Firewall Appliance With Eight Segments


It's been a while since I have looked at firewall appliances. I am looking
for a 1U or 2U appliance that has at least six separate ethernet segments.
I'm not looking for six ports on a single segment. These need to be
completely isolated segments that I can write rules about in the firewall
software.

I'm trying to use an appliance instead of a server because a 2U server will
typically take about 350 watts of energy, whereas an appliance typically
uses under 80 watts.   A firewall is not a very CPU intensive activity.

I am not interested in building my own Linux appliance.  I want something
off the shelf that has commercial support and very well-developed and
evolved and stable software.

I know Watchguard had something like what I describe some time ago.   I
bought one, and the firmware upgrade procedure was broken and would not
work.   Watchguard refused to take the box and make the firmware work.   The
firewall software itself was a real mess, not really up to the standards of
Checkpoint or even Microsoft ISA Server.    Maybe Watchguard has improved
since then.

What options are there today for the product I am describing?

--  
W



Re: Firewall Appliance With Eight Segments

The Sophos software firewall can do this for you. I don't know what
their appliance is like because my datacentre's purely virtual. But it's
probably worth a look.

Chris

Re: Firewall Appliance With Eight Segments

Any number of Fortinet Fortigate firewalls will do what you want, just
stay away from the lowest end. (they have many levels targeted for
SMB, but with different feature price-points). Most of the devices are
something like 3 ports, plus an internal segment with # switch ports.
BUT, they let you change that switch over to interface mode as well,  
and end up with port1, port2, ... port# as well as the 3 WAN/DMZ ports.

I.e. something like a FGT-60D is 7 x internal + 2 WAN + 1 DMZ.
And you can cut the internal over to interface mode and use port1..port7.

Another option is Juniper SRX. The SRX210 has 2 "WAN" + 6 "LAN" (100Mbps).  
You can set up each in a different VLAN and L3 connectivity per VLAN.
The SRX220 is 8 Gig, and the SRX240 is 16 x Gig.  


--  
Doug McIntyre
doug@themcintyres.us
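As an added illustration of the per-port VLAN plus L3-per-VLAN layout described above (not from Doug's post or from Juniper's documentation), here is a Junos set-format fragment for an SRX branch box. Interface names, VLAN ids, addresses and zone names are assumed; the point is that each physical port lands in its own VLAN, zone and routed interface, and nothing crosses segments without an explicit policy:

```junos
# Two isolated segments on an SRX branch box: one access port per VLAN,
# one routed (L3) interface per VLAN, one security zone per segment.
# Interface names, VLAN ids and addresses are assumed for illustration.

# Segment A: physical port ge-0/0/2 only, VLAN 11, routed as vlan.11
set vlans seg-a vlan-id 11
set vlans seg-a l3-interface vlan.11
set interfaces ge-0/0/2 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/2 unit 0 family ethernet-switching vlan members seg-a
set interfaces vlan unit 11 family inet address 10.0.11.1/24

# Segment B: physical port ge-0/0/3 only, VLAN 12, routed as vlan.12
set vlans seg-b vlan-id 12
set vlans seg-b l3-interface vlan.12
set interfaces ge-0/0/3 unit 0 family ethernet-switching port-mode access
set interfaces ge-0/0/3 unit 0 family ethernet-switching vlan members seg-b
set interfaces vlan unit 12 family inet address 10.0.12.1/24

# One zone per segment; no management services are opened on these zones
set security zones security-zone seg-a interfaces vlan.11
set security zones security-zone seg-b interfaces vlan.12

# Nothing crosses between segments unless a policy explicitly permits it
set security policies default-policy deny-all

# The single permitted cross-segment flow: A may reach B on HTTP, logged
set security policies from-zone seg-a to-zone seg-b policy a-to-b-web match source-address any destination-address any application junos-http
set security policies from-zone seg-a to-zone seg-b policy a-to-b-web then permit
set security policies from-zone seg-a to-zone seg-b policy a-to-b-web then log session-init
```

Because each port is an access port in exactly one VLAN and the default policy is deny-all, a mistake that drops or renames one policy fails closed rather than exposing traffic between segments, which is the failure mode the thread worries about with VLAN-based isolation.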

Re: Firewall Appliance With Eight Segments

I don't generally trust VLANs.   VLANs aren't true physically isolated
segments, and I have seen too many situations where some kinds of broadcasts
will sneak past the VLAN rules.   It's also too easy to make one
configuration error and break the VLAN entirely, exposing traffic across
segments.

--  
W



Re: Firewall Appliance With Eight Segments
On Sat, 08 Feb 2014 16:40:05 -0800, W wrote:



Check out the ssg netscreens (Juniper), should do what you need.

Re: Firewall Appliance With Eight Segments

Although, the SSGs are mostly all EOL, replaced by the SRXs.
If some models aren't EOL, it's not like there have been many OS
updates, and the writing on the wall is to go to the SRX.
--  
Doug McIntyre
doug@themcintyres.us

Re: Firewall Appliance With Eight Segments
On Sun, 09 Feb 2014 10:26:08 -0600, Doug McIntyre wrote:


https://www.juniper.net/us/en/products-services/security/ssg-series/

Where did you read that exactly?

Re: Firewall Appliance With Eight Segments
On 2/8/2014 3:33 PM, W wrote:


  I used to use Sonicwall and Watchguard products but I've moved over to  
Zyxel and been very happy with their equipment. You might take a look at  
their Zywall USG 300 or USG 2000 boxes and see if they might fit your needs.


--  
Are we having fun yet?

Re: Firewall Appliance With Eight Segments

Are there any illustrations showing the configuration software screens?
That would be important to me before going with a less well known vendor.

This is basically a Chinese company? I guess there is always a question whether
you want your company's firewall rules and VPN traffic in the hands of a
device created by a company that might have connections to Chinese political
organizations. My applications are all very low security, but it still
gives me pause.

--  
W



Re: Firewall Appliance With Eight Segments
On 2/9/2014 5:11 PM, W wrote:


  There should be screenshots sprinkled through the User Manuals for  
their products. You can take a look here:

http://www.zyxel.com/us/en/support/download_library/product/usg_2000_1000_300_12.shtml?c=us&l=en&pid=20110504103042&tab=User_s_Guide





  Yes, they're based in Taiwan. I would be more concerned if they were  
based in mainland China but I can understand where you're coming from.




  Can't really comment on a Fortinet as I haven't used any of them. I  
prefer the Zyxel product over the Sonicwalls I've worked with, but it's  
been a couple of years since I last bought a Sonicwall and they may well  
have improved their hardware.



--  
Are we having fun yet?

Re: Firewall Appliance With Eight Segments

Since you are using the USG product, I have to ask how often has it caught a
Trojan or Virus?

Do they have any kind of traffic profiling capability to identify a computer
that is already infected by virtue of the type of traffic pattern it
generates, target IPs, request formats, etc?

--
W



Re: Firewall Appliance With Eight Segments
On 2/9/2014 11:40 PM, W wrote:


  Couldn't tell you since I don't trust any appliance's built-in AV/AM  
capabilities to handle my main line of defense against such threats. I  
prefer doing that on the computers themselves with a client I can choose  
and/or change as conditions warrant over the years.




  Again I couldn't tell you since I haven't gone looking for that  
capability in an appliance. I primarily use them for network  
segmentation, WAN failover, DMZ provision and primary firewall duty.



--  
Are we having fun yet?

Re: Firewall Appliance With Eight Segments

The ZyWALL products (310 and 1100) without the USG capability look much
stronger for those requirements.   They have about eight times the
performance as well, since they don't have the overhead for the features you
are avoiding using.

--
W



Re: Firewall Appliance With Eight Segments

I went through the 500+ page user manual for the ZyWall 310, and there is a
lot of functionality there. I feel more comfortable with the ZyWall
environment instead of USG because that is more the traditional
high-performance Checkpoint-like environment I am used to. I have a
Fortinet wireless "appliance" at home and absolutely hate it. I spent
hours to configure all of the security features and it doesn't log anything
of interest, constantly recycles through the logs it does capture (thus
losing information), and in six years has not stopped a single trojan or
virus. Even if it did stop something, it doesn't notify you of that fact
in any way that is useful. To me it looks like a marketing product to
make people who understand nothing about security feel safe without doing
the actual work to design a safe network.

How do you think the ZyXEL USG compares against Fortinet or Sonicwall or
ZyWall?

--  
W


