Enterprise firewalls


  • Enterprise firewalls

    I am curious as to what individuals are recommending for enterprise-level firewalls. Since the previous systems admin never installed one, I placed it at the top of my priorities.

    Another department on campus manages the routers and switches, so essentially I am locked out of the wiring closet -- for now anyways.

    I guess what I would be looking for is a decentralized or distributed firewall -- if that is the correct terminology.

    I am looking to support 1000 users with VPN support. Clients and servers would be OS X, Windows, and Linux. Wired VLANs as well as WiFi networks.

    I've been semi-looking at a Cisco PIX, but I'm not really satisfied with what I have been reading about them.

    If you have any words of wisdom, I'd love to hear them.

    Late.
    Last edited by gethsemane; March 1, 2004, 15:49.

  • #2
    I've always liked Checkpoint from an administrative point of view. It's easy to centrally manage and push policy to a bunch of different firewalls. It's also very easy to administer and work with. I love troubleshooting Checkpoint firewalls as well, as its logging makes it easy to see WTF is going on. Checkpoint also has some cool add-on stuff like their content vectoring stuff to send mail off to be scanned or redirecting 'bad' web traffic. However, after that last remote root exploit Checkpoint suffered from, I'm not sure how it is as a firewall anymore (I haven't used it in over two years, as my current company uses another vendor). PIX are nice and fast, but I have always hated their interface and logging. If nothing else, give Checkpoint's FireWall-1 a look-see to see what they have to offer.

    I return whatever i wish . Its called FREEDOWM OF RANDOMNESS IN A HECK . CLUSTERED DEFEATED CORn FORUM . Welcome to me



    • #3
      I grew up on Checkpoint and dig 'em, but have used PIX for the last four years and have been very impressed. I would investigate those two (btw, in my opinion the Cisco VPN is better than Checkpoint's, but that is just opinion) and not much else. Avoid the proxy-based shit at all costs.
      perl -e 'print pack(c5, (41*2), sqrt(7056), (unpack(c,H)-2), oct(115), 10)'



      • #4
        Follow up Question:

        Is the Cisco PIX decentralized? Can I plug this into the server room, as I cannot get into the wiring closet where all the routers and switches are located?

        Any particular model that would fit this requirement?

        Thanks for the input guys.


        Originally posted by Chris
        I grew up on Checkpoint and dig 'em, but have used PIX for the last four years and have been very impressed. I would investigate those two (btw, in my opinion the Cisco VPN is better than Checkpoint's, but that is just opinion) and not much else. Avoid the proxy-based shit at all costs.



        • #5
          IMHO NetScreen firewalls are the best. I've used PIX and Checkpoint along with most of the others, but have always gone back to NetScreen.



          • #6
            I've worked with NetScreen and CheckPoint.

            Even the engineers who designed and built CheckPoint hate it (probably the company more than the technology). It's not so much that it isn't a good firewall; it's like a Micro$oft kind of thing.

            I have to agree with audit that NetScreen is pretty good. I know that I was disappointed to find that FW-1 was still vulnerable to a half-open scan attack almost a year after the vulnerability was reported to them (2001).

            -ndex
            That's my story and I'm sticking to it.



            • #7
              Originally posted by gethsemane
              Is the Cisco PIX decentralized? Can I plug this into the server room, as I cannot get into the wiring closet where all the routers and switches are located?
              The short answer is yes. However, this is going to largely depend on the topology of your network. Remember that firewalls are largely used as chokepoint devices - traffic filters through them and is acted upon at that point based on a set of rules.

              What this means is that unless you drop your feed to (presumably) the outside world to the point where you want to install the firewall, you're not going to be able to place it as effectively on the network.

              In short: looks like you need to convince the network people to work with you on this, which isn't a bad idea in the first place. After all, architecting from the ground up (or redesigning existing infrastructure) to include a firewall is better practice than simply slapping one on later and hoping it works.

              Any particular model that would fit this requirement?
              I'd recommend the Cisco PIX series, particularly as the management and integration options with an existing Cisco infrastructure are extremely good. Plus, with the level of VPN support you're looking for, they've got the multiplatform client end of things sewn up.

              One of the things you mention is decentralising the firewall. This can be a good idea, but even if you're installing only one it needs to be done in the context of the network it supports. Be prepared to review - in depth - your existing network infrastructure and configuration, make changes where necessary, and re-tool it to account for future expansion. I can't stress this enough - don't just slap a firewall or two on it and hope it works.

              The other things you mention (VLAN support, wireless, etc.) aren't really a function of the firewall - they're things that happen on the network infrastructure. Be careful not to confuse them with 'true' firewalling functions.
              Last edited by skroo; March 21, 2004, 11:24.

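              The chokepoint point skroo makes above can be checked rather than argued. The following is an added example, not code from the thread or from any vendor: it models a campus topology as a graph of links, splices a firewall into one chosen link, and reports which protected segments the outside world can still reach without ever crossing the firewall. The topology and node names (border router, core switch in the wiring closet, server room uplink, user VLAN, WiFi) are constructed assumptions standing in for the poster's network; swap in your own link list.

```python
"""Check whether a proposed firewall placement is really a chokepoint.

A firewall only filters traffic that has to cross it. This models the
campus as an undirected graph of links, splices a firewall into one
link, and lists the protected segments the outside can still reach
without passing through the firewall. Topology is constructed for
illustration (an assumption), not taken from the original post.
"""
from collections import deque

# Constructed example topology: node names are assumptions, not real hosts.
CAMPUS_LINKS = [
    ("internet", "border-router"),      # the feed from the outside world
    ("border-router", "core-switch"),   # wiring closet: routers and switches
    ("core-switch", "server-switch"),   # server room uplink
    ("server-switch", "servers"),
    ("core-switch", "user-vlan"),       # wired user VLANs
    ("core-switch", "wifi"),            # wireless network
]

# Segments the firewall is supposed to protect.
PROTECTED = {"servers", "user-vlan", "wifi"}


def build_graph(links):
    """Adjacency sets for an undirected link list."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def place_firewall(links, a, b, name="firewall"):
    """Return a new link list with `name` spliced into the a--b link."""
    if (a, b) not in links and (b, a) not in links:
        raise ValueError(f"no link between {a} and {b}")
    spliced = [link for link in links if set(link) != {a, b}]
    spliced += [(a, name), (name, b)]
    return spliced


def reachable_avoiding(graph, start, blocked):
    """Every node reachable from `start` by a path that never touches `blocked`."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, ()):
            if nxt == blocked or nxt in seen:
                continue
            seen.add(nxt)
            queue.append(nxt)
    return seen


def bypassed_segments(links, outside, protected, firewall="firewall"):
    """Protected segments the outside can reach without crossing the firewall.

    An empty list means the firewall is a true chokepoint for those segments.
    """
    graph = build_graph(links)
    if firewall not in graph:
        raise ValueError(f"{firewall} is not in the topology")
    return sorted(protected & reachable_avoiding(graph, outside, firewall))


if __name__ == "__main__":
    # Option A: firewall in the server room, on the server-switch uplink.
    server_room = place_firewall(CAMPUS_LINKS, "core-switch", "server-switch")
    print("server-room placement bypasses:",
          bypassed_segments(server_room, "internet", PROTECTED))
    # Option B: firewall at the feed, between the Internet and the border router.
    at_feed = place_firewall(CAMPUS_LINKS, "internet", "border-router")
    print("feed placement bypasses:",
          bypassed_segments(at_feed, "internet", PROTECTED))
```

              With the firewall on the server room uplink, the user VLANs and WiFi still talk to the Internet through the wiring closet without touching it; only moving the firewall onto the feed itself covers all three segments. That is the "drop your feed to the point where you want to install the firewall" argument made concrete, and the same check applies when evaluating where a second, distributed firewall should go.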


              • #8
                This will probably get me flamed, but I am a fan of Sonicwall. They are fairly cheap, easy to set up, and work well.
                Happiness is a belt-fed weapon.
