ccarroll

asked on

Firewall Solution

I am looking for many possibilities for a firewall for a client who wants to bring in Web and email and keep the network secure.  However, this must be cost effective.  This is a non-profit who cannot afford a PIX so please don't offer that as a solution.  They are willing to use Software running on Windows NT4, Linux, Sun, or hardware solutions, but it would need to be less than $1,000.00 to implement.  They are on a DSL 3 MB connection and would like to have VPN ability as well.

I have seen the Linksys BEFVP41 and I think that would be a fine residential solution, but what about commercial use?
Shotcaller99

I would say the best bang for your buck would be SonicWALL or NetScreen. http://www.sonicguard.com/ It does stateful inspection like Check Point but is targeted towards smaller networks. The SonicWALL SOHO3 may be best for your situation. Shop around; you can get a good deal because of the tough times right now. Here is a link http://www.firewalls.com/sonicwall-soho3-50v.asp for about $750.00. They are easy to set up as well. NetScreen is very good as well; they are up and coming. http://www.tancom.com/netscreen/all_netscreen.asp
I agree with Shotcaller99 on the NetScreen part. The small box can do stateful inspection, has a very clean management interface and is very cost effective. There is also a 10-user version of the smaller appliances that can do VPN, etc. The NS5GT can even be upgraded (NetScreen states end of this year) to do Trend antivirus scanning at the gateway without losing much performance.
If the only thing this organization needs the Internet for is web sites and email, then do this.

Run Linux (free), install the Squid proxy server (free), use iptables for a firewall (free), and block all incoming and outgoing TCP and UDP packets with the exception of maybe DNS queries and DHCP requests. Use Linux as either a NAT or a router to offer network users access to the Internet through, AND ONLY through, the Squid proxy server. Since you said they only need web sites and email, I think Squid will support your needs for protocols like HTTP, FTP, POP3, etc., the simple web protocols needed to do basic Internet things. This way it doesn't leave the network open to any port scans, or other applications that access the Internet on unknown ports. However, the downside to all this is that you will have to manually configure all the applications on all the computers that need to access the Internet to use the Squid proxy server. This can be done lots of times using scripts or domain policies. IE and MSN Messenger will be the easy ones. Same with Netscape and Mozilla. I don't know about other programs like Kazaa or things that don't use HTTP-based proxy servers. They will need support for SOCKS4 and 5, and I think Squid can make that happen for you too. But basically I'm proposing you lock out Internet usage unless the packets go through the proxy server. This way you have a kinda bouncer at the front doors of your network. No one goes in or out unless it goes through the proxy ;-)
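The locked-down design described in the post above, written out as an iptables-restore ruleset: default DROP everywhere, LAN hosts may only talk to the proxy, and only the proxy box itself may reach DNS and web ports upstream. This is an added example, not the poster's own configuration; the interface names eth0/eth1, the 192.168.1.0/24 LAN and Squid's port 3128 are assumptions.

```shell
#!/bin/sh
# Added example: iptables-restore ruleset for the "everything through squid" design.
# Assumptions (not from the post): eth0 = DSL/WAN side, eth1 = LAN side,
# LAN = 192.168.1.0/24, squid listens on the firewall itself on TCP 3128.
WAN=eth0
LAN_IF=eth1
LAN_NET=192.168.1.0/24
SQUID_PORT=3128
# Print the ruleset; apply with: gen_rules | iptables-restore
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback, and replies to connections this box opened itself
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# LAN clients reach only the proxy; FORWARD stays DROP so nothing bypasses it
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -m conntrack --ctstate NEW -j ACCEPT
# DHCP between LAN clients and this box (broadcast replies are not conntracked)
-A INPUT -i $LAN_IF -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $LAN_IF -p udp --sport 67 --dport 68 -j ACCEPT
# Outbound for squid and the box: DNS, http, https, ftp control (ftp data is
# RELATED once nf_conntrack_ftp is loaded). POP3/SMTP are not HTTP-proxyable and
# would need their own explicit rules if mail clients must reach the ISP directly.
-A OUTPUT -o $WAN -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 80,443,21 -m conntrack --ctstate NEW -j ACCEPT
# Log drops (rate-limited) so a LAN host trying to go around the proxy shows in syslog
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP "
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "FW-OUT-DROP "
COMMIT
EOF
}
# Sanity check usable without root: every default policy is DROP and no rule
# ACCEPTs forwarded traffic, i.e. the proxy is the only way out of the LAN.
check_rules() {
    rules=$(gen_rules)
    [ "$(printf '%s\n' "$rules" | grep -c '^:[A-Z]* DROP')" -eq 3 ] &&
    ! printf '%s\n' "$rules" | grep -q '^-A FORWARD .*-j ACCEPT'
}
if [ "$(id -u)" -eq 0 ] && [ "${1:-}" = "--apply" ]; then
    gen_rules | iptables-restore
else
    gen_rules
fi
```

Run without arguments to review the generated rules; run as root with `--apply` to load them. Browsers on the LAN must then be pointed at the firewall's address on port 3128, exactly as the post describes.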
Installing Linux and setting up iptables is not necessarily for the weak of heart.

Take a look at the Symantec 200R. It's under a g-note, offers stateful inspection, VPN, an awesome interface and is a piece of cake to set up. Furthermore, I can say it's a relatively secure firewall if properly configured.

- Delivers comprehensive security and networking in a single, multi-function device for remote locations and small business offices with up to 40 employees
- Provides secure Internet connectivity and protects networks with integrated firewall functionality
- Ensures secure, cost-effective access to networks for remote offices and business partners through an integrated IPSec VPN
- Provides high-speed access, reliable connectivity, ample bandwidth, and easy remote management and monitoring

http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=63&EID=0

Hanno P.S.
You may want to look for "Small Office" appliances with Check Point firewall inside. I've been installing several Celestix boxes just recently. They have small solutions (as little as 5 or 10 users or IPs) and larger ones. These start roughly around $200.

Cheers
In the event none of these suggestions have been terribly appetizing: I have used spare parts that a commercial client has had lying about (a 486 with 64 MB RAM, two old 3Com NICs and OpenBSD -- back then, I think it was version 3.0).

Total cost = $0 + whatever you charge for your time. :)

Find out more about OpenBSD at http://www.OpenBSD.org
I've personally used the Linksys BEFVP41 and have NOT had good things to say about it. (I gave it away.) The SonicWALL SOHO3 series is pretty easy to manage and costs around $400. I was very happy with it. (I have since sold it.)

I just bought a Cisco PIX 501 for around $500 and so far I'm pretty frustrated. The SonicWALL was MUCH easier to set up. I wish I had bought a SonicWALL SOHO3 instead.

If you REALLY want to save money on a good box -
I have a friend who uses the Netgear FVS318 and has very good things to say about it:  Cost: $120
http://www.netgear.com/products/prod_details.asp?prodID=129&view=sb
http://www.pcmall.com/pcmall/shop/detail.asp?dpno=422557&store=pcmall&source=pwbfroogle&adcampaign=email,pwbfroogle

I've heard good things about NetScreen, but when I called them, the sales guy messed me up by giving me false information. Not the cheapest solution either.

Based on the information you provided, I think spending above $500 is a mistake. You can get everything you want and have plenty of bandwidth to spare for a lot cheaper.

I also tend to lean away from putting a PC in as your firewall. An appliance is cheaper, faster, has no moving parts, uses less electricity and has a smaller footprint. I don't see why a PC makes a better firewall than an appliance, but that's just me. ;)
Are you still working on this question?  If not, close it out.
ccarroll (ASKER)

How many sessions will the Netgear solution and the SOHO handle? This is for a small office with about 25 users; 5 at a time would be about the max I would think I need. Any thoughts?
ASKER CERTIFIED SOLUTION
Kokoglen