Network Security Firewalls

Re: Watchguard!

Subject: Re: Watchguard!
Date: Sat, 11 Jun 2005 12:39:25 +0800
Off the subject .. I don't wear a WG T-Shirt .. :-) literally .. ha ha. WG is 
just one of the solutions we work on.

Going into the subject - the performance issues - if you face them on WG, they 
are maybe more related to the architecture .. i.e. it is a hybrid proxy / 
packet filter firewall, and when you use any application proxy, there is some 
trade-off in throughput, considering the RFC compliance and filtering the 
application proxy does, compared to a stateful inspection firewall.

With application proxy firewalls, there is a new trend called Zero Day threat 
mitigation (or something like that) whereby since the traffic is proxied, the 
probability of any of the common attacks passing through is limited. This was 
the case when the Code Red virus and similar worms were prevalent, and none of 
the IIS sites protected by a proxy firewall were hit, unless the rulesets were 
misconfigured. Nowadays, firewalls with some form of intrusion detection sort 
of mitigate such problems, but there is a trade-off again - performance: all 
traffic has to be compared with the signature data base.

If anybody in the forum requests, I can post a short write-up comparing 
application proxy firewalls with packet filters (or stateful inspection 
firewalls).

Well, when it comes to a situation where high throughput or large number of 
connections are required, then I take WG out of the scene and propose a SPI 
firewall, like Sonicwall or Netscreen.

Note my previous comments: for SME solutions - WG is a good fit. There are some 
new developments from WG, but let's not make this forum a free for all sales 
pitch :-) 

My recommendation - evaluate, and if the reseller in your area can get a trial 
set, run a trial. Most customers get impressed with the management features and 
reporting functions on Watchguard, while few have been overwhelmed and turned 
off when they are used to web based management products. Sometimes the best 
firewalls in the market may not be the best fit for you, e.g. Checkpoint or Pix.

I had a few customers who migrated from Checkpoint or Pix to Watchguard, 
Sonicwall or Netscreen, simply because of the administration, management, 
support or licensing issues. For me it was a sort of downgrade in security, 
going from one of the world's best firewalls, to a lower firewall: end of the 
day, if you cannot manage it - it is as good as no firewall. Unfortunately for 
most SMEs the person in charge of IT is not always an IT Security person. If 
they prefer web based management like Sonicwall or Netscreen / Fortinet - well, 
there is not much choice left there. I would advise the customer to go with a 
firewall "THEY" are comfortable with, not always what I like or am comfortable 
with. That is the best form of offering "solutions that meet customer needs"

Best regards,

Naren

T. Naren - Dip M, CCDA, 
Certified Engineer - Watchguard and Borderware
Certified Sales Expert - Watchguard
Technical Manager - Pactech (http://www.pactech.net)
Blk 211, Henderson Road, Singapore 159552, 
Tel: +65-62711123, Fax: +65-62703919
Email: naren@pactech.net Mobile: +65-90044249/+65-98325775

# For thought
Briefing - spending a long time saying nothing. 
De-briefing - spending a long time saying nothing after you have done it

  ----- Original Message ----- 
  From: Pablo Hauser 
  To: Naren ; aolverar@bancoazteca.com.mx ; CJ (Joseph A.) Ondeck 
  Cc: firewalls@securityfocus.com 
  Sent: Friday, June 10, 2005 9:05 PM
  Subject: Re: Watchguard!


  I think you don't agree just because you're with WatchGuard T-Shirt :D
  WG appliances (at least the generation we're talking about) is lower than 
  other vendor similar appliances (speaking about performance). That causes the 
  migration of couple of clients from this platform to any other which could 
  handle the throughput rightly.
  It was a radio station, so the ports opened were not large but maybe the 
  number of connections were large (I really don't think so, but we can let it in 
  doubt).

  On small clients never had problems, is stable; anyways, I don't want a WG 
  for my company if that answers the first question :D

  Naren <naren@pactech.net> wrote:
    Hi all,

    my $ 0.02

    I don't agree with the 'hang' thing.

    I have supported WG products for more than 6 years, and the only reason a 
    firewall can hang (if at all) is for somebody opening a large number of ports - 
    or .. a DOS (like a worm ... ), or too many connections (as one of my 
    customers faced - he had more than 400 pop3 accesses into his low end box meant 
    for average of 100 users) 

    Even when the box faces a DOS, the problem happened only rarely in older 
    versions. The newer OS releases are very very stable. 

    I like WG because of the security, in the GUI (168 bit) and the detailed 
    logging, reporting, and realtime monitoring, things which really help when you 
    want to isolate a problem and walk out of the customer site. The reporting 
    which comes free is excellent for management information. (MIS - is management 
    information .. what's the point of having a firewall that can't give decent 
    reports for information ... ) And building VPN connections is the 
    simplest thing you could ever do .. I could go on and on .. and forgive me - I 
    do support or have supported other products.

    And the average time I spent for training a customer where they were 
    migrating from CP FW 1 or Netscreen - was less than 2 to 3 hours. 

    My company is a reseller for WG and above maybe a biased comment, but the 
    truth is - for SME market - it is an excellent product. 

    When it comes to large enterprises it is a different ball game, since there 
    are other concerns like level of certification and x y z.

    The comments are my own, with more than 60 Watchguard firewalls of 
    different sizes under my care, or under my partner company's care.

    Naren

    (as I said - the above is my personal opinion .. )

    T. Naren - Dip M, CCDA, 
    Certified Engineer - Watchguard and Borderware
    Certified Sales Expert - Watchguard
    Technical Manager - Pactech (http://www.pactech.net)
    Blk 211, Henderson Road, Singapore 159552, 
    Tel: +65-62711123, Fax: +65-62703919
    Email: naren@pactech.net Mobile: +65-90044249

    # For thought
    Briefing - spending a long time saying nothing. 
    De-briefing - spending a long time saying nothing after you have done it
      ----- Original Message ----- 
      From: CJ (Joseph A.) Ondeck 
      To: aolverar@bancoazteca.com.mx 
      Cc: firewalls@securityfocus.com 
      Sent: Wednesday, June 08, 2005 3:37 PM
      Subject: Re: Watchguard!


      The only Watchguard FW I have installed is a SOHO 6 and it hangs once in a 
      while. Decent product yet I like the Checkpoint/Nokia combo better. 
      Netscreen/Juniper is good also.

      Regards,

      CJ

      At 2005-06-07  14:06, aolverar@bancoazteca.com.mx wrote:

      >Hi everyone!
      >
      >I just would like to know if anyone of you  have had great experiences 
      >with watchguard appliances, I've done some projects (VPN, Firewall routing 
      >for instance) with them and I'm not convinced at all, opinions about it?
      >
      >
      >
      >Andres Olvera R. , CCNA


    This mail has been secured by the MXTreme mail security appliance. For 
information or a no-obligation trial, please contact Pactech Sales Team @ 
sales.sg@pactech.net or visit http://www.pactech.net 




  Pablo D. Hauser

