#5, 11-19-2006, 07:54 PM
Zitibake (Senior Member, Join Date: Dec 2005, Posts: 113)

Interesting about SonicWalls. I've used Netscreen, Watchguard, and a little PIX. I'll have to revisit the SonicWalls.

The Watchguards are inexpensive, but that doesn't help as much in a shared H/A firewall installation. If you have hundreds of customers behind a firewall pair, then cost per customer is watered-down quite a bit. Cost for any kind of unavailability (or, in the case of Watchguard, inability to apply a config change without reboot) goes way up.

Netscreens support recursive named objects (e.g. customer1-remote includes customer-1-branchA, customer-1-branchB and customer-1-branchC; each of those branches is an object naming a set of network numbers). With lots of customers, each with their own policies, that is handy. Watchguards only allow named objects to refer to a list of network numbers.

Watchguards support policy-based VPNs with separate traffic filters: I can define an IPSec tunnel from an object on my end (say, a list of /24 networks) to an object on the far end; then use filters to limit traffic to just some IPs, and to just some TCP ports. With Netscreen, if I want to filter traffic within the tunnel, then I seem to need to use routed VPNs, not policy-based VPNs. But policy-based VPNs are the norm, so to use route-based, I have to explain to customers how to configure their end.

The CLI interface of the Netscreens and PIXes is easier to use when you have a long list of policies and tunnels. When the Watchguard GUI display is many screens long, it becomes awkward to view only the parts you need to edit.

The Watchguard GUI doesn't promote revision control: engineers file their maintenance plan with a textual description of what they intend to change (e.g. "configure new policy FOO to do blah blah"). With PIX and Netscreen, engineers can file a complete list of proposed commands they will execute, for review and comment, before their maintenance window occurs.

Watchguard's config file is really a database dump, making context-diff difficult. With PIX and Netscreen, it is easier to get automated reports of config changes.

Marketability is also a feature: enterprise customers ask what kind of firewall you use; they seem most comfortable if you answer PIX or Netscreen or Checkpoint. But those customers tend not to use a shared firewall or VPN concentrator, so for the shared firewall, stability and scalability are still most important.

Watchguards support IPSec/PPTP tunnels with RADIUS authentication; but to limit what services/devices the remote clients can access, a filter for each user must be defined on the firewall, making RADIUS pointless. Netscreen doesn't support OS-native PPTP clients (e.g. Windows DUN, Mac OS X dialup VPN) in all the required configurations. It sounds like Altiga (Cisco VPN Concentrator 30xx) has the only product that can terminate those VPNs with RADIUS-assigned access lists.

It looks like Cisco is supporting larger numbers of VPN clients in the regular PIX firewalls, while Cisco is not introducing new models of the VPN Concentrator, so perhaps a PIX is best for the role of IPSec PPTP/L2TP VPN concentrator. SSL concentrators are coming along in features, and everybody is selling those, so maybe the era of IPSec PPTP/L2TP tunnels is ending.
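Two of the points above, recursive named objects and automated reports of config changes from a text config, worked through as an added example (not the poster's code, and not from any vendor): the ScreenOS-style "set address" / "set group address" lines, the object names and the networks are constructed, and the group names nest one level deeper than the post's example. It also goes a step past a plain line diff, flagging every group whose effective membership changed even though the group's own lines did not.

```python
import difflib
import re

# Constructed fragments in ScreenOS "set address" / "set group address" style; names and networks are hypothetical.
OLD_CFG = """\
set address "Untrust" "customer-1-branchA" 192.0.2.0 255.255.255.0
set address "Untrust" "customer-1-branchB" 198.51.100.0 255.255.255.0
set group address "Untrust" "customer-1-branches" add "customer-1-branchA"
set group address "Untrust" "customer-1-branches" add "customer-1-branchB"
set group address "Untrust" "customer1-remote" add "customer-1-branches"
"""
NEW_CFG = OLD_CFG.replace("198.51.100.0 255.255.255.0", "198.51.100.0 255.255.255.128")  # only branch B's line changes
ADDR_RE = re.compile(r'^set address "[^"]+" "(?P<name>[^"]+)" (?P<net>\S+) (?P<mask>\S+)')
GROUP_RE = re.compile(r'^set group address "[^"]+" "(?P<name>[^"]+)" add "(?P<member>[^"]+)"')

def parse(config):
    """Return (addresses, groups): name -> 'net/mask' and name -> [member names]."""
    addresses, groups = {}, {}
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            addresses[m["name"]] = f"{m['net']}/{m['mask']}"
        elif m := GROUP_RE.match(line):
            groups.setdefault(m["name"], []).append(m["member"])
    return addresses, groups

def resolve(name, addresses, groups, seen=frozenset()):
    """Flatten a (possibly nested) object into the networks it names; reject undefined members and cycles."""
    if name in addresses:
        return {addresses[name]}
    if name not in groups:
        raise ValueError(f"undefined object {name!r}")
    if name in seen:
        raise ValueError(f"cycle through {name!r}")
    return set().union(*(resolve(m, addresses, groups, seen | {name}) for m in groups[name]))

def changed_lines(old_cfg, new_cfg):
    """The '+'/'-' lines a plain context diff of the two text configs shows."""
    diff = difflib.unified_diff(old_cfg.splitlines(), new_cfg.splitlines(), lineterm="")
    return [l for l in diff if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]

def effective_changes(old_cfg, new_cfg):
    """Groups whose flattened membership differs, even where their own lines did not change."""
    old, new = parse(old_cfg), parse(new_cfg)
    report = {}
    for group in sorted(set(old[1]) | set(new[1])):
        before = resolve(group, *old) if group in old[1] else set()
        after = resolve(group, *new) if group in new[1] else set()
        if before != after:
            report[group] = (sorted(after - before), sorted(before - after))
    return report
```

On the constructed input the line diff shows just the two lines for branch B, while effective_changes reports both customer-1-branches and customer1-remote, which is the report a reviewer of a maintenance plan would actually want.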