Educause Security Discussion mailing list archives

Re: Firewalls


From: Bob Williamson <bob_williamson () AW ORG>
Date: Wed, 10 Jul 2013 16:08:05 -0700

We are a small boarding school of 500 users.  100mps up and down.

I agree wholeheartedly regarding the PA.  The mindset of apps vs ports is a tough transition and I would even suggest 
it makes the system more complex.  BUT part of the complexity in our environment is because our students range from 
pre-k to 12th so we have to have crazy rules depending on ages/times/etc.

With a high end Watchguard we could not get the throughput the PA500 is giving us.  When we do hit it hard, the Skype 
users don't even miss a beat.

I have also had good luck with the tech support.
Bob

Sent from my iPad

On Jul 10, 2013, at 2:05 PM, "Chris Golden" <cgolden () LEEUNIVERSITY EDU> wrote:

We eval'd a Fortinet and used it for URL filtering, IDS/IPS, and Firewall rulesets and the thing ran 80-90% resources 
constantly.  I ended up with a PA-5020 and we have all these things running (and more) and we aren't even in double 
digits in terms of resources.

The PA-5020 is a beast.  For me it was difficult transitioning from a Checkpoint to the Palo Alto.  I was stuck in port 
mode and needed to think application layer.  But once the mindset changed, I'm extremely happy with the PA.

I have a 600MB connection that’s constantly being used.  (mostly for Netflix and Youtube)

-Chris

Chris Golden
Director of IT Operations
Lee University
423.614.8020
cgolden () leeuniversity edu

From: John Kaftan <jkaftan () UTICA EDU>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU>
Date: Friday, June 28, 2013 2:23 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU" <SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] Firewalls

We have been using Fortinet 1000as for the last 6 years.  We are currently in a firewall RFP to replace these boxes and 
wonder if anyone out there can help.

We are planning on having two firewalls in an HA configuration.  We have about 1500 users on campus and about 2500 
distance and commuter students.  We have a 1 Gb internet connection.  We are only looking to protect our edge.

We are looking at the following options.


Fortigate 1000cs
Cisco ASA 5580s
Palo-Alto 5020s

Reading through the literature can be overwhelming with UTM firewalls.  I'd just like to know if anybody is using one 
of these platforms and the pros and cons you see.  Specifically, we are concerned about support and how the boxes 
perform as you turn on features, also usability.

Thanks

--
John Kaftan
IT Infrastructure Manager
Utica College

