Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17


The "Right" Firewall for small ISP

Posted on 2003-12-11
Medium Priority
Last Modified: 2013-11-16

I run a small web building/serving company (300 sites, lightish traffic) off a few XServes and 6 older machines happily off a T1. I just picked up a client who will be flinging me into the 100Mbps fibre arena with business related video streaming.

I use software (ipfw) on the Xserves, and a small SOHO DLink as my current firewall protection for other servers and internal network, and I feel the need to set up an independent gateway firewall to secure the network.

I have about $4000USD to spend, however, I plan to spend half of this on a managed switch (3com 24-port managed gigabit) to make sure my existing clients don't get squeezed out of bandwidth by this new client. If there is a managed GB switch that includes FW protection, I don't know about it though.

I see, from reading questions here, that there are a number of expensive solutions out there (Cisco PIX and Symantec SGS seem to be the winners). Ideally, as I am running Mac only, I would like a web interface for the firewall, not wintel GUIs. I would also like it to just plug in and have it secure the network immediately, although I am willing to do what it takes to get things working (time constraints of a small business and all).

In an ideal world, I would buy another second-hand XServe and have it run some kind of gateway firewall protection. Then I would have all necessary hardware handy in case of failure, and existing infastucture to mount/support them.

I am pretty lost though, and need advice.

a) Can I use an XServe as a stand-alone gateway firewall?
b) Should I buy a Cisco PIX or a Watchguard instead? Their pricing structure is impossible to figure out. What is the most inexpensive firewall solution I can get to service my needs?

Thanks for the info

Question by:seanostephens
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 46

Accepted Solution

Kent Olsen earned 750 total points
ID: 9923299
Hi seanostephens,

Picking "the right" firewall can certainly be a challenge, and there are a lot of good options out there.  (There are also some "not so good" ones.)

I'm securing close to 100 systems, from desktop PCs to servers to IBM mainframes.  I've broken our network into 4 "zones" and put each behind its own firewall.  One of the zones is our PeopleSoft ERP system and all of its supporting servers.  We use the Cisco plug in for this.  All of the other zones are protected by 1U Dell servers (costing just over $1,000 each) running iptables under RedHat Linux.  After the initial learning curve involved with iptables, updating these firewalls requires almost no effort.

From a cost and an administrative standpoint, I don't believe that we will ever "buy" another solution.  Linux/iptables on an Intel box is just too cost effective.

Good Luck,
LVL 79

Expert Comment

ID: 9923752
Personal opinion, I like the PIX FW.
For your $2500 remaining budget, you can get a 6-interface PIX 515e Restricted unit
This give you capability to create multiple DMZ zones, lets you VPN in to manage the networks securely from afar, does have a web-based JAVA GUI as well as the command-line from telnet. It takes about 15 minutes to setup out of the box and get it working. everything by default will be blocked inbound, everything permitted outbound. Your users/servers can go out and browse, ftp, get pop mail, etc, but nobody on the outside can come in until you specifically permit services through access-lists.

NetScreen or Watchguard are probably just as good, I just don't have the hands-on experience with them, and I don't have the list prices for them.

Author Comment

ID: 9924029
Does you know if FreeBSD (read: OSX) supports iptables?
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

LVL 46

Expert Comment

by:Kent Olsen
ID: 9924047
Hi seanostephens,

I don't know if BSD "comes" with iptables, but it should be installable as long as you have a new enough kernel.  2.4 I believe.


Author Comment

ID: 9924167
Hmmm, now I'm even more konfused. :)

"Good" options I see are;

1) Cisco PIX 515E-R = $3000 (easy to install, every says it is great)
2) Symantec 5420 = $3200 (easy to install, has virus filtering/scalability, etc.)
3) Dell RedHat = $1000 (relative to install, useful later on)
4) Apple Xserve = $2700 (difficult to get working - I don't see any literature on including iptables into it, but way more useful in the long run)

Anyone else with good suggestions? So far, I like Kent's Dell suggestion the best, but I'd rather stick to the XServe.

LVL 18

Expert Comment

ID: 9931706
How about a SonicWall Pro 230 at $1700....easy to instal, easy to configure....web interface
or even a SonicWall Tele3 for $500, depending on the number of users you have.

We have been running Sonicwal in 6 sites for over three years.....very satisfied both by cost and utility.

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you are like regular user of computer nowadays, a good bet that your home computer is on right now, all exposed to world of Internet to be exploited by somebody you do not know and you never will. Internet security issues has been getting worse d…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
This is my first video review of Microsoft Bookings, I will be doing a part two with a bit more information, but wanted to get this out to you folks.
Visualize your data even better in Access queries. Given a date and a value, this lesson shows how to compare that value with the previous value, calculate the difference, and display a circle if the value is the same, an up triangle if it increased…
Suggested Courses

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question