Question Help in purchase of firewall.

[Gabefh]

Hi.
It is planned to implement a firewall in the company´s network where I work.
I don´t have a clear idea of what considerations should i have, when buying the firewall for the network.
Can you help me please?
Currently the network is: 20 cellphones via wifi, 13 MFP´s, 114 pc/laptop and 70 poe security cams in another vlan, planning in buying a drytek vigor router 3910 and vigor switch g2280x later to manage them.


Thanks in advance.

 

[bill001g]

Only you can say what you are trying to protect. If the security cameras are in a different vlan and there is no routing between the vlans then that would be good enough for that part.
It all depends on what kind of servers you have and what restrictions you have on them. If they are exposed to the internet then the size of the firewall will be based on the amount of traffic. Very few people run their own servers anymore most are hosted and the firewalls are setup with the hosting company help. Internal servers only used by internal machines are not commonly placed behind a firewall but it is the same consideration. Mostly it is the amount of traffic. It take cpu power to run the filter lists so the more traffic the more cpu.

You do not really need to worry about protecting your machines from internet attacks. Your router and the NAT will prevent any direct attacks. Firewall claim to prevent virus and the ability to say filter traffic but that is not really possible. They used to do all this fancy stuff with "deep packet inspection" but because bad people or the governments could do the same all traffic has pretty much been encrypted. Even the ability to protect internet based servers is much harder because the attacks are done inside the https and https is end to end encrypted so nobody can look inside. It has moved back to the server needing to protect itself.

 

[Gabefh]

I´m trying to protect and monitor the internal connections on servers, of each local user and internet access, internet bandwidth,
allow or block attempts to access information on our servers. Monitor communication between computers. View and block applications that may generate risk. Warn of connection attempts from other computers. Warn of connection attempts by applications on your computer that connect to other computers. Etc. I don´t know a firewall who can accomplish this or more. Any suggestions?

If the security cameras are in a different vlan and there is no routing between the vlans then that would be good enough for that part.

Unfortunally it´s gonna be a routng between both Vlans. Maybe i can convince them to do the connection from the corporate vlan to the cam vlan via Internet,

It all depends on what kind of servers you have and what restrictions you have on them.

Don´t follow about restrictions, sorry. Its 2 accounting servers, 1 assists server, 1 file server, 1 samall nas. 2 erp via internet.
I need to know also what services/servers do i have to get for a basic enterprise network.

 

[SamirD]

I´m trying to protect and monitor the internal connections on servers, of each local user and internet access, internet bandwidth,
allow or block attempts to access information on our servers. Monitor communication between computers. View and block applications that may generate risk. Warn of connection attempts from other computers. Warn of connection attempts by applications on your computer that connect to other computers. Etc. I don´t know a firewall who can accomplish this or more. Any suggestions?

I need to know also what services/servers do i have to get for a basic enterprise network.

I think you pretty much answered what you need to be looking for--enterprise grade utm firewall with the capability to handle your network's traffic and your monitoring requirements. I know watchguard, and pfsense can do what you want, but there are many others and you will want one that you're comfortable with as functionally they will all be able to do what you want. Draytek stuff is small business at best. I wouldn't put that equipment in a true enterprise environment.

 

[bill001g]

You are now to the point you need a enterprise firewall. You are going to design your network so the traffic must pass through the firewall so for example the servers must be a different subnet.

What firewall you buy is hard to say. Checkpoint,sonicwall and paloalto are some of the better known brands. All these brands come at a premium price but part of that price includes the pre sales assistance. Most these companys will work with you to help you with a design and tell you what equipment you need.

If you want to do it yourself there are many free software solutions but you need strong knowledge is firewall and network design to get them setup properly.


Note a lot of the application restrictions must be done on the end devices. Like I mentioned all traffic is now encrypted so you can not see what is actually being done other than the IP addresses being accessed. Many of the commercial firewalls have add on options to load monitor software to the clients.

 

[nigelivey]

I would look at pfSense.

 

[kanewolf]

I would recommend that you look at software on the clients to do most of the work rather than routing all traffic through a single point of failure. There are lots of endpoint monitoring software solutions that do much of what you want. That is then distributed on the clients rather than centralized.
If the devices are owned by the business, then there is no expectation of privacy on the device and you can install any software required for business goals.
If the devices are privately owned they should be isolated from the business network in a guest network.

 

[Gabefh]

Draytek stuff is small business at best. I wouldn't put that equipment in a true enterprise environment.

I see, what brands do u think i should get?

I would recommend that you look at software on the clients to do most of the work rather than routing all traffic through a single point of failure. There are lots of endpoint monitoring software solutions that do much of what you want. That is then distributed on the clients rather than centralized.

I use currently Sophos endpoint AV central with edr. The provider suggest me to get a sophos firewall also, so i have everything unified.
But i think i rather get another brand for the firewall for better results.

If the devices are owned by the business, then there is no expectation of privacy on the device and you can install any software required for business goals.
If the devices are privately owned they should be isolated from the business network in a guest network.

I see, tyvm for the advice.

 

[SamirD]

I would recommend that you look at software on the clients to do most of the work rather than routing all traffic through a single point of failure. There are lots of endpoint monitoring software solutions that do much of what you want. That is then distributed on the clients rather than centralized.
If the devices are owned by the business, then there is no expectation of privacy on the device and you can install any software required for business goals.
If the devices are privately owned they should be isolated from the business network in a guest network.

This is a maintenance and configuration nightmare though so I wouldn't go this route.

I see, what brands do u think i should get?

I use currently Sophos endpoint AV central with edr. The provider suggest me to get a sophos firewall also, so i have everything unified.

This is a great idea since you are used to the sophos interface and 'way of doing things'. Having two different one will make you simply have to learn two different devices and you'll get confused.

 

[kanewolf]

This is a maintenance and configuration nightmare though so I wouldn't go this route.

Not true in my experience. Endpoint software has workgroup/enterprise management solutions that provide single panel admin. Most of the time this would integrated with the active directory/group policies.

 

[Gabefh]

Not true in my experience. Endpoint software has workgroup/enterprise management solutions that provide single panel admin. Most of the time this would integrated with the active directory/group policies.

Active directory, group policies, so do i need to implement a windows server for better results or i keep managing pcs and laptops with local administrator accounts?

 

[kanewolf]

Active directory, group policies, so do i need to implement a windows server for better results or i keep managing pcs and laptops with local administrator accounts?

You will definitely have better security with a domain and group policies.

 

[Gabefh]

You will definitely have better security with a domain and group policies.

Okok, any recomendations to watch,read, to know how to use domain n group policies in a enterprise network? If u say it´s worth it, i shall look into it.

 

[kanewolf]

Okok, any recomendations to watch,read, to know how to use domain n group policies in a enterprise network? If u say it´s worth it, i shall look into it.

I am not a windows admin.

 

[SamirD]

Not true in my experience. Endpoint software has workgroup/enterprise management solutions that provide single panel admin. Most of the time this would integrated with the active directory/group policies.

Much, much more work than setting up a firewall that handles all the traffic that way. Most businesses will be handling the endpoints anyways, but most small businesses do not spend the type of money you need to really secure these things, so I wouldn't bet on them.

 

[SamirD]

Okok, any recomendations to watch,read, to know how to use domain n group policies in a enterprise network? If u say it´s worth it, i shall look into it.

Even having these in place won't secure your endpoints. You need multiple layers on top of this to secure the endpoints and you need a firewall solution and then a lot of upkeep to stay on top of every little hack that comes along. Good luck!

 

[Gabefh]

Even having these in place won't secure your endpoints. You need multiple layers on top of this to secure the endpoints and you need a firewall solution and then a lot of upkeep to stay on top of every little hack that comes along. Good luck!

I see, tyvm for the advice.