apertyx asked (topic: firewall):
Good Day,
I work in a large private residence hall at a major university. Our network is part of the larger network, but we control only the subnets attached to the university router. They control the router.
At present, our network and the university's are pretty wide open. We all have public IPs.
Our administrative staff comprise an organizational unit within a campus wide windows domain.
We will be soon installing a residence hall management system that will contain personal data of our residents, and we have to come up with a security solution.
The simplest approach I've considered is to put our servers behind a router and limit traffic with ACLs. I am not very familiar with ways this might be defeated, such as spoofing an IP.
Additionally, more and more of our staff are requesting to work from home. Presently, they connect to their windows machine using remote desktop. We have no real control over their home machines.
We have a small staff and not much budget this year, so a state of the art firewall/VPN concentrator is not going to happen soon.
Any thoughts appreciated.
Thanks
At work, we had evaluated the Symantec box, too. On average, you can get 2 Fortigate boxes for 1 Symantec box of a similar specs. As for performance, the fortigate performs better (in the in-house test we conducted).
Agreed with WerewolfTA on his last comment, the last paragraph, though. ...;-)
As a sidenote, remember that an open source solution like IPCop mentioned earlier is perfect in terms of scalability. You want to add one or more DMZs later? No problem, just add one or more ethernet cards. You have more traffic? Find a "less old" PC. You have more than one connection? Use BGP, HSRP, load balancing, whatever. For not a single buck more.
In all other cases, more traffic or more interfaces or more clients usually means more licenses, and again, the performance is not better in a relatively small environment like yours.
The issue with security is that you always have to pay for it when you don't need it, and you always wonder "do I really need this, I never had a security problem before". But it's exactly like backups. You don't need them until you've lost everything.
Cheers
Clipper
For home users I would recommend providing them with instructions on getting personal security software such as a simple firewall (www.zonelabs.com) and antivirus software. If they have full access to the system, the users will be the weak spot for a compromise of the main part of the system. It is best to prevent the weakness in their systems as well as strengthening the main system.
Regards,
Hypoviax
Hi,
You can also try using Safe@Office, which is a Check Point appliance for small business; it supports all your needs and is very easy to install and operate.
regards
houber
Any update on this, were our answers useful?
Thanks
Clipper
Hi apertyx,
Did you find one of our suggestions helpful?
Thanks
Clipper
apertyx,
Are you able to close this question?
Cheers
Clipper
I have mixed emotions about appliances. They're simple to use and set up, but limited in upgrading/customizing potential and seem to be pricey. As an example, we have a Symantec 200R here in our office. It's been ok, but you can't set it to drop "ping" packets. WTF? Even my little $40 Linksys at the house will drop ICMP packets. Yet this at-the-time several-hundred-dollar business-grade appliance doesn't have that option. On the other hand, the 200R will do load-balancing/failover between 2 WAN connections and failover-only to a serial modem. That's kind of cool.
Anyway, that's my $.02, something to keep in mind when you do get that money coming in and can get an enterprise-grade solution and you're trying to decide between an appliance and a regular server solution. What you gain in ease of setup and use you may sacrifice in flexibility and upgradeability.