sub $500-750 CPE firewall for voip-centric application

Andrew Kirch trelane at trelane.net
Thu May 5 19:37:23 UTC 2016


Both the Juniper SRX, and the Mikrotik will work.

The problem isn't firewalling, it's NAT.  NAT is evil.

Perhaps having enough IP Addresses would be a better solution?
https://www.youtube.com/watch?v=v26BAlfWBm8

On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfreita at mtu.edu> wrote:

> I'm a huge fan of Juniper's SRX line. I use all the features you point out
> at home on my SRX210, although that product is end-of-life. A refurbished
> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
> support is extra, but I'm not sure how much.
>
> I haven't used it myself but I have seen the packet capture in action.
> It'll save any traffic you want right out to a pcap file too. I also like
> "show security flow session" - shows you the source, destination, ports,
> how long a session has been going, and number of packets and number of
> bytes transferred.
>
> Matt Freitag
> Network Engineer I
> Information Technology
> Michigan Technological University
> (906) 487-3696
> http://www.mtu.edu/
> http://www.it.mtu.edu/
>
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Nick Ellermann
> Sent: Thursday, May 5, 2016 2:51 PM
> To: Mel Beckman <mel at beckman.org>
> Cc: nanog at nanog.org
> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>
> You're exactly right, Mel. Dell has really turned the Sonicwall platform
> around in the past few years. We dropped it a year or two before Dell took
> them over. Back then Sonicwall was full of issues and lacked important
> features that our enterprise customers required. If you have budget, Palo
> Alto is something to look at as well, but don't overlook Sonicwall and
> FortiGate.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellermann at broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
>
>
> -----Original Message-----
> From: Mel Beckman [mailto:mel at beckman.org]
> Sent: Thursday, May 05, 2016 2:49 PM
> To: Nick Ellermann <nellermann at broadaspect.com>
> Cc: Ken Chase <math at sizone.org>; nanog at nanog.org
> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>
> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
> SonicWalls are easier to configure, but have fewer features. Fortigate has
> many knobs and dials and a very powerful virtual router facility that can
> do amazing things. The two vendors have equivalent support in my opinion,
> although Fortigate tends to be more personal (Dell is big and you get
> random techs).
>
> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
> but mostly I think because they're Cisco-only. PaloAlto is expensive for
> what you get. Functionally they are on the same level as Fortigate, with a
> slightly more elegant GUI. But Fortigate can be configured via a USB
> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
> are error-prone and slow.
>
>  -mel
>
> > On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann at broadaspect.com>
> wrote:
> >
> > We have a lot of luck for smaller VOIP customers having all of their
> services run through a FortiGate 60D, or higher models. 60D is our go to
> solution for small enterprise. However, if we are the network carrier for
> a particular customer and they have a voip deployment of more than about
> 15 phones, then we deploy a dedicated voice edge gateway, which is more
> about voice support and handset management than anything.  You do need to
> disable a couple of things on the FortiGate such as SIP Session Helper and
> ALG.  We never have voice termination, origination or call quality issues
> because of the firewall.
> > FortiGate has a lot of advanced features as well as fine tuning and
> adjustment capabilities for the network engineering type and is still easy
> enough for our entry level techs to support. Most of our customers have
> heavy VPN requirements and FortiGates have great IPsec performance.  We
> leverage a lot of the network security features and have built a
> successful managed firewall service with good monitoring and analytics
> using a third-party monitoring platform and Fortinet's FortiAnalyzer
> platform.
> >
> > Worth looking at, if you haven't already. If you want to private message
> me, happy to give more info.
> >
> >
> > Sincerely,
> > Nick Ellermann - CTO & VP Cloud Services BroadAspect
> >
> > E: nellermann at broadaspect.com
> > P: 703-297-4639
> > F: 703-996-4443
> >
> > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> >
> >
> > -----Original Message-----
> > From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
> > Sent: Thursday, May 05, 2016 1:54 PM
> > To: nanog at nanog.org
> > Subject: sub $500-750 CPE firewall for voip-centric application
> >
> > Looking around at different SMB firewalls to standardize on so we can
> start training up our level 2/3 techs instead of dealing with a mess of
> different vendors at cust premises.
> >
> > I've run into a few firewalls that were not sip or 323 friendly however,
> wondering what your experiences are. Need something cheap enough
> (certainly <$1k, <$500-750 better) that we are comfortable telling
> endpoints to toss current gear/buy additional gear.
> >
> > Basic firewalling of course is covered, but also need port range
> forwarding (not available until later ASA versions for eg was an issue),
> QoS (port/flow based as well as possibly actually talking some real QoS
> protocols) and VPN capabilities (not sure if many do without #seats
> licensing schemes which get irritating to clients).
> >
> > We'd like a bit of diagnostic capability (say tcpdump or the like, via
> > shell
> > preferred) - I realize a PFsense unit would be great, but might not
> > have enough brand name recognition to make the master client happy
> > plopping down as a CPE at end client sites. (I know, "there's only one
> > brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get
> > irritating for end customers.)
> >
> > /kc
> > --
> > Ken Chase - Guelph Canada
>

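Nick's note further up about having to disable the SIP Session Helper and SIP ALG on a FortiGate is the one piece of concrete configuration in this thread, and it is also the usual answer to Andrew's "the problem is NAT" point: the ALG rewrites SIP/SDP to compensate for NAT and frequently gets it wrong. Below is an added example of what that looks like in the FortiOS CLI. It is my illustration, not Nick's config or Fortinet's documentation. Assumptions: a FortiOS 5.x/6.x-era build; the session-helper entry number (13 here) is whatever `show` reports on your unit and must be read from that output first; the VoIP profile is the stock one named `default`. Lines starting with `#` are annotations for the reader, not CLI input.

```fortios
# Added example, not from the original thread. FortiOS CLI.
#
# Step 1: remove the SIP session helper (the kernel-based ALG).
# The entry ID varies per firmware; read it from 'show' before deleting.
# A default box lists something like:
#     edit 13
#         set name sip
#         set protocol 17
#         set port 5060
#     next
config system session-helper
    show
    delete 13
end

# Step 2: stop the system settings from re-applying SIP handling.
# Defaults on a fresh unit are proxy-based ALG with sip-helper enabled;
# these are the corrected values.
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end

# Step 3: make sure no proxy-based SIP inspection is applied by the
# VoIP profile that policies reference.
config voip profile
    edit default
        config sip
            set status disable
        end
    next
end

# Sessions that already exist keep their helper state until they time
# out; clearing the session table forces the phones to re-register
# through plain NAT. This drops every active session on the unit, so
# do it in a maintenance window.
diagnose sys session clear
```

Two caveats a practitioner will want. First, with the helper gone the FortiGate no longer opens RTP pinholes for you, so either the far side handles NAT (SIP `rport`, symmetric RTP, STUN, or an SBC/voice gateway like the one Nick describes deploying past about 15 phones) or you forward the PBX's RTP port range explicitly in policy, which is exactly the port-range forwarding Ken listed as a requirement. Second, verify rather than assume: `diagnose sys session filter dport 5060` followed by `diagnose sys session list` shows whether a phone's registration session is still being tagged with a helper after the change.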