Question: What Firewall and/or IDS would you recommend?

We are currently looking at upgrading our existing firewall (a Cisco ASA5550) and would appreciate any suggestions from the academic community.

What make/model of firewall are you using and how many users does it currently support? We would also be interested in what people are using as an IDS.

If you prefer to comment off-list you can email me at k.ackroyd@bradfordcollege.ac.uk.

Any help or advice would be appreciated.

Answers

Hi Kevin.

We moved from Cisco 5550s several years back.
We opted to switch vendor and went with Juniper's SRX line (the 1400). In the main, the decision was driven by the lack of advanced routing support at the time on the ASA line.

Had we stuck with the ASA we were looking at buying ASA kit (doubled-up for HA) and also a Cisco router (something like an ASR) to set beyond it to do our BGP with JANET.

We found that the Juniper SRX had full-featured routing capabilities as well as some really great advanced routing features. This allowed us to do our BGP peering at the SRX and thus only require the firewall hardware.

Note: You may be aware that Cisco have since seen wisdom and added BGP, NULL routes, etc. to the newer ASA line; I think because they were losing sales to their competitors for the reasons I have pointed out above.

Comparing the ASA to the SRX, I would say you should consider how you work, however. While the ASA has the very nice ASDM interface for management, the SRX has a more limited web-based management interface (J-Web).
For us this was not an issue since we operate mainly at the CLI level and the SRX runs Juniper's JUNOS, which I personally find to be a fantastic CLI interface; superior to Cisco IOS in my opinion.

As for IDS, our SRXs do have the feature, but it does come at the cost of lowering the potential throughput of the devices considerably.

Cisco's top-line ASA (the 5585x's) offer different scales of hardware with IDS/IPS to suit your budget; none are cheap though from my investigations!

Hope this is of some use!

Kind regards,

Simon (UEL).