Okay, I'm about 6 months behind on writing this post, so if the world has changed in 6 months, please add comments and I'll update. I'm shocked at how difficult it has been to select a standard firewall for the SMB space. I THINK I've tried them all and have been surprised at how there just isn't one that has all the features I want. With SBS 2008 removing ISA, the need to have a firewall solution was key. I'll admit, I love ISA, and though many partners didn't, we deployed it with SBS as often as we could. If you knew how to set it up (and that's why customers need partners like us!), ISA gave Enterprise security to SMBs like no other product yet. After being disappointed in the change, I now find that I really like not having the firewall and the SBS server on the same box. The ability to reboot the server and keep Internet going has given much more flexibility, not to mention a firewall appliance typically restarts much faster than a server reboot. I'm still surprised MS didn't work with a partner to offer a low-end ISA appliance... but I digress.
In my quest for our standard firewall, I of course looked at Cisco's ASA... it's a good firewall, but I always struggle with the fact that they come obviously from the network world. I'm a GUI guy (so shoot me), and so many times, to get an ASA set up correctly, you really need to do it all from the console. Ask for support and they have you go to the console. Tell them you want to use the GUI and you immediately get moved to the moron designation. And dealing with IPSec tunnels with the Crypto Map this and Crypto Map that... it's just not that intuitive. That being said, Cisco support was pretty good when I called and would jump on the device and fix my issues very quickly.
However, based on Scott Cover's blog entry and the fact that they spend time working with the MSP community, I jumped all in with Calyptix. Signed up as a partner, ordered an NFR, and even sold one in my first week to a large customer for their lab environment. It's considered a UTM and maybe it is. My question is "is it a firewall?". So what's missing? Well, firewall rules for one. I couldn't add rules and move them up and down in priority. Calyptix support says that's coming. So if you're used to ISA or Checkpoint, you just don't have that power right now.
The big shock for me was trying to set up an IPSec tunnel to a Cisco ASA. The phase 1 and phase 2 settings just weren't there. They had some IPSec settings but not all of the industry standard settings. I believe what's going on is the settings are of course in the BSD firewall underneath but just not exposed through their GUI.
So to me, this isn't ready for what we need to do. If you have a very small office and just want to plug in a simple UTM, then this may be the way to go. But we wanted a UTM that handled UTM functionality but also gave us Enterprise features when we needed them.
What's positive about Calyptix? The company! I think that's where you get the good reviews on Calyptix. They're based out of Charlotte, NC, so that means English-speaking support (well, if you speak Southern like I do). The main engineer/developer is Lawrence and he is awesome and will do whatever he can to help you and fix your problem. In my case he wasn't able to meet a core requirement and get the Calyptix to connect to ASA, but it wasn't for lack of effort. They've just been focusing on the SMB space and haven't had to add those features yet. In time, I think they will. They may have it all now... I should have written this post 6 months ago because I know how frustrating it was for me when I was trying to research firewalls.
In summary, Calyptix is a great company but their product is still young. I'll certainly keep an eye on their product.