Firewall Solution

ccarroll
ccarroll used Ask the Experts™
on
I am looking for many possibilities for a firewall for a client who wants to bring in Web and email and keep the network secure.  However, this must be cost effective.  This is a non-profit who cannot afford a PIX so please don't offer that as a solution.  They are willing to use Software running on Windows NT4, Linux, Sun, or hardware solutions, but it would need to be less than $1,000.00 to implement.  They are on a DSL 3 MB connection and would like to have VPN ability as well.

I have seen the Linksys BEFVP41 and I think that would be a fine residential solution, but what about commercial use?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
I would say the best bang for your buck would be sonic wall or netscreen. http://www.sonicguard.com/ It does stateful inspection like checkpoint but is targeted towards smaller networks. The SonicWALL SOHO3 may be best for your situation. Shop around you can get a good deal because of the tough times right now. Here is a link http://www.firewalls.com/sonicwall-soho3-50v.asp for about 750.00. They are easy to set up as well. Netscreen is very good as well, they are up and coming. http://www.tancom.com/netscreen/all_netscreen.asp
I agree with Shotcaller99 on the Netscreen part. The small box can do stateful inspection, has a very clean management interface and is very cost effective. There is also a 10-user version of the smaller appliances that can do VPN, etc. The NS5GT can even be upgraded (netscreen states end this year) to do Trend antivirus scanning at the gateway without loosing much performance.

Commented:
if the only thing this organization needs the internet for is for web sites and email then do this.

run linux (free), install the squid proxy server (free), use iptables for a firewall (free), block all incoming and outgoing tcp and udp packets with the exception of maybe dns queries, and dhcp requests. use linux as either a nat or a router to offer network users access to the internet through, AND ONLY through the squid proxy server. since you said they only need web sites and email, i think squid will support your needs for protocols like http, ftp, pop3, etc. the simple web protocols needed to do basic internet things. this way it doesn't leave the network open to any port scans, or other applications that access the internet on unknown ports. however the downside to all this is that you will have to manually configure all the applications on all the computers that need to access the internet to use the squid proxy server. this can be done lots of times using scripts or domain policies. ie and msn messenger will be the easy ones. same with netscape and mozilla. i don't know about other programs like kazaa or things that don't use http based proxy servers. they will need support for socks4 and 5. and i think squid can make that happen for you two. but basically i'm proposing you lock out internet usage unless the packets go through the proxy server. this way you have a kinda bouncer at the front doors of your network. no one goes in or out unless it goes through the proxy ;-)
Introduction to Web Design

Develop a strong foundation and understanding of web design by learning HTML, CSS, and additional tools to help you develop your own website.

Commented:
Installing linux and setting up iptables is not necessarily for the weak of heart.

Take a look at the symantec 200R. It's under a g-note, offers stateful inspection, VPN, awesome interface and is a piece of cake to setup. Furthermore i can say it's a relatively secure firewall if properly configured.
 
- Delivers comprehensive security and networking in a single, multi-function device for remote locations and small business offices with up to 40 employees
- Provides secure Internet connectivity and protects networks with integrated firewall functionality
- Ensures secure, cost-effective access to networks for remote offices and business partners through an integrated IPSec VPN
- Provides high-speed access, reliable connectivity, ample bandwidth, and easy remote management and monitoring

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=63&EID=0

Hanno P.S.IT Consultant and Infrastructure Architect

Commented:
You may want to look for "Small Office" aplliances with Check Point firewall inside. I've
been installing several Celestix boxes just recently. They have small solutions (as
little as 5 or 10 users or IPs) and larger ones. These start rougjly around $ 200.

Cheers

Commented:
in the event none of these suggestions have been terribly appetizing, I have used spare parts that a commercial client has had lying about (a 486 with 64 MB RAM two old 3com NICs and OpenBSD -- back then, I think it was version 3.0).

Total cost = $0 + whatever you charge for your time. :)

find out more about OpenBSD at http://www.OpenBSD.org 

Commented:
Ive personally used the Linksys BEFVP41 and have NOT had good things to say about it. (I gave it away)  The Sonicwall Soho3 series is pretty easy to manage and costs around $400.  I was very happy with it.  (I have since sold it)

I just bought a cisco pix 501 for around $500 and so far Im pretty frustrated.  The sonicwall was MUCH easier to set up.  I wish I bought a sonicwall soho3 instead.

If you REALLY want to save money on a good box -
I have a friend who uses the Netgear FVS318 and has very good things to say about it:  Cost: $120
http://www.netgear.com/products/prod_details.asp?prodID=129&view=sb
http://www.pcmall.com/pcmall/shop/detail.asp?dpno=422557&store=pcmall&source=pwbfroogle&adcampaign=email,pwbfroogle

Ive heard good things about netscreen, but when I called them, the sales guy messed me up by giving me false information.  Not the cheapest solution either.

Based on the information you provided, I think spending above $500 is a mistake.  You can get everything you want and have plenty of bandwidth to spare for alot cheaper.  

I also tend to lean away from putting a PC as your firewall.  An appliance is cheaper, faster, no moving parts, less electricity, smaller footprint.  I dont see why a PC makes a good firewall over an appliance, but thats just me. ;)

Commented:
Are you still working on this question?  If not, close it out.

Author

Commented:
How many sessions will the netgear solution and the soho handle?  This is for a small office with about 25 users 5 at a time would be about the max I would think I need...any thoughts?
Commented:
Here is the datasheet on the netgear:
http://www.netgear.com/products/details/FVS318.asp?view=sb
The first paragraph talks about VPN tunnels and regular nodes. (8 and 253 respectively)
If you need more VPN tunnels see this model:
http://www.netgear.com/products/details/FVL328.asp?view=

On the sonicwall side:
http://www.sonicwall.com/products/soho3.html
You have your choice of 10, 25, 50 or unlimited nodes, and 10 VPN tunnels.

So either one will do the trick for your setup.  The netgear has more open slots and is cheaper.

Again, Ive used the sonicwall myself and liked it, and heard good things about the netgear.  I think for a budget conscious decision, Id suggest the netgear.  For so little money, its a safe bet.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial