RE: FYI: FW: [fw-wiz] Re: Home/SOHO "Firewall" Routers

> The thing is, "hardware" firewalls are pretty weak when it comes to true
> firewalling. The hardware firewall fans are still thinking of "opening
> ports" when the port based approach is no longer valid when it comes to
> protecting the network. You need stateful application layer inspection,
> strong user/group based authentication for all inbound and outbound
> connections, and the ability to adapt to threats based on more than the
> dumb*ss approach of "closing a port (like the moron ISP's are using to
> DoS legitimate secure Exchange RPC connections by blocking TCP 135).

Absolutely true. However, for a business that for whatever reason can not
afford the costs associated with the top-o-the-line best firewall that ISA
is, a dedicated hardware firewall is 2nd best, especially depending on what
the usage will be. 

Example, I just replaced an aging SonicWall Pro at a client with a new
SonicWall Pro 2040. For around $1.7K, they get an easy to administer solid
firewall with VPNs and easy logging with out 3rd party software. For another
$1K, they can get failover ISP and VPN support. This is a new feature, that
if the primary line goes down, the remote units will automatticcly failover
the active VPN tunnel to the secondary connection and the remote users never
new that a problem occurred. 

To equip a ISA server with similar features will be closer $4.5K or better,
and with a higher administration cost.

Now, I think everyone here knows were I stand on ISA. It is simply the
top-o-the-line firewall there is. 

However, you do not buy a Jaguar to pull a horse trailer around a cattle
ranch in the winter time.

Yes, I know a while back we were able to come up with a ISA box at a penny
under $2K, but that was a basic model.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You




Other related posts: