Celebrate National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Hardware firewall - how to buy?

Posted on 2004-10-16
4
Medium Priority
?
235 Views
Last Modified: 2013-11-16
I am looking to buy a firewall, but I have no clue how to choose one. I do not want a software firewall since I plan to have a server. I want a hardware firewall immediatly following by DSL connection so everything is blocked accept what I want. My needs are basic: I do not want VPN, and I do not plan to have VPN ever. I just want a hardware firewall to block everything accept port 80 (for a website on my server), port 1494 (I believe that is the port for a Citrix client - like www.gotomypc.com). Maybe even allow FTP for authorized users only, but that is all. Spam blocking and virus scan a plus, but I already run A-V on my machines, and I never accept e-mails with attachments - period. I am not firewall savy, so please take that into concideration. I have already looked at the Cisco and Watchguard websites, but they all seem like overkill for what I need.

Any suggestions would be helpful. Basically looking to lock down everything comming in accept for what I want to allow while still having a web server (no e-commerse) - and of course still be able to surf the net.

Thanks
0
Comment
Question by:sofsoldier
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12332548
Take a look at some of these firewall appliances. Any one of them would suit you well. I particularly like the Cisco PIX 501, and the Linksys RV082.
-----------------------------------------
Low-end firewall appliances
-----------------------------------------

Linksys RV082:
http://www.linksys.com/products/product.asp?prid=589&scid=29

Fortinet:
http://www.fortinet.com/products/telesoho.html

Adtran Netvanta
https://www.adtran.com/adtranpx/Rooms/DisplayPages/LayoutInitial?Product=com.webridge.entity.Entity%5BOID%5B27100B71B4B3E44D84DCAE487414CD69%5D%5D&Container=com.webridge.entity.Entity%5BOID%5B54C70AA0A26ED711A78500D0B72032D8%5D%5D&ProductCategory=com.webridge.entity.Entity%5BOID%5BCB5C5CB7C4419B4AA04F9CE1AEDD8CE7%5D%5D

Netscreen
http://www.juniper.net/products/integrated/dsheet/ds_5gt_xt.pdf

Watchguard Firebox
http://www.watchguard.com/products/

PIX 501
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html

D-LINK w/DMZ port
http://www.dlink.com/products/?pid=66

On the other hand, you might be just as well served with a basic broadband router. Most all of them include stateful packet inspection firewall and let you forward specific ports. Some even help enforce AV use. I personally use Linksys WRV54G because I need the VPN functions and the wireless. $50 will get you something like this: http://www.linksys.com/products/product.asp?grid=34&scid=29&prid=433
Just saw an add that would get you a D-Link for $9.99 (after instant savings, plus mail in rebates)
http://www.dlink.com/products/?sec=0&pid=62
0
 

Author Comment

by:sofsoldier
ID: 12334064
You did sme research - I appreciate it. Is there any reason why Netgear or Symantec was not a part of your list?

Also, the lower end Linksys, Netgear, D-Link all have the packet filtering and DOS protection, and feature some basic VPN and IpSec; what would be the difference between these and say the Cisco Pix 500, or teh Watchguard series?

Forgeting VPN, is AV imbedded in the firewall a good thing to have even though AV is running on all the machines on the network? And is there a dfifference is quality in the SPI or DOS protection between the low cost models and the more expensive ones?

Thanks again,
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 2000 total points
ID: 12335264
I've never had good luck with Netgear, and the Symantec gateway products are good, but they combine anti-virus and firewall, and  I thought it might be more than you need.

The Cisco PIX has very different capabilities and uses a proprietary Adaptive Security Algorithm vs stateful inspection. It also has VPN capabilities (with client) that none of the others can match. It also has built in intrusion detection and DoS protection that most others don't. You can also create multiple public IP to private IP static nat mappings where many others only allow you one single public IP and you must use individual port mapping. Not good if you have two web servers, both needing port 80..

I'm a firm believer in letting individual products do their job. I don't like the idea of putting all your eggs in one basket. It just adds too much complexity to the box and creates more single points of failure..

I don't know enough about all the products to address their SPI capabilities but the higher cost "firewall" products usually have more configuration capabilities than the others. With some it's binary - on or off, no configuration...

You have to balance your budget with your requirements. Don't spend $1000 on something when the value of what you want to protect isn't worth that much.
0
 

Author Comment

by:sofsoldier
ID: 12336139
The Cisco sounds great. Also, since I do have wireless as well, I did find the Watchguard SOHO 6 wireless very interesting.

I will eventually have two websites, and I actually did not think about the NAT capabilities of some of the other products.

Thank you,
0

Featured Post

Looking for the Wi-Fi vendor that's right for you?

We know how difficult it can be to evaluate Wi-Fi vendors, so we created this helpful Wi-Fi Buyer's Guide to help you find the Wi-Fi vendor that's right for your business! Download the guide and get started on our checklist today!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
This course is ideal for IT System Administrators working with VMware vSphere and its associated products in their company infrastructure. This course teaches you how to install and maintain this virtualization technology to store data, prevent vuln…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question