPoint only twice as far as I remember. Samu, just forget that name; not worth it anymore.

Also, in the last few years, independent networking consultants in the US (usually having 25+ SMB accounts) have gotten so pissed off with the CISCO PIX and ASA series because of bugs & buffer issues that they are bulk-replacing them with others. Also, the higher-end ASAs do not include AV or IPS (for free).

Quote:
Originally Posted by moralfibre View Post
I would choose firewalls in the following order:

Cisco ASA 55xx (I think their ASDM costs extra, not sure though).
Fortinet 300 / 400
Sonicwall.

They are in descending order of pricing, and my choice if it's a small or medium business would be the Fortigate 300 if it's cheaper than the ASA. Or if I am on a budget, nothing beats the Sonicwall. I have worked on all three firewalls and they are pretty good at their own price points as well as features. Depends on what you are looking for.
Like MoralFibre said, Fortigate is a good solution with their ASIC-based firewall. They basically took off from where they left NetScreen with Juniper and founded Fortinet to carry on in the same field.

Quote:
Originally Posted by jassi View Post
Besides, to get any decent performance you will need server-class hardware, and for that cost you could get a Cisco ASA 5505 with 24X7 support (no per-incident charges; you can open any number of cases anytime with Cisco's Technical Assistance Center).
If you could quote their AMC charges for an ASA 5510 or above.

Quote:
Originally Posted by jassi View Post
So keeping the vendors out, your network security device (firewall) is only as safe as its weakest link. In the case of firewall software running on a commercially available operating system, the OS normally tends to be that weak link. No matter how much you harden the OS, there are still hundreds of vulnerabilities published every other day (every 2nd Tuesday if you are an MS hotfix fanboy).

Agree till here.

Also, a commercial OS like MS's is not designed to handle packets and flows passing through it effectively; it is designed as an endpoint OS, and no matter how good the firewall software you put on it, the limitations lie in the OS.

Similarly, a hardened OS or firewall still has the admin console loopholes that anyone can exploit with the right approach. Checkpoint runs on Solaris and Windows, Juniper on JunOS (based on FreeBSD) (but is also an ASIC-based firewall), & PIX and ASA on PIX/CISCO IOS, all of which have their own vulnerabilities. Just check Cisco/Juniper/Checkpoint buffer issues. Likewise, if the hardware is not managed by the same vendor company (like Nokia/Crossbeam in Checkpoint's case), then you have a separate case to pursue.

As far as autoenthusiast's advice goes, I would say he is spot on with the firewall architecture: yes, you need a firewall with three interfaces (an inside, an outside and a DMZ) and yes, you need to NAT your servers on the DMZ. This is the most secure design, which they will teach you on any vendor-neutral security architecture training.

With your architecture requirements in place, let's get back to vendors. Most firewall vendors realised the weakness of commercial OSs and decided to sell hardware firewall appliances (running a non-commercial OS, mostly a rewritten BSD/Linux variant) instead of firewall software on MS/Solaris/RHEL/etc. Checkpoint realised this years ago and chose Nokia blades, Juniper bought NetScreen and of course Cisco was always on hardware with their PIXes.

Guess what, all CISCO boxes run on some type of x86 hardware.

Cisco ASA - Wikipedia, the free encyclopedia

So ISA 2006 is not the only case, I see.

But then again, who has a 200 Mbps ISP link? Besides, for anyone hosting web servers, throughput hardly matters; the performance is measured in connections and connections/sec, as each HTTP request is a new connection.

"Each HTTP request is a new connection": this statement is news to me. It purely depends on what you are trying to do & what kind of environment you have. If you have load balancers, things will change. If you have cookie-based connections, the connection will remain alive and persistent. If you are hosting just web pages, every connection completes its cycle in one go and opens a new channel on new requests. So please don't club all into one. We have enough techies here who can differentiate between such statements.


Now coming to your scenario, turning my vendor-neutral hat off,.... The best firewall FOR YOUR REQUIREMENT will be a hardware appliance with good 24X7 support (not per-incident support like MS), but good all-round-the-year support at your beck and call. Cisco has stopped making PIXes; their firewalls are now called the ASA 5500 series. There are models ranging from the ASA 5505 (the cheapest, a few hundred dollars including annual AMC) to the 10-20 Gbps ASA 5550 (which I am assuming you don't need).
Here is a datasheet to help you decide the right model for you
Cisco ASA 5500 Series Adaptive Security Appliances [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems
and a video data sheet of the ASA 5505 if that's the model you need
Cisco ASA 5505 Video Data Sheet [Cisco ASA 5500 Series Adaptive Security Appliances] - Cisco Systems

An MS admin may not necessarily know about ISA, but your average CCNA folks will not know about it either. CISCO's ASDM interface is nowhere near as friendly as ISA, and if ISA fits the bill with just the right amount of scalability Samurai needs, what is the harm? Besides that, he is going to be using Exchange & maybe ActiveSync and other things which are best handled by ISA, provided it is tuned correctly. You can also get ISA-based appliances with hardened Windows 2003 installed as the base OS.

Please don't sell CISCO just because you like it.

Also, to clear up any confusion: Cisco used to be a router and switch company, but if you think that's all they do, you are seriously out of touch with the industry. Cisco has been into security for a decade and also makes Voice over IP phones and related technology, cable set-top boxes, Linksys wireless devices, etc. etc. Look at Cisco Systems, Inc. if you haven't yet!!

I still say they are a router and switch company. They are not the best names in security products, and Linksys is not an in-house development but an acquisition as late as 2004/5. VoIP is dominated by Nortel & Avaya, & CISCO Unity is losing ground very fast to both of the above and, believe it, Microsoft Exchange 2007 Unified Messaging.

To top it all, I am a Checkpoint fanboy (I was a Checkpoint Certified Security Expert), but I am not recommending them here as it is way too overpriced for your need and support is charged per incident. Besides, their biggest hardware partner Nokia Enterprise Systems is up for sale (this is Nokia Cellular's firewall hardware division).

That's all the advice I can give!!
Good luck with finding the best firewall (for your requirement).
given2fly is offline  
Copyright ©2000 - 2024, Team-BHP.com