2 Replies Latest reply on Dec 2, 2011 11:50 AM by syuroff

    Upgrade from SG570?

      Hello McAfee Firewall Enterprise users!


      Our SMB internet access has been managed by a CyberGuard/Secure Computing SG570 for many years, and it's been the type of gear I'd like all my hardware to be. Easy to configure with standard networking knowledge and a dose of logic, and very stable. I'd be happy to use it for more years, but our recent upgrade in connection speed from one of our ISPs has shown we're hitting the performance top end of the 570, and can't get the full abilities of the connection.


      What I'm wondering from one or more of you fellow old-timers from the Cyberguard/Secure Computing days is if the current implementation of the McAfee Firewall Enterprise products is of the same quality as the old gear. Will I appreciate an S1104 for its good interface, unfailing stability and "never have to fix it" just like the 570 that was part of bringing you this question?




        • 1. Re: Upgrade from SG570?



          I guess much depends on what you mean by "same quality". I come from the other end of the spectrum having been a McAfee Firewall Enterprise (MFE) installer since long before it became a McAfee-owned product. So my own exposure to the SnapGear products came about when Cyberguard were bought by Secure Computing. I have an SG565 sitting at home and I have to agree with you that it is a cracking bit of kit. But when it comes to comparisons, Firewall Enterprise (Sidewinder, as it was previously known) is in a completely different league.


          Without wishing to diminish the memory of the SG's, Sidewinder is a full-on, dead-serious, proxy-based firewall product. SG's out-of-the-box behaviour did change with some of the more recent firmware releases, but MFE's default configuration is to deny everything (in either direction), meaning that you have to consciously think about what you wish to allow. To make life a little easier, the setup wizard does provide you with the means of being able to create a rule to allow standard internet protocols to pass out (DNS, HTTP, HTTPS, FTP, SMTP and so on).


          In its current guise McAfee have brought Firewall Enterprise into the "Next Generation" Firewall era. Previously it had the ability to perform layer 7 protocol-level inspection without needing a separate IPS option (though one was present for those who needed to have a tick in the appropriate check box), but now it also has the new AppPrism functionality and a signature database of (as of yesterday) 1350 "applications". So instead of creating rules for HTTP, SMTP, and so on (though you still can), rules can be created for "Facebook", "Skype", and "Twitter". The AppPrism signatures associated with these services provide the firewall with the list of ports it needs to open in order to allow the traffic to pass. It also accounts for the ever increasing list of services now using TCP ports 80 & 443 but which do not conform correctly to the associated protocol standards. There's granularity to these application signatures, providing you with the means to allow users to access Facebook (the page) and view their wall, but not allow them to play games, waste bandwidth uploading videos, chatting, and so on...


          The McAfee Logon Collector module (a free download) is a Windows service which allows the MFE to 'see' who is logged into the domain and where. With this information it is now possible to create user/group-based Firewall rules without requiring the users to perform any form of secondary authentication.


          On top of that there's integrated URL filtering, Anti-Virus, and IPSec VPN functionality. MFE also has an SSL decryption module, allowing previously unscannable traffic to be decrypted on the Firewall, scanned for AV, IPS, etc., and then re-encrypted before passing it on to the user.


          The one thing MFE doesn't have (which the SGs do) is a PPTP or L2TP VPN element.


          To assure you that I'm not a paid McAfee employee in disguise, if you were to ask me to pick a Firewall which I would consider to be a like-for-like replacement for the SG570, then I wouldn't necessarily go with MFE - though I'd be pleased if you did. In my professional capacity I've also been working with the lower-end SonicWALL appliances for the past 2 years and would say that the upper-end TZ model (TZ210) or the lower-end NSA appliances (NSA220 or 240) would be the closest match. They'll probably match the SG on performance and I would go as far as to say that the management experience is probably a bit better. Again, they lack the PPTP/L2TP side of things, but have an SSL-VPN module running instead.


          Hope that helps.





          Message was edited by: PhilM on 02/12/11 16:49:12 GMT
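As an added illustration of two points in the reply above (not code from the thread, from McAfee, or from any product it mentions): the deny-everything default, where only an explicit rule lets a flow pass, and rules written against a named "application" that expands to the ports the firewall has to open. The application catalogue, port lists and sample flows are all constructed for this example.

```python
"""Added example: a tiny first-match policy evaluator with a deny default.
Nothing here is McAfee Firewall Enterprise code; the application catalogue,
the port lists and the sample flows are constructed for illustration."""

from dataclasses import dataclass

# Constructed application catalogue: name -> set of (protocol, port) pairs.
# A real product ships a signature database; these entries are assumptions.
APPLICATIONS = {
    "dns":   {("udp", 53), ("tcp", 53)},
    "http":  {("tcp", 80)},
    "https": {("tcp", 443)},
    "ftp":   {("tcp", 21)},
    "smtp":  {("tcp", 25)},
}


@dataclass(frozen=True)
class Flow:
    direction: str   # "outbound" or "inbound"
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


@dataclass(frozen=True)
class Rule:
    direction: str
    application: str  # key into APPLICATIONS
    action: str       # "allow" or "deny"


def evaluate(flow, rules, default="deny"):
    """First matching rule wins; with no match the default (deny) applies.
    A rule matches when its direction equals the flow's and the flow's
    protocol/port pair is one the named application expands to."""
    for rule in rules:
        if rule.direction != flow.direction:
            continue
        if (flow.proto, flow.dport) in APPLICATIONS[rule.application]:
            return rule.action
    return default


def build_wizard_rules():
    """Mirror the setup-wizard behaviour described in the thread: allow the
    standard internet protocols outbound and leave everything else at the
    deny default (no inbound rule at all)."""
    return [Rule("outbound", app, "allow")
            for app in ("dns", "http", "https", "ftp", "smtp")]


def audit(flows, rules):
    """Return (flow, verdict) pairs so denied flows can be reviewed."""
    return [(f, evaluate(f, rules)) for f in flows]


SAMPLE_FLOWS = [                      # constructed sample traffic
    Flow("outbound", "tcp", 443),     # HTTPS out: covered by the wizard rule
    Flow("outbound", "udp", 53),      # DNS out: covered by the wizard rule
    Flow("outbound", "tcp", 3389),    # RDP out: no rule, so the default denies it
    Flow("inbound", "tcp", 80),       # web in: no inbound rule, so denied
]

if __name__ == "__main__":
    for flow, verdict in audit(SAMPLE_FLOWS, build_wizard_rules()):
        print(f"{flow.direction:8} {flow.proto}/{flow.dport:<5} -> {verdict}")
```

The point of the deny default is visible in the last two sample flows: nobody wrote a rule about RDP or inbound web, yet both are dropped, which is the "you have to consciously think about what you wish to allow" behaviour described above.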
          • 2. Re: Upgrade from SG570?

            First, Phil, my thanks for the amount of time you put into that reply. Very detailed and useful.


            To elaborate on "same quality", I'm thinking

            • Logical setup: With some reasonable if/then brainwork, a half-decent jack of all trades admin (me) can make it do what it needs to do without taking the classes for a vendor-invented certification
            • Set and forget.  I very rarely fix the 570.  I think I've had to reboot it twice since deployment. 


            I totally get that I'm now seeking a whole different level of gear than my 570- it's not asked to do the half dozen analyses on each packet that modern UTM gear is. Everything we're looking at has the very detailed application level firewalling of Facebook yes, Farmville no, but we're not seeking to do that. My $employer is a creative agency, and starting to limit and monitor what people do has HR and work culture reflections that we do not want to introduce.


            I also appreciate you bringing up the flavors of VPN available.  I'm accustomed to doing PPTP and IPSec tunnels- I've never had the gear to do SSL.  Nearly all of the machines I'm responsible for are OS X, so a painless VPN that tunnels ALL traffic (not just published apps) is required.  I need to remote back to my network and get to the admin interface of a printer, RDC to a server without a public interface, and use Apple Remote Desktop to screen share with a user.  My current use of PPTP enables this, but I'm yet to be 100% clear that I get this same functionality with SSL.  I've had other vendors say "sure, our 'tunnel mode' will enable that", but I'm yet to understand exactly how the process of authenticating to a website leads to my entire networking stack seeing a new network.