The "Right" Firewall for small ISP


I run a small web building/serving company (300 sites, lightish traffic) off a few XServes and 6 older machines happily off a T1. I just picked up a client who will be flinging me into the 100Mbps fibre arena with business related video streaming.

I use software (ipfw) on the Xserves, and a small SOHO DLink as my current firewall protection for other servers and internal network, and I feel the need to set up an independent gateway firewall to secure the network.

I have about $4000USD to spend, however, I plan to spend half of this on a managed switch (3com 24-port managed gigabit) to make sure my existing clients don't get squeezed out of bandwidth by this new client. If there is a managed GB switch that includes FW protection, I don't know about it though.

I see, from reading questions here, that there are a number of expensive solutions out there (Cisco PIX and Symantec SGS seem to be the winners). Ideally, as I am running Mac only, I would like a web interface for the firewall, not wintel GUIs. I would also like it to just plug in and have it secure the network immediately, although I am willing to do what it takes to get things working (time constraints of a small business and all).

In an ideal world, I would buy another second-hand XServe and have it run some kind of gateway firewall protection. Then I would have all necessary hardware handy in case of failure, and existing infastucture to mount/support them.

I am pretty lost though, and need advice.

a) Can I use an XServe as a stand-alone gateway firewall?
b) Should I buy a Cisco PIX or a Watchguard instead? Their pricing structure is impossible to figure out. What is the most inexpensive firewall solution I can get to service my needs?

Thanks for the info


seanostephensAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Kent OlsenDBACommented:
Hi seanostephens,

Picking "the right" firewall can certainly be a challenge, and there are a lot of good options out there.  (There are also some "not so good" ones.)

I'm securing close to 100 systems, from desktop PCs to servers to IBM mainframes.  I've broken our network into 4 "zones" and put each behind its own firewall.  One of the zones is our PeopleSoft ERP system and all of its supporting servers.  We use the Cisco plug in for this.  All of the other zones are protected by 1U Dell servers (costing just over $1,000 each) running iptables under RedHat Linux.  After the initial learning curve involved with iptables, updating these firewalls requires almost no effort.

From a cost and an administrative standpoint, I don't believe that we will ever "buy" another solution.  Linux/iptables on an Intel box is just too cost effective.

Good Luck,
Kent

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
lrmooreCommented:
Personal opinion, I like the PIX FW.
For your $2500 remaining budget, you can get a 6-interface PIX 515e Restricted unit
This give you capability to create multiple DMZ zones, lets you VPN in to manage the networks securely from afar, does have a web-based JAVA GUI as well as the command-line from telnet. It takes about 15 minutes to setup out of the box and get it working. everything by default will be blocked inbound, everything permitted outbound. Your users/servers can go out and browse, ftp, get pop mail, etc, but nobody on the outside can come in until you specifically permit services through access-lists.

NetScreen or Watchguard are probably just as good, I just don't have the hands-on experience with them, and I don't have the list prices for them.
seanostephensAuthor Commented:
Does you know if FreeBSD (read: OSX) supports iptables?
Are You Protected from Q3's Internet Threats?

Every quarter, WatchGuard's Threat Lab releases a security report that analyzes the top threat trends impacting companies around the world. For Q3, we saw that 6.8% of the top 100K websites use insecure SSL protocols. Read the full report to start protecting your business today!

Kent OlsenDBACommented:
Hi seanostephens,

I don't know if BSD "comes" with iptables, but it should be installable as long as you have a new enough kernel.  2.4 I believe.

Kent
seanostephensAuthor Commented:
Hmmm, now I'm even more konfused. :)

"Good" options I see are;

1) Cisco PIX 515E-R = $3000 (easy to install, every says it is great)
2) Symantec 5420 = $3200 (easy to install, has virus filtering/scalability, etc.)
3) Dell RedHat = $1000 (relative to install, useful later on)
4) Apple Xserve = $2700 (difficult to get working - I don't see any literature on including iptables into it, but way more useful in the long run)

Anyone else with good suggestions? So far, I like Kent's Dell suggestion the best, but I'd rather stick to the XServe.

Sean
JConchieCommented:
How about a SonicWall Pro 230 at $1700....easy to instal, easy to configure....web interface
or even a SonicWall Tele3 for $500, depending on the number of users you have.

We have been running Sonicwal in 6 sites for over three years.....very satisfied both by cost and utility.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Software Firewalls

From novice to tech pro — start learning today.