Firewall

Coral · February 20, 2013, 04:52:12 PM

I am sitting here looking at a proposal for a Palo Alto pa-500 Firewall. I really want to do this. It's either this, or update my over 3 year old Cisco firewall. How do I sell this to the boss?

Mark · February 20, 2013, 04:57:01 PM

Palo Alto is awesome. Tell them features that you need in the Palo Alto that aren't available in the Cisco. I'm sure that you can come up with some.

Which Cisco? ASA?

Mark · February 20, 2013, 04:58:18 PM

And/Or, let him know that technology is constantly changing and the Palo Alto can better protect against current threats, whereas the Cisco will begin chugging along after 3+ years of software updates (which I hope you've been applying!)

Coral · February 20, 2013, 05:06:51 PM

Yeah it's an ASA. Problem is I don't speak Cisco, so every little thing I want done requires an outside tech. I think that is probably going to be my biggest pitch, the user friendly interface.

Bloody Jack Kidd · February 20, 2013, 09:29:23 PM

I did an extensive eval of UTM / NGFW over the course of many months, although we went with Checkpoint, the whole endeavour has been rather frustrating. I've never believed in all-in-one wunder-boxes and so far my instincts seem to have been good.

ASA is a good device, and even these fancy new devices are not fire-and-forget; the Checkpoint is looking like it will require much more upkeep than our current ASA.

Mark · February 21, 2013, 08:31:25 AM

Quote from: Coral on February 20, 2013, 05:06:51 PM
Yeah it's an ASA. Problem is I don't speak Cisco, so every little thing I want done requires an outside tech. I think that is probably going to be my biggest pitch, the user friendly interface.

Have you ever used ASDM? It's not that difficult.

Quote from: Bloody Jack Kidd on February 20, 2013, 09:29:23 PM
ASA is a good device, and even these fancy new devices are not fire-and-forget; the Checkpoint is looking like it will require much more upkeep than our current ASA.

Although I do like what I saw in Palo Alto (when I looked at them, they did NOT have a SMB product), I'd have to agree with BJK here. The ASA is a solid device. If all you're lacking is user friendlyness, next time you need something done on it, come find me.

Coral · February 21, 2013, 11:32:15 AM

I don't like my web monitor I have right now. Any uncomplicated suggestions for that?

Mark · February 21, 2013, 11:33:01 AM

Web monitor?

Coral · February 21, 2013, 11:34:37 AM

the Palo Alto has a web monitor filter feature in it. It is part of the reason I want it.

Mark · February 21, 2013, 01:09:51 PM

OH, ok. To monitor web traffic? What are you using right now? It does annoy me that with the ASA, you need to have websense or something else. I wish you could integrate open source tools in that respect, but you can't as far as I have figured out.

Bloody Jack Kidd · February 21, 2013, 01:43:01 PM

The UTMs have two things usually - some level of URL and layer 7 (application) awareness and filtering and coinciding with that, some fancy GUI display to see all the threats and bad behaviour in near real-time.

Initially this wowed me - esp. SonicWall, that one was really slick.

It's unfortunate that at least currently Cisco does not have a competitive product in this space. If you are looking at UTM - consider evaluating more than one product:

Fortinet
Checkpoint
SonicWall
Sophos
Palo Alto

There are a number of other vendors as well. I was not able to really give the Fortinet products a fair shake and I would strongly advise giving those a try.

Also, don't get too wowed by all the "look what this thing does" stuff - the Checkpoint for example is a linux OS, you can install it on almost any hardware... sophos utm (astaro) is similar.

For many a good firewall with egress rules and a proper proxy (Sophos WSA for one) makes a fairly solid foundation.