Firewall recommendations

Thread starter: Mha
Hi

I'm looking for a 'blackbox' firewall solution for a small company of about
50-60 users/computers with 4-5 servers (Web, Exchange, App server).
We also need one site-to-site VPN tunnel and client-to-site L2TP/IPsec, or
maybe in the future SSL VPN tunnels. I also need DNS and SMTP (proxy) on this
box, to use it as a mail relay and DNS relay from outside to our services in
the LAN.
Currently I'm looking at the WatchGuard Firebox X550e; it has all the
functionality I need. Is this a good choice, or do you recommend any
other products that are more optimal for a small company
(price/performance)? Maybe Netscreen or VigorPro, but I'm not sure if they
support DNS and SMTP proxy?
Thank you in advance!
Regards,
Miha
 
Thanks for the information.
I think that the Firebox X550e will be exactly what we need for our company
(50-60 users). I only plan to take the LiveSecurity subscription (not the
UTM Spam/Web/Gateway blocker); I think this will be sufficient for now,
we'll see in the future if we need these extra services. I also plan to buy
the upgrade to Fireware Pro for more SSL VPN connections for my home users. I
need the SMTP proxy so that the Exchange server will relay through it (not
be exposed to the internet); also all mail from outside will be delivered to
the Firebox, which will forward it to the Exchange server. Regarding the DNS
proxy, I'm thinking of using our internal DNS server also as the DNS
resolver from the internet, but I also don't want to expose it directly, so
it will be resolved through the Firebox DNS proxy.
Any other opinion or proposal about this configuration?
Regards,
Miha
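The relay layout described in the post (outside mail and DNS terminate on
the firewall's proxies; only the firewall talks to Exchange and the internal
DNS server; Exchange sends outbound mail only via the proxy) can be checked
as an ordered, first-match rule set before it is typed into any appliance.
The following is an added example, not WatchGuard code or configuration, and
every address is assumed: 10.0.0.0/24 is the LAN, 10.0.0.10 is Exchange,
10.0.0.53 the internal DNS server, 10.0.0.1 the firewall's inside address and
203.0.113.1 (a TEST-NET address) its outside address. The verify() function
returns the expectations the policy violates, so a misordered rule (e.g. a
broad "LAN out" allow placed above the Exchange direct-SMTP deny) is caught.

```python
"""Policy model for a mail/DNS relay-through-firewall layout.

Added example, not vendor code.  All addresses are assumed for illustration:
  10.0.0.0/24   LAN
  10.0.0.10     Exchange
  10.0.0.53     internal DNS server
  10.0.0.1      firewall inside address (SMTP/DNS proxies listen here too)
  203.0.113.1   firewall outside address (TEST-NET-3, never routed)
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

LAN = ip_network("10.0.0.0/24")
ANY = ip_network("0.0.0.0/0")
FIREBOX_EXT = ip_network("203.0.113.1/32")
FIREBOX_INT = ip_network("10.0.0.1/32")
EXCHANGE = ip_network("10.0.0.10/32")
INTERNAL_DNS = ip_network("10.0.0.53/32")


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Ordered: the first matching rule decides, as on most firewalls.
POLICY: List[Rule] = [
    # The outside world may only reach the firewall's own proxies.
    Rule("smtp-in-to-proxy", ANY, FIREBOX_EXT, 25, "allow"),
    Rule("dns-in-to-proxy", ANY, FIREBOX_EXT, 53, "allow"),
    # The proxies hand traffic on to the internal servers.
    Rule("proxy-to-exchange", FIREBOX_INT, EXCHANGE, 25, "allow"),
    Rule("proxy-to-internal-dns", FIREBOX_INT, INTERNAL_DNS, 53, "allow"),
    # Exchange relays outbound mail via the proxy, never directly.
    Rule("exchange-to-proxy", EXCHANGE, FIREBOX_INT, 25, "allow"),
    Rule("exchange-direct-smtp", EXCHANGE, ANY, 25, "deny"),
    # Ordinary LAN traffic: resolve internally, browse out.
    Rule("lan-dns", LAN, INTERNAL_DNS, 53, "allow"),
    Rule("lan-out", LAN, ANY, None, "allow"),
    Rule("default-deny", ANY, ANY, None, "deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the deciding rule)."""
    s, d = ip_address(src), ip_address(dst)
    for r in policy:
        if s in r.src and d in r.dst and (r.dport is None or r.dport == dport):
            return r.action, r.name
    return "deny", "implicit-deny"


# (src, dst, dport, expected action).  198.51.100.7 is a constructed
# "somewhere on the internet" address (TEST-NET-2).
EXPECTATIONS = [
    ("198.51.100.7", "203.0.113.1", 25, "allow"),  # inbound mail hits the proxy
    ("198.51.100.7", "10.0.0.10", 25, "deny"),     # Exchange not reachable directly
    ("10.0.0.1", "10.0.0.10", 25, "allow"),        # proxy forwards to Exchange
    ("10.0.0.10", "10.0.0.1", 25, "allow"),        # Exchange relays via proxy
    ("10.0.0.10", "198.51.100.7", 25, "deny"),     # no direct outbound SMTP
    ("198.51.100.7", "203.0.113.1", 53, "allow"),  # outside DNS hits the proxy
    ("198.51.100.7", "10.0.0.53", 53, "deny"),     # internal DNS not exposed
    ("10.0.0.20", "198.51.100.7", 80, "allow"),    # users still browse
]


def verify(policy: List[Rule] = POLICY):
    """Return the expectations the policy violates, with the deciding rule.
    An empty list means the rule set enforces the relay layout."""
    failures = []
    for src, dst, dport, expected in EXPECTATIONS:
        action, rule = evaluate(policy, src, dst, dport)
        if action != expected:
            failures.append((src, dst, dport, action, rule))
    return failures


def misordered() -> List[Rule]:
    """POLICY with the broad 'lan-out' allow moved above the Exchange
    direct-SMTP deny: the classic ordering mistake this check catches."""
    rules = [r for r in POLICY if r.name != "lan-out"]
    idx = [r.name for r in rules].index("exchange-direct-smtp")
    rules.insert(idx, next(r for r in POLICY if r.name == "lan-out"))
    return rules


if __name__ == "__main__":
    print("correct order:", verify() or "OK")
    print("misordered:   ", verify(misordered()))
```

Run it stand-alone and the misordered variant reports the Exchange-to-internet
SMTP flow being allowed by "lan-out"; swap the rules back and verify() is
empty.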
 
Thanks again for all the tips!
Yes, you're right, taking the UTM bundle for the X550e (Firebox + Spam/Web/
Gateway blocker + LiveSecurity) costs in my country (Europe) about $3000;
the Firebox alone costs $2500, so for $500 I get a 1-year full subscription
to all services, and next year we'll decide if we extend the subscription.
So I think for now the Firebox X550e UTM bundle + Fireware Pro will be the
right choice. I'll let you know more when I get the equipment.
Thanks again!
Regards,
Miha
 
Thanks. I'm quite familiar with rules on firewalls, but don't have any
experience with WatchGuard. Thank you again for all the information; I'll
try to configure it, we'll see how it goes.
Regards,
Miha
 
Hi Leythos

I have another question regarding the Firebox X550e, about the throughput
that is specified:
- Firewall throughput 300+ Mbps
- VPN throughput 35 Mbps
- AV throughput 50 Mbps
I'm a little concerned that if I enable all UTM services
(Anti-Spam, Anti-Spyware, GW-AntiVirus, IPS...) there will be problems with
performance or throughput.
We have a 100/100 internet connection, so with all these services enabled,
and also about 10 users using client-to-site SSL VPN (sometimes), can I
expect any problems with Firebox performance or with firewall throughput?

I'm also wondering if there are any differences between Mobile VPN tunnels
and SSL VPN tunnels? Since the Firebox X550e only has 5 Mobile VPN client
licences included, but with the Fireware Pro upgrade I get full (75) SSL VPN
client licences, I'm thinking of using SSL VPN access for all users who will
need access from home computers. Are there any other differences/features
between these two types of VPN? Primarily my clients need to access (from
their home computers) file shares on servers and some local applications.
Thanks again!
Miha
 
Mha said:
Hi Leythos

I have another question regarding the Firebox X550e, about the throughput
that is specified:
- Firewall throughput 300+ Mbps
- VPN throughput 35 Mbps
- AV throughput 50 Mbps
I'm a little concerned that if I enable all UTM services
(Anti-Spam, Anti-Spyware, GW-AntiVirus, IPS...) there will be problems
with performance or throughput.
We have a 100/100 internet connection, so with all these services enabled,
and also about 10 users using client-to-site SSL VPN (sometimes), can I
expect any problems with Firebox performance or with firewall throughput?

Yes, it matters. But it has nothing to do with bandwidth, network speed,
throughput, etc.
It matters with respect to the CPU of the firewall. The more you give it to
do, the longer it takes to process; the longer it takes to process, the
more "processor lag" you introduce. To speed it up you need a model with a
faster processor.

Mha said:
I'm also wondering if there are any differences between Mobile VPN tunnels
and SSL VPN tunnels? Since the Firebox X550e only has 5 Mobile VPN client
licences included, but with the Fireware Pro upgrade I get full (75) SSL VPN
client licences, I'm thinking of using SSL VPN access for all users who
will

WatchGuard tends to rewrite the dictionary to suit themselves or just simply
"make up" terminology out of nowhere.

Mobile VPN = what the industry calls Remote Access VPN.
WatchGuard used to call it MUVPN (Mobile User VPN).
This is individual "humans" that establish their own personal inbound VPN
connection into the LAN from the "outside". It is not meant nor designed to
"stay up". The user is supposed to connect, do the job they connected to
do, and then disconnect. This type of VPN can potentially, and often
does, disrupt the user's ability to connect to things on their own local LAN
during the time it is "up".
Remote Access VPN can use PPTP, L2TP, or IPsec.

SSL VPN tunnels = Wow, they are really getting "vague" here. SSL VPN can
mean a *lot of things* that are nothing alike. They might mean Site-to-Site
VPNs, or they might mean application publishing via a web browser over
SSL, which technically is not even a true VPN. I've always thought SSL VPN
was an oxymoron that really meant nothing in reality and was just a
marketing term. It is a term used by products such as Whale, which was
bought out by MS and renamed "Intelligent Application Gateway" and
incorporated into the Forefront security suite. While at MS myself, in a
meeting with the ex-Whale employees and some MS Forefront people, I think I
annoyed them by telling them that I did not think it was a "true VPN" and
that it should not be called "SSL VPN" and that they should call it
something else. It is also similar to the Web Interface that Citrix is
capable of using to make things available to users.

Anyway, if they use the term to mean what the industry calls Site-to-Site
VPN.....
WatchGuard used to call this ROVPN (Remote Office VPN).
These probably nearly always use IPsec, but some products like MS ISA Server
let you choose between PPTP, L2TP, or IPsec, which can be dictated by what
equipment it has to work with.
A Site-to-Site VPN is the connecting of two networks over a VPN link. There
are no "humans" involved, only computers. This type of connection is
designed and expected to be "always up". It does not disrupt or adversely
affect local traffic on either one of the connected LANs; however, the two
LANs need to have the routing schemes properly designed so that the correct
traffic goes over the VPN while other traffic does not.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
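The two points in the reply above, that a site-to-site tunnel needs its
routing laid out so only the remote LAN's traffic goes over the VPN, and
that a remote-access client can cut the user off from their own home LAN
while connected, both come down to longest-prefix route selection. The block
below is an added example, not WatchGuard or Microsoft code, and models
routing tables only: the office LAN 10.0.0.0/24, the branch LAN 10.0.1.0/24
reached over a site-to-site tunnel, and a home LAN 192.168.1.0/24 are all
assumed addresses. The full-tunnel behaviour is modelled as the common
technique of inserting two /1 routes via the tunnel, plus an assumed client
option that forbids local-LAN access by routing the home /24 into the
tunnel as well; real clients vary in how they do this.

```python
"""Longest-prefix route selection for site-to-site vs remote-access VPNs.

Added example, not vendor code.  Assumed addressing:
  10.0.0.0/24     office LAN (behind the firewall)
  10.0.1.0/24     branch LAN, reached over a site-to-site tunnel
  192.168.1.0/24  a remote user's home LAN
"""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]   # (prefix, interface/next hop label)

OFFICE_LAN = "10.0.0.0/24"
BRANCH_LAN = "10.0.1.0/24"
HOME_LAN = "192.168.1.0/24"


def next_hop(routes: List[Route], dst: str) -> Optional[str]:
    """Pick the interface for dst the way a host or router does: the most
    specific (longest prefix) route containing dst wins."""
    addr = ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


# Office gateway with a site-to-site tunnel to the branch: only the branch
# prefix is steered into the tunnel; everything else still uses the ISP.
OFFICE_GATEWAY: List[Route] = [
    (OFFICE_LAN, "lan"),
    (BRANCH_LAN, "vpn-branch"),
    ("0.0.0.0/0", "isp"),
]


def client_routes(full_tunnel: bool, allow_local_lan: bool) -> List[Route]:
    """Routing table a remote-access (Mobile User) client ends up with.

    Split tunnel: only the office prefix goes through the VPN; the home LAN
    and the internet are untouched.
    Full tunnel: two /1 routes via the tunnel override the default route
    without deleting it (a widespread client technique, assumed here).  If
    the client is also set to forbid local-LAN access while connected, the
    home /24 is routed into the tunnel too (assumed modelling of that
    option), which is what breaks printers and NAS boxes at home.
    """
    routes: List[Route] = [("0.0.0.0/0", "home-router")]
    if full_tunnel:
        routes += [("0.0.0.0/1", "vpn"), ("128.0.0.0/1", "vpn")]
    else:
        routes.append((OFFICE_LAN, "vpn"))
    home_iface = "vpn" if (full_tunnel and not allow_local_lan) else "home-lan"
    routes.append((HOME_LAN, home_iface))
    return routes


def home_lan_reachable(routes: List[Route]) -> bool:
    """True if a device on the home LAN is still reached locally."""
    return next_hop(routes, "192.168.1.50") == "home-lan"


if __name__ == "__main__":
    print("office -> branch host :", next_hop(OFFICE_GATEWAY, "10.0.1.7"))
    print("office -> internet    :", next_hop(OFFICE_GATEWAY, "198.51.100.7"))
    for ft, lan in [(False, True), (True, True), (True, False)]:
        t = client_routes(ft, lan)
        print(f"client full={ft} local_lan={lan}:",
              "office via", next_hop(t, "10.0.0.5"),
              "| internet via", next_hop(t, "198.51.100.7"),
              "| home LAN reachable:", home_lan_reachable(t))
```

The site-to-site table shows why that tunnel is harmless to local traffic:
only 10.0.1.0/24 is more specific than the default route. The client tables
show why the remote-access case is different: with a full tunnel the
internet goes through the office, and with local-LAN access forbidden the
home /24 does too.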
 
Thanks again for all the information, it is always very helpful.
Yes, I know it's the lowest version of the firewall, but there won't be any
high activity on it. Users behind it will primarily use HTTP to surf the
web; the general purpose of the 100 Mbps fiber is that we have one Apache
web server with a few internet sites on it and an internal mail server
(Exchange) for 50 users, so we need a strong line, but I think that for our
line of business and the small profile of the company a 50 Mbps line would
also be enough.
Also, users who will VPN from their home computers (slow DSL line) will
primarily connect to the terminal server, and we have one small branch
office with 2 users that will be connected via a site-to-site VPN
connection (they have a 2 Mbps DSL connection), so I think the X550e
appliance would be enough, or am I wrong?
I don't want to go for a higher Firebox like the X750e or X1250e because the
UTM services subscription is much more expensive than on the X550e model,
and also the higher model is much more capable than we need for our
company.
So if I got this right, there is no need to buy extra licences for Mobile
IPsec VPN for home users to connect, since with Fireware Pro I get full (75)
client licences for SSL VPN and users can use this kind of VPN instead of
Mobile IPsec with the same functionality?
Regards, Miha
 
Hi, I hope this helps.

We use WatchGuard firewalls in our company (in a global environment); after
trying several different types we found these to work great, including
domain replication, data, mail (Exchange), DameWare, MSTSC, just about
everything a network needs, including security. Have a look on eBay; you
can get some cheap ones. I saw this the other day, 2 months old and only
used for 3 days; something like this may be of some use.

http://cgi.ebay.co.uk/watchguard-x2...39:1|66:3|65:12|240:1318&_trksid=p3286.c0.m14

Trev
 