Solved

The "Right" Firewall for small ISP

Posted on 2003-12-11
6
428 Views
Last Modified: 2013-11-16

I run a small web building/serving company (300 sites, lightish traffic) off a few XServes and 6 older machines happily off a T1. I just picked up a client who will be flinging me into the 100Mbps fibre arena with business related video streaming.

I use software (ipfw) on the Xserves, and a small SOHO DLink as my current firewall protection for other servers and internal network, and I feel the need to set up an independent gateway firewall to secure the network.

I have about $4000USD to spend, however, I plan to spend half of this on a managed switch (3com 24-port managed gigabit) to make sure my existing clients don't get squeezed out of bandwidth by this new client. If there is a managed GB switch that includes FW protection, I don't know about it though.

I see, from reading questions here, that there are a number of expensive solutions out there (Cisco PIX and Symantec SGS seem to be the winners). Ideally, as I am running Mac only, I would like a web interface for the firewall, not wintel GUIs. I would also like it to just plug in and have it secure the network immediately, although I am willing to do what it takes to get things working (time constraints of a small business and all).

In an ideal world, I would buy another second-hand XServe and have it run some kind of gateway firewall protection. Then I would have all necessary hardware handy in case of failure, and existing infastucture to mount/support them.

I am pretty lost though, and need advice.

a) Can I use an XServe as a stand-alone gateway firewall?
b) Should I buy a Cisco PIX or a Watchguard instead? Their pricing structure is impossible to figure out. What is the most inexpensive firewall solution I can get to service my needs?

Thanks for the info


0
Comment
Question by:seanostephens
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 45

Accepted Solution

by:
Kent Olsen earned 250 total points
ID: 9923299
Hi seanostephens,

Picking "the right" firewall can certainly be a challenge, and there are a lot of good options out there.  (There are also some "not so good" ones.)

I'm securing close to 100 systems, from desktop PCs to servers to IBM mainframes.  I've broken our network into 4 "zones" and put each behind its own firewall.  One of the zones is our PeopleSoft ERP system and all of its supporting servers.  We use the Cisco plug in for this.  All of the other zones are protected by 1U Dell servers (costing just over $1,000 each) running iptables under RedHat Linux.  After the initial learning curve involved with iptables, updating these firewalls requires almost no effort.

From a cost and an administrative standpoint, I don't believe that we will ever "buy" another solution.  Linux/iptables on an Intel box is just too cost effective.

Good Luck,
Kent
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 9923752
Personal opinion, I like the PIX FW.
For your $2500 remaining budget, you can get a 6-interface PIX 515e Restricted unit
This give you capability to create multiple DMZ zones, lets you VPN in to manage the networks securely from afar, does have a web-based JAVA GUI as well as the command-line from telnet. It takes about 15 minutes to setup out of the box and get it working. everything by default will be blocked inbound, everything permitted outbound. Your users/servers can go out and browse, ftp, get pop mail, etc, but nobody on the outside can come in until you specifically permit services through access-lists.

NetScreen or Watchguard are probably just as good, I just don't have the hands-on experience with them, and I don't have the list prices for them.
0
 

Author Comment

by:seanostephens
ID: 9924029
Does you know if FreeBSD (read: OSX) supports iptables?
0
DevOps Toolchain Recommendations

Read this Gartner Research Note and discover how your IT organization can automate and optimize DevOps processes using a toolchain architecture.

 
LVL 45

Expert Comment

by:Kent Olsen
ID: 9924047
Hi seanostephens,

I don't know if BSD "comes" with iptables, but it should be installable as long as you have a new enough kernel.  2.4 I believe.

Kent
0
 

Author Comment

by:seanostephens
ID: 9924167
Hmmm, now I'm even more konfused. :)

"Good" options I see are;

1) Cisco PIX 515E-R = $3000 (easy to install, every says it is great)
2) Symantec 5420 = $3200 (easy to install, has virus filtering/scalability, etc.)
3) Dell RedHat = $1000 (relative to install, useful later on)
4) Apple Xserve = $2700 (difficult to get working - I don't see any literature on including iptables into it, but way more useful in the long run)

Anyone else with good suggestions? So far, I like Kent's Dell suggestion the best, but I'd rather stick to the XServe.

Sean
0
 
LVL 18

Expert Comment

by:JConchie
ID: 9931706
How about a SonicWall Pro 230 at $1700....easy to instal, easy to configure....web interface
or even a SonicWall Tele3 for $500, depending on the number of users you have.

We have been running Sonicwal in 6 sites for over three years.....very satisfied both by cost and utility.
0

Featured Post

The Ultimate Checklist to Optimize Your Website

Websites are getting bigger and complicated by the day. Video, images, custom fonts are all great for showcasing your product/service. But the price to pay in terms of reduced page load times and ultimately, decreased sales, can lead to some difficult decisions about what to cut.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wikipedia defines 'Script Kiddies' in this informal way: "In hacker culture, a script kiddie, occasionally script bunny, skiddie, script kitty, script-running juvenile (SRJ), or similar, is a derogatory term used to describe those who use scripts or…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This is a high-level webinar that covers the history of enterprise open source database use. It addresses both the advantages companies see in using open source database technologies, as well as the fears and reservations they might have. In this…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

728 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question