We have an old Netscreen 10 firewall here at the firm and it's beyond its support life. This is usually not a good thing with firewalls as you can't get software updates for them (which is probably how they get you to keep to a faster upgrade cycle).
Anyhow, I had previously looked at a Netscreen 25, but I'm wondering what other firewalls are good out there in that price range (last time I got a quote the NS 25 was $3500 with support contract and everything).
Most likely I will stick to Netscreen as I already have an installed base of SecureRemote users (yes I know that SonicWall also uses the same VPN client, but I have had more than a few problems with SonicWall firewalls).
The biggest issues are speed, particularly VPN speed, how good security is out of the box and ease of setup. Netscreen is pretty good with respect to these points, although it is a bit more complicated than the SonicWall firewalls in the same class (but seems a bit more flexible too, and flexibility usually comes at a price of higher complexity - Adobe's products are a good example of that).
Some other issues that aren't important are VPN reliability and ease of setup (so far the Netscreen has performed less than spectacularly in these areas), although this issue isn't as important as it once was now that I have our two main resources available through SSL over HTTP.
I do need a firewall that can deal with multiple NAT to external IP translations so please don't suggest something cheap and inflexible like SmoothWall.
Based on past experience, I would probably not go with any CheckPoint product either, as they seem to be needlessly complex, hard to support and more expensive to boot.
Any other ideas are welcome though.
Netscreen is probably one of the best firewall options on the market. I have never used their smaller offerings, but the larger enterprise versions are what I want to see in an enterprise firewall environment so sticking with them is probably your best bet.
Checkpoint-based machines are also excellent, a little more complex to set up since most of them are based on a server that you need to set up/maintain, but day-to-day maintenance isn't too complex. The Nokia appliances are excellent, but not quite up to the same standard as the Netscreens.
Raptor (now Symantec Enterprise Firewall) isn't a bad choice for a small-medium sized business. It is a very easy product to set up/manage, but you pay the price here that it isn't as flexible as the Netscreens or Checkpoints. Personally I don't like Raptor all that much, but I've worked with it and it's a viable option if you are really focused on the product being simple and easy to manage.
Another option that just popped into my head was Alteon. They make a pretty good looking product that we've recommended in the past, but I have never worked with one in a production environment so I won't make any recommendations on how easy it is to work with or its real-world performance.
Best performance is going to come from the Netscreen and Checkpoint boxes (in that order) and I figure that the Alteon would have similar/better performance than a Checkpoint box (including the Nokias) but I don't have any real world experience to back that up.
Phil
Posted by: Phillip Renouf | Wednesday, October 13, 2004 at 08:33 AM
I've found that the GTA GNATbox is quite good. It has quite a bit of flexibility in setting things up, and requires minimal hardware to run on - almost any old PC will work as long as it has 2-3 network cards in it...
www.gta.com
Posted by: Gary Berg | Monday, October 18, 2004 at 05:30 PM
Cool and thanks for the link. I looked them up, Gary. What's funny is that their VPN software is the same package that Netscreen and SonicWall use from SecuRemote.
Posted by: Alex Scoble | Monday, October 18, 2004 at 06:04 PM
I am curious if you have looked at Sonicwall in their new iterations. The newer products and firmware are incredibly capable and diverse. I have a number of them deployed at many client locations and am deploying them in more complex environments.
As far as your individual points, natting multiple external services on the same public IP to different internal servers is not very difficult at all - I have this set up myself at home on my own box. The VPN performance of the boxes in your price range (either the Pro 3060 or Pro 4060) is second to none - 75mbps on the 3060 and 190mbps on the 4060 using 3DES or AES encryption.
Keep in mind that Sonicwall does support other clients, like SecureRemote, but they developed their own VPN client some time ago, which I think works MUCH better than the original SecureRemote licensed product. If you would like to discuss it further (I am an IT consultant), shoot me an email - jamie at jamie jamison dot com (no spaces and replace).
Posted by: Jamie Jamison | Tuesday, October 26, 2004 at 12:58 PM
I suggest you go for Sonicwall. They have good high-end products like the 5060, which has good throughput (go through the product datasheet). It's simpler to configure the device. No headaches in remembering the commands... everything is self-explanatory. If you want more technical info, contact their Tech Assistance Center.
Posted by: Pradeep | Sunday, September 30, 2007 at 03:38 AM