Re: small schools - nextgen firewalls

[Kevin Halgren <kevin.halgren () WASHBURN EDU>]

Yes, we're using a number of the features, I'd have to review exactly what all we have turned on, but I know we have 
antivirus turned on and various other inspection features and are using content filtering for a very small portion of 
our network as well.  If we have to start scaling something back it would probably be some of the content inspection 
features, the trouble is determining what has the most impact on performance and what risk we'd be adding in doing so.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kramp, 
William D
Sent: Wednesday, January 14, 2015 2:19 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] small schools - nextgen firewalls

Are using any of the Sonicwall Application control, AV, DPI, or content filtering features while experiencing these 
performance issues?

Bill

Bill Kramp
Sr. Programmer/Analyst (Networking)
Information Technology Exchange Center
Buffalo State College
Twin Rise 200, 1300 Elmwood Ave
Buffalo, NY 14222
Bill.Kramp () itec suny edu<mailto:Bill.Kramp () itec suny edu>
PGP Key ID: 3610345A<http://pgp.mit.edu/pks/lookup?op=get&search=0x604DB8DF3610345A>

From: Kevin Halgren <kevin.halgren () WASHBURN EDU<mailto:kevin.halgren () WASHBURN EDU>>
Reply-To: The EDUCAUSE Security Constituent Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>>
Date: Wednesday, January 14, 2015 at 3:11 PM
To: "SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>" <SECURITY () LISTSERV EDUCAUSE 
EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>>
Subject: Re: [SECURITY] small schools - nextgen firewalls

We have a 1Gbps pipe which we routinely do 350+Mbps on.  We use a SonicWall E-8500 and it's been OK, but in the last 
year we've started pegging out the CPUs at peak times.  In theory It has plenty of throughput capacity (in Gbps), but 
it starts hitting its limit on the CPU at about 60,000 packets per second (pps).  That seems to be a more critical 
measure of performance, at least in our case.  We're going to have to do something this year or next, so far there are 
no indications of end-user-noticeable performance impact when it's peaked out, but it's only a matter of time before we 
do.

Kevin

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Julie 
Newton
Sent: Tuesday, January 13, 2015 12:30 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: [SECURITY] small schools - nextgen firewalls

Are there any small schools using SonicWall (NSA 220, NSA250 or NSA 2600 models) or PaloAlto (PA-200, PA-500, PA-2020 
or PA-2050) ?

We currently have 20 MB pipe (we *are* small) but expect 1 GB within <2 years as Google Fiber is installed across 
Austin.  We have 2 discrete networks and want an appliance that works across both with unique filter sets.  I am most 
concerned with malware filtering ability, throughput and a good admin interface.

Currently on older Cymphonix (pre-Untangle), which required an appliance for each network and had a clunky UI and 
filtering did not catch ransomware.

Any suggestions or opinions?

Thanks in advance for your help!

-Julie Newton
Director of Information Technology
----------------------------------------------------------------------------
AUSTIN PRESBYTERIAN THEOLOGICAL SEMINARY
100 E. 27th Street, Austin, Texas 78705

austinseminary.edu