Selection of Firewall and IDS

prashmit asked:
We are going to network 30 sites with our head office via an ISP's VPN. Can all experts please suggest what firewall and IDS I should use to protect my network to the maximum extent? We have Windows 2000 Advanced Server with Exchange 2000 as mail server. We will expose our server for ERP and mail access to all our sites as well as to external internet users. (Note that we are taking leased connectivity with an ISP for internet exposure.) We will be using 3600 series Cisco routers at the central location.
Currently we use two SonicWALL Pro 330s in our head office for VPN (they are set for failover to each other) and a SonicWALL TELE3 SP at our remote offices. This works very well for us, and SonicWALL offers a nice global management software called SGMS. Internally we use Snort 2.0 for IDS running on Red Hat 7.3. It is very effective, but that is hard to tell, because you wouldn't necessarily know if it is not logged, now would you. The SonicWALL devices are affordable, as is the licensing; they have great support and even offered us free training and certification for our entire IT team.
Commented:
While you are thinking about it, get started by minimally installing ZoneAlarm (if only the freebie). Look:

http://www.microsoft.com/security/incident/blast.asp
http://www.microsoft.com/security/protect/default.asp

> and IDS should I use to protect

Oops. IDS does not protect, it detects, like A/V can detect, but is not a real protector. Some random links for reading file (no comment yet on value of any):

http://www.networkintrusion.co.uk/ids.htm
http://www.sentryfirewall.com/
http://eeye.com/html/Products/index.html

> We have Windows 2000 advanced server with Exchange 2000 as mail server. We will expose our server

I think you would be well served to pose a question in the Networking TA that you are considering setting up a DMZ.
Dave Howe, Software and Hardware Engineer
Commented:
that depends on a few things, not least on how much money you want to spend
I would normally recommend FW-1/VPN-1 for a large multinode network, but we are talking serious expense there.
the sonicwall recommended by chaddpuss is a good middle-to-high choice - supports up to 1000 connections per node and each comes with 200 client licences for dialup users (so by definition you would gain a pool of 6200 licences for any laptop users you need to support if you outfit all your satellites with them, or for the smaller offices you could just equip a single server pc with a client to form a web proxy/vpn-networked storage server)
middle to low comes SSH's Sentinel single-node software for windows - it is reliable, fairly easy to set up, and while far from free is noticeably cheaper than the copy of windows you run it on.
low to nonexistent comes down to a linux box (running freeswan kernel) or something userlandish like tinc; windows 2000/xp also has built-in IPSec, but it's pretty difficult to configure (check out http://vpn.ebootis.de/)
if you want to go the linux path, you could consider one of the floppy-based mini-firewalls like bering (http://leaf.sourceforge.net/) for the smaller offices - the maintenance on a machine that basically has a network card, modem and either a floppy or cdrom drive (no HD) is very low indeed.
tinc is interesting, (http://tinc.nl.linux.org/) but isn't true IPSec, so won't interop with anything other than another tinc

another thing you can do is talk to your phone company - quite a few run managed vpn over either their native pairs or frame relay - consider it a mini-internet that only has your own sites on it, so it can't be hacked from the internet - and it is often very competitively priced compared to that many individual Internet dedicated connections plus vpn software plus firewalls.....

As DaveHowe said, it depends greatly on many things, such as how much money you want to spend and what the company culture and staff capabilities are with regard to rolling your own vs buying stuff vs outsourcing.

Also, you mention IDS, which does _not_ protect your site at all. What it does is tell you if your site has been compromised. Think of it like a burglar alarm. Still important, though.

Finally, for thirty sites, ease of administration is going to be a big deal.


Extreme roll-your-own firewall/VPN solutions:
    o Linux boxes running IPtables (or OpenBSD boxes running pf) with S/WAN for VPN, rsync to synchronize state, SSH for remote management
    o Cisco routers with Firewall Feature Set and VPN accelerator cards, and something like Solsoft's Network Policy Manager for central management

Leading Commercial firewall solutions with some assembly required:
    o CheckPoint FW-1 NG on general-purpose hardware with a centralized management station.
    o Cisco PIX

Leading Commercial firewall all-in-one solutions
    o Sonicwall
    o CheckPoint FW-1 on Nokia appliances
    o Netscreen

Outsourcing firewall solutions:
    Several ISP's and other vendors offer this.

Extreme roll-your-own Network IDS, Honeypot, and Tarpit:
    o Linux or OpenBSD boxes running Snort, central management with rdist, SSH, ACID, SnortCenter, and mysql
    o Linux boxes running Honey Net code (see www.honeynet.org) with rdist and SSH for management
    o Linux or OpenBSD boxes running LaBrea with rdist and SSH for management

Leading Commercial Network IDS and Honeypot solutions with some assembly required:
    o ISS RealSecure running on Windows
    o Symantec ManTrap Honeypots running on Solaris

Leading Commercial Network IDS all-in-one solutions
    o ISS RealSecure appliances
    o SourceFire Snort appliances
    o Cisco Secure Intrusion Detection System

Leading Outsource Network IDS solutions
    o Many big ISP's
    o ISS
    o Counterpane

See also sites like the SANS reading room (www.sans.org/rr)
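The Snort-plus-central-management option in the list above leaves open what you actually do with the alerts once they are collected, and the earlier point stands that an IDS only detects. As an added example (not code from this thread or from the Snort project), the script below summarises Snort "fast" alert lines by source host and by priority, the first questions an operator asks of a day's alerts from thirty sites. The sample alert lines are constructed for illustration: the rule IDs (1000001 and up, the range reserved for local rules), messages and addresses are made up, not real signatures.

```shell
#!/bin/sh
# Added example: summarise Snort "fast" alert output by source host and priority.
# Not from the thread or the Snort project; the sample below is constructed,
# using made-up local-range SIDs and documentation addresses.

SAMPLE_ALERTS=$(cat <<'EOF'
08/19-10:15:02.113377  [**] [1:1000001:1] SAMPLE SCAN inbound probe to unused port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40112 -> 198.51.100.20:1433
08/19-10:15:02.501200  [**] [1:1000001:1] SAMPLE SCAN inbound probe to unused port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40113 -> 198.51.100.20:135
08/19-10:15:03.020900  [**] [1:1000001:1] SAMPLE SCAN inbound probe to unused port [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:40114 -> 198.51.100.20:445
08/19-10:16:44.778001  [**] [1:1000002:1] SAMPLE EXPLOIT suspicious SMTP command sequence [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.77:2201 -> 198.51.100.20:25
08/19-10:17:10.000431  [**] [1:1000003:1] SAMPLE ICMP large echo request [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.0.2.9 -> 198.51.100.20
08/19-10:18:21.340020  [**] [1:1000002:1] SAMPLE EXPLOIT suspicious SMTP command sequence [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 198.51.100.77:2202 -> 198.51.100.20:25
EOF
)

# Alerts per source host, read from stdin, printed as "count ip", busiest first.
# In fast-alert format the last three fields are "src[:port] -> dst[:port]", so
# the source is the third field from the end; splitting on ":" drops the port
# and also copes with ICMP lines that carry no port at all.
alerts_by_source() {
    awk '/\[\*\*\]/ {
        split($(NF - 2), src, ":")
        count[src[1]]++
    }
    END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Alerts per priority level, read from stdin, printed as "priority count".
# "Priority: " is 10 characters, so the digits start at RSTART + 10.
alerts_by_priority() {
    awk 'match($0, /Priority: [0-9]+/) {
        p = substr($0, RSTART + 10, RLENGTH - 10)
        count[p]++
    }
    END { for (p in count) print p, count[p] }' | sort -n
}

# Only the priority-1 lines, i.e. what someone should look at first.
high_priority_alerts() {
    grep -F 'Priority: 1]'
}

# Report over the constructed sample when run directly.
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_source
printf '%s\n' "$SAMPLE_ALERTS" | alerts_by_priority
printf '%s\n' "$SAMPLE_ALERTS" | high_priority_alerts
```

Against a real sensor, point the functions at the alert file instead of the sample, for example `alerts_by_source < /var/log/snort/alert` (path assumed; it depends on how Snort was started). The output tells you what was seen, nothing more: blocking the source is still the firewall's job, which is exactly the distinction the posters above are drawing.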

Author

Commented:
Thanks to all. Let me go through. Will come back very soon.

Author

Commented:
Can all please tell me what features of firewalls and IDS we should consider for evaluation?
For example, the firewall should have a deny-all-ports-and-allow-a-few capability, etc.
The features you need in your firewall depend on your future setup. Normally one would look at:

-firewall throughput
-vpn throughput
-max number of sessions
-max number of vpn tunnels (both lan2lan and dial-up2lan)
-supported vpn protocols/methods (IPSEC, IKE, 3DES, etc)
-global management for policies
-global management for client vpn software (policy deployment)
-os/software upgrade capability

I totally agree with chris_calabrese that administration is probably going to be a very important issue. We currently manage a VPN network using around 30 Netscreen devices, but we also own 5 Checkpoint boxes. The Netscreens proved to be very efficient and reliable devices, but I consider the Checkpoint boxes easier to manage, although this is mainly because we did not purchase Netscreen Global Pro, Netscreen's global management suite.
So far the SonicWALL Global Management System is the easiest I have seen to configure. The Pro 330 devices support 128,000 simultaneous connections and 1,000 VPN tunnels. Firewall throughput is 190 Mbps and VPN throughput is 45 Mbps. They have higher-end products that support up to 10,000 VPN tunnels and 500,000 simultaneous connections, but they are very pricey and most people do not require that many.
An excellent IDS package is available from www.iss.net called RealSecure. I've been using it for years and it is the best IDS I've ever used. If you are using a Checkpoint firewall solution (again, it's recommended) you can link the two together to provide a very robust and secure solution.

These two products are certainly not the cheapest around but are definitely some of the best.
You could also try Snort 2.0 as it is free and very effective.
Please remember to be realistic here,  prashmit is only connecting 30 sites.
Dave Howe, Software and Hardware Engineer

Commented:
As a rule of thumb - check out what the free linux firewall and vpn solutions (IPTables and Freeswan) provide - if the commercial packages you look at don't give you at LEAST that, then they are a waste of money.
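To make that baseline concrete, and to show what the "deny all ports, allow a few" capability asked about earlier looks like in practice, here is an added example (not code from this thread or from any of the vendors mentioned) that generates an iptables-restore ruleset for a server that exposes a couple of services and drops everything else by default. The port numbers are assumptions for illustration only: 25 for inbound mail, 443 for web mail, and 8443 as a stand-in for whatever the ERP application actually listens on; the management network 10.0.0.0/8 is likewise assumed.

```shell
#!/bin/sh
# Added example: build a default-deny iptables ruleset from a short allow-list.
# Not from the thread; port numbers and the management network are assumptions.
#
# Usage: gen_ruleset "25 443 8443" [mgmt_net] > /etc/sysconfig/iptables
#        iptables-restore < /etc/sysconfig/iptables
gen_ruleset() {
    ports="$1"                      # space-separated TCP ports to expose
    mgmt_net="${2:-10.0.0.0/8}"     # assumed internal range allowed to SSH in

    # Refuse to emit anything if a port is not a number in 1..65535; a typo
    # here would otherwise silently produce a ruleset that locks you out or
    # opens nothing at all.
    for p in $ports; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
    done

    printf '*filter\n'
    printf ':INPUT DROP [0:0]\n'    # default policy: drop unsolicited inbound
    printf ':FORWARD DROP [0:0]\n'  # this host is not a router
    printf ':OUTPUT ACCEPT [0:0]\n'
    printf -- '-A INPUT -i lo -j ACCEPT\n'
    # Replies to connections the host itself opened are allowed back in.
    printf -- '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT\n'
    printf -- '-A INPUT -m state --state INVALID -j DROP\n'
    # Remote management only from the internal range.
    printf -- '-A INPUT -s %s -p tcp --dport 22 -m state --state NEW -j ACCEPT\n' "$mgmt_net"
    # The few services deliberately exposed.
    for p in $ports; do
        printf -- '-A INPUT -p tcp --dport %s -m state --state NEW -j ACCEPT\n' "$p"
    done
    # Log what falls through to the DROP policy so the firewall, like the IDS,
    # leaves a record of what it turned away.
    printf -- '-A INPUT -j LOG --log-prefix "fw-drop: " --log-level 4\n'
    printf 'COMMIT\n'
}

# Sanity check before loading: the ruleset must start the INPUT chain with a
# DROP policy and end with COMMIT. Returns 0 when both hold.
check_ruleset() {
    ruleset="$1"
    printf '%s\n' "$ruleset" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$ruleset" | tail -n 1 | grep -q '^COMMIT$' || return 1
    return 0
}

# Print the ruleset for the assumed services when run directly.
gen_ruleset "25 443 8443"
```

Loading the file needs root and a console you will not lose if you got the allow-list wrong, which is why the generator validates its input and `check_ruleset` exists: run the check on the generated file before `iptables-restore`, not after. This is the feature the question calls "deny all ports and allow a few"; a commercial box that cannot express the same policy, with logging, has not cleared the bar Dave Howe sets.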

Author

Commented:
I will get back to you all very soon. Thanks to all for help and co-operation.
Split between all posters.
Yep, good suggestion.
