• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 439
  • Last Modified:

The "Right" Firewall for small ISP

I run a small web building/serving company (300 sites, lightish traffic) off a few XServes and 6 older machines happily off a T1. I just picked up a client who will be flinging me into the 100Mbps fibre arena with business related video streaming.

I use software (ipfw) on the Xserves, and a small SOHO DLink as my current firewall protection for other servers and internal network, and I feel the need to set up an independent gateway firewall to secure the network.

I have about $4000USD to spend, however, I plan to spend half of this on a managed switch (3com 24-port managed gigabit) to make sure my existing clients don't get squeezed out of bandwidth by this new client. If there is a managed GB switch that includes FW protection, I don't know about it though.

I see, from reading questions here, that there are a number of expensive solutions out there (Cisco PIX and Symantec SGS seem to be the winners). Ideally, as I am running Mac only, I would like a web interface for the firewall, not wintel GUIs. I would also like it to just plug in and have it secure the network immediately, although I am willing to do what it takes to get things working (time constraints of a small business and all).

In an ideal world, I would buy another second-hand XServe and have it run some kind of gateway firewall protection. Then I would have all necessary hardware handy in case of failure, and existing infastucture to mount/support them.

I am pretty lost though, and need advice.

a) Can I use an XServe as a stand-alone gateway firewall?
b) Should I buy a Cisco PIX or a Watchguard instead? Their pricing structure is impossible to figure out. What is the most inexpensive firewall solution I can get to service my needs?

Thanks for the info

1 Solution
Kent OlsenData Warehouse Architect / DBACommented:
Hi seanostephens,

Picking "the right" firewall can certainly be a challenge, and there are a lot of good options out there.  (There are also some "not so good" ones.)

I'm securing close to 100 systems, from desktop PCs to servers to IBM mainframes.  I've broken our network into 4 "zones" and put each behind its own firewall.  One of the zones is our PeopleSoft ERP system and all of its supporting servers.  We use the Cisco plug in for this.  All of the other zones are protected by 1U Dell servers (costing just over $1,000 each) running iptables under RedHat Linux.  After the initial learning curve involved with iptables, updating these firewalls requires almost no effort.

From a cost and an administrative standpoint, I don't believe that we will ever "buy" another solution.  Linux/iptables on an Intel box is just too cost effective.

Good Luck,
Personal opinion, I like the PIX FW.
For your $2500 remaining budget, you can get a 6-interface PIX 515e Restricted unit
This give you capability to create multiple DMZ zones, lets you VPN in to manage the networks securely from afar, does have a web-based JAVA GUI as well as the command-line from telnet. It takes about 15 minutes to setup out of the box and get it working. everything by default will be blocked inbound, everything permitted outbound. Your users/servers can go out and browse, ftp, get pop mail, etc, but nobody on the outside can come in until you specifically permit services through access-lists.

NetScreen or Watchguard are probably just as good, I just don't have the hands-on experience with them, and I don't have the list prices for them.
seanostephensAuthor Commented:
Does you know if FreeBSD (read: OSX) supports iptables?
The Firewall Audit Checklist

Preparing for a firewall audit today is almost impossible.
AlgoSec, together with some of the largest global organizations and auditors, has created a checklist to follow when preparing for your firewall audit. Simplify risk mitigation while staying compliant all of the time!

Kent OlsenData Warehouse Architect / DBACommented:
Hi seanostephens,

I don't know if BSD "comes" with iptables, but it should be installable as long as you have a new enough kernel.  2.4 I believe.

seanostephensAuthor Commented:
Hmmm, now I'm even more konfused. :)

"Good" options I see are;

1) Cisco PIX 515E-R = $3000 (easy to install, every says it is great)
2) Symantec 5420 = $3200 (easy to install, has virus filtering/scalability, etc.)
3) Dell RedHat = $1000 (relative to install, useful later on)
4) Apple Xserve = $2700 (difficult to get working - I don't see any literature on including iptables into it, but way more useful in the long run)

Anyone else with good suggestions? So far, I like Kent's Dell suggestion the best, but I'd rather stick to the XServe.

How about a SonicWall Pro 230 at $1700....easy to instal, easy to configure....web interface
or even a SonicWall Tele3 for $500, depending on the number of users you have.

We have been running Sonicwal in 6 sites for over three years.....very satisfied both by cost and utility.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Port Scanner

Check which ports are open to the outside world. Helps make sure that your firewall rules are working as intended.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now