15 Replies Latest reply on Nov 1, 2013 11:48 PM by michael stump

    All Around The World - Same (Firewall) Song?

    Brandon Carroll

      I've talked about firewall virtualization, how you're handling IPv6 with your firewalls, and even the current state of firewall management.  What I haven't asked, and what's been on my mind, is this: are all firewalls equal, or is there a feature in one versus the other that is truly a trump card?  For years we've heard about Cisco ASAs, previously the PIX.  We've also heard about Checkpoint, Juniper's NetScreen, HP's TippingPoint, Palo Alto, and so on.  Do vendors get into this market just to carve off a slice of the pie, or are they really addressing a need in the market that nobody else is considering?  In my personal opinion I don't think that a great deal has changed with firewalls over the last 5 years.  Sure, more features have been added, but in general, they just do the same old thing.


      What's your take?  Does it really matter whose hardware I drop in?  Do the vendors really "get it" when it comes to the demands of a firewall in today's network?  Or is it better to just stick with the vendor of my liking so I can take advantage of all my hardware being supported by one TAC?

        • Re: All Around The World - Same (Firewall) Song?

          Whose hardware do I drop in?

          • I started with Cisco PIX and so have become most comfortable with PIX/ASA.  What I like is that I have everything I need in a single appliance and can easily back up, as well as cut/paste, configs with a simple terminal and text editor.  I prefer the CLI because I can prepare an entire config script in a single notepad doc for review rather than having to click through various GUI screens.
          • However, I've also used and liked Checkpoint and Palo Alto firewalls because of their capabilities (especially packet/application inspection) and the included management GUIs are good enough that I'm willing to live without the CLI.
          • NetScreen isn't bad, but I just don't like their web-based interface.  I think they have a command line interface but I haven't had enough experience with one to know for sure.
          • I do NOT like WatchGuard products.  I've used their firewalls from versions 4.5 through 7.0 because the VAR I worked for at the time pushed those boxes almost exclusively.  The problems I had were the need for a separate management console, upgrading the mgmt console forced upgrading all firewalls managed by that console, proprietary management protocols, not-so-good interoperability with other vendors' IPsec products, and a not-so-clear order of precedence for the rules.
          • Never touched a Tipping Point appliance so I cannot make any comment there.


          Who do I think "gets it"?

          My impression is Palo Alto and Checkpoint.  Despite my preference for ASA, Cisco always seems to be playing catch-up regarding new features and capabilities.


          Is it better to stick with a single vendor?

          My initial paranoid reaction would be to use alternating vendors between consecutive layers (i.e. user > interface > app > data) so that a vulnerability in a single firewall doesn't provide a single hole through the stack.  But if the attacks are against apps and servers rather than the firewalls, then does varying firewalls really make a difference?


          Bottom line: I prefer using a Cisco appliance but I'll use whatever my employer or customer asks me to use.

          1 of 1 people found this helpful
            • Re: All Around The World - Same (Firewall) Song?
              Kurt H

              Honestly, you might want to keep the same vendor; that way you are not dealing with multiple maintenance contracts. Nothing has changed that much in the past 5 hours, maybe the GUI or other minor changes. There is not a lot that firewall manufacturers are incorporating into their firewall systems today. I have not seen much progress on IPv6 for one thing, and I do not think we will see much progress in another few years either. I think the most a manufacturer is looking at is making firewalls that incorporate into other components instead of being a single box. The software has not changed though.

              • Re: All Around The World - Same (Firewall) Song?
                Brandon Carroll

                I think my feelings are similar, but I have no experience with WatchGuard or Palo Alto.

              • Re: All Around The World - Same (Firewall) Song?

                I would like to stay with what works... until it stops working, of course.

                Vendors can keep all those fancy features, flashy lights, turny-knobs, and clicker-majiggs... if the basics work, and cover our needs, we get it and stick with it until it is EOL... which is a good, solid, 3-5 months...


                I think having a single vendor is better, in regards to only having to go to one place for support... BUT... on the flip side, if support is not proving their value, you only have that one place to go to...


                I would prefer to have streamlined devices, each with a specific purpose. No bells, no whistles, no problems...  Just the faq, ma'am!

                • Re: All Around The World - Same (Firewall) Song?

                  We are mostly a one-stop shop, and big enough to shake things up when, if for some reason, we are lacking in a response for support. Besides, shaking things up is one of the good things that I do... Give me something widespread enough that I can google any issue. ASA's ASDM is easy to maneuver and not overly cumbersome. Juniper's CLI has always shown itself to be straightforward and makes some changes and settings easy, but their GUI can be cryptic for troubleshooting, and so is the info sent from their boxes.


                  Having a one-stop shop can be less troublesome in integration, but I like the argument about being tied to one horse. Unless it's winning all the time, you get the experience of shoveling everyone's mess.

                  • Re: All Around The World - Same (Firewall) Song?

                    I don't think any one vendor brings anything special to the table. Really it depends on picking a vendor that works well in your environment, a vendor that has good support, a vendor that you may already be using for other devices, etc.

                    • Re: All Around The World - Same (Firewall) Song?

                      Sticking with one vendor is definitely helpful, but at least I look for the throughput I need in the price range I am allowed. They all do pretty much the same; eliminating the bottleneck is my main concern.

                      • Re: All Around The World - Same (Firewall) Song?

                        A great point raised, Brandon.


                        I think it is important that, whatever the vendor, the device that is put in enables the business requirements. If your requirements are to secure a DMZ and enable web transactions, or to build an application tier that requires isolation between app/web/data, then it doesn't matter about the device as much as the fit for purpose. Business requirements don't care if it is a red box, a blue box, a teal box or a black box. They care about doing the job.


                        In regards to specific vendors getting it? The big teal has a massive footprint with ASAs due to customers always having had them. I think the SRX gained a massive foothold for features, stability and price. With that being said, I think long term Cisco will re-awaken (after all, they are the sleeping giant) and integrate the Sourcefire solution, bringing a new lease on life for the stagnant ASA.

                        1 of 1 people found this helpful
                          • Re: All Around The World - Same (Firewall) Song?
                            Brandon Carroll

                            What a great point, pandom_!  Cisco integrating Sourcefire may breathe new life into their product.  I know they have done a great deal with the ASA, but it's nothing new.  CX has some cool stuff for content filtering, but really, how long can a firewall live in the market before it can't keep up with today's threats?  I don't know the answer to that, but I think it's worth evaluating when someone buys new gear.


                            In the end, I like Cisco because I'm trained in Cisco.  I guess they got what they wanted right?

                          • Re: All Around The World - Same (Firewall) Song?

                            "... the need for a separate management console, upgrading the mgmt console forced upgrading all firewalls managed by that console..."

                            My biggest beef with the Juniper/NetScreen.  That, and the GUI of the NSM (management system) is at times cumbersome and difficult to get real-time information from.

                            Which leads me to the feature that I think all modern firewalls should be able to provide:  A "Show me what's going on right now" button that will show clear concise information on traffic passing through the firewall with links to the rule set that can be viewed side by side.

                            • Re: All Around The World - Same (Firewall) Song?

                              I believe that a firewall is a firewall is a firewall... features are just there to push up sales but at heart, a firewall is just that and should remain so.


                              I say stick with what you know and feel comfortable with, because navigating through multiple support channels can be time consuming and frustrating. The one TAC is a plus and, depending on your size and the number of employees/devices you have, it may be worth more than features.


                              Features? We don't need no stinkin' features!

                              • Re: All Around The World - Same (Firewall) Song?

                                I think Palo Alto gets it. It just seems when we look for a feature, they have already thought it through. I would prefer to stick with one vendor but there isn't a huge benefit to doing so. I wouldn't hesitate mixing/matching.

                                • Re: All Around The World - Same (Firewall) Song?
                                  michael stump

                                  I agree with others who point to the business and functional requirements of a system being more important than the solution's features. And most importantly, the skill of the engineer and administrator is what makes a firewall effective or deceptively insecure.


                                  I've also noticed that many Cisco infrastructure shops tend to have ASAs. Perhaps the Cisco account managers were just really effective at closing the sale to an existing customer. Management certainly loves the "one throat to choke" metaphor for support (as violent as that is!).


                                  I've personally done some work with WatchGuard, and found them to be easy to use. They've also been around forever (my first install was in 2000). On the bad side, I've heard their hardware has a relatively high failure rate. So.... there's that.