
Thread: Corporate Firewall Recommendations

  1. #1

    Corporate Firewall Recommendations

    Hey guys,

    I come from a Pix/Checkpoint background, and my current client can't swallow the price of these units and associated software annual fees.

    So this puts me in a pickle: what's the best bang for their buck? Something I can put in and manage through some sort of GUI, that is a hardware-based solution, and that is cheaper than a PIX/Checkpoint?

    I'm hunting in the mid range of hardware firewalls, not personal firewalls or SOHOs, but firewalls that will let me do content filtering, IPSEC VPN tunnels, syslogging, etc.

    I looked on the web for firewall reviews, but with the advent of the personal firewall, it's hard to wade through all the reviews for those to find the middle of the road devices.

    Any recommendations on web sites that independently review and rate corporate firewalls? Any personal recommendations?

    Thanks,
    jeff

  2. #2
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    How many users? How many nodes? What kind of throughput are you expecting? What type of circuit do you have? What else do you expect the firewall to do (route, BGP, email, dns, etc)? What price-range?

    That is a very vague question...can you clarify?

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Senior Member
    Join Date
    Nov 2003
    Posts
    247
    Have you tried taking them to CompUSA or Best Buy and having them look at the hardware firewalls they have there? They're pretty cheap, and unless you need a real heavy duty firewall, they should do the trick.

    If that's not an option...more details, please?
    www.ADigitalPimp.com
    There is a ghost in the machine, and he is my friend.

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    If you can't do checkpoint or pix... then why not look into an open source solution?

    Are you familiar with linux?

    I use iptables and now complete my fw scripts with fwbuilder. The fwbuilder is pretty easy to use and can create the script for many different firewalls. The interface looks similar to fw1 IMO.

    Since the software is free, the only thing you'd be paying for is hardware.

    You can even install snort and have an FW/IDS all in one.

    Snort also has various GUI interfaces.

    For the proxy/filtering... look into squid and squidguard.

    If linux isn't your thing... you may have a little trouble getting everything running.

    It works great for me though!

    Like others said above though... all depends on your needs.

    I also just tried out the express version of smoothwall and was pretty impressed by it.
    (I installed at home.... but they have a corp solution too.)

    Though, the web interface doesn't provide all that I'd like... they have plenty of add ons.

    http://www.smoothwall.org/
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    I really prefer a hardware solution for the firewall. I can't justify a rack mounted server for just firewall services, and I don't want beige boxes in the server room either. I also hate to admit that while I've gotten Red Hat to run, I had trouble dealing with Squid (I think because the Red Hat distro came with it, but I wanted the newer version I downloaded). Anyway, linux isn't my strong suit, and while I'd like to learn, I can't justify the time right now (baby will be here in April, going back to school, and working full time already) to pick up another couple of OSes.

    Sorry for being vague, Nebulus, here ya go:

    Data:

    Main Firewall will protect ~75 nodes.
    Need Content Filtering Capabilities (similar to websense)
    Maybe want virus/java/activex filtering capabilities as well, depending on cost
    Data T1 here
    Need to manage around 6 IPSEC tunnels to remote offices.
    I want the firewall to do SPI, be fairly smart on rejecting 'bad' traffic (SYN, spoofing, etc)

    Cost, well, if it's a one-time cost for the firewall, I can justify a few thousand (2-3). If it's an upfront cost and a yearly cost, I could maybe handle 2k on the upfront and 5-600 on the annual.

    I'm looking to replace all our watchguard fireboxes/soho6cs with this other solution, with offices in different states, etc.
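    A concrete sketch of the iptables route phishphreek suggests, sized to the requirements in the post above (stateful inspection, rejecting spoofed and SYN-flood traffic, logging to syslog). This is an added example, not code from the thread or from fwbuilder; the interface names, LAN subnet and rate limits are assumptions, and it emits an iptables-restore ruleset rather than applying it.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset
# for a small office gateway. Interface names and subnet are assumptions.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.10.0/24}"

# Emit a LOG+DROP pair for one source range that must never arrive on the WAN.
spoof_rule() {
  printf '%s\n' "-A ANTISPOOF -i $WAN_IF -s $1 -m limit --limit 5/min -j LOG --log-prefix \"FW-SPOOF: \""
  printf '%s\n' "-A ANTISPOOF -i $WAN_IF -s $1 -j DROP"
}

build_ruleset() {
  printf '%s\n' "*filter" ":INPUT DROP [0:0]" ":FORWARD DROP [0:0]" \
    ":OUTPUT ACCEPT [0:0]" ":ANTISPOOF - [0:0]" ":SYNLIMIT - [0:0]"
  # RFC1918, loopback and our own LAN block are spoofed if seen from outside
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 "$LAN_NET"; do
    spoof_rule "$net"
  done
  cat <<EOF
-A SYNLIMIT -m limit --limit 25/sec --limit-burst 50 -j RETURN
-A SYNLIMIT -m limit --limit 5/min -j LOG --log-prefix "FW-SYNFLOOD: "
-A SYNLIMIT -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $WAN_IF -j ANTISPOOF
-A INPUT -p tcp --syn -j SYNLIMIT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-INPUT-DROP: "
-A FORWARD -i $WAN_IF -j ANTISPOOF
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
EOF
}

# Number of active (-A) rules in the generated set, a quick sanity check
# before feeding the output to iptables-restore.
rule_count() { build_ruleset | grep -c '^-A '; }

build_ruleset
```

    The LOG targets write to the kernel log, so the "FW-SPOOF:" and "FW-SYNFLOOD:" prefixes are what a syslog server would match on; everything not explicitly allowed falls to the DROP policy after being logged at a capped rate.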

  6. #6
    Jaded Network Admin nebulus200's Avatar
    Join Date
    Jun 2002
    Posts
    1,356
    To do that kind of stuff, I have to agree with phishphreek, you should really strongly consider looking at Firewall-1 or PIX. Both have several models that vary greatly in price and are capable of everything you are looking for, although I don't know if I would stick all 6 of those tunnels off of your main firewall. One of the things we have done for smaller locations that are coming in off of tunnels is buying smaller 501 or 506E Cisco PIX firewalls to handle the actual tunnel. The 506E I think is limited to 45 nodes, or maybe that was the 501, but if it is just handling a subset of your network, that would probably be acceptable.

    As far as the price goes, you are in a little bit of a pickle, in that you are going to get what you pay for. You may or may not be able to talk that figure up a little, and of course, you could try calling sales reps for the two vendors, start talking about features and pricing, you could probably whittle some off of the retail price, maybe even enough to afford it.

    Other firewall vendors you could look at would maybe be SecureComputing's Sidewinder (they have taken over the old Gauntlet software and merged the two). It is capable of full proxy and has the old Gauntlet technology of being able to scan for viruses and stuff, although since it is a full proxy type firewall, you will notice a performance hit over the pseudo-proxy/application intelligence of the PIX/Firewall-1. In the proxy world, you also have the Raptor firewall...

    You probably could get away with using IPtables; however, for the additional stuff you are wanting, I think it would probably leave you wanting a better solution.

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  7. #7
    Member
    Join Date
    Dec 2003
    Posts
    59
    If you're not going to go with Cisco or Checkpoint, I'd definitely go with netscreen.
    You can get a netscreen ns 100 for around $2500.
    You should subscribe to the list 'firewalls@securityfocus.com' and sit on that list and listen for a while.

  8. #8
    Thanks, I'll check out that mailing list. I'll look at the netscreen. The other option I was considering was the Sonicwall product line, but they seem mainly geared towards VPN instead of security, at least that's about all I see on their web site.

  9. #9
    Member
    Join Date
    Dec 2003
    Posts
    59
    We use all Sonicwalls (approx. 7) at my work and have never had a problem (knocking on wood).
    I also use an old 'webramp 700s' at my house that uses the Sonicwall OS.
    We dream of pix's and netscreen's!

  10. #10
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    WatchGuard has all you want in a pretty red box with all the nice flashing lights that will impress your boss for about $3k.

    Been using them for 6 years or so. They will easily handle your client load and will easily handle pptp connections you want.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
