Firewall recommendations...

  1. #1
    Junior Member
    Join Date
    May 2003
    Posts
    3

    Firewall recommendations...

    I have 4 rack-mounted (web, backup, data, email) servers... I wanted to implement an appliance firewall... I have a reasonable amount of traffic and a dedicated 2.5 mb/s... possibly comparable to the traffic that hits this website... I am currently looking at ServGate, Cisco PIX, SonicWall and maybe Checkpoint Firewall-1... Anyone have any recommendations on these, or have used these before?

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    I've used Cisco Pix, Checkpoint, SunScreen. I've messed around with Winroute, and various other software firewalls and my conclusion is all of them have their good and bad points. You really need to look at what each specifically gives you and what each falls short on.

    My personal favorite is Sunscreen, however, at $15000 it's quite an investment. You just can't beat not having a TCP/IP stack. No TCP/IP, nothing to attack. On the other hand, no one ever got fired for buying Cisco.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    The first thing I'd decide is whether you want a packet-filtering or proxy-based firewall. Cisco PIX is well known and I use it. The problem in recent days is that their support has become equivalent to that of a fast food drive-through.

    If you are looking at CheckPoint, they have *much* improved their product from a few years back. Don't forget to look at CheckPoint while you are researching solutions.

    If you need a monster proxy-based firewall, take a look at Gauntlet. It has enough features to keep you busy for eons.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #4
    Junior Member
    Join Date
    May 2003
    Posts
    3
    I was also considering NetScreen 25. I can get NetScreen products cheaper because I know someone who works there... Does anyone have any opinions or comments on NetScreen?

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    I've used their IPSec site-to-site tunneling feature that comes with their firewall. It was *excellent*. The firewall itself was very easy to set up via a web management interface. The only reason we didn't go with them was because of some political crap with preferred vendors at that time.

    Also, the Netscreen salesman stopped by (now that we can buy from a preferred reseller) and told me that they are coming out with an appliance that does VPN, Firewall, IDS/IPS and Spam filtering. I believe he mentioned AV too. I can't wait to see it.

  6. #6
    Senior Member
    Join Date
    Mar 2003
    Posts
    217
    I've heard that WatchGuard has some nice, fairly inexpensive firewalls: www.watchguard.com
    I've also heard good things about Checkpoint.
    I'm starting to think that I'm bound to always be the first guy on the second page of the thread.

  7. #7
    Now, RFC Compliant! Noia's Avatar
    Join Date
    Jan 2002
    Posts
    1,210
    Hmmm... you could take an old machine and put Linux Smoothwall on it... that's very cheap... and you could customize it totally.
    With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!:.
    And no one can recall the gentle features in the queen's face on that fair day, when this land rested in holy peace and everyone had love to love with.

  8. #8
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Noia bud,

    Yeah, you could do that or just use IPTABLES but this dude seems to want an appliance solution, not an open-source solution.

    --TH13

  9. #9
    Junior Member
    Join Date
    May 2003
    Posts
    3
    That's right, I want an appliance... primarily because an appliance can stay on for a long time and not require any maintenance or resets... My site at one point had close to 5,000 concurrent sessions, so I need something that's very stable and reliable...

  10. #10
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    We have been looking at it right now (and you have to remember we have a very large enterprise, so we are looking at that kind of solution), and a clear leader right now is Checkpoint's Firewall-1 running on a Nokia appliance. You get support from Nokia and support for clustering just for buying the product, and it has, as far as we can tell, some of the best performance around. Firewall-1 also has some pretty interesting capabilities with NAT, content filtering, and a few other things that are pretty nice. It is the only firewall we looked at that had a competent enterprise management solution.

    We also use Cisco PIX on a much smaller scale, and it works pretty well and was easy for people to pick up because of similarities to Cisco's router IOS. We also found it did some very interesting things to protocols using the fixup options (like for SMTP it deletes all the server information and severely limits the commands that can be run). I consider it to be a good firewall with good performance, but don't consider it to scale too well, even with Cisco's management solution. I consider PIX to be a very good firewall, but we went towards Nokia over the enterprise management capabilities of Firewall-1 versus the stuff with PIX. It NATs by default and is very secure by default, but a little harder to configure.

    I have messed around with SunScreen before (about 2 years ago) and was appalled with it. Clunky interface and relatively difficult to configure versus the other products we were looking at. I personally would avoid it.

    I have also messed around with TSI/NAI/Secure Computing's Gauntlet. It is the only true proxy firewall out of the group, but your performance will suffer, it is not as easy to configure, and it is being merged with Secure Computing's Sidewinder firewall.

    Secure Computing makes a new firewall that is supposedly based off the best of Sidewinder mixed with the couple of good things in Gauntlet (like anti-virus), and it continues to run on a specialized platform like Sidewinder. I haven't messed around with this, but considered Sidewinder to be a pretty good product for the little that I have seen of it.

    There was someone that made an appliance that ran iptables, but I don't remember the name. I will ask a friend of mine that was running it and post again when I find it.

    It just depends on your needs, versus performance, versus cost. Have a look at the ones I mentioned (minus Gauntlet; it was a lead-in for Secure Computing's product). Good luck and happy hunting.

    /nebulus

    EDIT: The iptables firewall was Astaro.
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
