My company is planning a project to migrate from a
traditional frame-relay network to a site-to-site VPN. As part of this project,
we must decide on what firewall and VPN devices we will standardize on.
Currently, we have two remote site-to-site VPN test
locations utilizing Cisco PIX 501 firewalls. These locations are connecting
back to a Cisco IOS firewall and working successfully. Having configured the
PIX firewalls myself, I was concerned about the complexity of their
configuration and troubleshooting. Once we standardize on a device and roll out
the VPN network with these associated firewall/VPN devices, I'll turn this
project over to the network administrator and the network support group.
I'd like the end solution to be as simple as possible
to troubleshoot, monitor, and modify. While I like Cisco products and I like the
idea of standardizing on a Cisco solution, I don't consider the PIX firewalls
to be easy to configure, troubleshoot, or monitor. Sure, Cisco PIX devices do
offer the PIX Device Manager (PDM), a Java Web-based interface for management.
However, I still feel that, even with the Web-based interface, the PIX still
lacks a great deal of user-friendliness and simplicity. Again, while I like
Cisco products, in my capacity as project manager, I don’t want to have to say,
"Here is the excellent solution I came up with, but yes, it is a pain to
do many of the day-to-day tasks." I was curious if I could find a solution
that does the job, but which the network support group would find easy to work
with.
Enter Fortinet
I met with a security consulting firm and, after hearing my
requirements, they recommended that I take a look at devices from Fortinet, a company that I had never heard of. The
consulting firm told me that, yes, there are a large number of choices
available in the VPN/firewall market; however, based on the devices they have
looked at, they felt that selecting Fortinet offered "the most bang for the
buck" in my case.
Some of you reading this may already be very familiar with
Fortinet. For those who aren't, here's a little background on the company. Ken
Xie, the founder and former CEO of Netscreen, founded Fortinet in 2000. I heard
that he left Netscreen because he believed strongly in the use of ASICs
(Application Specific Integrated Circuits) to run devices like firewalls. At
the time, Netscreen disagreed and Xie left to form Fortinet. Today,
Fortinet’s Web site says that it is "the only provider of ASIC-powered,
network-based antivirus firewalls."
This idea of using ASICs is interesting. I'm not a firewall
architecture expert, but this is what I gathered from my research: Cisco
devices use a standard RISC or AMD processor (just like you could find in a
small UNIX server), RAM, and operating systems with applications. By using
ASICs, Fortinet has dedicated chips that speed the processing of things like
firewall filtering, encryption, virus scanning, and traffic shaping. Because of
these dedicated chips, Fortinet claims to be the only provider that can
screen traffic for viruses at "broadband rates." In other words, according to
Fortinet, other firewall solutions that scan for viruses add more latency than
the Fortinet solutions do.
Author's note
I want to take a second to mention that this is not an ad
for Fortinet devices. I'm simply doing a firsthand review of these devices.
This is a review of only two Fortinet firewalls, not an exhaustive review of
all firewall devices available. I can't claim that Fortinet is better than
other devices on the market since I haven't reviewed them all. This article
compares Fortinet firewalls to Cisco PIX firewalls (since PIX firewalls are well
known) and to other firewalls that I have experience with.
Features of Fortinet appliances
Besides being interested in more user-friendliness and
simplicity, some of the other features that attracted my interest in the
Fortinet devices were:
- The FortiGate product can do the same things that I was doing already with the PIX 501: firewall, VPN tunnels, and intrusion detection.
- The FortiGate devices come with additional features that the PIX 501 does not support: antivirus functionality, RADIUS/LDAP user-based authentication with Web logging (syslog), intrusion prevention, Web content filtering, e-mail filtering (antispam), traffic prioritization within the VPN tunnel, and a fast, Web-based interface.
- Fortinet also claims that, because it uses ASICs, the FortiGate firewalls are faster than Cisco PIX firewalls.
- The FortiGate 50A costs about $500, the same price as the PIX 501 units I have been buying.
I really liked the idea of getting more for my money, so I
agreed to demo the Fortinet devices (they didn’t know that I would eventually write
a review).