Looking around at different SMB firewalls to standardize on so we can start
training up our level 2/3 techs instead of dealing with a mess of different vendors
at cust premises.
I've run into a few firewalls that were not SIP or H.323 friendly, however, so I'm wondering
what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better)
that we are comfortable telling endpoints to toss current gear/buy additional gear.
Basic firewalling of course is covered, but also need port range forwarding
(not available until later ASA versions, for example, which was an issue), QoS (port/flow
based as well as possibly actually talking some real QoS protocols) and VPN
capabilities (not sure if many do without #seats licensing schemes which get
irritating to clients).
We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a pfSense unit would be great, but might not have
enough brand name recognition to make the master client happy plopping down as
a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a
bit $$ and licensing acrobatics get irritating for end customers.)
We deploy SonicWALL TZ300 or SOHO using Dell's Security as a Service. That
way our monthly cost per customer is under $50 and includes all security
services plus GMS centralized management. Works great with our VOIP service.
Regards,
Ray Orsini – CEO
Orsini IT, LLC – Technology Consultants
VOICE DATA BANDWIDTH SECURITY SUPPORT
P: 305.967.6756 x1009 E: ray@orsiniit.com TF: 844.OIT.VOIP
7900 NW 155th Street, Suite 103, Miami Lakes, FL 33016 http://www.orsiniit.com
We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a voip deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnaylzer platform.
Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).
Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they’re Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.
You're exactly right, Mel. Dell has really turned the SonicWall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then SonicWall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook SonicWall and FortiGate.
Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
I'm a huge fan of Juniper's SRX line. I use all the features you point out
at home on my SRX210, although that product is end-of-life. A refurbished
SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
support is extra, but I'm not sure how much.
I haven't used it myself but I have seen the packet capture in action.
It'll save any traffic you want right out to a pcap file too. I also like
"show security flow session" - shows you the source, destination, ports,
how long a session has been going, and number of packets and number of
bytes transferred.
I should mention that both SonicWall and Fortigate have superb packet capture engines. Not only can you do capture view and first-level decode right in the web GUI, you can save captures in PCAP format or pipe the capture stream to an available Ethernet port. Both have extensive filtering for both capture and viewing within capture, and decent-sized capture buffers.
I don't manage many small businesses networks anymore because we now do
only 100% cloud and remote work but I started deploying them to all my old
clients I still have on retainer.
It is a wonderful solid set-it-and-forget-it device and you can manage it
with ssh (it is basically running a fork of Vyatta under the hood on Cavium
hardware which is nice because it does lots of hardware offload like any
other enterprise device.)
I won't use pfsense anymore because its project was taken over by a-holes,
but that is just my personal experience.
I’ll +1 the Edgerouter series. They are cheap and hit the right price
performance ratio for most homes.
You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary.
If you are looking for more complex blocking rules and services, you need to be
looking at something like the Deteque DNS service or the Cisco/OpenDNS services
instead to nuke outbound malware connections and such.
The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across.
I defaulted to turning it off based on my previous experiences with SIP ALGs and NAT however it became apparent that it actually worked really well and I ended up defaulting it to on.
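Both the FortiGate post above (disable the SIP session helper and ALG) and the remark about the SRX's SIP ALG turn on the same question: what does a SIP ALG actually have to get right for a phone behind NAT? The following is an added example, not code from any vendor or from anyone in this thread. It builds a constructed INVITE with RFC 5737 documentation addresses, runs an illustrative ALG over it (the rewrite rules and the port bases 10000/20000 are this example's own choices), and provides two checks, `private_addresses` and `content_length_ok`, that you can run against an INVITE pulled from a WAN-side capture to see whether whatever sits in front of the phone is actually fixing the headers and the SDP consistently.

```python
import itertools
import re
from ipaddress import ip_address, ip_network

# Constructed addresses for the example: a handset on the LAN and the
# firewall's WAN side (203.0.113.0/24 is the RFC 5737 documentation range).
PHONE_IP = "192.168.1.20"
WAN_IP = "203.0.113.5"

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DOTTED_QUAD = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def build_invite(phone_ip, sip_port=5060, rtp_port=49170):
    """Constructed INVITE as a phone behind NAT sends it: its private address is
    embedded in Via, Contact and the SDP (o= and c= lines), and the RTP port in
    the m= line is only reachable on the LAN."""
    body = (
        "v=0\r\n"
        f"o=alice 2890844526 2890844526 IN IP4 {phone_ip}\r\n"
        "s=-\r\n"
        f"c=IN IP4 {phone_ip}\r\n"
        "t=0 0\r\n"
        f"m=audio {rtp_port} RTP/AVP 0\r\n"
        "a=rtpmap:0 PCMU/8000\r\n"
    )
    headers = (
        "INVITE sip:bob@example.net SIP/2.0\r\n"
        f"Via: SIP/2.0/UDP {phone_ip}:{sip_port};branch=z9hG4bK776asdhds\r\n"
        "From: <sip:alice@example.net>;tag=1928301774\r\n"
        "To: <sip:bob@example.net>\r\n"
        "Call-ID: a84b4c76e66710\r\n"
        "CSeq: 314159 INVITE\r\n"
        f"Contact: <sip:alice@{phone_ip}:{sip_port}>\r\n"
        "Content-Type: application/sdp\r\n"
        f"Content-Length: {len(body.encode())}\r\n"
    )
    return headers + "\r\n" + body


def private_addresses(msg):
    """RFC 1918 addresses still embedded in a SIP message. Captured on the WAN
    interface this list should be empty; if it is not, neither the firewall's
    ALG nor STUN/rport on the phone is fixing the headers."""
    return [ip for ip in DOTTED_QUAD.findall(msg)
            if any(ip_address(ip) in net for net in RFC1918)]


def content_length_ok(msg):
    """True when Content-Length matches the body. An ALG that rewrites the SDP
    but leaves this header alone hands the far end a truncated or over-long body."""
    head, _, body = msg.partition("\r\n\r\n")
    m = re.search(r"^Content-Length:\s*(\d+)\s*$", head, re.M | re.I)
    return m is not None and int(m.group(1)) == len(body.encode())


def sip_alg_rewrite(msg, inside_ip, outside_ip, sig_port_base=10000, media_port_base=20000):
    """Illustrative ALG (assumed behaviour, not any vendor's implementation):
    rewrite every place the inside address leaks, allocate outside ports,
    recompute Content-Length, and return the rewritten message plus the UDP
    pinholes the firewall must open so SIP replies and RTP/RTCP get back in."""
    head, _, body = msg.partition("\r\n\r\n")
    pinholes = {}                                  # outside port -> (inside_ip, inside_port)
    sig_ports = itertools.count(sig_port_base)
    media_ports = itertools.count(media_port_base, 2)   # RTP even, RTCP on the next odd port

    def map_port(inside_port, counter):
        for out_port, target in pinholes.items():
            if target == (inside_ip, inside_port):
                return out_port                    # same socket already mapped (Via and Contact)
        out_port = next(counter)
        pinholes[out_port] = (inside_ip, inside_port)
        return out_port

    sock = re.compile(re.escape(inside_ip) + r":(\d+)")
    new_head = []
    for line in head.split("\r\n"):
        if line.lower().startswith(("via:", "contact:")):
            line = sock.sub(lambda m: f"{outside_ip}:{map_port(int(m.group(1)), sig_ports)}", line)
        new_head.append(line)

    new_body = []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = line.replace(f"IN IP4 {inside_ip}", f"IN IP4 {outside_ip}")
        elif line.startswith("m="):
            fields = line.split(" ")
            rtp_in = int(fields[1])
            rtp_out = map_port(rtp_in, media_ports)
            pinholes[rtp_out + 1] = (inside_ip, rtp_in + 1)   # RTCP rides on RTP port + 1
            fields[1] = str(rtp_out)
            line = " ".join(fields)
        new_body.append(line)
    body_out = "\r\n".join(new_body)

    # The body changed length, so the header must be rewritten as well.
    head_out = "\r\n".join(
        f"Content-Length: {len(body_out.encode())}" if l.lower().startswith("content-length:") else l
        for l in new_head)
    return head_out + "\r\n\r\n" + body_out, pinholes
```

Three places in the headers and body, two port families and one length field all have to change together, and the far end will happily use whichever one the ALG missed. That is the practical reason the thread's advice diverges: where the phones or the PBX already handle NAT traversal themselves, an ALG that only partially rewrites is worse than none, so turning it off (as on the FortiGate) is the safe default unless, as with the SRX remark, it has been verified to do the whole job.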
> I'm a fan of the EdgeRouterLite3
>
> I don't manage many small businesses networks anymore because we now do
> only 100% cloud and remote work but I started deploying them to all my old
> clients I still have on retainer.
>
> It is a wonderful solid set-it-and-forget-it device and you can manage it
> with ssh (it is basically running a fork of Vyatta under the hood on Cavium
> hardware which is nice because it does lots of hardware offload like any
> other enterprise device.)
> I’ll +1 the Edgerouter series. They are cheap and hit the right price
> performance ratio for most homes.
Came here to say this. Also, they do v6, PD and all that jazz.
> You can do site-to-site IPSEC VPN stuff and easily SSH + tcpdump if necessary.
> If you are looking for more complex blocking rules and services, you need to be
> looking at something like the Deteque DNS service or the Cisco/OpenDNS services
> instead to nuke outbound malware connections and such.
Also agree whole-heartedly with this sentiment.
Yeah, the EdgeRouter series do not suck.
Fast, stable, easy to manage (although the broken tab completion drives me
nuts ('sho ip route' should just work, I'm too old to retrain my
fingers...) - other than that they are great...
+1 to a "Can you substantiate that claim please?" sentiment here. I've
used it for years and found it to be reliable, flexible, feature-filled.
And having the BSD CLI fully available has been a godsend.
The code quality is terrible in a 1990s sort of way, i.e. no separation
of code, HTML, logic, data structure or anything else. Everything is
jumbled in together using coding methodologies which don't scale and
which make it almost impossible to audit in a meaningful way.
Specific problems:
1. the installation image ships with static dh params files, e.g.
2. http params validation: a cursory glance at the output of "grep -r
_GET pfsense/src" show that the authors did not use any http parameters
validation. In addition, the output of $_GET is used unsafely in
multiple locations.
3. the output of "grep -wr exec pfsense/src | grep 'rm -rf'" shows what
looks like exploitable problems due to poor shell escaping.
This isn't an audit or anything, btw. It's the result of a couple of
minutes glancing over the code. I'm sure an audit would produce a lot more.
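The two greps in the post above (`$_GET` used without validation, and `exec` calls built around `rm -rf`) are a quick triage for shell command injection in PHP. As an added example, not code from pfSense or from the poster, here is that triage done slightly more carefully: it follows a superglobal through one assignment into an exec-family sink and treats `escapeshellarg()` as the sanitizer, so a call that wraps its argument is not reported. The PHP input is constructed for the example and is not taken from any real project; the regex heuristics are this example's own and are deliberately line-based, like grep, so they miss multi-line calls.

```python
import re

# exec-family sinks that hand a string to /bin/sh
SINK = re.compile(r"\b(?:exec|shell_exec|system|passthru|popen|proc_open)\s*\(")
# request data arriving from the client
SOURCE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b")
# escapeshellarg(...) with one level of nested parentheses inside
ESCAPED = re.compile(r"escapeshellarg\s*\((?:[^()]|\([^()]*\))*\)")
# "$name = <rhs>;" with an optional trailing // comment
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=(?!=)\s*(.*?)\s*;\s*(?://.*)?$")

# Constructed sample for the scanner (not from any real project). Lines 4 and 5
# concatenate client input straight into a shell command; the rest are safe.
SAMPLE_PHP = """<?php
// constructed sample
$dir = $_GET['dir'];
exec("rm -rf /tmp/cache/" . $dir);
exec("rm -rf /tmp/cache/" . $_GET['dir']);
exec("rm -rf /tmp/cache/" . escapeshellarg($_GET['dir']));
$safe = escapeshellarg($_GET['dir']);
exec("rm -rf /tmp/cache/" . $safe);
$dir = escapeshellarg($dir);
exec("rm -rf /tmp/cache/" . $dir);
echo htmlspecialchars($_GET['dir']);
"""


def _call_argument(text, open_idx):
    """Text between the parenthesis at open_idx and its matching close."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "(":
            depth += 1
        elif text[i] == ")":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]


def audit_php(source):
    """Return [(line_number, line)] for exec-family calls whose argument
    carries client input that was not passed through escapeshellarg()."""
    tainted = set()      # variable names currently holding unescaped client input
    findings = []

    def carries_taint(text):
        return bool(SOURCE.search(text)) or any(
            re.search(rf"\${name}\b", text) for name in tainted)

    for lineno, line in enumerate(source.splitlines(), 1):
        # Anything already wrapped in escapeshellarg() is a single shell word.
        stripped = ESCAPED.sub("ESCAPED", line)

        m = ASSIGN.match(stripped)
        if m:
            name, rhs = m.groups()
            if carries_taint(rhs):
                tainted.add(name)
            else:
                tainted.discard(name)    # re-assignment from an escaped value sanitizes it

        for call in SINK.finditer(stripped):
            if carries_taint(_call_argument(stripped, call.end() - 1)):
                findings.append((lineno, line.strip()))
                break
    return findings


if __name__ == "__main__":
    for lineno, text in audit_php(SAMPLE_PHP):
        print(f"line {lineno}: {text}")
```

Running it on the sample reports lines 4 and 5 only. The scanner is still a heuristic: it does not know about string interpolation inside double quotes across lines, includes, or taint flowing through function calls, which is why the poster is right that a grep-level pass is a starting point rather than an audit.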