• Components: Firewall Appliance
• Deployed In-Line between the LAN/Data Center and the Internet
Edge solutions: Layer 2 Firewall or Layer 3 Firewall
[Diagram: firewall interface address pairs 10.1.1.1 / 6.7.7.8 and 10.1.1.1 / 10.1.1.2]
• Fast Ethernet (100Mbps)
• Gigabit Ethernet (1Gbps)
• 10-Gigabit Ethernet (10Gbps)

• Gigabit Ethernet (GE) between LAN and Edge Router
• Data Path
• Bandwidth Services
• Lowest Bandwidth
Access from the Internet to the LAN

Access from the LAN to the Internet


• Performance for WAN interface on Edge router component

• Data Path:
• LAN to the Internet
• USER → ACCESS → CORE → FIREWALL → ROUTER → INTERNET

• Bandwidth Services:
• USER → (GE) → ACCESS → (10GE) → CORE → (GE) → FIREWALL → (GE) → ROUTER → (GE, 100-350Mbps) → INTERNET

• Lowest Bandwidth:
• USER → (GE) → ACCESS → (10GE) → CORE → (GE) → FIREWALL → (GE) → ROUTER → (GE, 100-350Mbps) → INTERNET

• WAN of Edge Router (100-350Mbps)


• Access Policies, Whitelist Access Policies
• RFC 1918 Filtering
• RFC 2827 Filtering
• SMTP Outbound Filtering
• Blacklist Access Policies
[Diagram: source 192.168.1.10, blocked (X)]
[Diagram: 4.4.4.0 /24; source 4.4.4.X, destination 4.4.4.10, blocked (X)]
[Diagram labels: Mail Server; 4.4.4.0 /24; Mail Server; User Desktop, blocked (X)]
[Diagram: User, SSL tunnel, Firewall, SSL tunnel, Website (www.routehub.net); steps numbered 1 to 4]
User wants to reach: https://www.routehub.net
Firewall will decrypt and re-encrypt the session to read all data on the website in clear-text
• Anti-Virus
• File Blocking
• Intrusion Protection (IPS)
• Endpoint Control
• Web Filtering
• Two Factor Authentication
• DoS Protection
• Virtualization
• Business Size: Medium
• Gigabit Ethernet for LAN and WAN interfaces
• Firewall Performance: ~100Mbps – 350Mbps
• High Availability: Active/Passive
• Next-Generation Firewall
• Layer 3 Firewall
• Security Features:
• Anti-Virus, IPS, File Blocking, Web Filtering, Two Factor Authentication
• SSL/TLS Decryption
• VPN support
GOOD BAD
• Medium-sized network • N/A
• NGFW
• Security Features
• Performance
• High Availability
GOOD BAD
• NGFW • Large
• Security Features
• Performance
• High Availability
GOOD BAD
• VPN support • Small-sized network
• 1st Generation FW
• Performance
GOOD BAD
• Medium-sized network • Cost
• NGFW
• Security Features
• Performance
• High Availability
GOOD BAD
• Medium-sized network • N/A
• NGFW
• Security Features
• Performance
• High Availability
Cisco ASA 5500-X Series

Palo Alto Networks Series

Fortinet: FortiGate Series


Fortinet: FortiGate Series

• Pricing Model
• Administration
• Security Features: Two Factor Authentication
• Meets our business requirements
• Medium: FortiGate 200 – 800 Series
[Diagram: Firewall only, 3Gbps, between Internal Interface and External Interface]
[Diagram: VPN only, 1.3Gbps, between Internal Interface and External Interface]
• Firewall: 3Gbps → ~1Gbps
• IPS: 1.7Gbps → ~850Mbps
• VPN: 1.3Gbps → ~500Mbps
• Anti-Virus: 600Mbps/1.1Gbps → ~300-500Mbps
[Diagram labels: FW, VPN, IPS, AV]
Our Firewall Performance: 100 – 350Mbps
