SBS 2008 Firewalls – reader replies and Webinar reminder

Folks – as I promised in my SMB Advisory newsletter, I am posting reader replies to our conversation about firewall security in Small Business Server 2008 (SBS 2008).

Do not forget to attend our webinar tomorrow morning discussing this exact topic. Sign up here: 

Here is the reply from Jason Harrison (thanks Jason for replying!)


In response to the firewall question in the latest newsletter….


I too have an extensive background with ISA / SBS firewalls (dating back to Proxy 2.0) and decided last year to start making the move towards standalone UTM devices replacing ISA and the basic SBS standard firewall solution.  Why?  UTMs provide yet another critical layer of enhanced security that the SBS platform did not offer.  Now with the SBS 2008 changes, I find myself ahead of the curve a bit in this area.


I started off working with SonicWALL devices.  I continued to look for alternatives because I was not that satisfied with what SonicWALL had to offer.  I did deeply investigate WatchGuard and several others (all that were mentioned in the newsletter plus a few more).  I chose Calyptix Security as the UTM / firewall device of choice for the following reasons:


  • Easy to configure and manage
  • Hardware platform was far superior to the competition (1GHz processor, 512MB RAM, 40+ GB HD – killer hardware man!  Pair it up with SBS 2008 premium and you have EBS lite! :)
  • Software platform – OpenBSD OS: The most secure OS on the planet!  Snort technology: sets the bar by which all other IDS/IPS systems are compared – THE gold standard in the industry, used by FBI and the Pentagon / US Dept of Defense.  DyVax: Calyptix's own groundbreaking, zero day, anti-malware, signature-less, scanning engine – first to catch all of the major threats over the last couple of years based on independent reports.
  • SBS Integration / AD Integration
  • Company has the SBS market square in their sights and wants to become THE UTM choice for the SBS market.
  • Killer features, solid information about security events, traffic trends, web use, etc.
  • Friendly flexible licensing
  • Incredible performance – one user streaming video or some other bandwidth intensive process does not bottleneck at the gateway like on other lower powered devices (SW would choke – only 200MHz processor and 16MB cache)
  • It just works really, really well


Simply put, Calyptix is the box!  We’ve been using it here since early spring.  I have been recommending / deploying it everywhere including replacing quite a bit of other firewalls with the Calyptix solutions.





2 responses to “SBS 2008 Firewalls – reader replies and Webinar reminder”

  1. Good points Jason. I’m not familiar with Calyptix but I would like to say a few words about Watchguard and the comparison of these products.

    I’m less concerned about HD size and CPU Hz in a Firewall Appliance because of the law of diminishing returns. Most firewalls today have more than enough hardware and horsepower to perform any task thrown at them. When comparing Firewalls I primarily look at throughput and concurrent sessions. I didn’t see these listed on Calyptix’s datasheet. For comparison the WG X1250 supports 1.5Gb of throughput, (100Mb w/ AV/IPS scanning) and 200,000 concurrent sessions.

    The major features that set Watchguard apart are that they have the most granular proxies of any vendor on the market and their logging and reporting features are far beyond anything else I’ve seen.

    To address some of the other comparisons:

    Concerning the OS. Almost all firewall vendors started with a flavor of OpenBSD, however most vendors have modified the code so drastically (hardened as they say) that it is now considered proprietary. So I consider this to be a draw.

    Also concerning IPS, everyone uses Snort based signatures. So this is a draw as well.

    The primary features I look for in a firewall are the logical and intuitive interface, logging/reporting features, and granular proxies.

    I’ve never used Calyptix and I’m sure they make a fine product. I’m definitely no fan of SonicWall. I just wanted to throw in my 2 cents and support for Watchguard products. They make wonderful appliances and have excellent support.

    I appreciate the discussion gentlemen.

  2. Tsudohnimh,

    You do make some valid points; however, I did note a few inaccuracies in your post that I wanted to address for all that may stop by and read this thread.

    Don’t take my comments as being negative against a particular brand. They all have their strengths and weaknesses including Calyptix; however, I found the experience of deploying, managing, and sitting behind Calyptix to be far superior to the others I have used. I have tried SonicWALL, WatchGuard, Untangle, Netgear, and Cisco/Linksys – all business class level devices. We for years used ISA as part of SBS Premium. My experience with Calyptix was far better in most areas. In the very few areas where Calyptix was a little weak, I can personally assure you that the development team at Calyptix is working very hard to fill in those small gaps. They are a nimble, dedicated, hard working group and are very dedicated to the SMB / SBS market segment. Its only real weakness is with reporting, which is already being addressed by the development team.

    Most of the firewall devices I have reviewed are running Linux, not OpenBSD. Yes, they are all hardened. Linux has seen far more vulnerabilities in recent years than OpenBSD. That’s not my opinion; that is fact. So for me personally, I feel more confident with the OpenBSD platform sitting on the perimeter of our and our clients’ networks.

    Although currently undocumented on Calyptix’s web site (something that will be changed very soon from what I’ve heard), the throughput and sessions capabilities of the Calyptix devices exceed everything else in its class based on my own personal experience. Until published officially, I am not at liberty to state them here yet, but will follow up as soon as they are officially released. Unofficially, I’ve seen throughput in the 380 MB range with a full load and full scanning (AV/AS, SPAM, and full IPS), which is the real number that counts. Who cares what the raw throughput is with everything turned off or just basic firewall functionality enabled – that defeats the purpose as base firewalls are not enough anymore.

    Networking experts seem to agree that these numbers don’t really mean much as everyone’s mileage will vary based on the specifics of the type and volume of traffic your network has. They simply serve as vague talking points and guidelines for comparison. What really matters is the true experience behind a particular device. Simply put, my experience using a Calyptix device on our network has been the best UTM device experience to date.

    WatchGuard’s proxies are very good and are the most granular; however, if fully utilized, they tend to add a heavy performance burden on the device and in my experience really slowed things down quite a bit.

    Based on my own research, most companies use their own home-grown IDS/IPS system, not Snort. While many are based off the same concept – they are not actually using Snort. If they were, I’m sure they would be claiming to be due to the value of Snort being THE IDS/IPS standard by which all others are compared. When scouting devices I specifically asked each device manufacturer whether their IDS/IPS system was home-grown or based on a standard such as Snort. Home-grown was the answer from all of them.

    Calyptix’s logging and reporting are very good as is, but they are working to really expand the device’s capabilities in this area. When we connected up the Calyptix device on our own network I knew more about what was taking place at the gateway in a matter of hours than I had ever known using other devices. In part this was because of how simple, yet how powerful, the Calyptix solution is. It does not require you to syslog off (although this is an option) to generate reports, etc. It collects the log data on its own internal hard drive and then starts producing solid management reports automatically with minimal effort. You just set what reports you want to see, how often, and provide an e-mail address. It does not get any easier than that! While currently, the reports are not as robust as I would like, they are sufficient to manage most of the really important aspects of the gateway.

    The UI on the Calyptix device is one of its real sweet spots. For the most part it is very intuitive and easy to use. It hands down beats every other overly cluttered interface I have ever used on a UTM device.

    I do encourage everyone to take a real serious look at what Calyptix has to offer!

    Jason Harrison
    Harrison Technology Consulting
