Educause Security Discussion mailing list archives
Re: NGFW Usage Information
From: "Ferguson, Michael" <mferguson () CHAPMAN EDU>
Date: Wed, 19 Apr 2017 22:42:50 +0000
It was about 2 years ago that we did our Next-Gen FW POC. We didn't consider Juniper SRXs as finalists at the time because we were already running them at our DR site and the ability to manage complex policy configurations via a Web GUI was torturously slow. We generally had to revert to CLI to do configuration changes because of problems with the Web UI. It's gotten a little better since version 15, but in my humble opinion it's not at the level of usability of Palo Alto or Fortinet. Otherwise, I think Juniper is a great networking company and we use them extensively in our network. I can't speak about Checkpoint to any great degree, but I knew colleagues that had problems with them scaling at high levels of bandwidth usage, particularly when doing Application Control. We therefore didn't include them as finalists in our POC because of problems reported by others. Hopefully CP has gotten better, but I think you would want to oversize by at least a factor of 2 (if not more) whatever they recommend to you. I wish we had considered Sonicwall during our POC as I would've really liked to have known how well they perform. But we factored them out because they just don't provide a meaningful CLI, unlike Palo Alto or Fortinet. And regarding Cisco Firepower, the combination of ASA+Sourcefire is still too convoluted and doesn't compare to the usability of Palo Alto or Fortinet, yet it was supposed to be fully integrated by now when we talked to them 2 years ago. So for our POC, the 2 finalists were a Palo Alto 5060 and a Fortinet 3700D (we also included Stonesoft--now owned by Forcepoint--but we ruled them out during testing due to stability problems which likely have been fixed by now). We did multiple tests on both solutions, such as using a visibility fabric to copy our production traffic to each solution simultaneously, assessing Security Effectiveness (with NSS Labs' help) and finally overall ease of use and manageability.
But for us, the differentiator was running Breaking Point tests that simulated real traffic flow so we could estimate expected performance for a certain amount of aggregate bandwidth, especially to know how each box would perform 3-5 years from now as our bandwidth increased. The network topology for the Breaking Point tests was fairly simple: 1 10G ingress port and 1 10G egress port, turning on many NGFW features simultaneously: App Control/ID, URL Filtering, A/V, IPS and Full Logging of all sessions. The tests we ran included the base NSS Labs tests of sending 44K, 32K and 16K HTTP packets at high rates. We also used a Breaking Point test created by Palo Alto based on an AVR (Application Visibility Report) for edu customers and another Breaking Point test developed with Fortinet that simulated a high amount of multimedia content along with other applications like email, DNS, FTP and P2P. I can say the Fortinet 3700D performed twice as fast as the PAN 5060 in all tests, with no errors. As a result, we selected Fortinet and we've been very happy with their solution since. It was also 30% cheaper than the Palo Alto solution. And we feel it gives us at least 3 more years of full capability before we have to think about upgrading. However, if we had chosen PAN, we would probably need to think about upgrading next year due to some of the performance limitations we noticed during our Breaking Point tests. That said, Palo Alto has finally come out with their 5200 series of firewall boxes that hopefully overcome the performance issues we noticed with the 5000 series. I can't speak to how well they've improved in this new line, but I would certainly throw a Breaking Point at it to confirm. In the case of ease of use, Palo Alto did a little better than Fortinet, but not by much. Also, PAN's tech support is well known to be very good, but we've found Fortinet's support to be perfectly adequate and better than other vendors' support that we rely on.
--
Mike Ferguson
Chapman University
Network Manager
714-744-7873
mferguson () chapman edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Miller, Richard H
Sent: Wednesday, April 19, 2017 2:18 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information

Unless things have changed, the problem with CP is that it is hard to get it into a high (> 10GB) performance mix. The PC architecture breaks down as the rate goes up, which is one of the reasons we went away. In particular we had serious issues with throughput using 10GB PCI cards. The chassis architecture of both the Palo Alto and the Juniper support multi-gig throughput. Juniper will support 100GB interfaces and should be able to pass 100GB+ of traffic. In our case we are already approaching consistent 10GB traffic, so the ability to go higher is important. They do now have appliances that have 40GB interfaces, and the carrier grade may reach 100GB. I also have some reservations about combining IPS and NGFW in the same box when you start getting to these rates. Palo Alto appears to be able to combine both functions at higher data rates. In any case, get your vendors to do a PoC and try to span your interface to see if the proposed gear can handle your traffic. (You also can record it off and replay it to simulate higher volumes. It is not as real as live traffic, but you can usually find the bottlenecks.)

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Brian Epstein
Sent: Wednesday, April 19, 2017 9:06 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] NGFW Usage Information

We are a Checkpoint shop. Previously, we had a separate IPS, but chose to use Checkpoint's IPS blade instead. Just like all IDS/IPS, it needs a lot of care and feeding.
The one thing I like about Checkpoint is that I can run it on my own hardware. We have specific needs for copper and fiber. By buying a Dell server, we are able to populate it with the exact NICs we need at a huge cost savings over purchasing a ready-made appliance. I also like that Checkpoint can attach IPv4 and IPv6 addresses to the same object. This reduces the number of objects in the ruleset significantly.

Thanks,
Brian

On 04/19/2017 09:46 AM, Pardonek, Jim wrote:
I've finally been able to convince our leadership to pursue swapping out our IPS and ASAs for a set of next gen firewalls. We are still in the evaluation phase and as a part of our evaluations we are asked by senior leadership to query other universities to get a barometer of what is being used. If you would (and you can PM me) let me know if you have a NGFW and what it is (not needing specifics), it will help us with our decision. The 3 we looked at were Palo Alto, Check Point, and Cisco Firepower. Appreciate any responses in advance!

Best,
Jim

James Pardonek, MS, CISSP, CEH
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086
--
Brian Epstein <bepstein () ias edu>
+1 609-734-8179
Manager, Network and Security
Institute for Advanced Study
Key fingerprint = A6F3 9F5A 26C5 5847 79ED C34C C0E5 244A 55CA 2B78