Recommendation for a good hardware firewall?

[lchyi]

Man, after looking firewalls on the net, it seems like there are a TON of options available to me ranging from $80 to $8000. I'm confused as to why most firewalls require user licenses now. The current one we use (a Netgear FVL) is a simple and effective plug and play with no licensing involved. Am I missing something here? Should I stick with a SOHO type firewall and not use corporate level stuff?

 

[xollox]

For that many users I highly recommend you don't go with a "off the shelf" router. You'll run into performance and connection limitations. I also can't tell you how many Linksys-type routers I've replaced that have died for no reason.

With that said, I've had lots of success with the Safe@Office 500 series (available in both wired-only and wireless models)
http://www.safeatoffice.com/landing/

They have a licensing scheme, but it's well worth the money. It's essentially an enterprise grade router on the cheap. It has a nice web interface (much like your basic Linksys, Netgear, etc) so the learning curve won't be steep on it.

They also have a yearly subscription fee (about $99 IIRC.) Again, it's well worth it. It automagically updates its own firmware plus gets new virus definitions.

It's a VPN endpoint (letting you do user->router VPN and router->router VPN) and comes with 5 licenses (more can be purchased.)

There's also a upgrade (called the Power Pack) that will let you create a DMZ along with some other features.

I swear I don't work for them I do, however, setup networks for small businesses, so this is right up my alley. A competitive product (with similar features and pricing) is the SonicWall TZ170.

 

[InlineFive]

The TZ-170 is a solid unit and the firmware is very mature, very stable. As long as you don't pile on tons of security services the performance will be good.

Sonicwall's support hasn't always been the best and they only officially support their own VPN implementation. L2TP is supposed to with with the Enhanced firmware but so far nobody can get it to work with Standard.

 

[dphantom]

I have supported Watchguard in the past and support client installs of various PIX boxes. Either are good choices. I would also stay away from SonicWall.

 

[xollox]

My experience with the PIX 501 interface is that it's annoying to use at best. Is there a different model you were thinking of?

 

[nweaver]

I'm all about the cheap. Smoothwall/IPCop/Monowall are great solutions.

 

[RebateMonger]

Originally posted by: lchyi
I'm confused as to why most firewalls require user licenses now.

There's probably a couple of reasons:

1) It allows the Firewall vendor to charge higher prices to the larger companies that can afford it, but have lower prices for small companies. MS does this with its Windows Server and CAL licensing.

2) It helps ensure that companies buy an appropriately-powerful firewall solution. If a tiny low-power box was allowed to be used with 1000 clients, it'd likely have problems and the firewall maker would be blamed.

3) Many of the boxes have added-value components (anti-spam, anti-virus, etc) that justify charging per-seat pricing.

 

[dphantom]

Originally posted by: xollox
My experience with the PIX 501 interface is that it's annoying to use at best. Is there a different model you were thinking of?

CLI knowledge is obviously needed for the PIX. I support mostly 515 and 525 with some lower end Pix's thrown in.

 

[lchyi]

The Safe@Office looks very tempting for the money! Thanks for that recommendation Xollox. I used to work for a company that was a big Sonicwall supporter but I haven't been reading rave reviews about their product.

I guess since I don't know what CLI is Watchguard stuff is out of my league...

 

[xollox]

CLI = command line interface

(as opposed to web interface)

 

[kevnich2]

My vote is for the sonicwall TZ170 I've got about 40 users on this and I've had ZERO problems in the last year and a half with it. Web interface is nice, it's nice and speedy but for me, it's extremely stable. What more could I ask for?

 

[lchyi]

I went ahead and got a Safe@Home UTM 500 for 25 users. It's the wireless version. I think it has a great feature set and isn't too pricey. The TZ170 was so much cheaper though and I might go with that for the other office just to compare the two. Thanks for all your suggestions!