Couldn't resist sticking my oar in.
For an office with 10 people in it I'm really not sure I see the point of a fancy enterprise firewall. The actual firewall part of such a firewall isn't really any more effective than what you get on good domestic routers... a stealthed port is still just a stealthed port and an open port still gives access to what's inside.
Most of the extra stuff those enterprise firewall devices do is aimed at... enterprises. Fancy routing configs between multiple internal networks, multiple public IP NAT setups, hardware DMZs, site-to-site VPNs etc. None of which you need in an office with 10 users (in most cases, and given that you've been working without them you're probably in that majority).
So what does that leave you with? IDS, IPS, AV scanning and content control / site blocking.
- The content control and site blocking might be handy if you've got staff who like to surf for porn or visit facebook on company time so that's potentially useful (though it's not something you've said your interested in)
- AV scanning sounds great but it's often a pain as it means your internet traffic is going via a proxy. That's fine but it is another thing to go wrong and getting https going through it is more configuration.
- IDS / IPS (intrusion detection/prevention system) sounds like a great idea but as I understand it there is a school of thought that they are just tick box items that The Boss can parade in front of the board at meetings. Seriously though they probably do have a role to play in big enterprise where someone who knows what he's doing can keep an eye on traffic for thousands of users but I'm not convinced they have a place in a 10 user office.
Also keep in mind that to some degree all three of these things will require subscriptions to work so factor that into your costs.
Finally consider that stuff like Cisco ASAs or even Zywalls are MUCH more complicated to configure properly than the kinds of routers you've been using and a badly configured firewall can be worthless.
Sorry to have been so negative (it come easily to me), here are my constructive suggestions:
Security is all about adding layers (hence a nice new firewall is attractive) however you've got to make sure those layers are doing something meaningful. Starting with what you've already got:
Any firewall will block incoming connections to blocked ports, if you've opened ports so that services you need can be used then there isn't that much you can do about it. So one big question is: what exactly have you got in your office? I'm going to assume it's SBS handling you windows domain, exchange and remote web workplace.
If the system has to receive email then you're probably going to need port 25 open no matter what (there are ways round that and I'll go into them if you want) though you can disable smtp logins anyway (IIRC it's off by default in sbs these days) which stops anyone brute forcing your server this way.
- Only allow services you need through the firewall. All the other ports SBS opens on your router (web, rdp, rww, IMAP, POP3) can be closed off entirely or accessed through a VPN. Of course that's a pain but it is doable. If you go down this road then you really need something certificate based rather than username/password. You should be able to use your server for this task. If you don't like the built in VPN stuff (I'd avoid PPTP and use IPSec) then I'll second Flatland's openVPN suggestion. It's great for computer connections (though you do have to install client software) but usually isn't supported on mobiles.
- Make sure you're keeping all your internet facing services up to date.
- Make sure you've got a decent password policy in place (even if you're not exposing username/password logins directly to the internet by requiring VPN connection first). Have a talk with your users to make sure they know how to make a good password. It's no use requiring at least one capital letter, number or symbol and 9 chars if everyone uses "Password1". I recently had a talk with a woman who's hotmail account had been hacked 5 times in 6 months. Turns out she though a person's name was a good password and that no one else could possible think of replacing "l" with "!" or "o" with "0"
- Make sure you've got some kind of script in place to block IPs that try to brute force your passwords. X failures in an hour and the IP gets blocked for a month, that kind of thing. There should be plenty of powershell scripts floating around for doing that.
- Consider getting proper ssl certificates for your server rather than using self signed ones.
- Only give users who need remote access such access.
- Consider requiring external access comes only from specific IPs or subnets. It's a bit old skool but if your users only need access from their home connections and those home connections can have static IPs or are all on the same ISP you can lock them down that way. Most domestic routers allow this though an enterprise firewall would give you more options.
Brute force attacks on passwords happen all the time and there are lots of things to do before dumping time and money into a new firewall.
Just to clarify, there's nothing magic about having your VPN on the firewall rather than the server. As I see it the main reason for having a firewall with a VPN server on it is to support site-to-site VPNs so your offices stay connected while your servers get rebooted (handy for keeping VOIP systems etc running). Road warrior VPNs (that's connections from individual remote users) might as well be handled by your server as it keeps all your user management in one place and chances are that if your server is down there won't be anything for the remote users to connect to anyway.
Sorry for the mega post but there really is lots to do before spending money on a fancy firewall