The "Right" Firewall for small ISP

Posted on 2003-12-11
Last Modified: 2013-11-16

I run a small web building/serving company (300 sites, lightish traffic) off a few XServes and 6 older machines happily off a T1. I just picked up a client who will be flinging me into the 100Mbps fibre arena with business related video streaming.

I use software (ipfw) on the Xserves, and a small SOHO DLink as my current firewall protection for other servers and internal network, and I feel the need to set up an independent gateway firewall to secure the network.

I have about $4000USD to spend, however, I plan to spend half of this on a managed switch (3com 24-port managed gigabit) to make sure my existing clients don't get squeezed out of bandwidth by this new client. If there is a managed GB switch that includes FW protection, I don't know about it though.

I see, from reading questions here, that there are a number of expensive solutions out there (Cisco PIX and Symantec SGS seem to be the winners). Ideally, as I am running Mac only, I would like a web interface for the firewall, not wintel GUIs. I would also like it to just plug in and have it secure the network immediately, although I am willing to do what it takes to get things working (time constraints of a small business and all).

In an ideal world, I would buy another second-hand XServe and have it run some kind of gateway firewall protection. Then I would have all necessary hardware handy in case of failure, and existing infastucture to mount/support them.

I am pretty lost though, and need advice.

a) Can I use an XServe as a stand-alone gateway firewall?
b) Should I buy a Cisco PIX or a Watchguard instead? Their pricing structure is impossible to figure out. What is the most inexpensive firewall solution I can get to service my needs?

Thanks for the info

Question by:seanostephens
LVL 45

Accepted Solution

Kent Olsen earned 250 total points
ID: 9923299
Hi seanostephens,

Picking "the right" firewall can certainly be a challenge, and there are a lot of good options out there.  (There are also some "not so good" ones.)

I'm securing close to 100 systems, from desktop PCs to servers to IBM mainframes.  I've broken our network into 4 "zones" and put each behind its own firewall.  One of the zones is our PeopleSoft ERP system and all of its supporting servers.  We use the Cisco plug in for this.  All of the other zones are protected by 1U Dell servers (costing just over $1,000 each) running iptables under RedHat Linux.  After the initial learning curve involved with iptables, updating these firewalls requires almost no effort.

From a cost and an administrative standpoint, I don't believe that we will ever "buy" another solution.  Linux/iptables on an Intel box is just too cost effective.

Good Luck,
LVL 79

Expert Comment

ID: 9923752
Personal opinion, I like the PIX FW.
For your $2500 remaining budget, you can get a 6-interface PIX 515e Restricted unit
This give you capability to create multiple DMZ zones, lets you VPN in to manage the networks securely from afar, does have a web-based JAVA GUI as well as the command-line from telnet. It takes about 15 minutes to setup out of the box and get it working. everything by default will be blocked inbound, everything permitted outbound. Your users/servers can go out and browse, ftp, get pop mail, etc, but nobody on the outside can come in until you specifically permit services through access-lists.

NetScreen or Watchguard are probably just as good, I just don't have the hands-on experience with them, and I don't have the list prices for them.

Author Comment

ID: 9924029
Does you know if FreeBSD (read: OSX) supports iptables?
Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

LVL 45

Expert Comment

by:Kent Olsen
ID: 9924047
Hi seanostephens,

I don't know if BSD "comes" with iptables, but it should be installable as long as you have a new enough kernel.  2.4 I believe.


Author Comment

ID: 9924167
Hmmm, now I'm even more konfused. :)

"Good" options I see are;

1) Cisco PIX 515E-R = $3000 (easy to install, every says it is great)
2) Symantec 5420 = $3200 (easy to install, has virus filtering/scalability, etc.)
3) Dell RedHat = $1000 (relative to install, useful later on)
4) Apple Xserve = $2700 (difficult to get working - I don't see any literature on including iptables into it, but way more useful in the long run)

Anyone else with good suggestions? So far, I like Kent's Dell suggestion the best, but I'd rather stick to the XServe.

LVL 18

Expert Comment

ID: 9931706
How about a SonicWall Pro 230 at $1700....easy to instal, easy to configure....web interface
or even a SonicWall Tele3 for $500, depending on the number of users you have.

We have been running Sonicwal in 6 sites for over three years.....very satisfied both by cost and utility.

Featured Post

Now Available: Firebox Cloud for AWS and FireboxV

Firebox Cloud brings the protection of WatchGuard’s leading Firebox UTM appliances to public cloud environments. It enables organizations to extend their security perimeter to protect business-critical assets in Amazon Web Services (AWS).

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Netgear WMS5316 Guest SSiD 1 87
How to create one more DMZ subnet? 8 76
Recommendation of Antivirus software for Personal Use 19 221
Palo Alto Networks Global Protect 2 162
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

733 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question