-
February 5th, 2004, 05:14 PM
#1
Member
Corporate Firewall Recommendations
Hey guys,
I come from a PIX/Checkpoint background, and my current client can't swallow the price of these units and the associated annual software fees.
So this puts me in a pickle: what's the best bang for their buck, something I can put in and manage through some sort of GUI, that is a hardware-based solution, and is cheaper than a PIX/Checkpoint?
I'm hunting in the mid range of hardware firewalls, not personal firewalls or SOHO boxes, but firewalls that will let me do content filtering, IPsec VPN tunnels, syslogging, etc.
I looked on the web for firewall reviews, but with the advent of the personal firewall, it's hard to wade through all the reviews for those to find the middle of the road devices.
Any recommendations on web sites that independently review and rate corporate firewalls? Any personal recommendations?
Thanks,
jeff
-
February 5th, 2004, 05:20 PM
#2
How many users? How many nodes? What kind of throughput are you expecting? What type of circuit do you have? What else do you expect the firewall to do (route, BGP, email, dns, etc)? What price-range?
That is a very vague question... can you clarify?
/nebulus
There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.
(Merovingian - Matrix Reloaded)
-
February 5th, 2004, 05:21 PM
#3
Have you tried taking them to CompUSA or Best Buy and having them look at the hardware firewalls they have there? They're pretty cheap, and unless you need a real heavy-duty firewall, they should do the trick.
If that's not an option...more details, please?
-
February 5th, 2004, 05:23 PM
#4
If you can't do Checkpoint or PIX... then why not look into an open source solution?
Are you familiar with Linux?
I use iptables and now build my firewall scripts with fwbuilder. fwbuilder is pretty easy to use and can create the script for many different firewalls. The interface looks similar to FW-1, IMO.
Since the software is free, the only thing you'd be paying for is hardware.
You can even install snort and have an FW/IDS all in one.
Snort also has various GUI interfaces.
For the proxy/filtering... look into Squid and squidGuard.
If Linux isn't your thing... you may have a little trouble getting everything running.
It works great for me though!
Like others said above though... all depends on your needs.
I also just tried out the Express version of SmoothWall and was pretty impressed by it.
(I installed it at home... but they have a corporate solution too.)
Though the web interface doesn't provide all that I'd like, they have plenty of add-ons.
http://www.smoothwall.org/
-
February 5th, 2004, 05:54 PM
#5
Member
I really prefer a hardware solution for the firewall. I can't justify a rack-mounted server for just firewall services, and I don't want beige boxes in the server room either. I also hate to admit that while I've gotten Red Hat to run, I had trouble dealing with Squid (I think because the Red Hat distro came with it, but I wanted the newer version I downloaded). Anyway, Linux isn't my strong suit, and while I'd like to learn, I can't justify the time right now (baby will be here in April, going back to school, and working full time already) to pick up another couple of OSes.
Sorry for being vague Nebulus, here ya go
Data:
Main Firewall will protect ~75 nodes.
Need content filtering capabilities (similar to Websense)
Maybe want virus/Java/ActiveX filtering capabilities as well, depending on cost
Data T1 here
Need to manage around 6 IPsec tunnels to remote offices.
I want the firewall to do SPI and be fairly smart about rejecting 'bad' traffic (SYN, spoofing, etc.)
Cost: well, if it's a one-time cost for the firewall, I can justify a few thousand (2-3). If it's an upfront cost plus a yearly cost, I could maybe handle 2k upfront and 5-600 annually.
I'm looking to replace all our WatchGuard Fireboxes/soho6cs with this other solution, with offices in different states, etc.
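The requirements jeff lists above (stateful inspection, rejecting spoofed and SYN-flood traffic, six IPsec tunnels to remote offices, syslogging) map onto the iptables approach phishphreek describes in post #4. The script below is an added example written for this page, not code posted by anyone in the thread or shipped with fwbuilder. Interface names (eth0 for the T1 side, eth1 for the LAN), the 192.168.10.0/24 LAN prefix, the 10.x.0.0/24 remote-office prefixes and the SYN rate limits are all assumptions; adjust them before use. The ruleset is emitted as text rather than executed, so it can be reviewed and diffed before being fed to a root shell with `--apply`.

```shell
#!/bin/sh
# Added example: an iptables ruleset for the requirements in this thread.
# Assumed topology (not from the thread): eth0 = WAN (T1), eth1 = LAN.
set -eu

WAN_IF=eth0
LAN_IF=eth1
LAN_NET=192.168.10.0/24
# One remote-office prefix per IPsec tunnel (assumed values).
REMOTE_NETS="10.1.0.0/24 10.2.0.0/24 10.3.0.0/24"
SYN_RATE=50/second
SYN_BURST=100

# gen_rules writes the ruleset to stdout instead of running it, so the
# rules can be inspected or tested without touching the running kernel.
gen_rules() {
    echo "iptables -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Stateful inspection: conntrack decides what is a legitimate reply;
    # anything it cannot classify (bad flags, out-of-window) is dropped.
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -m conntrack --ctstate INVALID -j DROP"
        echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    done

    # Anti-spoofing: our own LAN prefix and loopback never arrive on the WAN,
    # and only LAN addresses may originate on the LAN interface.
    for net in $LAN_NET 127.0.0.0/8; do
        echo "iptables -A INPUT -i $WAN_IF -s $net -j DROP"
        echo "iptables -A FORWARD -i $WAN_IF -s $net -j DROP"
    done
    echo "iptables -A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP"

    # New TCP flows must begin with a bare SYN; SYNs aimed at the firewall
    # itself are rate-limited and the overflow is logged to syslog.
    echo "iptables -A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
    echo "iptables -A FORWARD -p tcp ! --syn -m conntrack --ctstate NEW -j DROP"
    echo "iptables -N SYNLIMIT"
    echo "iptables -A SYNLIMIT -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN"
    echo "iptables -A SYNLIMIT -j LOG --log-prefix 'FW SYNFLOOD: '"
    echo "iptables -A SYNLIMIT -j DROP"
    echo "iptables -A INPUT -i $WAN_IF -p tcp --syn -j SYNLIMIT"

    # IPsec: IKE (UDP/500, UDP/4500 for NAT-T) and ESP terminate on the firewall.
    echo "iptables -A INPUT -i $WAN_IF -p udp -m multiport --dports 500,4500 -j ACCEPT"
    echo "iptables -A INPUT -i $WAN_IF -p esp -j ACCEPT"
    # Decrypted tunnel traffic is matched by xfrm policy, not by interface,
    # so cleartext from the Internet cannot impersonate a remote office.
    for net in $REMOTE_NETS; do
        echo "iptables -A FORWARD -i $WAN_IF -m policy --dir in --pol ipsec -s $net -d $LAN_NET -j ACCEPT"
        echo "iptables -A FORWARD -i $LAN_IF -s $LAN_NET -d $net -m policy --dir out --pol ipsec -j ACCEPT"
    done

    # LAN to Internet, SSH management from the LAN only, and rate-limited
    # logging of everything that falls through to the DROP policies.
    echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
    echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT"
    for chain in INPUT FORWARD; do
        echo "iptables -A $chain -m limit --limit 10/minute -j LOG --log-prefix 'FW DROP $chain: '"
    done
}

# Default: print the ruleset for review. With --apply, run it (needs root).
if [ "${1:-}" = "--apply" ]; then
    gen_rules | sh
else
    gen_rules
fi
```

Running it without arguments prints the rules; `sh fw.sh --apply` as root loads them. The `-m policy` match ties the remote-office prefixes to packets that actually came out of an IPsec SA, which is the check most hand-written rulesets of this era skipped when they trusted an `ipsec0` interface or a source prefix alone.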
-
February 5th, 2004, 06:06 PM
#6
To do that kind of stuff, I have to agree with phishphreek: you should really strongly consider looking at Firewall-1 or PIX. Both have several models that vary greatly in price and are capable of everything you are looking for, although I don't know if I would stick all 6 of those tunnels off of your main firewall. One of the things we have done for smaller locations that are coming in off of tunnels is buying smaller 501 or 506E Cisco PIX firewalls to handle the actual tunnel. The 506E I think is limited to 45 nodes, or maybe that was the 501, but if it is just handling a subset of your network, that would probably be acceptable.
As far as the price goes, you are in a little bit of a pickle, in that you are going to get what you pay for. You may or may not be able to talk that figure up a little, and of course you could try calling sales reps for the two vendors; start talking about features and pricing and you could probably whittle some off of the retail price, maybe even enough to afford it.
Other firewall vendors you could look at would maybe be Secure Computing's Sidewinder (they have taken over the old Gauntlet software and merged the two). It is capable of full proxy and has the old Gauntlet technology of being able to scan for viruses and such, although since it is a full-proxy type firewall, you will notice a performance hit over the pseudo-proxy/application intelligence of the PIX/Firewall-1. In the proxy world, you also have the Raptor firewall...
You probably could get away with using iptables; however, for the additional stuff you are wanting, I think it would probably leave you wanting a better solution.
/nebulus
-
February 5th, 2004, 06:07 PM
#7
Member
If you're not going to go with Cisco or Checkpoint, I'd definitely go with NetScreen.
You can get a NetScreen NS-100 for around $2500.
You should subscribe to the list 'firewalls@securityfocus.com' and sit on that list and listen for a while.
-
February 5th, 2004, 06:10 PM
#8
Member
Thanks, I'll check out that mailing list. I'll look at the NetScreen. The other option I was considering was the SonicWALL product line, but they seem mainly geared towards VPN instead of security; at least that's about all I see on their web site.
-
February 5th, 2004, 06:28 PM
#9
Member
We use all SonicWALLs (approx. 7) at my work and have never had a problem (knocking on wood).
I also use an old WebRamp 700s at my house that runs the SonicWALL OS.
We dream of PIXes and NetScreens!
-
February 5th, 2004, 09:07 PM
#10
WatchGuard has all you want in a pretty red box with all the nice flashing lights that will impress your boss for about $3k.
Been using them for 6 years or so. They will easily handle your client load and will easily handle the PPTP connections you want.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides