[geeks] Firewall recommendation?

Paul Booth paul at grumpy.co.uk
Tue Dec 6 16:54:59 CST 2005


On 12/6/05, Nate <nate at portents.com> wrote:
>
> Do you guys have favorite firewalls?  What I need for $dayjob is:
> reliable, secure, low maintenance, good performance, can failover to
> a secondary WAN when the primary goes down.

Assuming you want appliance rather than roll-your-own...

Netscreens are good; though they have their fair share of
vulnerabilities, they have a good range and iirc the same feature set
on all the machines through the range, just different throughput
figures.

Check Point are OK but can work out expensive, especially if you go
for an appliance with one on (Nortel ASFs, Nokias, Crossbeam), you end
up paying similar money for the appliance as you do with others, then
have to add on the Check Point licenses afterwards, can get a bit
scary.

PIXs are OK, and can be had very cheap nowadays, but the gui that they
use can cause odd side effects, and I've seen some really weird stuff
happening with them with proxy arp and 'selective' routing of packets
which makes tracking down problems hard if you haven't seen it before.
Personally I'd avoid.

If you have a Watchguard already, they are doing a trade in at the
moment, Fireware does WAN failover, it seems to work OK.  You can
upgrade the Firebox X Core machines to Fireware, though by default
they don't do WAN failover.

There's also Stonewall, who look really good, but I've no direct
experience with, they wrote VPN-1 and had a product for doing
Firewall-1 clustering (Stonebeat) though they have since fallen out
with Check Point.

I would be very careful about appliances that you've seen little or no
user experiences with, firewalls can promise a lot, and deliver
relatively little.  Multi-WAN failover is one area where
implementations don't always meet sales blurb.  Definitely try before
you buy if you can.

Paul.
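Added illustration, not part of Paul's post or of any product named in it: the "try before you buy" advice on WAN failover is easier to act on if you have a reference model of the behaviour you expect (dead-gateway detection after N consecutive lost probes, fail-back only after M consecutive good ones, no flapping on a single lost probe) and compare the appliance against it during the trial. The class below is that reference model; the probe log fed to it is constructed, and how you obtain real probe results (for example pinging an upstream address out of each WAN interface on a fixed interval) is left as an assumption.

```python
"""Dual-WAN failover decision logic with hysteresis.

Reference model for evaluating an appliance's multi-WAN failover during a
trial: feed it one (primary_ok, secondary_ok) probe result per interval and
compare the path it selects with the path the appliance actually used.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class WanFailover:
    # Consecutive failed probes before a WAN is declared down.
    fail_threshold: int = 3
    # Consecutive good probes before a down WAN is declared up again
    # (higher than fail_threshold so a flapping link does not bounce traffic).
    recover_threshold: int = 5
    active: str = "primary"
    _fail: Dict[str, int] = field(default_factory=lambda: {"primary": 0, "secondary": 0})
    _ok: Dict[str, int] = field(default_factory=lambda: {"primary": 0, "secondary": 0})
    _down: Dict[str, bool] = field(default_factory=lambda: {"primary": False, "secondary": False})

    def observe(self, primary_ok: bool, secondary_ok: bool) -> str:
        """Record one probe interval and return the WAN that should carry traffic."""
        for name, ok in (("primary", primary_ok), ("secondary", secondary_ok)):
            if ok:
                self._ok[name] += 1
                self._fail[name] = 0
                if self._down[name] and self._ok[name] >= self.recover_threshold:
                    self._down[name] = False
            else:
                self._fail[name] += 1
                self._ok[name] = 0
                if not self._down[name] and self._fail[name] >= self.fail_threshold:
                    self._down[name] = True
        # Prefer the primary whenever it is up, fall over to the secondary when
        # only it is up, and keep the current path if both are down (nothing
        # better to switch to).
        if not self._down["primary"]:
            self.active = "primary"
        elif not self._down["secondary"]:
            self.active = "secondary"
        return self.active


def run_scenario(probes: List[Tuple[bool, bool]],
                 fail_threshold: int = 3,
                 recover_threshold: int = 5) -> List[str]:
    """Replay a probe log and return the active WAN chosen at every interval."""
    fw = WanFailover(fail_threshold=fail_threshold, recover_threshold=recover_threshold)
    return [fw.observe(p, s) for p, s in probes]


if __name__ == "__main__":
    # Constructed probe log: 2 good intervals, 4 intervals with the primary
    # dark, then 6 intervals with the primary back. Expected: fail over on the
    # third lost probe, fail back only after five clean ones.
    log = [(True, True)] * 2 + [(False, True)] * 4 + [(True, True)] * 6
    for i, path in enumerate(run_scenario(log), start=1):
        print(f"interval {i:2d}: active WAN = {path}")
```

During a trial, log the appliance's own routing decisions (syslog, interface counters, or which public address a test host appears from) against the same probe timeline; any interval where the appliance and the model disagree is either a slower detection than the datasheet claims, a missing fail-back, or flapping, which are exactly the gaps between implementation and sales blurb the post warns about.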