OT: Favorite Enterprise Firewalls?

From: Bret McHone 
------------------------------------------------------
We're migrating to a new internet pipe so we'll be making a log of changes.
I see this as a great opportunity to re-architect our firewall deployment
and was wondering what everyone's favorite enterprise grade firewall vendor
is?

When I say enterprise I mean the ability to have 24/7 4 hour
parts/maintenance and high level phone support. I personally prefer
companies with call centers based in the U.S. and not India, but I know
that's not always an option to get the vendor I want.

We've been using a couple Cisco ASAs which are pretty old so I figure we'll
end up replacing them with either a newer model of the same thing or
perhaps go another route.

I've heard good things about Sonicwall and Palo Alto firewalls, though I
haven't had much experience with them.

What are your opinions?

Thanks,
Bret

===============================================================
From: Lynn Dixon
------------------------------------------------------
Bret,

Give Palo Alto a good look. We are replacing all of our Cisco gear here with them. The Network and Security guys LOVE them.

http://www.paloaltonetworks.com/

Cisco has been scrambling here for us to try to give us something that is even remotely close to the ease of use and flexibility that is Palo Alto. It's actually quite funny.

===============================================================
From: Dave Brockman
------------------------------------------------------
My bias aside, the fact that your ASAs are the age they are should be a testament itself.

I personally find the interface on a Sonicwall horrid and bass-ackwards.

I have heard good things about Palo Alto, but they are $$$$ very pricey. I have yet to actually put my hands on one. If you get one, let's schedule an afternoon before you deploy :)

--dtb

===============================================================
From: Joe Freeman
------------------------------------------------------
I'm loving the Palo Altos. We're replacing the ASAs, pixen, and Fortigates we've got with them as fast as they'll let us spend the money. However, as others have said, they are pricey.

===============================================================
From: Jason Brown
------------------------------------------------------
I have to plug pfSense. ("Enterprise" is a bullshit buzzword to me).

I have never understood the 24/7 parts replacement / repair requirement that IT departments insist on. It is MUCH easier to just have hot redundant hardware than to continually pay for that kind of support.

No matter how good your support contract, hardware WILL fail, expect it and make failover seamless. It saves me a lot of headache. 4 hours is way more downtime than I am comfortable with. 4 minutes is way too long for me. 4 seconds I can deal with.

For those people that want it, pfSense also provides the 24/7 support at a reasonable price. I have not used it personally.

https://portal.pfsense.org/index.php/support-subscription

--Jason

===============================================================
From: Ed King
------------------------------------------------------
amen... and that philosophy also works with automobiles ;-)

--- On Wed, 4/17/13, Jason Brown wrote:
From: Jason Brown
Subject: Re: [Chugalug] OT: Favorite Enterprise Firewalls?
To: "Chattanooga Unix Gnu Android Linux Users Group"
Date: Wednesday, April 17, 2013, 10:10 AM

===============================================================
From: Dave Brockman
------------------------------------------------------
While I agree with your sentiments..... There are failover options available on Cisco kit at least. It's harder to buy that second $20k, $40k, $80k unit however.

And often "support" with firewalls is not actually support, but subscriptions to their Anti-virus signatures, Anti-SPAM signatures, IPS/IDS signatures, botnet traffic filter licenses, etc etc etc. Did you see support in that list? Me neither.

A much wiser man than myself once told me this: "I can decrease your downtime directly proportional to the size of your wallet, it's up to you and your wallet to determine how much downtime you can actually afford."

pfsense (and BSD's IPsec stack) has shortcomings compared to other OS offerings. Specifically, NAT before IPsec is not an option, so connecting overlapping subnets via pfsense is not possible. There are also issues with UDP traffic (specifically Microsoft AD traffic from workstation to servers) across VPNs. Not a big deal to make a registry change to one remote workstation. Huge pain in the ass to make the same change to 100 remote workstations.

You have to be aware of a product's limitations as well as its capabilities. And not all carpentry work requires a standard claw hammer. Sometimes you need a utility knife too....

Regards,
dtb

===============================================================
From: Nick Smith
------------------------------------------------------
What about Brocade stuff? I have no experience with them, but I know our vendor likes to try to push them on us when we order Cisco gear, stating that they are a lot less expensive than Cisco and you don't have to deal with SmartNet. I've never touched one, but it might be worth looking into.

http://www.brocade.com/index.page

I guess they are a Cisco competitor.

===============================================================
From: Bret McHone
------------------------------------------------------
The term "Enterprise" is as much political as it is technical. Sure, I could grab a couple PE2950s that I've decommissioned and put PFSense on it and it would probably outperform a lot of what's out there. However, if something breaks it falls on me 100%. I am one of two people that support our entire infrastructure. That includes wired & wireless LAN, virtualization, storage, etc. It all falls on me. I'm a bit of a jack of all trades, but a master of none, so vendor relationships are actually pretty dang important to me.

I actually do use PFSense as a firewall for my public access network. It's a good system and I think it works well, but that back-end support and local "feet on the street" support just isn't there. My Brocade and Enterasys vendors have actually come on-site and helped me out at no extra cost with various migrations. Our Brocade engineer actually drove over from Nashville to help me out at 2AM during our switch migration from Nortel Passport 8610 to the MLX a few years back just to give me an extra set of hands and troubleshoot a couple simple network configuration issues.

Your input is appreciated and you are welcome to your opinions, but we do differ in what we think of "Enterprise" equipment.

-Bret

===============================================================
From: Bret McHone
------------------------------------------------------
I honestly haven't even looked to see if Brocade has a firewall.

As far as the switches go... We have a couple Brocade MLX chassis and four ICX 6610s. They are actually pretty good equipment and the look and feel of the Brocade command line is VERY much like the Cisco NX-OS. We had one MLX that had some really funky & intermittent issues and Brocade ended up shipping us out a FULL replacement of the entire unit. Chassis, power supplies, high speed fabric modules, and all line cards. No issues since the replacement and our old unit was shipped to their engineering so they could tear it apart to find the problem. They also sent their local engineer to help me do the replacement of the unit.

-Bret

===============================================================
From: Mike Harrison
------------------------------------------------------
My limited experience with older Sonicwalls was/is (they are still there...) pretty bad. They have weird ideas of what is allowed and what they block, and a crappy interface.

I just reflashed a pfSense box with the latest version, I was impressed. On apropos hardware and with sane expectations I think it's a serious contender. And you can buy several spare complete units for the price of other systems. They are limited for fringe features, unless you want to get nitty gritty with the CLI. And remember, some of the fringe features (nat before...) are workarounds for bad overall network design, lazy admins and incompatible networks that can't be tweaked.

===============================================================
From: Jason Brown
------------------------------------------------------
Yep, support is in that list, from the linked page:

> A support subscription provides you with 24x7x365 direct access to the pfSense team with guaranteed response time for all your firewall,.....

This is ABSOLUTELY true! But in my opinion the approach to infrastructure design is much more important than the vendor / hardware. If you are going for more than "three nines" then every part of the infrastructure should be redundant. If that means that it costs less for one, you can buy two, or four.

Agreed, sometimes there are shortcomings. I wasn't aware that connecting overlapping subnets was possible (reliably) with any product? Perhaps I am misunderstanding? I've typically separated VPN services anyway, not leaving those up to the firewall at all (unless it is site to site).

I'm particularly interested in the UDP AD traffic issue, I have not heard of that particular issue.

===============================================================
From: Jason Brown
------------------------------------------------------
If you need one of the product, and have high availability concerns, then you need two of the product. It does not matter who makes it, or what the support contract is.

I think the back-end support is there, if you pay for it. Just like other vendor support. (Even the "feet on the street". Just ping this list for example). You paid for it, whether it was an extra charge or not. If that's cool with you, it's cool with me.

I differ with a lot of people on a lot of things but the main point I wanted to make is not "pfSense saves the world" or "Never buy the big guys". Not at all, my point is that redundant infrastructure trumps vendor support / on site warranties. A hot fail-over or load balance configuration (should) always provide better availability. If you can do both? Awesome!

I do still feel that the term "Enterprise" lost its meaning long ago. Google "Enterprise Edition" for hundreds of pages of examples where that just means: "We left out feature x so we could add a zero to the price" and nothing more.

--Jason

===============================================================
From: Dave Brockman
------------------------------------------------------
I was actually referring to the "Enterprise" competitors there.... We are in agreement here.

More than one of us on this list [can|have|do] provide support for pfsense as well. Same holds true for Cisco as well though :)

Cisco kit has done it for ... at least 15 years. And I mean connecting overlapping subnets on both ends of a L2L VPN, yes...

10.0.0.0/24|SiteA SiteB|10.0.0.0/24

You "NAT before IPsec" to overcome this, so from SiteA network, you access 10.0.1.0/24, and your device NATs this to 10.0.0.0/24 on the other end of that particular tunnel, and does the reverse for traffic coming from the other direction. You also have to overcome it on the other side, so you have to do the same, although you are free to choose any network you like....

10.0.0.0/24|SiteA>NAT>10.0.1.0/24>VPN

> I'm particularly interested in the UDP AD traffic issue, I have

My Google-Fu is failing me, so it's either been fixed since 2.0, or I am mis-remembering some detail. It involved a remote XP workstation, AD at HQ, and some type of AD related UDP traffic that could be reghacked to use TCP. I didn't work the issue in depth, although I did locate the definitive issue at the time. I will inquire with the coworker who was more deeply involved and circle back to you on this.
Regards,
dtb
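An added example, written for this thread rather than taken from it or from pfSense/Cisco, that works through Dave's "NAT before IPsec" arrangement: both sites really use 10.0.0.0/24, Site A shows itself to the tunnel as 10.0.1.0/24 as in his diagram, and Site B's tunnel subnet 10.0.2.0/24 is my assumed choice for the other side. It generalises the 1:1 translation to any equal-size pair of subnets and also checks the planning mistake Dave alludes to, a chosen tunnel subnet that collides with something either site already routes.

```python
"""Plan and trace a 'NAT before IPsec' site-to-site tunnel between two sites
whose LANs overlap. Every address below is a constructed sample value."""
from ipaddress import IPv4Address, IPv4Network


def translate(addr: str, real: str, nat: str) -> IPv4Address:
    """1:1 network NAT: keep the host offset, swap the network (real -> nat)."""
    real_net, nat_net = IPv4Network(real), IPv4Network(nat)
    if real_net.prefixlen != nat_net.prefixlen:
        raise ValueError("1:1 network NAT needs equal-size subnets")
    host = IPv4Address(addr)
    if host not in real_net:
        raise ValueError(f"{addr} is not inside {real}")
    return nat_net.network_address + (int(host) - int(real_net.network_address))


def plan_tunnel(site_a: dict, site_b: dict) -> dict:
    """Decide whether NAT is needed and return the IPsec traffic selectors.
    A site is {"real": "<LAN subnet>", "nat": "<subnet shown to the tunnel>"}."""
    a_real, a_nat = IPv4Network(site_a["real"]), IPv4Network(site_a["nat"])
    b_real, b_nat = IPv4Network(site_b["real"]), IPv4Network(site_b["nat"])
    if not a_real.overlaps(b_real):
        # No overlap: the real subnets can be the selectors, NAT is unnecessary
        return {"nat_needed": False, "selectors": (str(a_real), str(b_real))}
    # Each tunnel subnet must be unused by both LANs and distinct from the other
    # side's tunnel subnet, or hosts will route that traffic locally instead
    checks = (("A", a_nat, (a_real, b_real, b_nat)),
              ("B", b_nat, (a_real, b_real, a_nat)))
    for name, nat, others in checks:
        for other in others:
            if nat.overlaps(other):
                raise ValueError(f"site {name} tunnel subnet {nat} collides with {other}")
    return {"nat_needed": True, "selectors": (str(a_nat), str(b_nat))}


def trace_packet(src_host: str, dst_as_addressed: str, site_a: dict, site_b: dict) -> dict:
    """Follow a packet from a Site A host to the Site B host it addresses via B's tunnel subnet."""
    # Site A edge: rewrite the source into A's tunnel subnet, then encrypt
    src_in_tunnel = translate(src_host, site_a["real"], site_a["nat"])
    # Site B edge: after decryption, rewrite the destination back to B's real host
    dst_real = translate(dst_as_addressed, site_b["nat"], site_b["real"])
    return {"in_tunnel": (str(src_in_tunnel), dst_as_addressed),
            "delivered": (str(src_in_tunnel), str(dst_real))}


if __name__ == "__main__":
    SITE_A = {"real": "10.0.0.0/24", "nat": "10.0.1.0/24"}  # Dave's example
    SITE_B = {"real": "10.0.0.0/24", "nat": "10.0.2.0/24"}  # assumed for Site B
    print(plan_tunnel(SITE_A, SITE_B))
    print(trace_packet("10.0.0.5", "10.0.2.9", SITE_A, SITE_B))
```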


===============================================================
From: Jason Brown
------------------------------------------------------
Gotcha, I really should send them some money. We have submitted patches and fixes to them though (only small ones).

Yeah, let me know if you find anything. We deal with AD federated sign on for some clients and if an issue crops up this is now in my "check on it" list.

===============================================================
From: Bret McHone
------------------------------------------------------
Just updating the list that we decided to go with a Palo Alto PA-3020. This thing is a marvel of a device and it's going to make our management overhead a lot easier. We're going to replace 3 firewalls (two ASA 5510s & a PFSense) as well as a Barracuda Web Filter with them. When we compared the cost of the devices with everything it can do and what all it will be replacing it actually came out cheaper. Go figure!

They gave us a big PA-5020 unit to play with over the last month and it's really surprised me just how much visibility it adds in comparison to other offerings I've seen. I just really haven't seen much competition out there for these devices.

-Bret

===============================================================
From: Eric Wolf
------------------------------------------------------
http://dilbert.com/dyn/str

===============================================================
From: Bret McHone
------------------------------------------------------
In my case it's always the web filter. I'll be glad to get the Barracuda garbage out.

-Bret

===============================================================
From: Joe Freeman
------------------------------------------------------
The only issue I've had with the PAN devices was an OSPF authentication code bug last year that caused them to start to fail authentication if you saved a change to the OSPF config without re-applying your MD5 password at the same time.

I've got five in the network now (2050s to 5050s) with four more on order, mostly replacing Fortigate 200Bs and 5140s. If I can get the Windows guys to install the User-ID agent on the DCs, life will be golden.