Expanding network, need better firewall

posted on Oct, 22 2015 @ 02:50 PM
I have been in the IT field for about 17 years. I do mostly small business networks and rarely have to deal with anything considered "large".
But I have a client who is expanding his network to include IP phones and will need to increase the capacity of the firewall for multiple reasons. I am certified with Sonicwall and am familiar with their products. I like their functionality and safe operation (blocking capabilities).

I am getting into an area where it's a bit over my head. I need some advice on which device to get. I was told an NSA2600 would be correct. We plan on having a scalable fiber connection (20mb up and down) for our main pipe and a backup cable modem (50mb advertised but more like 5-7 when the kiddies come home from school).

So I will need failover capabilities as well as wireless communication. Anyone in larger IT departments (the real world) who has advice would be wonderful and greatly appreciated.

We have about 60 PCs at each location, and will have about 35 phones (IP) at each location (and about 30 personal phones that also connect to the wireless).

Currently we have a TZ200W at both locations.

Thanks in advance for any advice on this.




posted on Oct, 22 2015 @ 02:58 PM
a reply to: network dude
That is over my head, so I sent to my housemate who may know.



posted on Oct, 22 2015 @ 03:03 PM
a reply to: reldra

Thanks!



posted on Oct, 22 2015 @ 03:03 PM
a reply to: network dude

I don't know about Sonicwall.

We use Cisco routers and a PIX firewall.

Cisco does have a way to fail over to another router.
We use that in case our cable modem goes down and we have to route to a different connection.

Sonicwall might provide the same, but you may need two routers. I'd speak with the Sonicwall vendor to see if they support that.



posted on Oct, 22 2015 @ 03:20 PM
I have a serious disdain for all things Sonicwall myself but that's mostly based on experience years ago. Cisco ASAs and Fortinets are always popular. I personally use pfSense but I'm cheap and I don't mind tinkering with packages. You can't beat the bang for your buck with something like pfSense/untangle/ClearOS. I'm running squid+squidguard, snort, pfblockerng and a few other things for the cost of a core i3.

EDIT:

The Avaya phones have their own point-to-point between locations, but I have a site-to-site VPN for failover connectivity if that goes down, and the phones are fine at the remote location (obviously no impact on the side with the PRI). We have a crappy electrical grid here in south Jersey, and after the battery backups die at the upstream POPs, the fiber goes with it, so I installed some Cradlepoint MBR1400s maybe a year and a half ago with a plan from Verizon. The bandwidth is fine with an LTE connection, but the latency is a bit high for VoIP. I actually haven't tried it out because our Avaya servers fail over to a couple of POTS lines at the remote locations.

EDIT 2:

And for wireless APs, I cannot say enough about D-Link really. The DAP-2690 is like $200 and I'd put it up against Cisco AiroNet APs 3-4x as much. All the features you'd expect in a higher end AP software wise, rock solid performance, slick AND useful GUI, nice metal chassis, PoE, plenum rated, etc etc. I've recently moved to these from the discontinued DWL-3200AP which was also quite awesome.



posted on Oct, 22 2015 @ 03:26 PM
a reply to: theantediluvian

I use pfSense as well. I maintain K-12 school districts. My max node count is about 400 at one location. What hardware do you use? I use decommissioned Xeons. I usually try for striping the drives; I think it helps with the squid cache. I also use IPsec for my VPN between sites. I don't really see the need for a hardware device. CARP provides failover too. I went to pfSense because building all the functionality with FreeBSD was a pain for many years, but I got OK with BSD. If you get the traffic shaping down, it's nice.

I like the quick xml backup and restore. No waiting for that RMA to arrive! Just grab the closest PC and an extra NIC.




posted on Oct, 22 2015 @ 03:29 PM

originally posted by: theantediluvian
I have a serious disdain for all things Sonicwall myself but that's mostly based on experience years ago. Cisco ASAs and Fortinets are always popular. I personally use pfSense but I'm cheap and I don't mind tinkering with packages.


Same here. I work for a smaller company that has about 75 users and many IP phones all in one location. pfSense has worked well for us and also supports failover to another connection. I believe it is viable for larger networks too, but don't quote me on that.



posted on Oct, 22 2015 @ 03:45 PM
a reply to: ttropia

The best of the bunch right now is an i5-4570 w/6 gigs of RAM and 3 Intel NICs (some model from the HCL). I didn't even bother with RAID (even fakeraid) for the cache, and I haven't noticed any issues with about 40 users behind that one.

I'm a big fan of open source solutions in general: I migrated all of our physical servers to VMs on XenServer a couple years back and the iSCSI storage repositories are located on NAS4Free boxes. That's worked out particularly well.



posted on Oct, 22 2015 @ 03:46 PM
a reply to: network dude

My vendors are pushing this on me hard. I have sat through some WebEx sessions and really love the product. I just don't like the cost of ownership.

meraki.cisco.com...



posted on Oct, 22 2015 @ 03:52 PM
a reply to: ttropia

I installed a Meraki once a couple of years ago. It was such a radical departure in network security.

Basically, you connect a PC to the Meraki,
configure IP addressing (or PPPoE),
then connect to the Meraki portal and do the rest of the configuration in the cloud. This is the opposite of the way I've seen this done for 20+ years. Personally, I didn't like it, and never sold or installed another one.

I'm running a virtualized Sophos UTM product at the moment. It's way better than the Sonicwall TZ100W that it replaced.

S



posted on Oct, 22 2015 @ 03:55 PM
a reply to: theantediluvian

I agree completely. I moved to Hyper-V and replicate across campus. I use the iSCSI initiator and connect to a FreeBSD host. iSCSI does not do dynamic disk files.



posted on Oct, 22 2015 @ 04:00 PM
a reply to: saneboy

I asked the rep how would I config the AP if we let our cloud subscription expire (K-12 has budget ups and downs).

Basically, he said "You don't".

If these devices are cloud only, I am out.

I use D-Link DWL8200s and such for wireless and run them in an array without a controller (Master/Slave). It's time to upgrade to AC, but what to use???



posted on Oct, 22 2015 @ 06:47 PM
What PBX or UC system drives the phones? Firewalls and real-time traffic are always fun. What do you mean you are any-to-any on UDP 5060 and your media still drops?

I'm starting a conversion of roughly 30k TDM, legacy Nortel on a mix of a SL100-Opt11-CS1K, phones to IPT running on two different CUCM clusters spread across multiple sites and campuses. Are you going Cisco, Avaya Red, Legacy Nortel, something else?

I'm lucky because our IT department is around 400 total people so as the UC Principal I can focus on Cisco Voice and Video while leaving layer 2 and 3 to the network team.

So with that being said, what's your budget?
Assuming you are a Cisco house have you reached out to your partner or sales team?
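The point about UDP 5060 versus the media is worth seeing concretely: SIP signalling on 5060 carries an SDP body that negotiates a separate, dynamic UDP port for the RTP audio, so a firewall that only permits 5060 completes the call setup and then drops the voice. The following is an added example, not code from anyone in this thread; the INVITE, hosts and UDP port ranges are constructed for illustration.

```python
"""Check what a UDP firewall policy does to a SIP call whose media port is
negotiated in the INVITE's SDP body.  Added example with constructed data."""
import re

# Constructed SIP INVITE with an SDP body (CRLF line endings as on the wire).
SAMPLE_INVITE = (
    "INVITE sip:bob@192.0.2.20 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.10:5060\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 114\r\n"
    "\r\n"
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.0.2.10\r\n"
    "c=IN IP4 192.0.2.10\r\n"
    "m=audio 49170 RTP/AVP 0 8\r\n"   # the media port lives here, not on 5060
    "a=sendrecv\r\n"
)

def sdp_media_ports(sip_message):
    """Return the UDP ports the SDP body asks the peer to send media to."""
    head, _, body = sip_message.partition("\r\n\r\n")
    if "application/sdp" not in head:
        return []
    return [int(p) for p in re.findall(r"^m=\w+ (\d+) ", body, re.M)]

def udp_allowed(policy, port):
    """policy: list of (low, high) inclusive UDP port ranges the firewall permits."""
    return any(low <= port <= high for low, high in policy)

def call_outcome(policy, sip_message):
    """Classify what a policy does to the call described by the INVITE."""
    if not udp_allowed(policy, 5060):
        return "signalling blocked"
    if all(udp_allowed(policy, p) for p in sdp_media_ports(sip_message)):
        return "signalling and media pass"
    return "signalling passes, media dropped"

# The 5060-only policy the post describes, beside one that also covers the
# RTP ranges the PBX actually uses (constructed ranges, check your own PBX).
SIP_ONLY = [(5060, 5060)]
SIP_AND_RTP = [(5060, 5060), (16384, 32767), (49152, 65535)]

if __name__ == "__main__":
    print(call_outcome(SIP_ONLY, SAMPLE_INVITE))     # signalling passes, media dropped
    print(call_outcome(SIP_AND_RTP, SAMPLE_INVITE))  # signalling and media pass
```

The same check applies to any stateful firewall in front of a PBX: the RTP range the PBX advertises in its SDP is what must be permitted, and SIP ALG or NAT helpers that rewrite SDP are a separate source of "media drops" worth ruling out.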



posted on Oct, 23 2015 @ 07:29 AM
I like the sonicwall stuff, myself.

For a while, I was running a server rack hosting about a hundred virtual servers on a 100/100mbit WAN connection behind an HA pair of NSA2600s. At times they were busy, but we never had problems other than when the colo got DDoS'd; that would max out the CPU.

For 50 PCs and 50 phones you could get away with a TZ205, but I'd really want to step up to the NSA series at that point to have the horsepower for packet inspection when needed.


For the wireless, look into openmesh. The Sonicwall APs kind of suck, and the heavy-duty firewalls don't offer built-in wireless.
Meraki is neat, but ever since cisco bought them it costs a fortune. Openmesh is cheap, and supposedly you can run your own 'cloud controller' and not use the free web based one.
The old model devices are as low as $10 a pop on fleabay right now, since a new series just came out. Worth picking up a few to play with at home.



posted on Oct, 23 2015 @ 12:08 PM
a reply to: network dude

Cisco ASA or homebrew based on Untangle would be my recommendations. Trust me, I am a data center admin. I know my firewalls.


