Wednesday, May 22, 2019

NGFW/UTM/Security Platform recommendations for Distributed SMB

About the company:

I just joined a new company and their security at all layers is... completely missing. I am a one-man team for a total of 40 users at 14 offices, so this will be a lot for me to take on, but I still want the solution to be robust.

12 employees at the corporate office and 1-4 employees at each branch, mostly 1-2; one office has 3 and one has 4. Most users are stationary, but we do have 5 that travel frequently.

I would like to have a solution that is easy to implement and manage but at the same time still has all the features and capabilities of an enterprise-grade solution. I want the learning curve to be minimal, as I have only worked with a few of these options minimally before, but I am not opposed to learning a new OS if it's what's best for me, so no comments about sticking to what you know, because I barely know.

My plan:

I am moving our server into Azure VMs to host a few applications that are seldom used and can't be hosted. I also plan to run our Active Directory, GPOs, DNS, DHCP, etc. through this server. I want to put a physical firewall at corporate, a virtual firewall in Azure, and have each office use a VPN router or VPN client to get to a firewall. The reason I am doing this is because it is cheaper than putting a firewall at each location, and I don't trust the internet/power at my corporate office to be reliable enough that it will always be ON. If I direct all my traffic through the corporate firewall and anything happens at the corporate office, the entire company will lose access to the internet unless I use some sort of rule that allows traffic to flow straight to the internet unprotected if there is no connection back to corporate.

Design:

Corporate > Firewall at HQ > Internet

Branch Offices > Firewall at Azure > Internet

My Needs:

I would like a solution that has everything I need bundled into one service. Being a one-man team, I would hate to have to log in to 3 or 4 different services to get to what I need.

What I need:

  • URL Filtering
  • SD-WAN for VOIP
  • Reliable VPN tunnel - IPSec
  • Endpoint protection
  • Email protection
  • Web protection
  • IPS/IDS
  • CLI
  • VRF
  • Something easy to manage and understand for 1 person

Ranking each vendor according to my use case:

1) Palo Alto

The best to ever do it. Described as the company that "just works". Not many bugs reported, not a lot of hiccups on implementation, they just do it better than everyone else.

Pros - The best, they offer everything on my list except email protection I believe which isn't a huge deal.

Cons - Price tag. They do not offer routers that can create a VPN tunnel, so I would have to use their GlobalProtect client that creates a software VPN, but I fear this will not be reliable. There is also the concern that it will not always be on and my employees will forget to sign in unless I can write a script that keeps it always on. Doubtful I will be able to turn it off when they wouldn't need it. TRAPS uses a different method to detect and prevent threats, which is a little concerning to me until it's fully tested. Also, there is no synchronized security in Panorama, which concerns me since I will be remote from everyone.

2) Sophos

Middle-of-the-road solution, affordable, all packaged into one clean solution. Has everything on my list except a good CLI, according to my research. Their XG firewall is still in its infancy, but I hear they are making massive improvements since its inception. XG v17 was a massive improvement over the last OS and rivals FortiOS 6, apparently. The Sophos REDs might be the perfect solution for my use case. Sophos boasts synchronized security, which in theory seems really cool to me: the endpoint protection, the REDs, and the firewalls are all talking to each other, and it is all managed from Sophos Central.

Pros - Sophos REDs, synchronized security, Intercept X, XG for Azure

Cons - The XG is not fully developed. OS can be buggy, I've heard. CLI is lacking. NSS Labs report is concerning. They claim to have ridiculous output on their website, but I am not sure if this is marketing.

3) WatchGuard

New to my list, and their red Fireboxes look sick. Touted as the award-winning, enterprise-grade protection for SMBs and distributed enterprises. That alone put them high on my list, but I have yet to meet with them, so I am waiting to get more information.

Pros - A good fit for my use case.

Cons - Not a lot of people talk about them, so I'm assuming not a lot of people use them. Not enough information out there on them for me to make an informed decision.

4) Fortinet

Palo Alto without the name or price. Has everything on my list and does it just as well as, if not better than, anyone else.

Pros - FortiOS, I've heard, is the greatest thing since sliced bread and has great CLI features.

Cons - They do not have a good solution for a distributed enterprise. I would have to put a firewall at each location, which would cost roughly 20K plus services.

5) Barracuda

If you're going all cloud this is the solution for you. They boast the best firewall for Azure and the greatest VPN clients.

Pros - Backup, email archive and protection, Azure Firewall

Cons - OS has a big learning curve. Has a lot of features that I would not need. No router, and I would have to use a VPN client. I don't think it's good for my use case.

6) SonicWall

Was great back in the day but lost its mojo. Trying to make a comeback but keeps falling short. A good choice if you're on a budget, but even then there are better solutions that cost less. Some people still love them, some people hate them.

Pros - Cheap

Cons - Lacking and they know it but don't really care anymore.

7) Cisco

Complete crap according to everyone on the internet, which I am shocked about. Only worth mentioning on the list to shame them.

Pros - Umbrella

Cons - Everything else

All that being said, do you agree or disagree with my list for my use case? I would appreciate any feedback/recommendations you may have. I am leaning towards Sophos and WatchGuard because they are the most tailored towards my needs. I want to go with PA pretty bad, but the VPN client is a concern and TRAPS is only offered to businesses with at least 100 licenses. Fortinet is a distant third due to pricing.

I did not bother looking into Juniper, CheckPoint, or Forcepoint for numerous reasons and we can get into why if someone inquires.

For anyone that is mad at me:

Ranking each vendor:

  1. Palo Alto
  2. Fortinet
  3. CheckPoint
  4. Barracuda
  5. Sophos
  6. Watchguard
  7. Juniper
  8. Meraki
  9. SonicWall
  10. Cisco

Don't know enough about:

  • Forcepoint
  • PfSense
  • Huawei
  • Untangle
