I am the owner of a retailer company with 1-10 employees.
We host websites on Windows 2008 R2 servers and Norton Business Protection. We are looking for recommendations for the best network firewall.
Thanks! I appreciate the help.
Good commercial firewalls take a degree of expertise that small businesses rarely possess. For that reason, I would look for a managed security services provider that specializes in the SMB retail market. They should be able to do it affordably and with solid expertise. They should support Fortinet or Palo Alto Networks firewalls, which are the current gold standard for Next-Generation Firewall. You should also look at upgrading your Windows 2008 servers as they are end of life and tough to protect today.
Priority as below:
1. Best choice: CISCO FirePower 1120 as it is a strong FW and it is not necessary to renew the subscription if you just need a firewall.
2. Powerful but expensive: Palo Alto Networks PA or Check Point: small series and you have to renew subscription yearly.
3. Multi-functions: FortiGate, ForcePoint, SonicWall, Watchguard, Sophos: Forti is popular and high ranking, the others are lower ranks, but all these ask to renew subscription yearly as well.
4. Opensource: I do not recommend as there is no one responsible for your system unless you are very pro in Linux and opensource.
I think you should be looking more into a WAF. For firewalls with ~ 10 users a small FortiGate should be sufficient but the opportunity I see of the 2008 R2 servers. You should have moved off of these systems as of 2019 but that is not relevant to your question. I would invest in protecting those systems with an appropriately sized WAF. For this I recommend a FortiWEB.... these are distinctly different products.
1-10 employees, it's not that big. You should try the Unifi Platform from the Ubiquiti brand; it is a bargain for the price and resource you can manage, and the better for you is you don't have to pay licencing, you only pay the hardware and the IT to implement the solution.
FortiGate 60F will be a good and economical choice for you especially that you will host a website it will give you the best performance.
Better go with FortiGate 60E.
I like Watchguard Fireboxes for my firewall. We started out with less than 50 users and have grown to 80 and the firewall is easy to manage. The one negative is that it is expensive to keep the subscriptions updated. Worth it to us, as we've been virus- and malware-free for years.
The best solution in your case is a Fortinet or Sophos firewall. Use it with Endpoint protection from Fortinet or Sophos.
For your businesses that are under 50 employees but still require enterprise-class security, insight into traffic and ease of management, I usually point people to Cisco Meraki products. For businesses with relatively few users, these products are very simple to set up and usually do not require network admins or engineers to set up successfully and securely.
I would go for an OPNSense/PFSense solution. Though it's not so easy to begin with it, it will scale to your needs easily.
Selecting the "Best" firewall will give you many different answers from many different people. Firewalls and firewall vendors as well as the people that implement them are very partial to what they are familiar with. Same as me. I have what I consider the "best" but it is the best "for my installation". The real answer is another question: "What are you looking for and need in a firewall?"
With such old web servers you will need a Web Application Firewall "WAF" much more than you would need, say, a packet filtering firewall or even a NGFW.
Too many questions to list here but I would definitely need much more information about your situation before I could even start to make a recommendation.
You should be looking at the Juniper's SRX300, which is a bundle of switching, security and routing. You'll have embedded PoE+ functionality with its 6 Gigabit Ethernet Ports, and 2 uplinks running at 10 Gbps, Industry best, high-performance IPsec VPN solution with 2 FREE SSL VPN licenses and able to purchase up to 48 more licenses for a total of 50 remote collaborators.
Check this out for more information: https://www.juniper.net/us/en/products-services/security/srx-series/datasheets/1000550.page
It will depend on the budget and scalability you want, if you have a high budget, better to implement a commercial firewall, another alternative would be an open-source firewall.
- Commercial Firewalls: Palo Alto or Fortinet.
- Open Source Firewalls: pfSense or OPNsense.
I would recommend a Palo Alto appliance since you can watch up to layer 7 traffic.
From my experience, Fortinet or Cisco will work fine if you are looking for NGFW. I am not sure about the price; you can ask the vendor partner in your area for the price list. Both Cisco & Fortinet firewalls will do the job perfectly.
I suggest installing a *pfSense* router as the gateway to the Internet.
I've also had success with a *Dlink* router and using *ClearOS*. Any of these would enable the user to place their Web servers in a separate zone.
Sophos XG 106 Firewall
Fortinet Firewall would be the best by far with built in wireless and vpn capabilities
With that number of employees, Sophos offers good solutions (XG line) at a reasonable price. That’s my recommendation.
In few words:
Looking at the best balance between Security functionalities, performance per Mbps of protected traffic and price, the best is FortiGate:
> Advanced security functionalities from basic ACL until level 7 security protection, that could be used for security functionalities consolidation (a typical scenario for SMB needs).
> Embedded Security Management functionality (on board of FortiGate appliance) really usable.
> A scalable platform from a few Mbps Throughput until high-end needs.
Open Source: PFSENSE
Good - Cheap - Easy on use: Sophos
The best: Cisco ASA Firepower
Web-sites do require additional protection that a firewall appliance by itself cannot achieve.
Having 1 to 10 employees is useful, however understanding the web-site traffic volumes is completely different.
So, making certain assumptions I would lean towards Fortinet or Sophos.
And what can we assume regarding EOL for OS?
For Open-source solution is PFSense/OPNSense and commercial is Check Point firewall. This is my recommendation.
What is the budget and who will the Firewall administrator be?
It does not matter what firewall you recommend, money and who is looking after it is the question to ask!!
If you spend £40k on a firewall and have an idiot configure it and administer it – the firewall is next to useless, whatever Vendor’s product you buy!!
Large sites = Fortinet
Small 2 -3 server sites = PFSense, available in the virtual or physical installation. Available in Opensource or with professional support.
You can take Fortinet 30E.BDL in the present situation. This model can easily fit the budget of the customer and their requirements in the full edge.
You have several options. If you want to add IPS functionality then I would recommend Sophos Firewall XG. If you want to go the open source route then pfSense is the tool. There are other similar products that have different learning curves or prices. For my personal use I'm using Sophos Firewall XG since it is free for home users.
It depends if you have time and a server with 4 ->5 port (VM or physical) you should install pfSense firewall. It is open-source, it is quite easy to install and setup but you have to spend time on it.
If you have budget for FW you should choose
Fortinet price: 8/10 but admin's experience about 7/10
Palo Alto has an expensive price we could say: 7/10 but admin's experience is very good it is the best enterprise FW
When sizing FW you should inform the throughput so it helps the reseller pick a model for you. If you have 1-10 employees and 1 server I would say your best solution is pfSense open-source FW.
Here are three options depending on your budget and overall security consideration based on your business. Strongly advise that you locate a local resource to help you plan out your network and security work. There are many considerations to include server patching you need to keep an eye
3. Palo Alto Networks
I recommend and deploy Kerio Control Firewalls because you can install on an old desktop PC with that you add a 2nd network card. I use Dell OptiPlex i5 with 8 GB of RAM for my base router. I also know that Sophos and Untangle have the same option and they both have better end user support than Kerio. I stick with Kerio because I have been a partner from way before the GFI purchase so know the products very well and do not have need for support.
On the outdated server issue and if you are in a situation where with COVID-19 do not want to be spending the money to upgrade hardware and software I would reach out to Norton and see if their Business Protection suite protects against known threats to outdated software or has a protection add on. I use Trend Micro Worry Free Security for my clients and learned that Trend Micro has an addon or a separate product to add that type of protection.
Good luck in the coming days / months.
Agree 100% with Thomas Davis. As a Meraki partner, I can attest it is a great product but you need to work with an authorized Meraki partner. As for the servers, I would note that you are facing an upgrade from an unsupported OS (2008 R2) and will need to be purchasing a server OS license for 2016 or Windows 2019. Microsoft Licensing can be tricky so I suggest contacting an IT company that is both a Microsoft partner and a Meraki Partner. The firewall is a necessity but understand that if you are running web servers, there will be at least ports 80 and 443 open to public traffic. These ports will be probed by malicious activities trying to make use of exploits in the hosting server OS and applications. Thus it is imperative that the environment be maintained and latest patches applied in a controlled manner. It is difficult to accurately understand what is meant by "Norton Business Protection" as they offer a range of products. We have had great success with the enterprise offerings from Symantec but they too have recently (Aug 2019) sold to Broadcom the Enterprise Security Business.
Impossible to keep current with IT Mergers & Acquisitions. Accenture Security is to acquire Symantec's Cyber Security Services business from Broadcom [ https://www.infosecurity-magazine.com/news/accenture-to-acquire-symantec/ ] Second ownership change but core product --for now remains the same offering.
First you need to upgrade to a supported platform. 2012r2 or Higher...
Cisco Meraki Firewall is the easiest to manage and deploy.
Fortinet or Sonicwall
Sophos XG firewall with RED devices to make tunnels
Just get Untangle, it's the easiest and cheapest...but not weak by a long shot... 4 years multiple deployments and no breaches or ransomware
How can I get a Cisco ASA 5510 Firewall for a decent price? It has all the essential features.
What is the speed of your internet connection?
I would recommend you to use Cisco firepower, easy to configure and manage, this will be very helpful for you because you have a limited staff
Based on the information that you provide, you will need a small firewall (depending on the size and growth of your company and bandwidth). Since you also locate your website on your premises, I suggest you protect the server with a small WAF (Web Application Firewall). Regarding the brand, there are many justifications as you require, such as bandwidth, firewall feature (UTM or NG-Firewall) and budget.
You could go for CISCO MERAKI MX-64 with 1/3 yrs advanced security services license. Since it’s cloud-based administration, it is very easy to deploy and manage. Can support up to 50 devices including servers.
Take the FortiGate 40F with UTM protection (600 Mbps Threat Protection), easy management and low cost for your requirement. If you need load balance WAN links choose the 60F because it has more physical ports and 700 Mbps Threat Protection.
I personally use Cisco exclusively because that is what I know. Palo Alto firewalls are also very good. Those are the two biggest players right now from my research and knowledge. Performance-wise they are clearly direct competitors and one may fare better in one feature and the other in another feature so it's hard to say one is really better than the other. Both can now be managed via a GUI; however, Cisco has the advantage of also being manageable via a fully developed and documented CLI.
As for which model to choose, that would depend on the anticipated load and any additional features you would need. Both support a DMZ / public / private network infrastructure. From what little information is provided the lower end firewall models would most likely be acceptable; however, the final is dependent on the incoming traffic more than the number of users behind it.
Windows Server 2008 is unsupported by Microsoft and you should migrate it to Windows Server 2019. I think your hardware is also very old. But you don't have to buy new hardware. You may create a virtual machine from a datacenter like Azure, AWS, etc. They also offer some security services like IPS, Next-Generation Firewall, DDOS protection, etc for your workloads and I am sure it will be cheaper instead of buying hardware. I advise you to use Fortinet, Palo Alto or Check Point virtual firewalls.
First, before proceeding with the firewall brand, I need to know what tasks must the firewall handle i.e IPS, Protection from the exterior, web application firewall, VPN users, protection for clients hosting their websites on your servers, web and application filter, mail filter? All of these will determine which firewall should you go for.
If you can send me these I will tell you which brands to follow and how the configuration shall be done.
As for windows 2008, yes it is not supported but this doesn't make your environment vulnerable since you have Norton in place and the next-generation firewall will do the protections unless you have a budget allocated to the migration to windows server 2016, then it is better to migrate first.
You have two challenges:
- First, Windows 2008R2 is no longer under Microsoft support (you will no longer receive security patches) - this makes your server MUCH more vulnerable.
- Second, firewalls. I tend to like Sonic Wall, but there are others as well. Each vendor has models that address a range of features, with cost considerations attached. Suggest working with a local vendor to consider a holistic approach to your org and needs.
I recommend using Cisco FPR 1010 (https://www.cisco.com/c/en/us/products/collateral/security/firepower-1000-series/datasheet-c78-742469.html).
I will prefer Cisco FPR 1120 for SMB as it is power of CISCO and no renewal fee for firewall subscription.
Better take the 60F instead of the 60E. More performance, lower price, same functionality.
Upgrading your 2008 servers is also a recommendation. But all firewalls of the major companies (Fortinet, Palo Alto, and CheckPoint) will be good enough for you. It all depends on your budget and how you manage your security policies.
A firewall isn't a silver bullet against all threats.
It depends on your budget, there are many options you can avail, but if you buy a Fortinet firewall, it will get you ease of management and having all the options which enterprise network needs.
One consideration is that the throughput required to respond to your web server queries is essential, so please choose as per your requirement, like 40E, 60E.