SoHo/SMB Hardware Firewall (Seeking Recommendations - Accountant)


silekonn

Occasional Visitor
I have no formal training in network equipment. A higher level of protection is welcome. I have enthusiast knowledge. Any recommendations are welcome.

The intent is protection of a small accounting firm (six users at peak). With the recent disclosure of multiple Intel ME vulnerabilities and now those in architectures, it would be irresponsible not to seek to improve protection for a business in the financial services industry.

The requirements are slightly different than other recent posts. The connection is 60/5 cable. A paid product with subscription, a low to zero maintenance model is preferred. Cisco equipment has been good to me in the past and I see Meraki are popular. Someone suggested looking at Fortinet. Other viable options may be Juniper, Sophos, Sonicwall, Barracuda, Check Point, Zyxel, Watchguard and others? Please share your experience if available. Thanks in advance.
 
If low maintenance is preferred, then I would go with a Meraki setup with the enterprise security license. Do your users need to work from home?
 
I have not run Untangle in a few years but it was pretty low maintenance for a UTM. Just remember every time there is a new hack it usually requires software updates. Untangle is pretty good for transparent upgrades. UTM devices are more maintenance than a router but you get more protection.
I had a cousin stay with me one night. His laptop was flagged by Untangle as outputting spam and was shut down by Untangle for internet access.
 
If low maintenance is preferred, then I would go with a Meraki setup with the enterprise security license. Do your users need to work from home?

VPN access would be nice. It is not at this time a requirement. It would be good future-proofing. Zero to low maintenance is critical.

I chatted Cisco, Fortinet and WatchGuard. None of them were helpful. WatchGuard actually said to talk to CDW instead and Fortinet were on their high horse and didn't have the time for small customers. The Fortinet rep. wouldn't say much of anything aside to call a small business and try to receive product information from a reseller.

CDW wanted to schedule a call with one of their network technicians, in two weeks. Yes, two weeks. I told them how utterly ridiculous that was and ultimately the sales rep. did not agree. Speaking with a manager (voicemail) yielded no response. Three or four calls later and I was upgraded to "only one week later" at which point the sales rep. out of the blue sent an email for a teleconference 30 minutes before she wanted to have it. The email did not arrive and it took another two or three days before she pulled the same stunt, giving me an entire hour.

Over two weeks to prepare and they didn't know which models of even the Merakis to recommend based on the bandwidth! It was in the initial message to them, 60/5 to start and 200/10 in the future, five users or less. Ideas?

I always liked CDW. My mistake? The network tech. was only slightly more personable and skillful than sales and his entire agenda was push Meraki. They are great. When asked about WatchGuard, the company that recommended CDW first, the reason I initially contacted them? He didn't know. He heard they were OK.

Hours and the frustration of dealing with clueless pr--fine individuals and I am none the wiser. If I wanted to frivolously spend $400/yearly, Meraki are fantastic(!). WatchGuard and Fortinet both, per my understanding, are much lower in cost and the protection is comparable if not better (Cisco is just entering mainstream, or any level[?], with these products; the other two companies appear devoted principally to these product lines).

I would like to add protection. Doing so means having an informed opinion, something CDW would have me believe means believing their 'brand' of information. I am not looking to throw money at a problem that takes research, nor do I believe big brother Cisco is instantly the best choice. If you can add anything, please, enlighten me. Your assistance is appreciated.

Silekonn
 
Five or six users does not require enterprise level equipment. You can quickly get in over your head especially with no network training. There is a limit on what you can do for a 6 person office. Go slow.
 
The grade of security that provides a complete security solution is seldom available "sub enterprise." Relaying "you can't have great security without more users and a degree" is minimally uninformed. If you know of something consumer grade that offers similar protection, please detail it.
Here is the description of a Fortinet lower-end model:

Firebox T15
Enterprise-grade security in a small package - the T15 is ideal for sites with a few users and simple networking needs, such as remote virtual offices and homes.

Notice the phrase "homes." What is lesser without sacrificing protection? I am hoping the next suggestion won't be to pay someone to do the job for you. Anyone able to share their knowledge please feel free to do so. Thanks in advance.
 
My thought on the post above was that in an enterprise there is usually someone trained in handling network security, and this is what they do. At a 6 person shop this is not going to happen. As security issues come up, Cisco posts work-arounds until patches can be applied to equipment. Who is going to dynamically change configs on equipment until patches can be applied? And then keep up with the patches and change things back once the patches become available? Who is going to explain to management that you can't do this one thing for a few weeks while we are waiting on patches to fix it?

So even if you spend the money for the equipment, you will not be at the same level of expertise that an enterprise runs at. You are missing a key ingredient: the skilled security person.

Security does not stop at just the firewall. It covers all equipment: routers, switches, wireless, workstations, iPhones, email, etc. In an enterprise there are people to cover all this and keep up with security.
 
Do not purchase a higher grade of security unless you will patch with greater frequency? The patches are complicated or otherwise more difficult than the average consumer-grade equipment? Which of the two do you believe apply? I am having trouble seeing your point.

Everything should be updated. Time should be invested to do regular maintenance. The average consumer Netgear router requires users to apply new firmware. I am looking for recommendations for a high grade of security. You are telling me reasons only professionals should handle expensive equipment.
 
I am just telling you there is much more awareness of what is going on at an enterprise level than at the Netgear level. You choose. There is no line in the sand.

I have worked on a Cisco firewall and it is way more complicated than a Netgear router. There is no easy setup. You plan it out on a whiteboard based on your network and then program it using the command line. If you want NAT then you program it. I would not recommend it without Cisco training and network training. You will be lost.

PS
I guess you understand work-arounds are not patches; they are temporary solutions. They are what you have to do until a patch comes out, which means you are changing your network in a different way. This change may flow all the way down to the workstation or iPhone, who knows.
 
I chatted Cisco, Fortinet and WatchGuard. None of them were helpful. WatchGuard actually said to talk to CDW instead and Fortinet were on their high horse and didn't have the time for small customers. The Fortinet rep. wouldn't say much of anything aside to call a small business and try to receive product information from a reseller.
I would strongly suggest concentrating on finding a good local firm that specializes in small businesses. As you found, trying to deal directly with product company reps is not helpful because you are small fish.

If you PM me ("Start a conversation") with your location, I might be able to put you in touch with someone who can give you better advice.
 
OK. I asked for assistance with selection. After six posts we have yet to work out how proud you are. This is definitely not something anyone without certification should be doing. I understand your opinion and respect it, sir. I disagree. Please leave it at that.

Anyone have experience and willingness to share it? Please provide it in no small terms. Any assistance is appreciated.
 
I think he is not a techie and he does not get it. There have been a lot of recommendations for and against, but he seems to have missed it.

He may need to spend a bunch of money first.
 
Strongly recommend you seek an IT firm to help you set this up, there's a LOT more to look at and consider since you have a business network, especially a high target such as an accounting firm. We have quite a few accounting clients and there's a LOT of regular monthly work we do with them, just on the maintenance and "checking on things" aspect.

"Set and forget" was fine 20 years ago, but not these days. The firewall should be customized and set up for the services you have on your network, ideally configured to work with your server's Active Directory so as to manage the workstations by usernames, not random IP addresses. Possible port forwarding done, and we do tweaking for priority to certain websites you frequent, such as remotely working on Thomson Reuters.

Sophos and Untangle are two products I'd recommend you look at, we used to be a Cisco house years ago in the PIX and early ASA days...but Meraki...IMO..overpriced for what it gives you, plenty of alternatives that give you much more for less $.
 