sub $500-750 CPE firewall for voip-centric application

Tim Raphael raphael.timothy at gmail.com
Fri May 6 01:04:47 UTC 2016


The SIP ALG in the Juniper SRXs is definitely one of the best I’ve come across.

I defaulted to turning it off based on my previous experiences with SIP ALGs and NAT; however, it became apparent that it actually worked really well, and I ended up defaulting it to on.

- Tim


> On 6 May 2016, at 3:37 AM, Andrew Kirch <trelane at trelane.net> wrote:
> 
> Both the Juniper SRX, and the Mikrotik will work.
> 
> The problem isn't firewalling, it's NAT.  NAT is evil.
> 
> Perhaps having enough IP Addresses would be a better solution?
> https://www.youtube.com/watch?v=v26BAlfWBm8
> 
> On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfreita at mtu.edu> wrote:
> 
>> I'm a huge fan of Juniper's SRX line. I use all the features you point out
>> at home on my SRX210, although that product is end-of-life. A refurbished
>> SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
>> support is extra, but I'm not sure how much.
>> 
>> I haven't used it myself but I have seen the packet capture in action.
>> It'll save any traffic you want right out to a pcap file too. I also like
>> "show security flow session" - shows you the source, destination, ports,
>> how long a session has been going, and number of packets and number of
>> bytes transferred.
>> 
>> Matt Freitag
>> Network Engineer I
>> Information Technology
>> Michigan Technological University
>> (906) 487-3696
>> http://www.mtu.edu/
>> http://www.it.mtu.edu/
>> 
>> 
>> -----Original Message-----
>> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Nick Ellermann
>> Sent: Thursday, May 5, 2016 2:51 PM
>> To: Mel Beckman <mel at beckman.org>
>> Cc: nanog at nanog.org
>> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>> 
>> You're exactly right, Mel. Dell has really turned the Sonicwall platform
>> around in the past few years. We dropped it a year or two before Dell took
>> them over. Back then Sonicwall was full of issues and lacked important
>> features that our enterprise customers required. If you have budget, Palo
>> Alto is something to look at as well, but don't overlook Sonicwall and
>> FortiGate.
>> 
>> 
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>> 
>> E: nellermann at broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>> 
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>> 
>> 
>> -----Original Message-----
>> From: Mel Beckman [mailto:mel at beckman.org]
>> Sent: Thursday, May 05, 2016 2:49 PM
>> To: Nick Ellermann <nellermann at broadaspect.com>
>> Cc: Ken Chase <math at sizone.org>; nanog at nanog.org
>> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>> 
>> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
>> firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
>> SonicWalls are easier to configure, but have fewer features. Fortigate has
>> many knobs and dials and a very powerful virtual router facility that can
>> do amazing things. The two vendors have equivalent support in my opinion,
>> although Fortigate tends to be more personal (Dell is big and you get
>> random techs).
>> 
>> Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
>> but mostly I think because they're Cisco-only. PaloAlto is expensive for
>> what you get. Functionally they are on the same level as Fortigate, with a
>> slightly more elegant GUI. But Fortigate can be configured via a USB
>> cable, which is a huge advantage in the field. Legacy RS-232 serial ports
>> are error-prone and slow.
>> 
>> -mel
>> 
>>> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann at broadaspect.com>
>> wrote:
>>> 
>>> We have a lot of luck for smaller VOIP customers having all of their
>> services run through a FortiGate 60D, or higher models. 60D is our go to
>> solution for small enterprise. However, if we are the network carrier for
>> a particular customer and they have a voip deployment of more than about
>> 15 phones, then we deploy a dedicated voice edge gateway, which is more
>> about voice support and handset management than anything.  You do need to
>> disable a couple of things on the FortiGate such as SIP Session Helper and
>> ALG.  We never have voice termination, origination or call quality issues
>> because of the firewall.
>>> FortiGate has a lot of advanced features as well as fine tuning and
>> adjustment capabilities for the network engineering type and is still easy
>> enough for our entry level techs to support. Most of our customers have
>> heavy VPN requirements and FortiGates have great IPsec performance.  We
>> leverage a lot of the network security features and have built a
>> successful managed firewall service with good monitoring and analytics
>> using a third-party monitoring platform and Fortinet's FortiAnalyzer
>> platform.
>>> 
>>> Worth looking at, if you haven't already. If you want to private message
>> me, happy to give more info.
>>> 
>>> 
>>> Sincerely,
>>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>>> 
>>> E: nellermann at broadaspect.com
>>> P: 703-297-4639
>>> F: 703-996-4443
>>> 
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>>> 
>>> 
>>> -----Original Message-----
>>> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
>>> Sent: Thursday, May 05, 2016 1:54 PM
>>> To: nanog at nanog.org
>>> Subject: sub $500-750 CPE firewall for voip-centric application
>>> 
>>> Looking around at different SMB firewalls to standardize on so we can
>> start training up our level 2/3 techs instead of dealing with a mess of
>> different vendors at cust premises.
>>> 
>>> I've run into a few firewalls that were not SIP or H.323 friendly, however;
>> wondering what your experiences are. Need something cheap enough
>> (certainly <$1k, <$500-750 better) that we are comfortable telling
>> endpoints to toss current gear/buy additional gear.
>>> 
>>> Basic firewalling of course is covered, but also need port range
>> forwarding (not available until later ASA versions for eg was an issue),
>> QoS (port/flow based as well as possibly actually talking some real QoS
>> protocols) and VPN capabilities (not sure if many do without #seats
>> licensing schemes which get irritating to clients).
>>> 
>>> We'd like a bit of diagnostic capability (say tcpdump or the like, via
>>> shell
>>> preferred) - I realize a PFsense unit would be great, but might not
>>> have enough brand name recognition to make the master client happy
>>> plopping down as a CPE at end client sites. (I know, "there's only one
>>> brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get
>>> irritating for end customers.)
>>> 
>>> /kc
>>> --
>>> Ken Chase - Guelph Canada
>> 
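An added example, not code from anyone in this thread or from Juniper or Fortinet, showing what the SIP ALG Tim describes on the SRX actually does to a packet and why Andrew's "the problem is NAT" is the crux: a phone behind NAT writes its RFC 1918 address into Via, Contact and the SDP, and something (the firewall's ALG, or the dedicated voice edge gateway Nick deploys with the FortiGate session helper and ALG turned off) has to rewrite those fields and open the RTP pinhole. The INVITE, the inside address 192.168.1.20, the public address 203.0.113.5 and the port mappings are constructed assumptions.

```python
"""Minimal SIP ALG behaviour: NAT fixup of an outbound INVITE.

Added example for the thread above, not code from any poster or vendor.
Inside address 192.168.1.20, public address 203.0.113.5, the INVITE and the
port mappings are constructed assumptions.
"""
import ipaddress
import re

# RFC 1918 only: ipaddress's is_private also flags the 203.0.113.0/24
# documentation range used for the public side here, so use an explicit list.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: an INVITE as a phone behind NAT would emit it.
INVITE = (
    "INVITE sip:1002@pbx.example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:1001@pbx.example.net>;tag=1928301774\r\n"
    "To: <sip:1002@pbx.example.net>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:1001@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 142\r\n"
    "\r\n"
    "v=0\r\n"
    "o=1001 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 16384 RTP/AVP 0 8\r\n"
    "a=rtpmap:0 PCMU/8000\r\n"
)


def is_rfc1918(addr):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def leaked_private_addrs(msg):
    """Private IPv4 addresses visible in the SIP headers or SDP body.

    With NAT but no (working) ALG these reach the provider, which then sends
    signalling and RTP to an unroutable address: one-way or no audio.
    """
    return sorted({a for a in IPV4_RE.findall(msg) if is_rfc1918(a)})


def sip_alg_rewrite(msg, inside_ip, outside_ip, port_map):
    """Rewrite inside_ip[:port] to outside_ip[:mapped port] where an ALG must.

    Touches Via/Contact (and compact v/m), SDP o=/c= addresses and the m=
    media port, then recomputes Content-Length. Returns the rewritten message
    plus the (outside_ip, port) pinholes the firewall must open for inbound
    RTP. Call-ID, From and To are opaque dialog identifiers and are left alone.
    """
    head, sep, body = msg.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator: not a complete SIP message")
    hostport = re.compile(r"(?<!\d)" + re.escape(inside_ip) + r"(?!\d)(?::(\d+))?")

    def fix(m):
        if m.group(1) is None:
            return outside_ip
        port = int(m.group(1))
        return "%s:%d" % (outside_ip, port_map.get(port, port))

    headers = []
    for line in head.split("\r\n"):
        name = line.split(":", 1)[0].strip().lower()
        if name in ("via", "v", "contact", "m"):
            line = hostport.sub(fix, line)
        headers.append(line)

    pinholes, sdp = [], []
    for line in body.split("\r\n"):
        if line.startswith(("o=", "c=")):
            line = hostport.sub(fix, line)
        elif line.startswith("m="):
            # m=<media> <port> <proto> <fmt...>; a real ALG also maps port+1 for RTCP
            parts = line.split()
            port = int(parts[1])
            parts[1] = str(port_map.get(port, port))
            line = " ".join(parts)
            pinholes.append((outside_ip, port_map.get(port, port)))
        sdp.append(line)
    new_body = "\r\n".join(sdp)

    headers = ["Content-Length: %d" % len(new_body.encode())
               if h.lower().startswith(("content-length:", "l:")) else h
               for h in headers]
    return "\r\n".join(headers) + "\r\n\r\n" + new_body, pinholes
```

Running a real capture (Matt's "show security flow session" output or a pcap off the box) through leaked_private_addrs is a quick way to tell whether the device that is supposed to be fixing the headers actually is; if RFC 1918 addresses still appear on the WAN side, the ALG or session helper is either off or not parsing the message.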


