
sushid

join:2002-10-31
Arlington Heights, IL

Sonicwall / Netscreen / Cisco / other?

I've moved this discussion from the Cisco forum (»Cisco 806? ...or I'll-have-the-usual-please?) cuz the scope of the discussion is increasing.

I have: a dynamic IP cable connection (ATTBI), a switch, 2 PCs, one LAN server, and one WAN server (occasionally).
I want: a single appliance -- not a computer -- to help out with connection sharing, IP assignment, and security, for under ~$600.

Here's where it gets tricky. The hardware box MUST:

• have the usual: DHCP client / server, 1-to-many NAT
• be a STRONG firewall with SPI, intrusion detection, logging, reporting, and anti-DoS features
• perform bandwidth management per IP (xxx.xxx.xxx.xxx can have a max of X, is guaranteed a min of Y, etc.)
• some sort of "LAN server" protection/exposure scheme where a server on the LAN can be accessed via the internet, but the other machines on the LAN are secured. Don't open a can of worms on this, please.
• a hardware method for rules evaluation and/or a security ASIC. I'd like this box to have negligible impact on both bandwidth and latency.
• support my use of a VPN client to tunnel thru the internet to my VPN at work.
• an interface that is easy to understand for someone who understands the concepts of internet security, but isn't willing to devote his life to the interface (e.g. Cisco IOS).
• support up to at least 10 client machines.


Features I'd LIKE to have are:

• ability to perform content filtering of SOME sort (keyword, list of URLs, etc) without requiring an additional service or server
• VPN host ability so I can tunnel from anywhere into my LAN, if I want.
• log analysis / traffic graphs
• support for a "virtual DMZ" where the WAN server can be seen by the WAN, but is isolated from the LAN. (PC1 should not be able to see the DMZ server via its local address, only its WAN address, and the server should have no route to PC1 thru the LAN)
• a *really* easy to use interface.


I've done a lot of research here at BBR.com and at manufacturers websites. I've narrowed down to:
• Cisco PIX-501
• Netscreen-5 XP
• SonicWall SOHO 3
-----------------

General comments from owners of any of these?

Cisco: does it do bandwidth management? Content filtering? Anyone have screenshots of the interface?

Netscreen: any way to do content filtering without using an external Netsense server? Any comments on usage?

Sonicwall: how's its security for the "LAN server" IP? Do I need to buy the VPN host feature as an upgrade or does SOME VPN come with the basic SOHO 3?

Any general comments? Recommendations for other products?

Thanks for reading so far, everyone... I'm trying to do the right thing by putting this here. Hope all these details gather me lots of comments from all you experienced folk out there.
--
"Industrious people can only create industry. It takes lazy people to create a civilization."

sushid

join:2002-10-31
Arlington Heights, IL

(other folks' comments)

Some comments I've received previously via instant message about my various choices:

How do you like the Netscreen? What's the difference between the Netscreen 5XP and 5XT?
quote:
Basically the 5XP vs. 5XT is number of LAN ports. 5XP has only one (so you will need a hub/switch to serve multiple PCs), 5XT has 4.
quote:
It's pretty good, but kind of confusing to use at the start, but overall it's an excellent firewall for its class.
How does the Netscreen compare to the Sonicwall?
quote:
Sonicwalls are a lot cheaper and have bandwidth management
(ip 192.168.1.5 gets guaranteed 128Kbps, max 384...etc).
but it has practically no graphing/statistics.
It does give you graphs, however, if you purchase the
viewpoint upgrade.

Basically, netscreen is much better, but also much more $$.


Link Logger
Premium,MVM
join:2001-03-29
Calgary, AB
kudos:3

said by sushid:
Sonicwalls are a lot cheaper and have bandwidth management
(ip 192.168.1.5 gets guaranteed 128Kbps, max 384...etc).
but it has practically no graphing/statistics.
It does give you graphs, however, if you purchase the
viewpoint upgrade.


If you wait about a month there will be a very powerful logging tool available for the Sonicwall, with a ton of traffic analysis, graphs, bandwidth usage, IDS etc

Blake


mboy
Premium
join:2001-04-13
Little Falls, NJ

I am running a webramp 700 (which is a rebadged Sonicwall Soho-original model)

Got it here for $18
»centrix-intl.com/

They seem to be out of the 18 OEM version, but have the boxed for $35. Can upgrade it to the latest sonicwall firmware (5.1.7)

Went to ebay and grabbed an IC upgrade chip which upgrades it to unlimited users and Ipsec VPN with the license for 1 VPN client (software)

Webramp is out of business, but since it is a sonicwall box, works as a sonicwall after it is flashed with latest firmware.

For $60, I couldnt be happier.


godgundam
Im A Ps2 Fanboy Cuz I Dis Xbox
Premium
join:2002-01-08
Forest Hills, NY

reply to sushid

Re: Sonicwall / Netscreen / Cisco / other?

The Cheapest is to Go FreeBSD.

Netscreen works pretty well, it does block DoS/DDoS attacks, but the problem is that it's a firewall after your router; it won't help you much if you have a small line. It has traffic management too (although I don't use it).

Netscreen can keep connection logs for an hour, and lots of other logs you can download, but if you need more logs you need to buy a higher level of Netscreen firewall that will run you like 2-3K (cuz u can add memory).


macyh
Ex-Isp
Premium,MVM
join:2001-04-24
Medina, OH

reply to sushid
No single appliance that I know of will do everything you ask in the price range you specify.

A custom configured and built Linux based router would probably offer the most functionality. If you have more time than money, and want to learn the "nuts and bolts" about firewall technology, this is a good way to get the job done. Several good basic kernels are readily available off the net. This is a good application for recycling a low end Pentium PC equipped with a pair of halfway decent NICs. There are even a couple of good books to assist, although everything you need to read is on the net.

A few commercial products do come close to meeting your requirements. One affordable product missing from your short list is the Zyxel Zywall 50 II. The Zywall 10 is also worth considering, but has a few less features.
--
Macy Hallock APK Net, Inc. Cleveland, Ohio
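As an added example that is not from any poster in this thread: roughly what macyh's Linux-router route would look like for sushid's must-have list, as an nftables ruleset (SPI, 1-to-many NAT, one exposed LAN server, a DMZ segment with no LAN reachability) plus tc/HTB per-host shaping (guaranteed minimum and maximum per IP). It assumes a three-NIC box; the interface names, addresses, ports and line rate are made up for the example.

```shell
# Added example (not from the thread): a 3-NIC Linux router of the kind macyh
# suggests, covering sushid's must-haves with nftables and tc/HTB.
# Interface names, addresses and the line rate are assumptions.
WAN=eth0; LAN=eth1; DMZ=eth2
LAN_SERVER=192.168.1.5      # the one LAN host reachable from outside (tcp/443 only)
DMZ_SERVER=192.168.2.10     # "virtual DMZ" web server on its own segment
LINK_KBIT=1500              # assumed downstream line rate, HTB's top class
# run: print the command when DRY_RUN=1 (the default), execute it otherwise
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@"; fi; }
# Stateful filter, 1-to-many NAT, one inbound port per server, and no LAN<->DMZ
# forwarding in either direction (both fall through to the drop policy).
nft_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iifname "lo" accept
    iifname "$LAN" accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state invalid drop
    ct state established,related accept
    iifname "$LAN" oifname "$WAN" accept
    iifname "$DMZ" oifname "$WAN" accept
    iifname "$WAN" oifname "$DMZ" ip daddr $DMZ_SERVER tcp dport 80 ct state new accept
    iifname "$WAN" oifname "$LAN" ip daddr $LAN_SERVER tcp dport 443 ct state new accept
  }
}
table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100;
    iifname "$WAN" tcp dport 80 dnat to $DMZ_SERVER
    iifname "$WAN" tcp dport 443 dnat to $LAN_SERVER
  }
  chain postrouting {
    type nat hook postrouting priority 100;
    oifname "$WAN" masquerade
  }
}
EOF
}
# Downstream shaping on the LAN side: each host gets a floor (rate) and a cap
# (ceil), i.e. the "guaranteed 128Kbps, max 384" knob quoted in the thread.
shape_root() {
  run tc qdisc add dev "$LAN" root handle 1: htb default 30
  run tc class add dev "$LAN" parent 1: classid 1:1 htb rate "${LINK_KBIT}kbit" ceil "${LINK_KBIT}kbit"
  run tc class add dev "$LAN" parent 1:1 classid 1:30 htb rate 64kbit ceil "${LINK_KBIT}kbit"
}
# shape_host IP MINOR RATE_KBIT CEIL_KBIT
shape_host() {
  run tc class add dev "$LAN" parent 1:1 classid "1:$2" htb rate "$3kbit" ceil "$4kbit"
  run tc filter add dev "$LAN" parent 1: protocol ip prio 1 u32 match ip dst "$1/32" flowid "1:$2"
}
apply_all() {
  if [ "${DRY_RUN:-1}" = 1 ]; then nft_ruleset; else nft_ruleset | nft -f -; fi
  shape_root; shape_host "$LAN_SERVER" 10 128 384
}
```

With the default DRY_RUN=1 the functions only print what they would load; source the file as root with DRY_RUN=0 and call apply_all to apply it. The outbound work-VPN client rides on the LAN-to-WAN rule plus conntrack, and the LAN server is the only LAN host with an inbound hole.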


sushid

join:2002-10-31
Arlington Heights, IL

reply to sushid
mboy -- very intriguing. But I was under the impression that Sonicwall allowed downloads / upgrades of their firmware only if you have registered your Sonicwall product. Can you send me a pointer to more about the Sonicwall firmware and what hardware it works with?

godgundam -- I forgot to mention I'll have at least 1 *nix box with syslog in the future, so I'll be sending the log there eventually.

macyh -- I was originally going to do as you suggested, but the more I thought about it the more I realized that I just don't have the time for that. I'd have to keep the OS itself hardened and up to date, as well as ensure that I've set up ipchains and snort properly... it just wouldn't happen. I need to plug in a box for now and learn as I go. I seem to recall eliminating Zywall products, but I'll have another look.

What I'm looking for here is comments on the products I've mentioned, or recommendations for others, with regard to my criteria. Thanks!
--
"Industrious people can only create industry. It takes lazy people to create a civilization."


sushid

join:2002-10-31
Arlington Heights, IL

reply to mboy

Re: (other folks' comments)

BTW, mboy, latest Sonicwall firmware is 6.3.1.4.

From the Sonicwall download page at »www.sonicwall.com/download/index.asp

quote:
SonicWALL TELE, SOHO, DMZ, XPRS, PRO, PRO-VX and GX
NEW! Firmware, VPN Clients, and ViewPoint for all SonicWALL models. (link: »www.mysonicwall.com/)

Please note: To download firmware and other software, your products must be registered at www.mysonicwall.com
Comments?


belushi
Premium,MVM
join:2000-11-08
Twinsburg, OH

reply to sushid

Re: Sonicwall / Netscreen / Cisco / other?

You are supposed to have a maintenance with them in order to download firmware updates but I'm sure there are places to get them for free. Not that I am an advocate of that practice. For 10 users you might wish to look at SonicWall TELE3SP which will allow 10 IPSEC tunnels and of course, pretty much as many VPN client endpoints as you can handle. The issue is that the VPN clients run about $75 per license. For more users behind the SonicWall, you might consider a larger model like the SOHO3 which has all sorts of variations depending on the amount of users you have on it.

Maintenance is very reasonable as far as pricing goes and yes, you can get a smaller model like the TELE3 for under $600.



mboy
Premium
join:2001-04-13
Little Falls, NJ

reply to sushid
Since the original SoHo has been pretty much replaced, the newest firmware for it is 5.1.7. I am running the 6.3 on my Pro 200.

Here is a good thread on the webramp with all the info you need:

»arstechnica.infopop.net/OpenTopi···80958835

Obviously, a $600 SOHO 3 or tele 3 would be better than an original Soho, but that is beyond my means right now and a $60 Soho (with upgrade chip to unlimited users and Ipsec VPN endpoint) is FAAAAAR better than a linksys, netgear or smc soho router.
It is a GREAT option for the discretionary income impaired like myself right now.
The original Soho will not be insecure or obsolete for a loooong time!
Read the whole thread @ the link I posted. Good info there.


Ult

join:2000-08-01
Arlington, VA

reply to sushid
Okay, someone was asking what's the difference between the Netscreen 5XP and 5XT as well as its comparative differences between other devices. So I thought I'd pipe in.

The 5XP has 2 interfaces: untrust (outside) and trust (inside). It has a really small footprint (size of a small paperback book?)

The 5XT has 5 interfaces: untrust (outside) and trust (inside) but the trusted interface actually has 4 ports (10/100). It also has more onboard memory and has the ability to dial into an ISP if the main link goes down (dial up backup). Other items include greater overall throughput (70Mbps vs 20Mbps), a little bit wider, 3.5x the performance of the 5XP, etc. By the way, the PIX 501 runs at max of 10Mbps. Don't get confused with these numbers as they don't mean as much as they sound because most people's broadband isn't greater than what... say 1.5Mbps?

As for how it compares to other devices, it's an extraordinarily powerful box in that it has the performance to match the lower end Cisco PIXs, has the GUI to match Watchguard and Checkpoint, and my favorite is it has onboard IDS sensors (so if someone does a ping sweep or searches for open ports it'll notify you) by emailing a log to any email address you want (inclusive of SNMP or SYSLOG notifications as well).

Having said that, it's a pricey penny. I think there's a 10 user unit for around SushiD's price point. It's not really meant for mom/pops. It's mainly designed for those who can take advantage of its flexibility.

SushiD, you also mentioned bandwidth mgmt. It has that as well. (ie: throttle WEB traffic to x packets/sec) and it can make pretty little traffic graphs for upper management. However, consider using MRTG instead.

However, these two units don't, as far as I know, offer a DMZ port.

As for the PIX 501, b/c it's based on the PIX platform, it's highly flexible and powerful, but ya gotta know the CLI very well. Changes are not pretty as you need to know the commands and understand how to build ACLs. Not a big deal, but if your requirement is to click here and there and be done with it in order to make a change - it ain't gonna cut it. (Its web interface is 1st generation, vs a more intuitive interface of Watchguard, Netscreen, Sonicwall, and all the rest). Don't get me wrong, I love the PIX, but it has a learning curve.

phew....


sushid

join:2002-10-31
Arlington Heights, IL

reply to belushi
Thanks, Belushi -- I had looked at the TELE 3 a while ago and had forgotten about it. It's hard enough to keep one company's products straight, let alone five.

I'd only need 1 VPN client license, so the $75 seems reasonable.

If I read you, Sonicwall.com, and CDW.com correctly:

basic TELE 3 : 5 nodes (devices) on LAN, VPN endpoint, ~$400
basic SOHO 3 : 10 nodes on LAN, no VPN, ~$400
TELE 3 upgrade : 5 --> 10 node, ~$200
SOHO 3 upgrade : add VPN, ~$400

Sonicwall is also currently running some kind of promotion... SOHO3 + 10 --> 25 node + VPN, ~$600.
Which seems to be the way to go for Sonicwall.

mboy -- thanks for the links. I've been mulling over the webramp idea for a day and a night, and I don't think it's for me. My time is more expensive to me than my money these days (I'd almost rather it be the other way 'round) and I think that the Webramp route is unattractive right now in the same way a *nix box is. Plus, I like to have room to expand. Thanks tho!


sushid

join:2002-10-31
Arlington Heights, IL

reply to Ult
Thanks, Ult, for the info! I have actually figured out the obvious differences between the XP and XT; I was wondering if there were unobvious ones.

BTW, I read an independent evaluation of the Netscreen-5XP and other, SERIOUS players (e.g. a $14,000 Cisco), and the 5XP came in only SECOND in throughput for encryption and bandwidth management. I was impressed.

said by Ult:
(Netscreen) has the GUI to match watchguard and checkpoint, and my favorite is it has onboard IDS sensors (so if someone does a ping sweep or searches for open ports it'll notify you)
I liked the Netscreen GUI at first, too -- then I saw SonicWall's which seemed even *more* intuitive.

Also, can the Netscreen do any kind of ONBOARD content filtering or replacement -- e.g. stream re-write, blocking based on keyword or URL, etc. -- without requiring an external server like NetSense? Sonicwall's can be seen at the management interface www.sonicguard.com/products/demo/index.html , click "Filter," then "Keywords".

I think both Netscreen and Sonicwall have the same IDS and reporting abilities -- can anyone confirm / deny?
quote:
However, these two units don't, as far as I know, offer a DMZ port.

As for the PIX 501, b/c it's based on the PIX platform, it's highly flexible and powerful, but ya gotta know the CLI very well.
I understand that neither has a DMZ port, and that with neither would I get a *true* DMZ... I'd like to be able to put a server in the LAN and know that people can get through to it as necessary without putting the other LAN boxes at risk, however. Sonicwall seems to offer that thru the "LAN out" option, though (in the management interface, click "Tools".)

I think you've nailed it against Cisco for me. Just about everyone -- even Cisco aficionados -- has said what you've said. I get the message.

Thanks for the long note, Ult. Any info on the Netscreen in the areas I've indicated would be appreciated. (At least I understand what Sonicwall offers, now!)

BTW, I just realized it might look like I'm trolling for Sonicwall or SonicGuard sales...nope. Just a confused consumer wishing he didn't have to register at a website just to see an interface, and that these manufacturers could provide more than "datasheets for dummies."



mboy
Premium
join:2001-04-13
Little Falls, NJ

reply to sushid
If money is not a super issue for you (like it is for me for my home LAN, i.e. webramp; I run no business stuff at home), I would go for the SonicWall Pro 100. It does everything you want. My Pro 200 at work that I admin is very easy to deal with and pretty damn secure. It is a bit more pricey than a SOHO or tele.



Anav
Sarcastic Llama? Naw, Just Acerbic
Premium
join:2001-07-16
Dartmouth, NS
kudos:3

reply to macyh
Did you mean zywall 10 II Cleveland?? Which would be my recommendation. It does most of what you ask and very well.
As for bandwidth management/throttling, I'm not aware of any low-medium cost router doing this or providing a true separate DMZ.
--
Laugh at yourself before laughing at others!



macyh
Ex-Isp
Premium,MVM
join:2001-04-24
Medina, OH

said by Anav:
Did you mean zywall 10 II Cleveland?? Which would be my recommendation.
Yes, I did. Here's the direct line off the website http://www.zyxel.com/product/model.php?indexcate=1022044503&indexcate1=&indexFlagvalue=1021873683

I concur with your comments about no low cost router having a true isolated DMZ LAN segment and bandwidth throttling.
--
Macy Hallock APK Net, Inc. Cleveland, Ohio


seejaywhy
Premium
join:2002-10-23
Lotus, CA

reply to mboy
I use a SonicWall Pro 200 at home, and the benefits are enormous. The main benefit of the Pro is the ability to create secure VPNs between it and other SonicWalls, and you can also use RADIUS authentication. As far as bandwidth & performance, I regularly push 12-15 GBs of data through it pretty much every day and it doesn't even hiccup. My last one overheated, but they were on the ball and got me a replacement in my hands within 3 days. I don't normally use any more than 30-40 concurrent connections, so most people think it's overkill.. but I have secure tunnels set up throughout houses in my area w/ SOHOs on the other end, which provides a seamless high bandwidth secure network.

To anyone who doesn't mind dumping 2k on an enterprise class firewall, this is the one for you. I'd jump at that; when I bought mine 2 years ago, it was $4800.

-cj



seejaywhy
Premium
join:2002-10-23
Lotus, CA

reply to sushid
The Pro 200 also has a fully configurable DMZ, which can be set up with a switch & AP to provide a hotspot independent of the private LAN.



mboy
Premium
join:2001-04-13
Little Falls, NJ

said by seejaywhy:
The Pro 200 also has a fully configurable DMZ, which can be set up with a switch & AP to provide a hotspot independent of the private LAN.
Yup, for the novice, the Pro 200 is GREAT. Easy to configure and secure right out of the box with a nice feature set.

Luv the one I have at work and pretty happy with the cheapie SOHO I have at home.

sushid

join:2002-10-31
Arlington Heights, IL

reply to sushid

Last chance for Netscreen!

Well, thanks for the responses, all! Sonicwall seems to be pretty favored.

Anyone else with comments / stories on the low-end Netscreen?
--
"Industrious people can only create industry. It takes lazy people to create a civilization."
