Page 1 of 2 12 LastLast
Results 1 to 10 of 13

Thread: Which Hardware Firewall should I get?

  1. #1
    Junior Member
    Join Date
    Apr 2005
    Posts
    3

    Question Which Hardware Firewall should I get?

    A big hello from a security newbie in the UK!

    I have a question about which hardware firewall to buy - I would appreciate any expert opinions that might help me out.

    The scenario:

    I have a customer in the travel industry who is looking to implement on-line booking to their in-house tour reservations system.

    They have installed a 2MB SDSL line (with Lucent Cellpipe 20H router) to carry traffic in and out.

    Their web site will pass User requests (hotel availability, prices, etc) through to a dedicated Linux system on the internal network, which will then query the Reservations system and pass the results back to the user.

    Now this is a full-time Internet connection that I want to secure from all those people who might try to break in to the on-site systems, so I want to screw access down as tight as possible - only letting recognised traffic through.

    I've been advised that Watchguard's Firebox products are good value (did I mention we're on a very tight budget?)

    I would appreciate any help from anyone who can advise.

    Thanks, and have a nice day!

    RoboScorpion

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    1,130
    Considering that they are already running linux and must therefore have the administration capability to support it, I would recommend a linux based firewall. On a 2MB connection you shouldn't need more then 200~300MHZ boxes to handle peak loads. Signifigantly cheaper than prebuilt hardware firewalls, and one hell of a lot more configurable. Such a firewall is also far more scalable, should the client wish to add capabilities such as IDS or bandwidth monitoring (or whatever) later on.

    The down side, of course, is that such a firewall would be a lot more prone to failures, and would take more time to set up and configure. As for the configuring, a firewall such as Smoothwall or IpCop will basically set the whole thing up for you. A few hacks are needed to get it to work with DSL, but it shouldn't be too much trouble with the Roaring Penguin PPPoE client (assuming you use PPPoE over there).

    Unfortunately, I have no experience with the type of hardware firewalls you speak of, so I cannot offer recommendations. However, I would imagine they are no more or less secure than the alternative I have presented. The savings in hardware expenses may be offset by the increased cost of setup however.
    Government is like fire - a handy servant, but a dangerous master - George Washington
    Government is not reason, it is not eloquence - it is force. - George Washington.

    Join the UnError community!

  3. #3
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by Striek
    Considering that they are already running linux and must therefore have the administration capability to support it, I would recommend a linux based firewall. On a 2MB connection you shouldn't need more then 200~300MHZ boxes to handle peak loads. Signifigantly cheaper than prebuilt hardware firewalls, and one hell of a lot more configurable. Such a firewall is also far more scalable, should the client wish to add capabilities such as IDS or bandwidth monitoring (or whatever) later on.

    The down side, of course, is that such a firewall would be a lot more prone to failures, and would take more time to set up and configure. As for the configuring, a firewall such as Smoothwall or IpCop will basically set the whole thing up for you. A few hacks are needed to get it to work with DSL, but it shouldn't be too much trouble with the Roaring Penguin PPPoE client (assuming you use PPPoE over there).

    Unfortunately, I have no experience with the type of hardware firewalls you speak of, so I cannot offer recommendations. However, I would imagine they are no more or less secure than the alternative I have presented. The savings in hardware expenses may be offset by the increased cost of setup however.
    How would that be more prone to failures? I've had prebuilt stuff go bad on me WAY more than the stuff I built?

    And as far as operating systems go I'd chose FreeBSD to go on that machine. It's FREE!! It's much easier to update/patch, much easier to configure, better IP stack, better security (check out 5.3) and you get pf which is a killer firewall which does everything and more than you'll need, and very easy to configure.

    Sorry, gotta go. I'm setting up a P4 bridge right now to just what you're talking about to further increase security around here (and implement bandwidth management).
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  4. #4
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    Watchguard Firewall X500. It has the bandwidth covered, the user base, and hell it's sexy too. Many online retailers carry the boxed version and you will have to add on the 3 slot expansion to get a DMZ to segment the puplic server from private servers. It also supports VPNs and it controlled via a sleek interface. In many cases you can just drop it in with little effort. Also it does a good job logging information to the PC that is used to control it and comes with nice monitoring feature without having to build anything. Good value when compared to alternative option. Plus when you out grow a feature, you just buy an upgrade and apply it through an update system of software packages. You can also add IDS, SPAM filter, Proxies, Antivirus, Pen Testing etc...

    Average US retail price: $1500.00 give or take plus DO NOT forget the Network upgrade to add 3 ports, avg. $300.00US. Without that upgrade you only get 1 internal port, no DMZ. There are cheaper models but I would recomend that. Wait the X50 may work depending on your desires. Those cheaper models are not as flexible as far as options and upgrades though.

    X500
    X50
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  5. #5
    Senior Member
    Join Date
    May 2004
    Posts
    519
    http://www.cisco.com/en/US/products/...030/index.html

    Cisco offers PIX firewalls, i did a course on them last week but have not really had much time to play around .. we use them at work now tho so they cant be too bad

  6. #6
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Sorry I just realized I didn't answer your original question. How about a pix? Depending on what you're looking for the 501 can do 2MB no problem and you can get them cheap on ebay under $500. Easy to admin and fairly bulletproof.

    peace.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  7. #7
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I use the Pix as well. In fact I eat Pix for breakfast. However the same scenario say 2 firewalls each with DMZ and failover is significantly different in price. Watchguard 4k. Cisco 11K. (these are new prices) The cheap Pix 506 does not isolate a DMZ.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  8. #8
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Originally posted here by RoadClosed
    I use the Pix as well. In fact I eat Pix for breakfast. However the same scenario say 2 firewalls each with DMZ and failover is significantly different in price. Watchguard 4k. Cisco 11K. (these are new prices) The cheap Pix 506 does not isolate a DMZ.
    The requirements are met. Where did it say failover, 2 firewalls each with their own DMZ? That in and of itself says you'll be spending mucho dinero.

    Anyway, I'm having trouble with my FreeBSD box, seems that if you have too many queues defined pf doesn't work well. Not stable at all. C-ya.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  9. #9
    Junior Member
    Join Date
    Apr 2005
    Posts
    3
    What about products from people like ZyXEL, Fortinet, Sonicwall, NetScreen......?


    (Thanks for all the opinions expressed so far.)

  10. #10
    Senior Member
    Join Date
    Mar 2005
    Posts
    400

    Exclamation

    Although the guys here have given varied and some workable suggestions, here's my suggestion.

    Since you are asking about *other* various names,
    I'd call or email each firewall/router company I'm interested in after perusing their website.

    Get the lowdown direct from the horse's mouth while they teach you a thing or two that you can use on the next call to their competitor.

    Personally I still wouldn't discount the advice here, these guys know a thing or two themselves.
    ZT3000
    Beta tester of "0"s and "1"s"

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •