
I'm looking for any Firewall recommendations that meet our requirements below.

In one of our racks we're currently using a Watchguard Firebox Core 550e Firewall. It's served us well for the past few years but we're now in need of an upgrade.

Our main requirements for the new Firewall are:

Support for blocking of large IP ranges such as countries (The Firebox struggles with this)

Good DOS protection

Relatively easy to manage. The Watchguard GUI is very easy to use.

We currently average around 12,000 connections (7,000 active) at any one time and will need to support a lot more than this (double).

Many Thanks Nick

pplrppl
user2946

2 Answers


The Firebox X550e has built-in intrusion prevention (DoS, DDoS, SYN flood), supports 25,000 concurrent sessions, has 390 Mbps of throughput, and has the ability to block individual hosts, host ranges, as well as individual netblocks, so what about it don't you like?

If you like Watchguard, the X750e and X1250e are the next step up in the XCore e-series.

http://www.watchguard.com/products/compare_results.asp?p1=x1250e&p2=x750e&p3=x550e

joeqwerty
  • On occasion we've maxed out the 25,000 sessions. We've also had packet loss when it's been really busy. We've also discovered that using the host range blocking severely affects the Firewall's performance. – user2946 Sep 07 '09 at 14:29
  • Also as we've recently found out it didn't cope at all well under a DDOS attack. – user2946 Sep 07 '09 at 14:33
  • OK, I got it. If you move to Checkpoint or Cisco they're going to be very expensive. I like Checkpoint, but can't afford it. The only other brands I can think of are SonicWall and BorderWare. – joeqwerty Sep 07 '09 at 14:39

I'm not joking: a small server with OpenBSD and the PF filtering engine? It has excellent performance, even on the lowest-end servers, and the config file is quite readable IMHO.

In general, go with what your organization has competencies in. When it comes to routing and security, there is no substitute for experience and good training. I see most smaller places standardize on Cisco everywhere. They do so because it limits their training/skills needs to only one manufacturer, and Cisco is chosen because they have a comprehensive product portfolio and a wide support network of techs.

If the above doesn't convince you, then I would consider Juniper, Checkpoint, Cisco, or Fortinet as the leading firewall brands today (in no special order).

Note that Juniper's new SRX series is based on their router JUNOS software, not their previous firewall ScreenOS. It could be a bit rough right now, but it has really good future potential.

Cisco ASA are rock solid boxes in my experience, but I would not call their configuration 'easy' or 'logical' for people without Cisco training.

I don't have much personal experience with Checkpoint and Fortinet; I have just heard them praised by good people. Thus I can't really say much more about their ease of configuration.
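To make the OpenBSD/PF suggestion concrete against the three requirements in the question (bulk country blocking, DoS protection, a larger state table), here is an added example pf.conf. It is not from the answer above or from the OpenBSD project; the interface name, the DMZ range (203.0.113.0/24, a documentation prefix), the server address and the path of the country list are all assumptions. The country list is assumed to be a plain file with one CIDR block per line, produced from whatever geo-IP feed you choose; PF tables hold such lists in a radix tree, so lookups stay cheap however large the list gets.

```pf
# /etc/pf.conf -- added example, not the answer's or OpenBSD's own config.
# Assumptions: em0 faces the Internet, em1 faces a routed DMZ (no NAT needed).
ext_if  = "em0"
dmz_if  = "em1"
dmz_net = "203.0.113.0/24"      # assumed routed DMZ prefix
web_srv = "203.0.113.10"        # assumed published server

# Large address lists belong in tables, not in long rule lists. The file
# (assumed path) holds one CIDR per line; "persist" keeps the table even
# when no rule references it, so it can be updated without a ruleset reload.
table <blocked_countries> persist file "/etc/pf/blocked-countries.txt"
# Sources that trip the rate limits below are added here automatically.
table <bruteforce> persist

# The default state limit is 10000; raise it to cover the expected load.
set limit states 100000
set skip on lo0

# Drop blocked ranges and auto-banned hosts first; "quick" ends evaluation,
# so nothing further is spent on them.
block drop in quick on $ext_if from { <blocked_countries>, <bruteforce> }

# Default deny for everything not explicitly passed below.
block return

# Publish the server with SYN proxying: PF completes the client's TCP
# handshake itself and only creates state (and forwards) once the client
# has answered, which blunts SYN floods. Per-source limits: at most 50
# concurrent states and 15 new connections per 5 seconds; exceeding either
# adds the source to <bruteforce> and flushes all its existing states.
pass in on $ext_if proto tcp to $web_srv port { 80, 443 } \
    flags S/SA synproxy state \
    (max-src-conn 50, max-src-conn-rate 15/5, \
     overload <bruteforce> flush global)

# Let the DMZ hosts initiate outbound connections.
pass out on $ext_if from $dmz_net keep state
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. When the country list changes, swap the table in place with `pfctl -t blocked_countries -T replace -f /etc/pf/blocked-countries.txt` rather than reloading the whole ruleset. `pfctl -t bruteforce -T show` lists the sources currently banned by the overload rule, and `pfctl -si` reports the current state count against the limit set above, which is the figure to watch as the 12,000-connection load grows.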