We are a medium size company with 120 employees across 3 offices and growing.
We are still debating between a cloud solution such as Zscaler Web Security or iboss and a physical appliance such as Fortigate 201E. Which Web Security Solution do you recommend?
It really depends on the type of business you have currently. These days almost all security vendors are offering virtual appliances, so it's a preference-based decision. Almost all vendors are offering basic features with some add-ons / additional features with differences among other competitors. Look at 1. FortiGate, 2. Cisco Meraki, 3. SOPHOS Products; they all provide you flexibility to have physical and virtual appliances and are the best vendors in the market.
Bluecoat and Forcepoint offer credible solutions. Think through where your users are and what they connect to. A mobile workforce may need an agent and a cloud gateway (unless you force them back to base over VPN) but may give problems if connecting to sites that whitelist you by IP. And not all providers have good global breakout points. Be particularly careful if you work in China.
My recommendation is Cisco Meraki MX84 with an Advanced Security license (it has two kinds of license: Advanced Security and Enterprise).
I recommend Fortigate
All FortiGate appliances are powered by the FortiOS™ operating system with the following features and benefits:
Features. Firewall, Virtual Private Networking (VPN), AntiVirus, Intrusion Prevention, Web Filtering, DLP, and anti-spam; AntiVirus /Antispyware
The answer is, it depends... If you do any web-based business with banks or governments, then get a hardware solution like Bluecoat or Fortinet, because web-based providers cannot provide you with a static source IP and you will fail security checks. I've been involved in corporate moves to the "cloud" using Zscaler and both went very wrong, very fast; a year later they still have monthly outages because of the "cloud" providing random source IPs. If this is for public internet access outside of your corporate network then you should be fine; otherwise I suggest hardware you control.
This is a "how long is a piece of string?" type question. As the other vendors have said it is hard to recommend something fully without knowing all the background. Your background did stipulate that you had multiple sites and you were growing. Having a traditional deployment scenario will mean that you need to have a "box" at each site and add more boxes as you add more sites. Going with a more modern solution like Zscaler will allow more rapid growth opportunities - just add users, no matter where they are - also this allows you to restrict with a single policy in the cloud rather than on each device.
As others have said, be mindful of the proximity of the Zscaler because of latency, but they do have >100 POPs which you will probably find pretty local.
Overall, there is a lot more research you can do, but I'm leaning towards a cloud offering from the branches. You might consider an SD-WAN device at each branch that also has FW built in. This would give you connectivity resilience at a much lower price, but perhaps this is a debate for another day :-)
Cisco Meraki is an excellent solution in the cloud, has AMP included and can be integrated with Umbrella and Threat Grid.
We use Fortigates for web filtering and security. We are a global company with > 10,000 users.
This protects all users on our internal network. Remote users can use the Fortinet FortiClient for remote AV and web filtering protection.
We used Zscaler several years ago but we were unhappy with latency for complex websites and managing PAC files was difficult.
Since you are going for web security, the Zscaler web security solution will be my recommendation, considering its robust features and vast threat intelligence base. It is best you go for the cloud solution since you are working across sites.
If you need just web security, it depends on the platform. If you are a start-up built on a cloud platform, maybe Zscaler can be the best. But in the security world you need a clear mindset to protect not just for 1/2 years but forever. You can choose a vendor that you can trust and that has the best reputation, such as Fortinet or Cisco. Which is the best of Zscaler or Fortigate 201E? I still choose Fortigate 201E. Why? If there is an attack from outside to inside, which part can protect the insider? And Fortinet also has advanced features, not just for single solutions (web protection); you can use DLP, ISFW, DCFW, SDWAN and many more, which can help you to build N to N solutions in security.
This depends on so many factors, but if you have the right infrastructure, I would recommend having this on premise and using Cisco WSA, which will provide you with:
1-Protection before, during, and after an attack.
2-Flexible deployment options.
3-Automated traffic analysis, inbound and out.
4-Application visibility and control.
5-Fast identification of zero-day attacks.
And now Cognitive Threat Analytics (CTA) with AMP for WSA is included.
I would recommend an Onsite Appliance but with High Availability included.
Just being partial to a more hands-on approach, and liking to have it all under my fingers.
No Real Pros and Cons just a preference.
If you have to go there:
There are a lot of questions that have to be answered first.
Are you looking to secure only one location or multiple? One aggregation point with VPN to your offices or it's every man(office) for himself scenario?
Sizeability - Cloud can be extended to meet your growing needs, whereas with an appliance you are stuck with what you have, and if you miscalculated the bandwidth you could be in big trouble, especially if you have business-critical processes going in and out.
Exactly what roles will that security play, and what services it will provide to your network.
Do you have Road warriors?
You have to answer to yourself those questions first and I'm just scratching the surface here.
I almost forgot: A must do is a POC, I found that despite how correct a vendor is with his calculations on the Bandwidth they are always wanting on resources, so I always opt out on a one or two steps HIGHER appliance.
Just for an example:
In a case with multiple offices and encrypted VPNs throughout the offices with one aggregation point for connecting to the Internet.
Everything is simplified greatly because most of the traffic is internal and only a small portion is going in and out.
In case an appliance is used on all locations then the TOTAL Bandwidth would have been 20-25 times bigger than what it is in reality.
Hope you make the right decision. I know that it wasn't exactly what you asked but hope I had been of some assistance.
I would recommend FortiGate 201E. If 201E is expensive you can look for a lower series of FortiGate.
If you’re looking for a Web Application Firewall, then you need to switch to our FortiWeb security appliance. While the FortiGate does consolidate web content filtering and a measure of web application firewalling, it’s not purpose-designed as a WAF-only product. If you’re looking to protect your organization against zero-day malware and other target-specific malware, then integrate FortiWeb with our FortiSandbox product. FD, Sr. Solutions Engineer w/ Fortinet Federal
I highly recommend Fortigate 201E on premise appliance, however depending on your bandwidth and connection reliability cloud web security can be considered because of scalability, availability and extensibility.
If all you are looking for is Web Security Gateway, I would not consider a UTM like FortiGate. I would go for something more specialized like BlueCoat (WSS or on premise), Zscaler, Cisco WSA and the like.
Cloud options are good if you don't want to route all traffic to a central location which might be a problem if you have limited bandwidth. Some of the drawbacks could be latency, privacy and confidentiality (all traffic goes through a third party in the cloud).
If you also need Firewall and VPNs for the different sites then an UTM device (FortiGates are great for this purpose) or perhaps a modern SD-WAN solution might be the way to go.
Although Zscaler is a great product, it is probably not right for your situation unless your employees are highly mobile and out of the office often. If your employees are not highly mobile I would recommend using the Fortigate. They are excellent firewalls and a much better value than PaloAlto. Keep in mind this is general advice, and without knowing your exact security requirements, applications you use, and habits of employees it is difficult to make a recommendation.
I do recommend Zscaler Cloud over iboss and an onsite hardware appliance, no matter from which vendor. We are living in a mobility world... Traditionally, to protect remote users working from a remote site, companies backhaul traffic from remote sites to the HQ site and then out to the internet, to save installing security solutions on every remote site. Add to this the cost of MPLS circuits (even if you are using IPSec VPN to send traffic to the HQ site, you still have performance issues)... This is not the trend any more. Add to this, you need to protect the user anytime / anywhere; having them VPN all the time to HQ when working remotely is no longer a feasible solution. Zscaler is the best cloud-based secure web gateway in the market.
I think a very good choice is Cisco Meraki (MX84). Cloud-managed solution, 100% centralized cloud management for security, networking, and application control.
Safety and Fast.
I suggest Zscaler would be the better option for you.
Puma locations worldwide now use the Zscaler Cloud Solution for our Internet security (like web proxy, and so on…). We had good experience with this solution (very easy handling, and you can configure this solution in more ways), like cloud only, or with a Zscaler application, or via TCP/IP ranges and routes, and you can also use it on mobile devices.
In the past we had also a Fortigate Box here in Austria in use, but it was not easy to use it for Web security, Bandwidth and so on for us.
And the worldwide PUMA HQ decision was to use Zscaler in the future for all PUMA IT Landscape.
I can't give you advice on which would be better for securing your environment without knowing more about your firm and what software you're using, clouds you leverage, compliance you are subject to, performance (speed, scalability, availability, integration with SIEM, etc.) you need, mobile, IoT, DLP needs, etc. That said, even though I tend to lean towards Checkpoint, Zscaler, etc. vs Fortigate for robust capabilities, especially when it comes to mobile access use cases and clean integration with some of the common MDMs and DLP/SIEM products, Fortinet makes a nice overall product which is easy to implement and could provide you with a great solution if you don't have other specialty security products in your 3 locations.
Try a Palo Alto Networks model 220 for branches and central, it will fit and do a lot more than Web Security
They are all good. I am partial to Palo Alto. I have been working with Palo Alto for 3 years and have had nothing but high customer satisfaction ratings at the end of the deployments. PAN is a little pricey, but you get what you pay for in this market.
FG-201E has integrated WebFilter with AppCtrl but for me, it's not compliance with Zscaler WS.
I would recommend FG-201E or Barracuda WSG if it has to be Web Security standalone appliance.
Zscaler would be a good option to go on with, as the management points are much fewer and you can control users across all the places.
FG-201E>I would recommend fortigate appliance
Today Zscaler is leading the Web Security Market as per the leading analysts for the 7th year in a row. Back to the requirement: Zscaler, as a true multi-tenant SaaS Internet Security Platform, will grant better security (most comprehensive security platform, including URL Filtering, AV, ATP, APT, DLP, Cloud App Visibility Control, SSL Interception, NGFE, BW Control and more), better performance (near zero second latency, backed with SLA) and better costing (No Capex, No HW, No SW), and eventually will secure and control your internet users any time, anywhere, using any device. This will fit the customer requirement across multiple locations without the need to deploy HW in each location or backhaul your traffic to your HQ, and will give you the ability to scale up with more locations/users as you grow.
I am not sure if I can help you much.
Our organization has got 140 employees and only one main site.
Our ERP and System accessed by more than 20.000 users over web browser is provided by a third party as Cloud service, which minimizes security issues within our local network.
We are in the evaluating process of Fortigate and Palo Alto and believe that both are top solutions available in the market, allowing us to make a final decision based on prices.
Another excellent solution is Checkpoint, which you could consider as well as Palo Alto and Fortinet.
If your users are located inside your company network, I recommend using an "on-premise" solution (like Fortinet).
If most of your users are mobile workers, it is recommended to use a cloud solution (like Zscaler).
In my company, we use a cloud solution for mobile users (Cisco AMP endpoint and Cisco Umbrella) and for local company workers, we use Cisco Web Security Appliance.
I would prefer locally installed appliance (FG-201E)
We recommended Fortinet Firewall
physical appliance such as Fortigate
I would go for the FortiGate.
Hopefully, all branches are equipped with fg60/90.
FortiAnalyzer should be combined with Fortinet switches; therefore you could monitor the whole structure with one GUI.
If you’re looking for a scalable and robust Web Filter only, I would suggest going with Sophos Central Web Protection. This system is cloud-based and will help you protect and block unnecessary access.
The physical appliance which is also provided by Sophos will give you the exact same result, but having this system in the cloud will help you decrease infrastructure investment.
Sophos Cloud Systems are in AWS with earth's best uptime.
Hope you find this info useful
I always recommend on-prem equipment to implement security.
I agree with Daniel. It depends on how your offices are connected.
Zscaler is a good approach if you will have more small offices in the future, so that it is consolidated into one solution. If the offices are already connected to a central office I would suggest Fortinet.
Hi Mehdi
It seems there is a split of recommendations here between cloud and appliance. Here at Cyren we are trying to make cloud-based web security easier for mid-sized businesses. If you want the operational efficiencies you get from SaaS, don't look at appliances or even hybrid. If you want to pair this with the best protection, take a look at Cyren Web Security. Here is the Cyren Web Security product page: tinyurl.com
Good luck and by all means message me if you would like to talk further.
Duncan
Hello
I would strongly recommend an on-premise solution. If you are looking for advanced web security including application and content filtering and also reporting functions, consider Forcepoint; if you are satisfied with a standard UTM solution, consider Fortigate.
I prefer going with Sophos or Fortinet
Sophos UTM has two antivirus scanners (Avira and Sophos).
I suggest a firewall appliance on your site. Fortigate is a very good and great solution and their support is very, very good, depending on my previous experience. I also recommend the Sophos XG 135 Firewall; it's a very good appliance, also very easy to build, and lower in price than Fortigate.
We recommend Zscaler. Zscaler will allow the users to be protected when connected to the corporate network and when they are outside the corporate network. It means 100% of the time, from anywhere. This value is unique. In addition to this, the security and control policies are great and performance is not impacted when doing SSL scanning for inspection of malware on encrypted traffic. The GUI is easy to configure and reports provide information up to the minimum detail.
There are some challenges during the implementation of Zscaler because you need to properly redirect the internet traffic to the cloud to achieve the proper performance and redundancy. Also, it is required to integrate with some authentication tools like ADFS, Okta, etc., and to deploy a software agent on the PC to protect the user when outside the corporate network.
After a proper implementation, you can scale at any place of the world (the worldwide coverage is good) and the solution is very low on maintenance.
The key with Zscaler is a good implementation.
Since you have a Fortigate solution in place you can go for a UTM license. With it you can do the web and application security for 120 users. For user-level controls you can integrate the same with Active Directory as well. Of course you can make a price comparison with the cloud solution as well. But considering the internal application access compliance, I am not sure about the cloud solution.
It depends on their current network setup and how the users are connected. All types of Web Security Firewall work based on how they are applied.
I just started implementing Zscaler. I would highly recommend it.
I recommend Zscaler. Build it once and scale as you go.
This is really more of a strategic question than a technology one.
Would you rather manage that yourself (physical appliance) or have someone else do it (cloud)?
Will your environment be complicated (lots of power apps, constant bandwidth requirements, security)? How about ongoing configuration needs?
Looking at the previous line, is your provider truly responsive and thorough? If not, do you always plan your projects in advance, so that stakeholders have accurate ETAs? You’ll have to factor the provider service level into that, and into your plan for any immediate issues.
If you have ongoing remote users and are syncing data between offices in real-time I would go cloud because they can address that automatically. Real-time sync between offices is expensive and gets more complicated with remote users. If you go on-prem you also need to plan for HA/failover, essentially doubling your costs.
The best Web Security Gateway tested for us is Barracuda WSG. For this case, I recommend the Barracuda WSG 410: excellent performance, very good features, low budget, and the best is that every 4 years Barracuda will change the old equipment for new equipment.
I am looking at Threat X (threatx.com). They have incredible capabilities and are very next gen (AI). They are based in Denver and I’d suggest talking with Aaron Fosdick or Andrew Useckas.
Fortigate support is horrible because they are divided on the hosted vs an on-prem solution. We have on-prem and have horrendous hold times and difficulty getting someone that has the true expertise to assist when we have an issue.
Zscaler Web Security is our recommendation.
I would recommend a UTM like Check Point, Palo Alto or Fortinet.
Palo Alto has the richest features that will cover all your needs. Check Point is close second but managing a Check Point is a little bit easier. I would go with Palo Alto as their support is more responsive.
Zscaler Web Security is our recommendation.
If you need a Web Application Firewall or ADC (Application Delivery Controller), get a Citrix NetScaler VPX virtual appliance. It's extremely configurable. However, it can be pricey. We've been using one (200Mbps, Platinum license - about $15k) to host web applications we develop as well as 3rd party web apps. We're a 50-person company, but we work with about 1,000 employees of sister companies and do HR, Benefits, Payroll and Accounting for them.
I have a client that I implemented a Fortigate 140D-POE with port forwarding to static IP in my IPV4 policy. I am using Avigilon 3mg POE cameras with ACC appliance for management, recording, and analytics. On users cell phones, there is an app called ACC mobile which they can view the cameras live. The security and credentials are based on what access I give them. It all works beautifully. I do have a public webcam setup the same way. www.pointrobertsmarina.com
I am currently working at Zscaler and used to work at Fortinet. If you want users to be protected no matter where they are located and without the need to VPN [route-all-mode] to protect remote users, then go with Zscaler. All features offered by any physical appliance are available with Zscaler.
Many companies are switching to Zscaler because remote users no longer need to VPN to HQ to enforce web filter policies, and there is no need to install any NGFW / UTM at remote offices to protect users in case there is no IPSec tunnel / MPLS back to the HQ. This will save you tons of money every year.
Yes, depending on... Making a decision is the hardest part, and debating means talking and wasting money... #1 What business do you do? #2 How do you provide it and where? #3 Make your choice based on that.
Web security solution? Zscaler or Symantec Web Security Service, or even on-prem box like a Symantec (Bluecoat) SG300/600. A Fortigate/Palo Alto/Check Point is a firewall, not even by far the same technology branch when you want web security. In SSL interception not 1 firewall can match the cipher support/SSL compatibility as a proxy, so that is not even a discussion in my point of view.
Between those three, Fortigate physical firewall.
I would recommend fortigate appliance
In general, I still prefer the on-premise solution, but it also depends on the type of customer and if you have a technician who can manage the Fortigate.
Depending on what your goal is and where the offices are based.
When you want to protect your users in offices, then you would want to have a kind of perimeter firewall (usually an appliance) - the standard (old) way. Fortinet is affordable and OK. When you want better, check Palo Alto Networks.
In case your offices are close (in milliseconds) to Zscaler cloud then you could also use this. Ask them to share information of their "cloud" locations and measure RTT from your offices.
Note that all your traffic will go via Zscaler cloud (privacy, confidentiality).
With Fortinet or a similar appliance, you have the possibility to have VPN for your users with home office. Not sure whether it's feasible with the cloud solution from Zscaler. Like I said, it really depends on where you are and what kind of business you are doing.
There are several factors to consider:
· In-house expertise to manage a physical firewall
· Number of locations requiring a firewall
· Current and planned linkage between office locations
· Value of the information you want to protect
I’m personally a fan of on-premise physical firewalls for high $ information to protect. However, if the $ risk is not particularly high, your in-house expertise to manage firewalls is low, and you have multiple locations to protect, I would recommend a security gateway service with VPN connections between your offices and the location of the security provider. I cannot recommend one supplier over another.
If you choose to go with a physical firewall, Fortigate has a good reputation.
Regards,