firewall survey

As our college prepares for reaccreditation, we're starting to evaluate some of our internal processes. I'm trying to compare what we do with others when it comes to technology, so I've designed a little survey dedicated to just one decision-making process you might have to go through. If you have time to answer these questions, it would be very much appreciated.

  1. Does your institution/organization use a firewall at the enterprise level (institution-wide)?

  2. Do you use a commercial product or a self-built product?

  3. Is your firewall considered to be a hardware appliance or a software solution?

  4. Related to question 3, do you feel that one is better than the other? Why or why not?

  5. What factors are involved in your decision to choose a firewall?

  6. Do you have a formal management process for evaluating a firewall? If so, would you be willing to share it?

  7. Obviously, cost and personnel experience are major factors when choosing a firewall. Are there other factors that are just as important?

Thanks in advance for your help.

DH

At the main entrance points and at the departmental levels within the org. Meaning that we use several firewalls in the design.

Commercial, FireBox units from WatchGuard.

Appliance.

Fewer points of failure, less patching/expected exploits.

Reliability, levels of security, load handling ability, configuration of rule sets for custom filters.

No, I make the decisions for many customers based on our own internal testing of other solutions and experience with firewall solutions implemented by peers.

Support contract costs, firmware updates subscription costs, training.

Leythos

Enterprise and Departmental

Commercial - CheckPoint Firewall-1 Running on Dual Nokia IP530s in HA Mode.

Hardware appliance.

No OS to worry about configuring or patching. Previously had used Windows 2000 as the Firewall-1 platform and could not harden securely due to needs in 2000 that had nothing to do with the Firewall product.

Our initial firewall selection was done by a committee several years ago, which wrote up the requirements, submitted a request for bids, conducted reviews and interviews, then made the final selection based on all of the above.

As described above, we had a formal committee. I'm sure we can share with you our process and experiences. If you want, contact me via my email here and I'll respond back to you from my work email.

The support you can get from the vendor, including updates, on-call support (both phone and on-site), training, continuing review of account. Selecting your vendor is almost as important as the solution you decide upon.

Jeff Lord

Yes.

Commercial.

Both.

The product we use, Astaro, is the best of both worlds. It is distributed in a software format, but after loading it turns the hardware of your choice into a dedicated appliance. You can install it on a rackmount server, or an older machine if you wish (the performance may be lackluster on very old machines, however). As a network engineer, I prefer Astaro because I get the convenience of a hardware solution with the flexibility and power of a software solution.

Cost, features, performance.

Since I evaluate firewalls for a living, then yes.

Probably one of the greatest mistakes that people make when selecting a firewall is failing to do their homework because they feel it necessary to stay within a self- or corporate-defined "comfort zone". "We've always used Cisco and we won't consider anything else", or "our headquarters uses only Sonicwall, we should probably do the same". I'm an engineer, not a sales droid, and these attitudes make my head explode because it's a sign of being stuck in a rut. My personal favorite is Astaro, but I work with other brands as well -- in the end, though, I keep coming back to Astaro.

FW_Engineer

DH wrote: If you have time to answer these questions, it would be very much appreciated.

Yes.

Commercial product.

Currently, there is a software solution in place uniformly. The advance of security appliances that include layered security services will certainly replace the software firewalls soon.

At the time, a software firewall was the best decision, but as we evaluate and beta one or two security appliances, they are fast becoming the cream of the crop.

Support quality and costs, recurring licensing costs; so I guess budget is the overriding theme.

Nothing formal, just working with a VAR to get the product in-hand.

Ability for staff to manage, and in the case of the appliance with more than one service, more than one staff member will probably admin one or more of the appliance's services.

Gregory W Zill
