Windows XP Community - XPHeads



Firewall recommendations

microsoft.public.windowsxp.security_admin


#11
Old 08-14-2008, 03:39 PM
Phillip Windell
 
Posts: n/a
Re: Firewall recommendations WATCHGUARD
"Mha" <miha.bernik@email.si> wrote in message
news:ugMJ%23Vh$IHA.4800@TK2MSFTNGP03.phx.gbl...
> Hi Leythos
>
> I have another question regarding Firebox x550e about throughput that is
> specified:
> - Firewall Throughput 300+ Mbps
> - VPN Throughput 35 Mbps
> - AV Throughput 50 Mbps
> I'm a little concerned if I enable all UTM services
> (Anti-Spam,Anti-Spyware,GW-AntiVirus,IPS...) will there be any problems
> with performance or throughput at all?
> We have 100/100 internet connection, so with all these services enabled,
> also about 10 users will use client-site SSL VPN (sometimes), can I expect
> any problems with Firebox performance or with firewall throughput?


Yes, it matters. But it has nothing to do with bandwidth, network speed,
throughput, etc.
It matters with respect to the CPU of the Firewall. The more you give it to
do the longer it takes to process,..the longer it takes to process,..the
more "processor lag" you introduce. To speed it up you need a Model with a
faster processor.

> I'm also wondering if there are any differences between Mobile VPN Tunnels
> and SSL VPN tunnels? Since Firebox x550e only has 5 Mobile VPN client
> licences included, but with Firmware PRO upgrade I get full (75) SSL VPN
> client licences, I'm thinking of using SSL VPN access for all users who
> will


Watchguard tends to rewrite the dictionary to suit themselves or just simply
"make up" terminology out of nowhere.

Mobile VPN = what the industry called Remote Access VPN.
Watchguard used to call it MUVPN (Mobile User VPN)
This is individual "humans" that establish their own personal inbound VPN
connection into the LAN from the "outside". It is not meant nor designed to
"stay up". The user is supposed to connect,..do the job they connected to
do,...and then disconnect. This type of VPN can potentially, and often
does, disrupt the user's ability to connect to things on their own local LAN
during the time it is "up".
Remote Access VPN can use PPTP, L2TP, or IPsec

SSL VPN Tunnels = Wow, they are really getting "vague" here. SSL VPN can
mean a *lot of things* that are nothing alike. They might mean Site-to-Site
VPNs or they might mean Application Publishing via a web browser over
SSL,..which technically is not even true VPN. I've always thought SSL VPN was
an oxy-moron that really meant nothing in reality and was just a Marketing
Term. It is a term used by products such as Whale that was bought-out by MS
and renamed "Intelligent Application Gateway" and incorporated into the
Forefront Security Suite. While at MS myself in a meeting with the ex-Whale
employees and some MS Forefront people I think I annoyed them by telling
them that I did not think it was a "true VPN" and that it should not be
called "SSL VPN" and that they should call it something else. It is also
similar to the Web Interface that Citrix is capable of using to make things
available to user.

Anyway,...if they use the term to mean what the industry calls Site-to-Site
VPN.....
Watchguard used to call this ROVPN (Remote Office VPN)
these probably nearly always use IPsec but some products like MS ISA Server
lets you choose between PPTP, L2TP, or IPsec which can be dictated by what
equipment it has to work with.
A Site-to-Site VPN is the connecting of two Networks over a VPN link. There
are no "humans" involved,..only computers. This type of connection is
designed and expected to be "always up". It does not disrupt or adversely
affect local traffic on either one of the connected LANs, however the two
LANs need to have the routing schemes properly designed so that the correct
traffic goes over the VPN while other traffic does not.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------


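The routing point Phillip Windell makes above (a remote-access tunnel can take over the user's home LAN, while a site-to-site tunnel needs a routing scheme that sends only the peer LAN across the link) is easy to reason about in code. The block below is an added illustration, not anything from the thread or from Watchguard; every subnet and interface name in it is a constructed sample value.

```python
"""Added example (not from the original thread): route-scheme checks for
the two VPN styles described in the post.

  * conflicting_routes(): a remote-access (Mobile VPN) client receives routes
    pushed by the VPN server. If any of them overlaps the client's own home
    LAN, the tunnel route captures (or fights with) traffic meant for local
    devices, which is the "can't reach my local LAN while the VPN is up" effect.
  * next_hop(): longest-prefix match over a site-to-site routing table, showing
    that only the peer LAN's prefix is steered into the tunnel interface and
    everything else stays on the default (internet) route.

All prefixes and interface names below are constructed for the example.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Net = ipaddress.IPv4Network


def conflicting_routes(local_lan: str, pushed_routes: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (local, pushed) pairs where a VPN-pushed route overlaps the
    client's own LAN. An empty list means local and tunnel traffic stay apart."""
    local = Net(local_lan, strict=False)
    hits: List[Tuple[str, str]] = []
    for r in pushed_routes:
        pushed = Net(r, strict=False)
        if local.overlaps(pushed):
            hits.append((str(local), str(pushed)))
    return hits


def next_hop(dst_ip: str, routes: Iterable[Tuple[str, str]]) -> str:
    """Pick the outgoing interface for dst_ip by longest-prefix match over
    (prefix, interface) entries. A 0.0.0.0/0 entry acts as the default route."""
    dst = ipaddress.IPv4Address(dst_ip)
    best: Optional[Tuple[Net, str]] = None
    for prefix, iface in routes:
        net = Net(prefix, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    if best is None:
        raise ValueError(f"no route to {dst_ip}")
    return best[1]


# Constructed site-to-site table for the HQ side: only the branch LAN's
# prefix points at the tunnel interface; the rest goes out the WAN.
SITE_A_ROUTES = [
    ("0.0.0.0/0", "wan"),        # default route (internet)
    ("10.10.0.0/24", "lan"),     # HQ LAN (constructed)
    ("10.20.0.0/24", "ipsec0"),  # branch LAN, reached over the site-to-site tunnel
]

if __name__ == "__main__":
    # Home LAN and corporate LAN both on 192.168.1.0/24: a classic conflict.
    print(conflicting_routes("192.168.1.0/24", ["192.168.1.0/24", "10.10.0.0/24"]))
    # A broad pushed route (10.0.0.0/8) swallows a home LAN inside it, too.
    print(conflicting_routes("10.0.1.0/24", ["10.0.0.0/8"]))
    for ip in ("10.20.0.7", "10.10.0.5", "8.8.8.8"):
        print(ip, "->", next_hop(ip, SITE_A_ROUTES))
```

The overlap check is the one to run before handing out a remote-access VPN profile: home routers very commonly use 192.168.0.0/24 or 192.168.1.0/24, so a corporate LAN on the same prefix guarantees the disruption the post describes.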
#12
Old 08-15-2008, 01:16 PM
Leythos
 
Posts: n/a
Re: Firewall recommendations WATCHGUARD
In article <ugMJ#Vh$IHA.4800@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
says...
> Hi Leythos
>
> I have another question regarding Firebox x550e about throughput that is
> specified:
> - Firewall Throughput 300+ Mbps
> - VPN Throughput 35 Mbps
> - AV Throughput 50 Mbps
> I'm a little concerned if I enable all UTM services
> (Anti-Spam,Anti-Spyware,GW-AntiVirus,IPS...) will there be any problems with
> performance or throughput at all?


AV scanning of HTTP sessions does tend to slow them down, but only when
an object is being scanned, it doesn't really matter what firewall you
use, scanning is going to slow you down on a fast internet connection.

When I browse the web with any firewall that scans HTTP using an AV
filter, I can notice a hit, but, I still get the full rated speed for
file downloads, etc... Meaning, on my 100mbps fiber I get about 15mbps
downloads from most sites (inside the firewall or outside it, so the
firewall is not the issue). What I do see is a hesitation as it scans
large documents in a website, but it's barely noticeable.

> We have 100/100 internet connection, so with all these services enabled,
> also about 10 users will use client-site SSL VPN (sometimes), can I expect
> any problems with Firebox performance or with firewall throughput?


You have a 100mbps connection and you want to pick the lowest version of
the firewall?

If you're doing site-site, with both sites having 100mbps connections,
then you want a faster firewall - notice the 35mbps of the VPN above.

> I'm also wondering if there are any differences between Mobile VPN Tunnels
> and SSL VPN tunnels? Since Firebox x550e only has 5 Mobile VPN client
> licences included, but with Firmware PRO upgrade I get full (75) SSL VPN
> client licences, I'm thinking of using SSL VPN access for all users who will
> need access from home computers.Are there any other differences/features
> between these two types of VPN? Primary my clients need to access (from
> their home computers) file-shares on servers and some local applications?
> Thanks again!


First, let me say that file sharing is a bad idea over VPN, in general,
as it often has people not waiting long enough for things to happen,
since you never get a fast response - because their home ISP connection
is normally very slow. I would rather see you SSL into the firewall,
authenticate with it, then allow Remote Desktop into a terminal server.

So, with a 100mbps connection, you should consider a 100mbps VPN capacity
also, if you're going to make that much use of VPNs.

Any method you use, SSL or Mobile will work, it's just how you setup the
vpn.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
#13
Old 08-15-2008, 03:31 PM
Mha
 
Posts: n/a
Re: Firewall recommendations WATCHGUARD
Thanks again for all the information, it is always very helpful.
Yes, I know it's the lowest version of the firewall, but there won't be any
high activity on it. Users behind it will primarily use HTTP to surf the
web, the general purpose of 100Mbps fiber is that we have one apache web
server with a few internet sites on it and internal mail server (Exchange)
for 50 users, so we need a strong line, but I think that for our line of
business and a small profile of a company also 50Mbps line would be enough.
Also users who will VPN from their home computers (slow DSL line) will
primarily connect to the terminal server, and we have one small branch office with
2 users that will be connected via site-site VPN connection (they have 2Mbps
DSL connection) so I think the x550e appliance would be enough or am I
wrong?
I don't want to go for a higher Firebox like x750e or x1250e because the UTM
services subscription is much more expensive than on the x550e model, and also
the higher model is much more than we need for our company.
So if I got this right, there is no need to buy extra licences for Mobile
IPSec VPN for home users to connect, since I get with FirewarePRO full (75)
client licences for SSL VPN and users can use this kind of VPN instead of
Mobile IPSec with the same functionality?
Regards,Miha

"Leythos" <void@nowhere.lan> wrote in message
news:1218813295_320608@news.usenet.com ...
> In article <ugMJ#Vh$IHA.4800@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
> says...
>> Hi Leythos
>>
>> I have another question regarding Firebox x550e about throughput that is
>> specified:
>> - Firewall Throughput 300+ Mbps
>> - VPN Throughput 35 Mbps
>> - AV Throughput 50 Mbps
>> I'm a little concerned if I enable all UTM services
>> (Anti-Spam,Anti-Spyware,GW-AntiVirus,IPS...) will there be any problems
>> with
>> performance or throughput at all?

>
> AV scanning of HTTP sessions does tend to slow them down, but only when
> an object is being scanned, it doesn't really matter what firewall you
> use, scanning is going to slow you down on a fast internet connection.
>
> When I browse the web with any firewall that scans HTTP using an AV
> filter, I can notice a hit, but, I still get the full rated speed for
> file downloads, etc... Meaning, on my 100mbps fiber I get about 15mbps
> downloads from most sites (inside the firewall or outside it, so the
> firewall is not the issue). What I do see is a hesitation as it scans
> large documents in a website, but it's barely noticeable.
>
>> We have 100/100 internet connection, so with all these services enabled,
>> also about 10 users will use client-site SSL VPN (sometimes), can I
>> expect
>> any problems with Firebox performance or with firewall throughput?

>
> You have a 100mbps connection and you want to pick the lowest version of
> the firewall?
>
> If you're doing site-site, with both sites having 100mbps connections,
> then you want a faster firewall - notice the 35mbps of the VPN above.
>
>> I'm also wondering if there are any differences between Mobile VPN
>> Tunnels
>> and SSL VPN tunnels? Since Firebox x550e only has 5 Mobile VPN client
>> licences included, but with Firmware PRO upgrade I get full (75) SSL VPN
>> client licences, I'm thinking of using SSL VPN access for all users who
>> will
>> need access from home computers.Are there any other differences/features
>> between these two types of VPN? Primary my clients need to access (from
>> their home computers) file-shares on servers and some local applications?
>> Thanks again!

>
> First, let me say that file sharing is a bad idea over VPN, in general,
> as it often has people not waiting long enough for things to happen,
> since you never get a fast response - because their home ISP connection
> is normally very slow. I would rather see you SSL into the firewall,
> authenticate with it, then allow Remote Desktop into a terminal server.
>
> So, with a 100mbps connection, should consider a 100mbps VPN capacity
> also, if you're going to make that much use of VPN's.
>
> Any method you use, SSL or Mobile will work, it's just how you setup the
> vpn.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)



#14
Old 09-02-2008, 07:09 PM
Trev
 
Posts: n/a
Re: Firewall recommendations WATCHGUARD
On 15 Aug, 16:31, "Mha" <miha.ber...@email.si> wrote:
> Thanks again for all the information, it is always very helpful.
> Yes, I know it's the lowest version of the firewall, but there won't be any
> high activity on it. Users behind it will primarily use HTTP to surf the
> web, the general purpose of 100Mbps fiber is that we have one apache web
> server with a few internet sites on it and internal mail server (Exchange)
> for 50 users, so we need a strong line, but I think that for our line of
> business and a small profile of a company also 50Mbps line would be enough.
> Also users who will VPN from their home computers (slow DSL line) will
> primarily connect to the terminal server, and we have one small branch office with
> 2 users that will be connected via site-site VPN connection (they have 2Mbps
> DSL connection) so I think the x550e appliance would be enough or am I
> wrong?
> I don't want to go for a higher Firebox like x750e or x1250e because the UTM
> services subscription is much more expensive than on the x550e model, and also
> the higher model is much more than we need for our company.
> So if I got this right, there is no need to buy extra licences for Mobile
> IPSec VPN for home users to connect, since I get with FirewarePRO full (75)
> client licences for SSL VPN and users can use this kind of VPN instead of
> Mobile IPSec with the same functionality?
> Regards,Miha

Hi, I hope this helps.

We use Watchguard firewalls in our company (in a global environment); after
trying several different types we found these to work great, including
domain replication, data, mail (Exchange), DameWare, MSTSC, just about
everything a network needs, including security. Have a look on eBay,
you can get some cheap ones. I saw this the other day, 2 months old
and only used for 3 days; something like this may be of some use.

http://cgi.ebay.co.uk/watchguard-x20...d=p3286.c0.m14

Trev
#15
Old 09-03-2008, 10:38 AM
Leythos
 
Posts: n/a
Re: Firewall recommendations WATCHGUARD
In article <b9fd5daa-df8b-444a-b7cb-c61aca966301
@e39g2000hsf.googlegroups.com>, trevor-dustan@lycos.co.uk says...
> We use Watchguard Firewalls in our company (In a Global Env) after
> trying several different types we found these to work great including
> Domain Replication, Data, Mail (Exchange), Dameware, MSTSC just about
> everything a network needs including security. Have a look on ebay
> you can get some cheap ones, i saw this the other day, 2 months old
> and only been used 3 days - something like this may be of some use.


If you buy on eBay you need to make sure that you get a release, and if
you want to use it, actually change rules, then depending on the version you
will need a valid LiveSecurity subscription. The box is worthless
without the ability to upload the rules.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)