pcns - blog - eric braun, owner.


march 2007 - what does a business class firewall buy?

I've seen several large offices, with 10 to 50 users on a dedicated T1 or high-speed DSL, that have a consumer-branded D-Link, Netgear, or Linksys router. A majority of these firewalls fall into the $50 to $100 price range. So, jumping up to a mid-class router for 10 to 100 users, what does $500 to $2,000 buy? I deployed a Watchguard Soho 6tc and a Watchguard E_Series X55e, and I'll try to point out the differences between a unit like this and a "consumer" or "prosumer" class firewall router. I'm not endorsing Watchguard; similar business class firewalls are available from Cisco, Sonicwall, Netopia, Ascend, 3Com, and Fortinet, to name a few.

Oct 2007 Update

Watchguard X20e: PCNS has installed another Watchguard security appliance, the X20e. This unit included inline virus scanning, spam protection, and Web Blocker, as well as one year of Watchguard support. It is licensed for up to 30 outbound connections. As of Oct 2007 it is a current, not discontinued, model. It was purchased at "cash price" from guardsite.com for $585 USD. This would be ideal for an office of about 20 PCs. Remember, user connections count not only the PCs connected to the Internet, but also all network-attached printers, dedicated file/print servers, wireless access points, and Internet-connected copiers/MFCs, plus room for growth.

(March 2007) Upfront Costs

Purchase price Soho6 TC*: $550, includes 1 year webblocker, 1 year Security subscription $95.

Purchase price X55E: $869, 2 Year Live Security Renewal $414, 1 Year Webblocker Subscription $265.

Soho 6 TC: What do you get for $650? The Watchguard Soho Series is intended for up to 10 outbound connections. Many business class vendors "meter", or limit, the total number of users connecting from inside the network. This allows the vendor to "right price" a firewall according to the number of users in your environment. What happens to the 11th user? No Internet access, so if your company is growing rapidly, you may be upgrading the firewall user count a few times, up to 50 users.

Soho6 TC* and X55e Features:

1.  VPN Endpoint, and up to 5 users of a mobile VPN environment. If you want a secure connection between your home office and either your home or a branch office, the 6TC can form a VPN tunnel between the two sites. This would allow you to see your network resources, such as a network drive, from either office. This feature is not available in all consumer class routers. For additional fees, a software package, "mobile user VPN", can be purchased, which allows portable users to connect to your business network from a laptop computer. This cannot be done on consumer firewall routers. Some prosumer firewall routers, such as the Netgear Professional Class, can.

2.  Content Filtering: Called Webblocker, this feature queries a database of web services hosted by Surf Control, the same company that makes the consumer class Cyberpatrol software and the business class Surf Control. It filters inappropriate websites: in the Watchguard appliance you specify the categories of websites which are not appropriate for business use. I have discovered that some home users use the 6tc as a way to prevent their kids from accessing adult web sites. If you have an office of 10 users, buying 10 subscriptions of Cyberpatrol would cost about $400 per year, versus $95 per year for the Webblocker option. Consumer products are prone to tampering (ending the Cyberpatrol task would effectively remove content filtering), so having the filter in the firewall prevents users from deliberately circumventing web content filtering, because the filtering isn't occurring on the PC. This cannot be done on a consumer or prosumer firewall router.

3.  Business class routers have more granularity in their configuration. You could block Youtube.com, for example, to prevent employees from playing videos at the workplace. However, that won't stop them from going to MSN, Yahoo, or Google Videos and playing videos there. With the X55e, you can block content by type. For example, you could deny all access to "video/x-flv", which would block the Flash-based video format "flv" on all websites. This cannot be done on a consumer or prosumer firewall router.

4.  Support: If you've ever tried to call Linksys or Netgear for support, you know the technical support is pretty bad. Many times you reach techs located in foreign countries, and they are reading scripted answers to the problems you may be having. Support subscriptions from business class firewall vendors (sometimes called security subscriptions) are a yearly fee you pay, which enables you to get support and configuration assistance from technically savvy firewall people. In addition, paying the yearly fee allows you to download the latest firmware.
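The difference between the per-site block and the content-type rule in item 3 above, as an added sketch that is not Watchguard's code or part of the original post. It assumes the filter can read the HTTP response headers; the host names, policy sets and sample responses are constructed for illustration.

```python
# Hypothetical policy: one per-site rule and one content-type rule.
BLOCKED_HOSTS = {"youtube.com"}      # blocks this site and its subdomains
DENIED_TYPES = {"video/x-flv"}       # the media type named in item 3

def parse_headers(raw: bytes) -> dict:
    """Parse a raw HTTP response head into a dict with lower-cased names."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def media_type(headers: dict) -> str:
    """Normalise Content-Type: drop parameters, ignore case."""
    return headers.get("content-type", "").split(";", 1)[0].strip().lower()

def host_blocked(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)

def decide(host: str, raw_response: bytes) -> str:
    """Return the verdict a filter with both rules would reach."""
    if host_blocked(host):
        return "deny:host"
    if media_type(parse_headers(raw_response)) in DENIED_TYPES:
        return "deny:content-type"
    return "allow"

# Constructed sample traffic: (requested host, start of the response).
SAMPLES = [
    ("www.youtube.com",
     b"HTTP/1.1 200 OK\r\nContent-Type: video/x-flv\r\n\r\n"),
    ("video.example.net",   # not on the host list, same video format
     b"HTTP/1.1 200 OK\r\nContent-Type: Video/X-FLV; charset=binary\r\n\r\n"),
    ("www.example.org",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n\r\n<html>"),
]

def evaluate_samples() -> list:
    return [(host, decide(host, raw)) for host, raw in SAMPLES]

if __name__ == "__main__":
    for host, verdict in evaluate_samples():
        print(f"{host:20} {verdict}")
```

The rule keys on the Content-Type the server declares, so it complements the site and category rules rather than replacing them.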

X55E Features

1.  Traffic Shaping. The X55e can shape traffic. Companies may do this to prioritize outgoing and incoming Internet traffic. If the business lifeline is e-mail and corresponding with customers, a traffic priority can be set which makes the firewall give e-mail traffic higher priority than, say, HTTP (web surfing) traffic. Suppose you want to limit the use of instant messengers or peer-to-peer file sharing programs, such as Limewire. You can configure the firewall to curtail, or completely block, non-business traffic like IM and file sharing. This cannot be done on a consumer or prosumer firewall router.


Performance. Contrary to popular belief, you do get what you pay for. Business class routers give you better performance, throughput and TCP/IP connections to the outside world. For a company of 50 users on a consumer class router, the T1 may perform faster with a business class firewall. The prosumer Netgear FV114 has a maximum VPN throughput of 2.1 megabit per second (3DES encryption), versus 20 megabit per second VPN throughput (3DES encryption) for the Watchguard Soho 6 TC. WAN-to-LAN throughput is rated at 11.5 megabit per second on the Netgear and 75 megabit per second on the Soho 6 TC. If you have Verizon Fios (with capabilities of up to 20 megabit/second downloads), Fios could feed data faster than the consumer Netgear could handle, so you may not see the full benefits of Fios.

Netgear continues edging into business class firewall router territory with their Pro series line of routers. One product I thought held promise was the dual-WAN Netgear Gigabit VPN Router FVS-124G. It has an astonishingly low price compared to business class routers like Watchguard, but end user reports give it very bad reviews. I imagine it may be a good product; however, these routers appear to lack real-world testing. Perhaps in a year (or two) this may be a worthy contender.

*Note: the Soho Series of Watchguard routers has been discontinued.