Data Center, Colocation, Cloud Computing, Storage, Dedicated Servers Forums

Thread: Best firewall & VPN termination for datacenter? (http://www.datacentertalk.com/forum/showthread.php?t=4762)

Zitibake 06-24-2006 10:33 PM

Best firewall & VPN termination for datacenter?
 
Can anyone comment on their experiences with the different firewalls and VPN termination gear? I'm interested in both what a typical colocated environment would need for its own cabinet, and what a datacenter operator might offer for a shared environment (that is, multiple customers share a single HA-firewall pair, and a single VPN termination point, which could be on a different box or HA-pair).

What strengths/weaknesses do you find for the major brands? Netscreen, Nokia/Checkpoint, PIX, Watchguard, etc.

Egihosting.com 09-05-2006 06:53 PM

What is your requirement? I think each product has its +'s and -'s. Also, what's your budget and how much BW/sessions do you need to support?

Zitibake 10-03-2006 04:39 AM

The requirements for the shared firewall are:
-stability
-high availability
-scalability (separate rules for hundreds of customers)

VPN concentration currently requires:
-dozens of simultaneous L2TP/PPTP clients (using OS built-in Dial-up VPN networking), auth via RADIUS; preferably each L2TP/PPTP client could be associated with a VLAN to access (via RADIUS), but filter or access-list per user may work also.

I'm looking at Altiga/Cisco VPN concentrator to terminate PPTP sessions; or maybe just use a PIX.

SiteSouth 11-12-2006 01:46 PM

We've used the Ciscos, Watchguards, Netscreens and the Sonicwalls. From our experience the SonicWalls are the easiest to manage and provide the best bang for the buck.

Zitibake 11-19-2006 07:54 PM

Interesting about SonicWalls. I've used Netscreen, Watchguard, and a little PIX. I'll have to revisit the SonicWalls.

The Watchguards are inexpensive, but that doesn't help as much in a shared H/A firewall installation. If you have hundreds of customers behind a firewall pair, then cost per customer is watered-down quite a bit. Cost for any kind of unavailability (or, in the case of Watchguard, inability to apply a config change without reboot) goes way up.

Netscreens support recursive named objects (e.g. customer1-remote includes customer-1-branchA, customer-1-branchB and customer-1-branchC; each of those branches is an object naming a set of network numbers). With lots of customers, each with their own policies, that is handy. Watchguards only allow named objects to refer to a list of network numbers.

Watchguards support policy-based VPNs with separate traffic filters: I can define an IPSec tunnel from an object on my end (say, a list of /24 networks) to an object on the far end; then use filters to limit traffic to just some IPs, and to just some TCP ports. With Netscreen, if I want to filter traffic within the tunnel, then I seem to need to use routed VPNs, not policy-based VPNs. But policy-based VPNs are the norm, so to use route-based, I have to explain to customers how to configure their end.

The CLI interface of the Netscreens and PIXes is easier to use when you have a long list of policies and tunnels. When the Watchguard GUI display is many screens long, it becomes awkward to view only the parts you need to edit.

The Watchguard GUI doesn't promote revision control: engineers file their maintenance plan with a textual description of what they intend to change (e.g. "configure new policy FOO to do blah blah"). With PIX and Netscreen, engineers can file a complete list of proposed commands they will execute, for review and comment, before their maintenance window occurs.

Watchguard's config file is really a database dump, making context-diff difficult. With PIX and Netscreen, it is easier to get automated reports of config changes.

Marketability is also a feature: enterprise customers ask what kind of firewall you use; they seem most comfortable if you answer PIX or Netscreen or Checkpoint. But those customers tend not to use a shared firewall or VPN concentrator, so for the shared firewall, stability and scalability are still most important.

Watchguards support IPSec/PPTP tunnels with RADIUS authentication; but to limit what services/devices the remote clients can access, a filter for each user must be defined on the firewall, making RADIUS pointless. Netscreen doesn't support OS-native PPTP clients (e.g. Windows DUN, Mac OS X dialup VPN) in all the required configurations. It sounds like Altiga (Cisco VPN Concentrator 30xx) has the only product that can terminate those VPNs with RADIUS-assigned access lists.

It looks like Cisco is supporting larger numbers of VPN clients in the regular PIX firewalls, while Cisco is not introducing new models of the VPN Concentrator, so perhaps a PIX is best for the role of IPSec PPTP/L2TP VPN concentrator. SSL concentrators are coming along in features, and everybody is selling those, so maybe the era of IPSec PPTP/L2TP tunnels is ending.
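Two points in the post above lend themselves to a worked example: named objects that nest (a customer group whose members are themselves branch objects) and a configuration that exists as plain text, so that the effective change between two revisions can be reported automatically rather than described in a maintenance ticket. The following Python is an added example, not code from the thread or from Netscreen, Watchguard or Cisco. The config syntax it parses is a constructed, simplified stand-in (loosely ScreenOS-like), and every object name and network in it is made up; it is not real ScreenOS or PIX syntax.

```python
"""Flatten nested firewall address groups and diff two config revisions.

Added example. The line format below is constructed for illustration:
  address <name> <cidr>
  group   <name> <member> [<member> ...]   (members are addresses or groups)
  policy  <src> <dst> <service> <action>
It is not any vendor's actual configuration language.
"""
import ipaddress
from typing import Dict, List, Set, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, str, str, str]  # (src_cidr, dst_cidr, service, action)

# Constructed sample, revision 1 (hypothetical customer and RFC 5737 ranges).
CONFIG_V1 = """
address customer-1-hq      10.10.0.0/16
address customer-1-branchA 192.0.2.0/24
address customer-1-branchB 198.51.100.0/24
group   customer-1-remote  customer-1-branchA customer-1-branchB
group   customer-1-all     customer-1-hq customer-1-remote
policy  customer-1-remote customer-1-hq  tcp/443 permit
policy  customer-1-all    customer-1-all any     permit
"""

# Revision 2: one new branch added to the nested 'remote' group. Textually
# that is two changed lines; the effective rule set grows by eight entries.
CONFIG_V2 = """
address customer-1-hq      10.10.0.0/16
address customer-1-branchA 192.0.2.0/24
address customer-1-branchB 198.51.100.0/24
address customer-1-branchC 203.0.113.0/25
group   customer-1-remote  customer-1-branchA customer-1-branchB customer-1-branchC
group   customer-1-all     customer-1-hq customer-1-remote
policy  customer-1-remote customer-1-hq  tcp/443 permit
policy  customer-1-all    customer-1-all any     permit
"""


def parse_config(text: str):
    """Split the text into address, group and policy tables; reject junk lines."""
    addresses: Dict[str, Net] = {}
    groups: Dict[str, List[str]] = {}
    policies: List[Rule] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        kw, *args = line.split()
        if kw == "address" and len(args) == 2:
            addresses[args[0]] = ipaddress.ip_network(args[1], strict=True)
        elif kw == "group" and len(args) >= 2:
            groups[args[0]] = args[1:]
        elif kw == "policy" and len(args) == 4:
            policies.append((args[0], args[1], args[2], args[3]))
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    return addresses, groups, policies


def resolve(name: str, addresses, groups, _stack: Tuple[str, ...] = ()) -> Set[Net]:
    """Recursively flatten a named object into the networks it denotes.

    Undefined names and group cycles raise instead of expanding to nothing:
    a policy that silently matches no hosts is a worse failure on a shared
    firewall than a refused config load.
    """
    if name in _stack:
        raise ValueError("cycle in group definition: " + " -> ".join(_stack + (name,)))
    if name in addresses:
        return {addresses[name]}
    if name in groups:
        nets: Set[Net] = set()
        for member in groups[name]:
            nets |= resolve(member, addresses, groups, _stack + (name,))
        return nets
    raise KeyError(f"undefined object {name!r}")


def effective_rules(text: str) -> Set[Rule]:
    """Expand every policy to concrete (src, dst, service, action) tuples."""
    addresses, groups, policies = parse_config(text)
    rules: Set[Rule] = set()
    for src, dst, service, action in policies:
        for s in resolve(src, addresses, groups):
            for d in resolve(dst, addresses, groups):
                rules.add((str(s), str(d), service, action))
    return rules


def diff_effective(old_text: str, new_text: str) -> Tuple[Set[Rule], Set[Rule]]:
    """Return (added, removed) effective rules between two revisions.

    Diffing expanded rules rather than raw text surfaces what a context diff
    hides: editing one nested group changes every policy that references it.
    """
    old, new = effective_rules(old_text), effective_rules(new_text)
    return new - old, old - new


def config_error(text: str) -> str:
    """Return '' if every policy resolves cleanly, else the first problem found."""
    try:
        effective_rules(text)
        return ""
    except (ValueError, KeyError) as exc:
        return str(exc)


if __name__ == "__main__":
    added, removed = diff_effective(CONFIG_V1, CONFIG_V2)
    for r in sorted(added):
        print("+", *r)
    for r in sorted(removed):
        print("-", *r)
```

Run as a script, it prints the eight effective rules that revision 2 adds and nothing removed; that expanded list, rather than the two changed source lines, is what a reviewer of a maintenance plan actually needs to approve.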

attagirl 11-30-2008 12:21 AM

I read this information and found that it would be very useful for all of us. So I thought it would be good to bring it back out so that those people who do not read the older threads can comment themselves on this.

vlada 01-31-2009 04:38 PM

I think that everything depends on your budget and on your demands to the shared firewall. You must consider all cons and pros and then make the decision.

PhantomNOC 02-01-2009 09:09 PM

As far as SonicWalls go, stay away. I have set some up for customers, and they leave a good bit to be desired. Netscreens are good. Cisco ASA5505/5510 firewalls are probably the best for the money. If you are open to *NIX-based firewalls, check out Astaro. They have appliances as well as downloadable wares. Customers that have been sold Astaro firewalls have loved them.

Schumie 02-02-2009 10:13 AM

For me, the biggest thing is supportability: what does your staff already know / have training in? When it comes to the purchase cost, if you also have to re-train your staff then this obviously makes a huge difference. Also, if your teams aren't working with them daily it could create a whole world of support issues!

solokron 02-23-2009 08:55 PM

Firebox Watchguards look good but wow, $2000 - $3290 a year for the "Unified Threat Management" license. That seems quite a bit. Are there more affordable / bang-for-your-buck options available for a shared hosting provider?

