Time for Some Firewall Changes
May 6th, 2008 @ 1:05 pm
I’ve been evaluating our current firewall situation and came to the following conclusion: We have too many products from too many vendors costing too much money and causing too many headaches.
Currently, we use a Watchguard Firebox X700 for our internal network and DMZ. It’s fine when it works, but gets flaky sometimes. It will randomly stop passing FTP traffic, or you add a new rule and it won’t actually work until you reboot. Overall, I’m not impressed.
Inside the Watchguard sits a Barracuda Web Filter. I like this box - it works great and causes very few issues. They do silly stuff sometimes like adding Northpoint.org to the “Spam” category, but, overall, I’m happy.
For our public network, there is a Sonicwall Pro 3060 running Sonicwall’s own content filtering service. The Sonicwall is a nice box, but has its issues with occasionally locking up and other weird stuff. I’ve used them in the past and came to the conclusion that it’s a great small office firewall, but really not an enterprise-class solution. The yearly support cost plus the yearly content filter license gets expensive too.
For VPN, we use a Cisco ASA 5510. This replaced the Watchguard VPN (which is absolutely horrible) and provides VPN access for laptops and a few remote sites (5505’s at the remote sites). I love the ASA firewalls. They are rock solid on both stability and performance and, in my opinion, easier to configure. This is definitely a keeper. Ironically, of the three boxes, the Cisco has the lowest yearly support cost.
I’m sure there were good reasons for implementing each product at the time, but everything but the Cisco was here before my time, so I don’t know all the details.
In putting it all together, this is what I’m seeing:
- We’re paying for subscriptions to two different content filtering services - one for the internal network and one for the public network.
- We have support contracts with 3 different vendors.
- There are some stability problems.
- Learning curve involved with multiple products.
Most of those contracts are up for renewal, so now is the time for change. My thought is to get another ASA 5510 and use its multiple interfaces to attach the internal network, the DMZ, and the wireless to one firewall. Then, hang the Barracuda Web Filter off another interface and redirect all outbound HTTP traffic to it via WCCP.
It seems almost too simple. One firewall for all the network segments, one content filter for everything, one less piece of hardware, more stability. It just makes sense all around. If anyone has any thoughts on this, I’d love to hear them.
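As an added illustration (not from the original post, and not a configuration supplied by Cisco or Barracuda), here is roughly what the ASA side of that consolidated design looks like in ASA CLI syntax. Every address, interface assignment and object name below is an assumption. One caveat worth checking before buying the second box: the ASA's WCCP implementation redirects on the ingress interface and expects the cache engine to be reachable on that same interface, so the Barracuda ends up on the inside segment rather than on a dedicated interface; confirm this against the WCCP restrictions in the configuration guide for the ASA release you actually run.

```cisco
! Added example: one ASA 5510 fronting inside, DMZ and wireless, with outbound
! HTTP from the inside LAN redirected to a Barracuda Web Filter via WCCP.
! Addresses are RFC 1918 / documentation ranges chosen for illustration.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
interface Ethernet0/3
 nameif wireless
 security-level 25
 ip address 192.168.30.1 255.255.255.0
!
! The Barracuda (assumed 192.168.10.5) sits on the inside segment, because the
! ASA expects the WCCP cache engine on the same interface as the clients whose
! traffic it redirects.
access-list WCCP_SERVERS extended permit ip host 192.168.10.5 any
!
! Only client HTTP (TCP/80) from the inside LAN is redirected. The Barracuda's
! own outbound traffic is excluded first, or it would be redirected back to
! itself. The DMZ is left out on purpose: server-initiated HTTP should not be
! passed through a user content filter.
access-list WCCP_REDIRECT extended deny tcp host 192.168.10.5 any
access-list WCCP_REDIRECT extended permit tcp 192.168.10.0 255.255.255.0 any eq www
!
! "web-cache" is the standard WCCP service group (service 0, TCP/80 only);
! HTTPS is not covered by it.
wccp web-cache redirect-list WCCP_REDIRECT group-list WCCP_SERVERS
wccp interface inside web-cache redirect in
!
! Egress control for the semi-trusted wireless segment: no access to inside or
! DMZ hosts, only web and DNS to the outside.
access-list WIRELESS_OUT extended deny ip any 192.168.10.0 255.255.255.0
access-list WIRELESS_OUT extended deny ip any 192.168.20.0 255.255.255.0
access-list WIRELESS_OUT extended permit tcp any any eq www
access-list WIRELESS_OUT extended permit tcp any any eq https
access-list WIRELESS_OUT extended permit udp any any eq domain
access-group WIRELESS_OUT in interface wireless
```

After the Barracuda registers, `show wccp web-cache detail` on the ASA lists it as a router-view member and shows redirected packet counts climbing; if the counters stay at zero, the group-list or the "same interface" restriction is usually the reason. Two trade-offs follow from the above: the wireless segment is not redirected in this layout (its clients would need the Barracuda configured as an explicit proxy, or their own filter), and because the web-cache service group only catches TCP/80, a client that tunnels through an outside proxy on 443 is not filtered at all, so the egress ACLs still matter.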
If you’re at all happy with your 3060, you might want to take a look at the latest SonicWALL products. The new NSA line (especially the E-class models) do some wicked stuff with content filtering and threat management. Even the base model NSA 3500 can do full UTM in real-time all the way up to a full 1Gbps on the WAN. Quite impressive actually.
Comment by Justin Moore — May 6, 2008 @ 3:05 pm
Derek,
I am a Systems Engineer for Sonicwall and was passed along your blog link so that I may answer any questions you have on our products. If you haven’t looked at the new Sonicwall Product line, I think you will be amazed at the changes. Many of the issues/concerns you have with working with multiple vendors can be addressed with the new NSA and E-class product lines. I hope this doesn’t sound too much like a sales pitch, but I think we can help you. If you would like to chat, I would be more than happy to answer your questions.
Comment by Tom Bulthaupt — May 7, 2008 @ 10:12 am
While you’re at it, why not have a look at ASSP for your spam filtering. It’s free so there’s nothing really to lose. I’ve used it for about 3 years now and it’s great…
http://assp.sourceforge.net/
Comment by Miles — July 31, 2008 @ 9:34 am