Why StoneGate
Stonesoft is delighted Exmos has agreed to sell our advanced network security platform and integrated appliances.
At Stonesoft we only work with a limited number of ambitious partners like Exmos, who are able to share our commitment to solid business strategies as well as long-term commercial success.
We are entirely confident that the StoneGate technology will quickly meet and exceed the real-life challenges faced by Exmos' customers seeking to secure their information flow and future business continuity.
Stonesoft, Helsinki
We spent a considerable amount of time evaluating not only the Stonegate firewall, but also Stonesoft as a potential partner. Having elected
to trial the equipment and been impressed with the initial outcome, it was clear that this solution was considerably different from the more
typical web managed firewalls we tend to see in the field today.
The next nine months were spent working on how we intended to configure and deploy our Stonegate solution. During that time we transitioned
it from our test environment to running our live network. That in itself showed how much we were becoming impressed with the platform as
our Internet connection is our main communication medium with all of our customer sites. We had a considerable number of VPN links to
reconfigure and we immediately became dependent on the Stonegate working to plan.
During this time, we were gaining valuable experience in running Stonegate and the Stonegate Management Console (SMC) in a real-world environment. It also gave
us the opportunity to make mistakes and deal with problems which then had to be resolved with the urgency that a live system dictates. With a test-only
system it is too easy to "leave it until later". By the time we came to deploy our first customer installation, we were extremely comfortable with what
we were doing.
Key Functionality
Multiple Internet Links
Being able to provide multiple Internet links for our customers was the key driver. We saw many manufacturers who could do two, but in a fairly
simplistic fashion. This was typically a round-robin configuration, a second link that became active once the first link reached a certain utilisation,
or a second link that became active when the first failed.
What we were after was the ability to connect literally as many links as we required and a device that was agnostic when it came to the type of link. In other words,
a firewall that would happily work with ADSL, SDSL, cable, leased line and any others (metro Ethernet, satellite, 3G, etc.). We wanted the ability for all of these links
to be operational at the same time, with traffic being load balanced across them.
For every Internet request, the Stonegate will determine the fastest interface to use based on the amount of traffic already on each link
and which link has the fastest route to the server that will handle the request.
The Stonegate firewall allows us to do exactly that. We have solutions running today that are a mix of ADSL, SDSL, leased line and metro Ethernet.
Mesh VPN
Where we have sites linked by VPN and Stonegate firewalls at each site, we are able to mesh the VPNs across each of the Internet links. The Stonegate
allows detailed control of which links we want to participate and then simplifies the configuration effort. Even a scenario where we have a different number of
links at each site is allowed. For example, a head office with two ADSL lines and a branch office with three ADSL lines can be meshed so VPN traffic can
run between any of the five endpoints.
The same load balancing functionality exists across the mesh VPN, meaning every request will utilise the fastest permutation of links available.
Traffic Shaping
Having faster links is not the final solution to the problem. It is still relatively easy for multiple web downloads to saturate a broadband line. The same goes for
large e-mail transmissions and particularly those inbound where there is no visibility within the organisation to even know it is arriving.
Traffic Shaping (or Quality of Service - QoS) is the ability to prioritise the different types of network traffic. Typically we want to make e-mail a lower priority and then grant
a higher priority to traffic such as web (if that is appropriate) or more likely traffic such as Citrix or Terminal Services.
The Stonegate takes this a level further and does not force us to permanently allocate bandwidth to each of these categories. If there is no other traffic on the link, then e-mail
can have all the bandwidth available. It is only when the higher priority traffic starts being used that the e-mail traffic is slowed down.
Centralised Management Console
Managing a large number of firewalls where we have to individually remote to each device and log on to the web interface quickly becomes unmanageable. The
Stonesoft SMC allows us to manage all of these firewalls from a central console and server on our network. Configurations are built using the SMC and then
pushed to the appropriate firewall once completed. Rule scenarios can be modelled before deployment. If a configuration stops the firewall from communicating
back to the SMC, it will automatically revert to the prior configuration.
Detailed Traffic Logging
Having a detailed insight into the type of traffic passing through the firewall is a necessity both in terms of arriving at a good configuration and
also troubleshooting issues. Stonegate provides both a real-time view of traffic and a historical database. All of this traffic can be filtered
and reported on.
Clustered Firewalls
We can take multiple firewalls and cluster them in an active-active, load balanced configuration. All the firewalls in the cluster manage all the links,
so loss of an appliance does not mean loss of any of the links.
Robust Firmware Updates
Firmware updates have always been a difficult element of managing firewalls. If the firmware update fails, we often end up being unable to
communicate with the device. With early firewall appliances, this involved a return to the manufacturer. Newer ones allow a factory reset, but
this means they then have to be re-loaded with their configuration - which obviously cannot be done remotely as the firewall is no longer operational.
Stonegate firmware updates can be pushed from the management console. If the update fails, the firewall will automatically revert to the prior firmware
and the prior known good configuration, and re-contact the management console.
In a cluster configuration, individual nodes of the cluster can be updated independently of the others. This means in mission critical environments, there
is no loss of connectivity at all during firmware updates. For a single firewall environment, the firewall will be offline for a few minutes while it
reboots after the update.