Enterprise Firewall

[CougTek]

We have an old (~6 years-old) Watchguard XTM 510 firewall which needs to be replaced at the office. Watchguard warned us that they won't support it more than another year, so it has to go. The office it deserves has grown and the XTM no longer suffices anyway.

We have two other Watchguard firewalls in other branch offices and we have VPN tunnels configured between them. I would prefer to stay with Watchguard to simplify the management.

I've looked into the competition's offerings and I'm unconvinced there's a better value elsewhere anyway. Fortinet seems less efficient while being more expansive. PfSense has some interesting boxes, but while the performance per $ is great, I wouldn't trust the deep packet filtering (AV scan, malware blocking) compared to the active cloud-based inspection offered by Watchguard. Same goes for the Microtik's routerboard, which is fine for a home setup or a test environment, but simply doesn't cut it for an enterprise main network.

I know many other companies offer midrange firewalls, but of course, I don't know them all.

What are you using to shield your companies' networks?

 

[Mercutio]

I used to use SonicWall products because one of my customers had a Sonicwall system set up before I started doing work for them, but they're expensive to maintain and not as flexible as using Untangle, pfSense or IPCop. My customers aren't so large that running a security appliance in a firewall is a performance concern.

 

[Howell]

I'm not sure what you mean that Fortinet is expansive. I would trust Watchguard to replace my Fortiguards along with my other security mechanisms. For you my recommendation would depend on where device management or auditing of config changes is more important. We have a 4 eye rule so that every change must be approved by another person and recorded.

 

[CougTek]

I used to use SonicWall products because one of my customers had a Sonicwall system set up before I started doing work for them, but they're expensive to maintain and not as flexible as using Untangle, pfSense or IPCop. My customers aren't so large that running a security appliance in a firewall is a performance concern.

Before I came in, they used an Aventail VPN firewall (Aventail=Sonicwall). I retired it two years ago. Support was indeed quite costly. The Watchguard units we use aren't cheap to maintain either, but significantly less than the Aventail used to be.

From a purely performance perspective, the best bang for the buck I could get would be, by far, a DIY system based on the SuperMicro SYS-1018D-FRN8T. But then I have to forget about cloud-based packets analysis and threat protection. That would work for a company of mostly computer-savvy people. That's deeply not the case where I work. I thought about protecting my host servers with 5Nine security suite, which would do a similar job, but only for the data going thru the servers. Individual computers would only be protected by their antivirus/security suite. It's a defendable option, but I feel it's inferior to scanning the packets for malware directly on the firewall.

I'm not sure what you mean that Fortinet is expansive.

It was a typo. I meant expensive. The Fortinet are ~20% more expensive than the similar Watchguard units, from the few stores I've checked.

I would trust Watchguard to replace my Fortiguards along with my other security mechanisms. For you my recommendation would depend on where device management or auditing of config changes is more important. We have a 4 eye rule so that every change must be approved by another person and recorded.

In the 10-companies conglomerate I work for, there's only a 2 eyes rules: mine. As long as the finance department has the cash flow, it's pretty much me and no one else's call. There's an IT director theorically above me, but he doesn't have a clue about IT infrastructure management, so I only tell him what's coming by courtesy and more often than not, deal directly with the been counters myself.

BTW, it's no party here despite the freedom I have. I've spent a quarter of a million less this year than my predecessor did on average for the past 3 years and they still cringe at every penny they have to spend.

 

[CougTek]

I've checked Untangle's pricing and for the amount of devices I have on all my networks (5 offices connected via an MPLS network with a single internet link), the NG complete firewall would cost us 14400$ for 3 years. That's without the hardware I'd to buy to host it. All in all, it's almost twice the price I would pay for a Firebox M440, a second PSU and a 3-years security suite license.

No thanks.

 

[blakerwry]

Coug, a lot of networks are built around the unprotected "outside" and the trusted "inside" model - basically what you get with your average residential NAT router. That model was never very good, but it was cheap and simple and thus it became popular. In a security conscious environment, separation between users, departments, and servers is (and always has been) a must. Similarly, visibility into the network (both real time and historically) is a must. I also agree that having AV or some amount of network intrusion/anomaly detection built into the network is highly desirable and this usually means shelling out for a commercial product and the associated support agreement. I've used products from Sonicwall and Cisco. Some of my clients use Watchguard and seem pretty happy (I haven't played with their gear in a decade). They are all pretty comparable, my recommendation is to pick the one you're the most comfortable with and stay up on your support contract so you can apply the latest updates (crucial in a application layer firewall).

 

[CougTek]

In a security conscious environment, separation between users, departments, and servers is (and always has been) a must. Similarly, visibility into the network (both real time and historically) is a must.

Separation is quite hard to implement here. There are managers from 8 different companies into the same building at the main office and from 7 companies at the secondary office. The other three offices only have people from a single company each. The administrative personal is shared between all companies and they constantly shift from one company to another, with most working on several companies simultaneously.

To top it all, the administration and the project managers (the guys in the field) all play in the same shared folders. It is a clusterfuck so deeply entrenched I wouldn't know where to start to fix it. So my strategy so far has been to build a shield around the whole thing. Security-wise, it still is a swiss cheese and even though I've been bashing security concepts to their head for the past three and a half years, more often than not, it doesn't penetrate in. Their skulls are stegoceras-like thick.

Some days, I feel like a guy paid to shovel shit from a slurry tank, with the entry valve full open. At least I'm left free to do it however I see fit.

 

[blakerwry]

Some days, I feel like a guy paid to shovel shit from a slurry tank, with the entry valve full open. At least I'm left free to do it however I see fit.

That's a good start - better than a lot of folks in the IT field that receive edicts from management (or worse sales) that have little clue into the best practices, costs, or limitations of available technology.

I would be willing to bet that a lot of businesses are ran the same way you describe and it creates a lot of challenges for security personnel. That doesn't mean security is impossible (or not worth attention) nor does it mean that the business model needs to suddenly change to fit with the most secure setup possible. Finding the balance of keeping assets safe, mitigating risks, and providing users access to the resources they need is not always easy, but can be accomplished with, hopefully, few compromises.

Your questions and responses indicate that you already are on a good path and are trying to achieve that balance now. As long as you can identify your business' assets, the risks to those assets, and mitigate these risks reasonably I'd say you are on the right track. A good application layer firewall is one layer in that strategy.

Two common mistakes that my clients make with application layer firewalls are A) Not keeping them updated and B) Not sizing them appropriately. The third, fourth, and fifth mistakes relate to firewalls in general and that is C) a lot my clients will install a firewall and then put everything they possibly can behind it - This results in a slew of web servers, exchange servers, etc that are publicly accessible (thanks to intentional holes in the firewall) and are sitting on the same network segment as internal domain controllers, file servers, workstations, etc. These servers are often outdated and would be a great way to gain entry into a network. D) my clients will assume that something behind the firewall is not connected to the internet simply because they do not access the www, email, or similar application on that device. and E) my clients do not setup logging or they ignore the logs.

A is easily addressed by including the support in the total cost of ownership calculations.
B is addressed by remembering that gig ports does not mean gig performance and doing some research into the number of devices on your network, connections at any given time (state table size), and bandwidth used by these devices and then comparing these numbers against the stated performance of the firewall in question with the features you plan to use. Performance with application layer features enabled is often many times less than with only layer 3/4 firewall features enabled. Include room for spikes/peak usage, forecast error, and growth in your calculations. For example, if you see a peak of 10k connections over the course of a week, size for 50-100k.
C is generally addressed by not putting your internet facing servers behind any firewall appliance (use the OS firewall or security suites), putting them behind a separate firewall, or placing them on dedicated interfaces behind the firewall and placing restrictions on them as if they were less trusted than non-internet facing/connected devices.
D - Remember, NAT does not equal firewall and firewall does not equal NAT. Using a non-routable IP with NAT connects devices to the internet. It's the firewall that enforces policy to devices, whether NAT'd or not. The needs of each device should be assessed and firewall rules applied to the device - either individually or as a group/network segment. These rules should include both incoming and outgoing traffic (many folks implicitly trust outgoing traffic generated from devices on their network - this is an oversight, in my opinion).
E is simple. Setup logging: either via email, local syslog on the device, or remote syslog to a central server. Setup alerts. Setup graphing of bandwidth usage or device health. And then regularly review this information - say weekly - to verify healthy operation. Any abnormalities should be checked into.

Any of the commercial brands of application layer firewalls you mentioned should allow you to address the above issues.