We are currently planning a rather substantial upgrade of our network, one aspect of which is a new firewall to manage our WAN connection. I'll briefly describe what the new network should end up looking like:
- Network core will consist of 72 Gigabit Ethernet ports of various media, across two switches linked at 8Gbps. Copper ports will provide server connections (either single or aggregated links, depending on throughput requirements of each server); fibre ports (again, single or aggregated) will provide downlinks to about 30 edge areas.
- About 30 network areas will contain a total of around 300 desktop workstations, connecting at 100 megabit/s (or in a handful of cases, 1 gigabit/s). Additionally, about 50 staff have laptop computers and will connect them to an 802.11b/g network of about 15 APs.
- There is a single WAN connection, which currently consists of a frame relay connection to our ISP of 5Mbps bandwidth, which comes out of the CPE as 100Base-T Ethernet (IIRC; it might be 10B-T). This will probably be changed in the future, but to something similar in nature. We have a /24, and may also consider peering with several providers, using BGP.
- All end-user machines have addresses in RFC1918 subnets, and access the WAN via proxies and NAT. Only network devices, servers, and NAT will use addresses from the /24.
- Up to 30 staff may get (or already have) broadband at home, and wish to access the network via a VPN. These would preferably be terminated at, and completely handled by, the firewall. It would be nice to be able to specify differing levels of network access for each VPN user (based upon authentication name).
We are considering firewalls from the Watchguard Firebox line. My research would suggest that these have a pretty good reputation. I've looked at the specs of the X700 and the X1000, and either would seem from the marketing materials to suit our needs. However, I'm sure someone out there can provide a little more insight than the marketing material ;-)
Is there anyone who has experience administering these firewalls, or designing networks that include them? Is it possible, based on the network description above, to provide an opinion on which of the two seems most suitable?
I'd be interested in any general opinions on these products, and also information about any other firewall brands you like better.
--
James Tolchard
System Administrator
Christ's College Canterbury
Phone: +64 3 364 6806