Firewall Appliance With Eight Segments

It's been a while since I have looked at firewall appliances. I am looking for a 1U or 2U appliance that has at least six separate ethernet segments. I'm not looking for six ports on a single segment. These need to be completely isolated segments that I can write rules about in the firewall software.

I'm trying to use an appliance instead of a server because a 2U server will typically take about 350 watts of energy, whereas an appliance typically uses under 80 watts. A firewall is not a very CPU intensive activity.

I am not interested in building my own Linux appliance. I want something off the shelf that has commercial support and very well-developed and evolved and stable software.

I know Watchguard had something like what I describe some time ago. I bought one, and the firmware upgrade procedure was broken and would not work. Watchguard refused to take the box and make the firmware work. The firewall software itself was a real mess, not really up to the standards of Checkpoint or even Microsoft ISA Server. Maybe Watchguard has improved since then.

What options are there today for the product I am describing?

W

The Sophos software firewall can do this for you. I don't know what their appliance is like because my datacentre's purely virtual. But it's probably worth a look.

Chris

Chris Davies

Any number of Fortinet Fortigate firewalls will do what you want, just stay away from the lowest end (they have many levels targeted at SMB, with different feature price points). Most of the devices have something like 3 ports plus an internal segment with # switch ports. BUT they let you change that switch over to interface mode as well, and you end up with port1, port2, ... port# as well as the 3 WAN/DMZ ports.

I.e. something like a FGT-60D is 7 x internal + 2 WAN + 1 DMZ. And you can cut the internal over to interface mode and use port1..port7.

Another option is Juniper SRX. The SRX210 has 2 "WAN" + 6 "LAN" (100Mbps). You can set up each in a different VLAN and L3 connectivity per VLAN. The SRX220 is 8 x Gig, and the SRX240 is 16 x Gig.

Doug McIntyre

I don't generally trust VLANs. VLANs aren't true physically isolated segments, and I have seen too many situations where some kinds of broadcasts will sneak past the VLAN rules. It's also too easy to make one configuration error and break the VLAN entirely, exposing traffic across segments.

W
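As an added example (not from any post in this thread), this is how the SRX approach Doug describes can be done with routed physical ports instead of VLANs, which also speaks to W's concern: each LAN port gets its own IP subnet and its own security zone, and only traffic explicitly permitted by policy crosses from one zone to another. Interface names, zone names and addresses are assumed.

```junos
/* Added example, not from the thread: two SRX LAN ports as separate routed
   segments in their own zones. Names and addresses are constructed. */
interfaces {
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 192.0.2.1/24;
            }
        }
    }
    ge-0/0/3 {
        unit 0 {
            family inet {
                address 198.51.100.1/24;
            }
        }
    }
}
security {
    zones {
        security-zone seg-a {
            interfaces {
                ge-0/0/2.0;
            }
        }
        security-zone seg-b {
            interfaces {
                ge-0/0/3.0;
            }
        }
    }
    policies {
        from-zone seg-a to-zone seg-b {
            policy seg-a-to-seg-b-dns {
                match {
                    source-address any;
                    destination-address any;
                    application junos-dns-udp;
                }
                then {
                    permit;
                }
            }
        }
        default-policy {
            deny-all;
        }
    }
}
```

Because there is no VLAN or bridge between ge-0/0/2 and ge-0/0/3, the only path between the two segments is through the routing engine and the zone policy, so the default-policy deny-all is what stops anything you have not listed.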

Check out the SSG NetScreens (Juniper); they should do what you need.

Burkhard Ott

I used to use Sonicwall and Watchguard products but I've moved over to Zyxel and been very happy with their equipment. You might take a look at their Zywall USG 300 or USG 2000 boxes and see if they might fit your needs.

Rick Simon

Although the SSGs are mostly all EOL, replaced by the SRXs. If some models aren't EOL, it's not like there have been many OS updates, and the writing on the wall is to go to the SRX.

Doug McIntyre

formatting link

Where did you read that exactly?

Burkhard Ott

Are there any illustrations showing the configuration software screens? That would be important to me before going with a less well known vendor.

This is basically a Chinese company? I guess there is always the question of whether you want your company's firewall rules and VPN traffic in the hands of a device created by a company that might have connections to Chinese political organizations. My applications are all very low security, but it still gives me pause.

W

I went through the 500+ page user manual for the ZyWall 310, and there is a lot of functionality there. I feel more comfortable with the ZyWall environment instead of USG because that is more the traditional high-performance Checkpoint-like environment I am used to. I have a Fortinet wireless "appliance" at home and absolutely hate it. I spent hours to configure all of the security features and it doesn't log anything of interest, constantly recycles through the logs it does capture (thus losing information), and in six years has not stopped a single trojan or virus. Even if it did stop something, it doesn't notify you of that fact in any way that is useful. To me it looks like a marketing product to make people who understand nothing about security feel safe without doing the actual work to design a safe network.

How do you think the ZyXEL USG compares against Fortinet or Sonicwall or ZyWall?

W

There should be screenshots sprinkled through the User Manuals for their products. You can take a look here:

formatting link

Yes, they're based in Taiwan. I would be more concerned if they were based in mainland China but I can understand where you're coming from.

Can't really comment on a Fortinet as I haven't used any of them. I prefer the Zyxel product over the Sonicwalls I've worked with, but it's been a couple of years since I last bought a Sonicwall and they may well have improved their hardware.

Rick Simon

Since you are using the USG product, I have to ask how often has it caught a Trojan or Virus?

Do they have any kind of traffic profiling capability to identify a computer that is already infected by virtue of the type of traffic pattern it generates, target IPs, request formats, etc?

W

Couldn't tell you since I don't trust any appliance's built-in AV/AM capabilities to handle my main line of defense against such threats. I prefer doing that on the computers themselves with a client I can choose and/or change as conditions warrant over the years.

Again I couldn't tell you since I haven't gone looking for that capability in an appliance. I primarily use them for network segmentation, WAN failover, DMZ provision and primary firewall duty.

Rick Simon

The ZyWALL products (310 and 1100) without the USG capability look much stronger for those requirements. They have about eight times the performance as well, since they don't have the overhead for the features you are avoiding using.

W
