Small office firewall/vpn/security appliance

Anonymous
September 24, 2005 3:55:55 PM

Archived from groups: comp.security.firewalls

We are setting up a new office network and would like some advice/experience
on firewalls. I have looked at the messages but am still confused :)

Today we have a single external connection (business cable 2/4) but may want
to expand with a backup. There will be 2-3 externally visible servers with
their own IP and a small LAN - 15 users. We need VPN access (10 licenses)
to the servers for external users. We will probably set up the internal LAN
using a "store" router for NAT but could also use the firewall's NAT. We
would like (of course) as much protection as we can get - including
intrusion, VP. The degree of "inspection" on the firewall is important but
it is hard to see around the marketing. I expect to set up some wireless,
but using a separate access point - we will also set up a "guest" wireless
(possibly outside the firewall). We also want to make sure we can still use
applications - FTP, Netmeeting, etc.

It is even hard to tell what these things really cost when you get the
protection packages. I have listed what I THINK they cost. Questions I
have are:

- Stability

- Degree of protection

- Speed

- Expected life/upgrades

- Support for multiple IP addresses and routing

- Real cost

- Complexity to admin (Tech users but no dedicated support)

- Marketplace position

- Support


We are looking at:

Checkpoint Safe@office 225 Comprehensive security $1230 ($180 per year)

-- Or perhaps VPN-1 Edge, seems similar

-- Best "deep inspection"?

-- Market leader?



Juniper NetScreen 5GT Extended $1100

-- Well respected, solid



Fortigate 60 all in one security bundle $800 ($350/year)

-- Fast but may have more limited protection? Hard to upgrade due to
hardware?

-- No user limits

-- Best deal and good rep, but not much of a market leader?



SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (may be
more hidden $)

-- But it looks like VPN clients are $30 each, so add $300!

-- Hints of stability problems.

-- Market leader?



Cisco PIX 501

-- Seems to lag the others



We would really appreciate thoughts and experience!
Anonymous
September 24, 2005 9:31:10 PM

You may want to check out Watchguard and Snapgear too.

Duane :) 
Anonymous
September 25, 2005 5:27:56 AM

I work rather heavily with Fortigates, deploying them in front of small
offices, branch offices, head offices, very large enterprises, universities,
school boards, hospitals.

Their protection is very good -- they can reassemble and scan through data
in hardware enabling them to Antivirus and IPS at very good speed while
still using comparatively simple (i.e. reliable) hardware. A 60 for example
has Internal, WAN1, WAN2, DMZ interfaces, but no moving parts. The only
failures I've seen in thousands of units is the odd dead port, which occurred
in the field most likely via user error. And in that same box it does full
firewall, software or site-to-site VPN, 1300 Intrusion Protections,
web/mail/ftp AntiVirus, SPAM filtering, Content filtering, and web Category
blocking (i.e., stop porn/gambling/etc).

They don't upgrade -- but neither do most any other ones in the roundup I
bet, unless they artificially limit themselves in the first place and
"upgrade" by removing the limit, or by putting in an expansion card to make
up for hardware deficiencies to start with. Do you really need to upgrade
from a 70Mbps firewall? All Fortigates come with no user limits, no
per-user fees, on anything except for software VPN clients which are very
cheap. They run like champs right up to their limits. I've got big
Fortigate boxes doing IPS at Gig speeds and AV at hundreds of megs. The 60
has complete internal (or even external) logging and packet sniffing and can
even be set up as an HA pair.

The 60 has been around for 2 years, and it's been through the last 2 major
code updates (2.5, 2.8) and will soon run the 3.0 code which will add even
more neat tricks to it -- unfortunately I can't tell you what under my NDA
Beta agreement, but I have live Beta code that I've seen, and it's very
cool. The thing is the hardware is so flexible they can add new
capabilities to it readily... the 60 today does all sorts of neat things
that it didn't do when I first saw it, due to new code using the flexible
ASIC chips on board.

I've done lots of NetScreen too, they're very solid boxes indeed. But they
got away from their bread-and-butter ASIC design with the 5GT -- the AV and
DI components are implemented in software, so the performance of those bits
can't touch the FG.

I've put in lots of Fortigates and I work with them every day along with
lots of NetScreen and a handful of other things. Let me tell you, I think
they're awesome. The fact that they're also a great deal to me is
astounding.

-Russ.
Anonymous
September 25, 2005 11:28:33 PM

Ok - one well-informed vote for the Fortigate! Thanks Russ!
Do you have any concern about the company or the legal stuff going on?

Anonymous
September 26, 2005 1:29:08 AM

Russ,
One more question if you don't mind...
I was not aware that the 5GT didn't use ASIC, but where do you see the
performance hit? The 5GT is rated at 75Mbps, about the same as the Fortigate
60. So either it doesn't keep up with that speed in the real world or it
can't process as many packet inspections. Or, does the rated speed not
include DI/AV? Where does the user or server notice?

Also, do these firewalls do CIDR as well as support the "standard" VPN
client, such as is found on devices by default (even my PDA has a VPN
client)?

Thanks again for your excellent response.

Anonymous
September 26, 2005 5:52:16 PM

"CCMiami" <nospam@modeldriven.org> wrote in message
news:FoGZe.29959$dm.14125@lakeread03...
> Ok - one well-informed vote for the Fortigate! Thanks Russ!
> Do you have any concern about the company or the legal stuff going on?

No, my visibility into the internals seems ok, the signals all look good.
That legal stuff at worst will end up as a cash settlement and a license
fee -- the code bits are probably already re-written.

-Russ.
Anonymous
September 26, 2005 5:57:26 PM

"CCMiami" <nospam@modeldriven.org> wrote in message
news:G9IZe.29968$dm.24466@lakeread03...
> Russ,
> One more question if you don't mind...
> I was not aware that the 5GT didn't use ASIC, but where do you see the
> performance hit? The 5GT is rated at 75Mbps, about the same as the
> Fortigate 60. So either it doesn't keep up with that speed in the real
> world or it can't process as many packet inspections. Or, does the rated
> speed not include DI/AV? Where does the user or server notice?
>
> Also, do these firewalls do CIDR as well as support the "standard" VPN
> client, such as is found on devices by default (even my PDA has a VPN
> client)?
>
> Thanks again for your excellent response.

The 5GT has ASIC for firewall and VPN, just like the 5XT and the 5XP. But
AV and DI are done in software. That rated throughput is for firewall only.
Try to get some solid numbers for DI and AV, I couldn't, and haven't had the
opportunity to test one that hard.

I can tell you that the 60 would run about 50Mbps IPS and up to around 8 to
10Mbps AV, give or take depending on the traffic and the configuration. And
I mean that very literally, it varies a lot based on those two things.

The FG does not support CIDR. If that's a show-stopper, the FG is out.

Standard VPN clients should be fine, if they're standard. The Windows
client, for example, is a pain in the butt and rarely works reliably on
anything for very long in my experience -- which I admit, is limited. We
usually go with a proper IPSec client. But, if it's a standards-based
client, it should be just fine. The unit doesn't care what it talks to, as
long as it talks in a standard way.

-Russ.
Anonymous
September 26, 2005 6:10:12 PM

"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:DEWZe.13031$p5.2775@nnrp.ca.mci.com!nnrp1.uunet.ca...
>
> "CCMiami" <nospam@modeldriven.org> wrote in message
> news:G9IZe.29968$dm.24466@lakeread03...
>> Russ,
>> One more question if you don't mind...
>> I was not aware that the 5GT didn't use ASIC, but where do you see the
>> performance hit? The 5GT is rated at 75Mbps, about the same as the
>> Fortigate 60. So either it doesn't keep up with that speed in the real
>> world or it can't process as many packet inspections. Or, do the rated
>> speed not include DI/AV? Where does the user or server notice?
>>
>> Also, do these firewalls do CIDR as well as support the "standard" VPN
>> client, such as is found on devices by default (even my PDA has a VPN
>> client)?
>>
>> Thanks again for your excellent response.
>
> The 5GT has ASIC for firewall and VPN, just like the 5XT and the 5XP. But
> AV and DI are done in software. That rated throughput is for firewall
> only. Try to get some solid numbers for DI and AV, I couldn't, and haven't
> had the opportunity to test one that hard.
>
> I can tell you that the 60 would run about 50Mbps IPS and up to around 8
> to 10Mbps AV, give or take depending on the traffic and the configuration.
> And I mean that very literally, it varies a lot based on those two things.
>
> The FG does not support CIDR. If that's a show-stopper, the FG is out.
>

Hey there, sorry I hadn't heard the term CIDR and my quick google led me
astray. Subnets can be any arbitrary size on the FG or the NS, no problem.
In fact you can put them in either 255.255.255.128 format or /25 format,
they're fully interchangeable in the same dialogue boxes in most cases. But
certainly you aren't limited to just /8 /16 /24 subnets.

Sorry for the incorrect answer there!

BTW, the 60 also understands VLANs if that helps with your network design.


-Russ.
Anonymous
September 27, 2005 2:10:38 PM

Based on the note from Russ (below) the speed of the firewall with all the
options turned on is an issue. We would like to have some protection turned
on internally (to the servers in the DMZ) as well as on the external side in
case people pick up viruses and bring them in (we have a lot of people with
laptops). We also don't want the network running at a crawl!

Has anyone done speed tests on the routers with the options on? Or, are
there reviews or information from the suppliers?

The data point from Russ is: the Fortigate 60 would run about 50Mbps IPS and
up to around 8 to 10Mbps AV, give or take depending on the traffic and the
configuration.

Anonymous
September 28, 2005 11:27:45 AM

"CCMiami" <nospam@modeldriven.org> wrote in message
news:ypc_e.70756$Cc5.61492@lakeread06...
> Based on the note from Russ (below) the speed of the firewall with all the
> options turned on is an issue. We would like to have some protection
> turned on internally (to the servers in the DMZ) as well as on the external
> side in case people pick up viruses and bring them in (we have a lot of
> people with laptops). We also don't want the network running at a crawl!
>
> Has anyone done speed tests on the routers with the options on? Or, are
> there reviews or information from the suppliers?
>
> The data point from Russ is: the Fortigate 60 would run about 50Mbps IPS
> and up to around 8 to 10Mbps AV, give or take depending on the traffic and
> the configuration.

A FG60 is a great box for most smallish offices running DSL, T1, or
something up to maybe around 10Mbps.

It's not sufficient for using in front of internal servers from which you
expect 100Mbps LAN-speed performance.

If your servers are things like web servers with a moderately low demand,
you're probably fine with using it with IPS enabled and getting in that
50Mbps range. Similar for mail servers unless they're a well-used Exchange
or Notes type application server, but a sendmail type box for strictly email
should be fine. I would think you could probably enable virus scan on
incoming email only in that config (mail server in the DMZ) but I wouldn't
push your luck much farther than that, and I would tune it as much as
possible and keep an eye on the system resources.

The numbers I'm giving to you come from Fortigate's internal testing and my
own field experience. They really, truly do vary a lot based on your
implementation.

Why don't you tell me a bit more about that... what kind of servers are
going where, how busy they are, what your main Internet feed is, and what
protections you want where?

I have done implementations of Fortigates in front of internal servers but
they were significantly bigger boxes than a FG60.

-Russ.
Anonymous
September 29, 2005 4:26:53 AM

"Somebody." <somebody.@spamout.russdoucet.com> wrote in message
news:Y6v_e.13258$p5.13093@nnrp.ca.mci.com!nnrp1.uunet.ca...
>
> "CCMiami" <nospam@modeldriven.org> wrote in message
> news:ypc_e.70756$Cc5.61492@lakeread06...
> > Based on the note from Russ (below) the speed of the firewall with all the
> > options turned on is an issue. We would like to have some protection
> > turned on internally (to the servers in the DMZ) as well as on the external
> > side in case people pick up viruses and bring them in (we have a lot of
> > people with laptops). We also don't want the network running at a crawl!
<snipped for brevity>

And though bandwidth calculations are good, routers are measured by the
number of packets they can pass per second (pps)... might be good when
shopping around as it's the only REAL measurement off of which to base
performance as far as routers (firewalls, vpn appliances, whatever) and
gauge when pricing and comparing.

$0.02.

Ron!
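Two small calculations behind points made in this thread, as an added example that is not from any of the posts: Russ's note that a subnet can be written either as 255.255.255.128 or as /25, and Ron's point that a forwarding rate is really a packets-per-second figure, so a Mbps rating quoted for large frames says little about small-frame traffic. It uses only Python's standard ipaddress module; the 192.0.2.0 addresses are constructed samples from the documentation range, and the frame-size constants are standard Ethernet values, not figures from the thread.

```python
import ipaddress

# Ethernet bytes that occupy the wire but are not counted in the frame size:
# 7-byte preamble + 1-byte start-of-frame delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64      # smallest legal Ethernet frame (headers + payload + FCS)
MAX_FRAME_BYTES = 1518    # 1500-byte MTU + 14-byte header + 4-byte FCS


def is_valid_mask(mask: str) -> bool:
    """True for a contiguous dotted-decimal netmask (a run of ones, then zeros)."""
    try:
        bits = int(ipaddress.IPv4Address(mask))
    except ipaddress.AddressValueError:
        return False
    ones = bin(bits).count("1")
    return bits == (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """255.255.255.128 -> 25. Rejects non-contiguous masks such as 255.0.255.0,
    which a firewall's address dialogue would also refuse."""
    if not is_valid_mask(mask):
        raise ValueError(f"not a contiguous netmask: {mask}")
    return bin(int(ipaddress.IPv4Address(mask))).count("1")


def prefix_to_mask(prefix: int) -> str:
    """25 -> 255.255.255.128."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix length out of range: {prefix}")
    return str(ipaddress.IPv4Address((0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF))


def usable_hosts(network: str) -> int:
    """Usable host addresses for a network given in either notation, e.g.
    '192.0.2.0/25' or '192.0.2.0/255.255.255.128' (constructed sample addresses)."""
    net = ipaddress.IPv4Network(network, strict=True)
    # /31 and /32 have no separate network and broadcast addresses to subtract.
    return net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2


def pps_for_line_rate(mbps: float, frame_bytes: int) -> float:
    """Frames per second needed to fill `mbps` of wire with `frame_bytes` frames,
    counting the preamble and inter-frame gap that also occupy the link."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError(f"frame size outside 64..1518: {frame_bytes}")
    return mbps * 1_000_000 / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def line_rate_for_pps(pps: float, frame_bytes: int) -> float:
    """Wire rate in Mbps that a device forwarding `pps` frames of `frame_bytes` reaches."""
    if not MIN_FRAME_BYTES <= frame_bytes <= MAX_FRAME_BYTES:
        raise ValueError(f"frame size outside 64..1518: {frame_bytes}")
    return pps * (frame_bytes + WIRE_OVERHEAD_BYTES) * 8 / 1_000_000


def small_frame_rate(rated_mbps: float) -> float:
    """Mbps a box really moves with minimum-size frames if its headline Mbps figure
    was measured with maximum-size frames and its pps limit is what is fixed.
    This is the gap that comparing pps figures, as Ron suggests, exposes."""
    pps_limit = pps_for_line_rate(rated_mbps, MAX_FRAME_BYTES)
    return line_rate_for_pps(pps_limit, MIN_FRAME_BYTES)


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.255.128", "255.255.255.192"):
        p = mask_to_prefix(mask)
        print(f"{mask} == /{p}, {usable_hosts(f'192.0.2.0/{p}')} usable hosts")
    for mbps in (75, 100):
        print(f"{mbps} Mbps: {pps_for_line_rate(mbps, MAX_FRAME_BYTES):,.0f} pps at 1518B, "
              f"{pps_for_line_rate(mbps, MIN_FRAME_BYTES):,.0f} pps at 64B; "
              f"a {mbps} Mbps large-frame rating is {small_frame_rate(mbps):.1f} Mbps at 64B")
```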
Anonymous
September 29, 2005 4:39:14 AM

Ok,
The servers in the DMZ provide Mail, web, wiki, ftp, minor DBMS and version
control.
The FTP and version control can demand high bandwidth - but these are
exactly the places I would like to have an extra check for, so we don't get
a virus checked in or infecting the servers from an infected laptop.
The external connection is 2 up/ 4 down business cable (he said with
trepidation)

So, (he said cringing) how far up the scale do you have to go to get AV
running at better than, say, 50Mbps?
