Should I replace my linksys router/firewall with a different firewall since I am changing from rr to a T1 connection?

I work with small businesses and one of my clients is dumping rr and getting a T1 for his phone system and internet connectivity. The vendor will install an adtran device and part of the T1 will be split off for the phones leaving the rest for the internet. I am told that this adtran is also a router. My firewall, which is currently the linksys router/firewall, would attach to the adtran. Will this even work with linksys? Should I replace the linksys with something like a PIX? What are the pros and cons? The new vendor told me that my client would be getting 4 public ip addresses. What should I do with these extra ips? The linksys is only using 1 public ip and PAT for internet connectivity. I work with rr and dsl. This is my first T1 so please keep this in mind when responding to my question.

Thanks Dale
Lee W, MVP, Technology and Business Process Advisor, commented:
The linksys can continue to work but will only make one IP available. A PIX is a potentially more appropriate solution.  PIX firewalls offer much more in capabilities and configuration.

As for your IPs, you can use them - or not.  If they wanted to host their own e-mail and/or web site you could do that by splitting up one IP for E-mail, one IP for web services, one IP for internet access and one IP for VPN.  Or not.  You can do whatever you want - those services I just mentioned can all be run off a single IP, or off separate - with NAT, one is fine and you can still use separate servers... or you can use one server.  For reliability, it's best to use one server per service, but there's no RULE that says you must.
Keith Alabaster commented:
1. The four IP addresses (I expect only two of these will be usable) can be used to separate different types of traffic if you want to use them. For example, you could have web traffic sent to one IP and email sent to another IP when viewed from the Internet.

The linksys will likely continue to do fine. Cisco is, of course, superior to the linksys but if it did what you wanted before, it will carry on doing so.
lrmoore commented:
With a T1 service, unless the ISP provides the router, you will need a "real" router that is T1 capable. T1 needs a CSU/DSU to terminate. Some are external and connect to a serial interface of the router, some are onboard cards with integrated CSU/DSU. None of the soho Linksys or others have that capability. Cisco is obviously the market leader, but Adtran has a more cost-effective solution.
>The vendor will install an adtran device and part of the T1 will be split off for the phones leaving the rest for the internet.  I am told that this adtran is also a router.
If this is the case, then the ISP will actually be handing you an Ethernet feed and 4 IP addresses.
In this case, since the actual feed is Ethernet, you can simply use your existing router/firewall hardware.
However, my recommended solution would be a Cisco PIX or other "real" firewall that is designed for business instead of a SOHO low-end router designed for consumer use. A T1 is considered a "business grade" service and reading between the lines the service reliability is more important than bandwidth. I'd be looking for the high-reliability of business class firewall, too.
Depending on the number of users at this business, I use the following basic rule of thumb to size the PIX:
10 or fewer users - PIX 501
10-50 users - PIX 506e
50-100 users - PIX 515e

Of course other feature requirements (and budget) may justify the 515e or even the newest ASA5500
jabiii commented:
Lrmoore said it all, I'd only add Juniper NetScreen Firewall over PIX. But if you go that route you should compare them and see which will suit your needs/budget best.
Jim
DaleFrazier (Author) commented:
My client does not want to spend money on a new firewall.  I  think I can change his mind if I can give him a good reason to do so.  What are the reasons I should give him for making this investment?  What are the weaknesses of the Linksys "firewall"?  I really want to get away from this linksys and get a real firewall but I need to be able to show the benefits to my client.  I am looking at 3 firewalls; Pix, SonicWall, and Firebox.  Pros, cons, opinions on these solutions?

If I can't convince my client to buy the firewall I have a cisco 1720 router.  Can I use this as a firewall?  Should I?  I want a good design that will be secure.  I find that most of the time I have to protect my clients from themselves.  

Thanks Dale
jabiii commented:
I would go with Juniper if you can.
https://www.juniper.net/products/integrated/

Juniper and Cisco are both solid.

NetScreens have modems, and are capable of routing. Reference the links below.
http://www.experts-exchange.com/Security/Firewalls/Q_21811815.html
http://www.experts-exchange.com/Networking/Broadband/VPN/Q_21704713.html

Check this out too to help you make your decisions
http://searchsecurity.techtarget.com/generic/0,295582,sid14_gci1093527,00.html?track=NL-422&ad=548051USCA

This one is Juniper's help to figure out which is better for you; it might be a little slanted but gives you a good idea.
https://www.juniper.net/solutions/literature/buyer_guide/710008.pdf

Both have 10 vpn limit. Dimensions and weight are similar. But look at your performance.

Cisco PIX 501 Security Appliance
  Firewall throughput:        60 Mbps
  3DES VPN throughput:        3 Mbps
  Concurrent connections:     7,500 (Cisco wins this one vs the 5 series)
  Dimensions (H x W x D):     1.0 x 6.25 x 5.5 in. (2.54 x 15.875 x 13.97 cm)
  Weight:                     0.75 lb (0.34 kg)

NetScreen 5GT
  Firewall performance:              75 Mbps
  3DES VPN performance:              20 Mbps
  Deep Inspection (DI) performance:  75 Mbps
  Concurrent sessions:               2,000
  New sessions/second:               2,000
  Dimensions (H x W x L):            1 x 8.25 x 5 in.
  Weight:                            1.5 lb

C 501
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

NS 5
https://www.juniper.net/products/integrated/dsheet/110034.pdf
DaleFrazier (Author) commented:
I still need to know the pros and cons of the linksys firewall.  Can it do stateful packet inspection?  Other limitations?  This is a key selling point for a new firewall for my client.  Thanks Dale
lrmoore commented:
I had several paragraphs written then lost my connection just long enough to lose everything.

>I find that most of the time I have to protect my clients from themselves.  
LOL! Isn't that the way it usually is?

My $0.02 for what it is worth. . . . .

>I still need to know the pros and cons of the linksys firewall.  
You never stated exactly which one you are using, so this will be in general terms.

Bottom line up front: You get what you pay for. Period.

A T1 is generally required when uptime/reliability is paramount over bandwidth.
Linksys routers were designed as a commodity consumer connection to broadband modems. A Stateful Packet Inspection firewall was added late in the development phase.
PIX FW was designed from ground up to be one thing - a world class firewall. Period.
PIX FW can be a (very secure) VPN endpoint for remote users. Some Linksys products support the QuickVPN client - sort of. Works sometimes, doesn't most of the time.
PIX FW comes with world-class 24x7 TAC support (buy the SmartNet, too). Good luck getting any support person from Linksys with IQ higher than 70 to help you.
Linksys is so low cost, if it quits working, toss it in the garbage and buy a new one (consider it disposable).

>my client would be getting 4 public ip addresses.
You'll never be able to use them with most Linksys routers. You can only use one public IP. If you ever want to use those extras, for example, your client has 2 web servers. You can't port forward www port 80 from the same public IP to 2 different private IPs. With a PIX, you are virtually unlimited in how you use those extra IP addresses.
If you want flexibility and ease of use with a web-based GUI, the PIX is an easy answer.

Unfortunately, I do not have any hands on experience with Sonicwall or Watchguard, so I can't compare/contrast them.

>If I can't convince my client to buy the firewall I have a cisco 1720 router.
You're willing to "give" it to them? Yes, the 1720 can run IOS Firewall feature set and would be better than the Linksys, but not as good as a real firewall. Cisco's routers were designed from ground up to pass packets from one interface to the other as fast and efficiently as possible. Adding stateful packet and firewall inspect rules can't be anything more than a kludge, but it is still better than nothing. The firewall feature set will require a licen$e cost and memory upgrade that may end up costing you as much as a new PIX.
bltztech commented:
I guess I'll chime in for a vote in the direction of Sonicwall. I have quite a few Sonicwall TZ170W (Wireless) devices deployed with my clients and I must say, I am very pleased with the way it performs and the bang for the buck so to speak. You can get it in 10 user, 25 user or unlimited and you can start small (let's say the 10 user) and upgrade more users without paying more after the fact (the upgrade is the same price now or later).

It does DPI (Deep Packet Inspection). Basically SPI (Stateful Packet Inspection) is like when you go to the airport and get to security. SPI says do you have a boarding pass (ok, you're for port 80 - web), go ahead. DPI asks the same questions: Do you have a boarding pass... Sure, I see you are for port 80, but let's see 3 additional pieces of identity and while you are at it, take off your shoes, empty your pockets... (basically a cavity search). Below are the specs for the Sonicwall.

The SonicWALL TZ 170 Wireless is a total security platform delivering enterprise-class wired and wireless security to small networks. It integrates secure 802.11b/g wireless, deep packet inspection firewall and VPN technologies in an effective, easy-to-use solution. It features an integrated 5-port auto-MDIX switch with a designated 802.3 PoE port and a user-defined optional port that can be configured as a second LAN, a second WAN or DMZ for added network configuration flexibility. The TZ 170 Wireless can be easily managed remotely or globally using SonicWALL's Global Management System. Utilizing SonicWALL's feature-rich SonicOS operating system, this device provides a total security solution for simple, reliable and flexible networks. SonicOS Standard allows rapid deployment in basic networks with a user-friendly Web interface and powerful wizards. Network administrators can create multiple zones of access - for wired and wireless workers as well as guest wireless users - offering a high level of control without compromising network security.

Product Highlights
•      Combines secure 802.11b/g wireless, deep packet inspection firewall and VPN technologies – all in one device
•      Integrated 5-Port MDIX Switch allows multiple home or office computers to be networked together
•      Global Management System provides tools for simplified configuration, enforcement and management of global security policies, VPN and services — from a central location
•      Delivers excellent performance with 90 Mbps Stateful Packet Inspection Firewall and 30+ Mbps 3DES and AES VPN throughput


Z
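Two points in the replies above are easier to see in code than in prose: lrmoore's note that a single public IP cannot forward port 80 to two different private hosts (while four public IPs can), and bltztech's airport analogy for stateful inspection versus deep inspection. The following is an added example written for this page, not code from Linksys, Cisco, SonicWALL or any other product in the thread. It models a firewall in memory: static one-to-one NAT for inbound services, a connection table that only admits packets belonging to a flow the firewall already allowed (SPI), and a payload check that rejects non-HTTP data on port 80 (DPI). All addresses are assumed and come from documentation ranges; outbound PAT, TCP teardown and state timeouts are deliberately left out.

```python
"""Stateful inspection, deep inspection and static NAT in one toy model.

Added example for this thread, not code from any product discussed in it.
Addresses are assumed: RFC 5737 (203.0.113.0/24, 198.51.100.0/24) for the
public side and RFC 1918 (192.168.1.0/24) for the office LAN.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False      # True on the first segment of a new TCP connection
    payload: bytes = b""


class Firewall:
    def __init__(self):
        # static NAT: (public_ip, proto, public_port) -> (private_ip, private_port)
        self.static_nat = {}
        # connection table: (src, sport, dst, dport, proto) of every permitted flow
        self.state = set()

    @staticmethod
    def is_inside(ip):
        return ip.startswith(INSIDE_PREFIX)

    def add_static(self, public_ip, proto, port, private_ip, private_port):
        """Expose private_ip:private_port on public_ip:port. One public socket
        forwards to exactly one host, so one public IP cannot front two web
        servers on port 80, but four public IPs can."""
        key = (public_ip, proto, port)
        if key in self.static_nat:
            raise ValueError(f"{public_ip}:{port}/{proto} already forwards to "
                             f"{self.static_nat[key][0]}:{self.static_nat[key][1]}")
        self.static_nat[key] = (private_ip, private_port)

    @staticmethod
    def deep_inspect(payload, dport):
        """DPI rule: data on the web port must look like an HTTP request."""
        if dport != 80 or not payload:
            return True
        return payload.startswith(HTTP_METHODS)

    def inspect(self, pkt):
        """Return 'permit', 'permit -> ip:port' (inbound after NAT) or 'deny: why'."""
        dst, dport, nat = pkt.dst, pkt.dport, None
        if not self.is_inside(pkt.src):
            nat = self.static_nat.get((pkt.dst, pkt.proto, pkt.dport))
            if nat:
                dst, dport = nat
        verdict = "permit" if nat is None else f"permit -> {dst}:{dport}"
        # DPI looks at every packet of the flow, not only the one that opened it
        if not self.deep_inspect(pkt.payload, dport):
            return "deny: dpi, payload on port 80 is not HTTP"
        # SPI: anything belonging to a flow we already allowed goes through
        flow = (pkt.src, pkt.sport, dst, dport, pkt.proto)
        reverse = (dst, dport, pkt.src, pkt.sport, pkt.proto)
        if flow in self.state or reverse in self.state:
            return verdict
        if pkt.proto == "tcp" and not pkt.syn:   # only a SYN may create state
            return "deny: tcp segment with no SYN and no matching state"
        if self.is_inside(pkt.src):              # LAN -> Internet: allowed by policy
            self.state.add(flow)
            return verdict
        if nat is None:                          # Internet -> LAN: needs static NAT
            return "deny: unsolicited inbound, no static NAT entry"
        self.state.add(flow)
        return verdict


def demo():
    """Run the thread's scenarios; returns (collision message, verdict list)."""
    fw = Firewall()
    fw.add_static("203.0.113.2", "tcp", 80, "192.168.1.10", 80)   # web server 1
    fw.add_static("203.0.113.3", "tcp", 80, "192.168.1.11", 80)   # web server 2
    fw.add_static("203.0.113.2", "tcp", 25, "192.168.1.10", 25)   # mail, same IP
    try:
        fw.add_static("203.0.113.2", "tcp", 80, "192.168.1.11", 80)
        collision = "unexpectedly allowed"
    except ValueError as err:
        collision = str(err)
    packets = [  # constructed sample traffic
        Packet("192.168.1.50", 51000, "198.51.100.7", 443, syn=True),   # LAN opens HTTPS
        Packet("198.51.100.7", 443, "192.168.1.50", 51000),             # reply, has state
        Packet("198.51.100.9", 40000, "203.0.113.2", 3389, syn=True),   # RDP probe
        Packet("198.51.100.9", 40001, "203.0.113.2", 80, syn=True),     # web server 1
        Packet("198.51.100.9", 40002, "203.0.113.3", 80, syn=True),     # web server 2
        Packet("198.51.100.9", 40001, "203.0.113.2", 80, payload=b"GET / HTTP/1.1\r\n"),
        Packet("198.51.100.9", 40001, "203.0.113.2", 80, payload=b"\x16\x03\x01\x00\x05"),
        Packet("192.168.1.10", 80, "198.51.100.9", 40001, payload=b"HTTP/1.1 200 OK\r\n"),
        Packet("192.168.1.50", 52000, "198.51.100.7", 80),              # stray ACK, no state
    ]
    return collision, [fw.inspect(p) for p in packets]


if __name__ == "__main__":
    collision, verdicts = demo()
    print(collision)
    print(*verdicts, sep="\n")
```

Running `demo()` shows the RDP probe and the stray non-SYN segment dropped for lack of state, the two web servers each reachable on their own public IP, the mail service sharing a public IP with web because it is a different port, and a TLS record injected into the port-80 flow rejected by DPI even though SPI alone would have passed it as part of an established connection.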
DaleFrazier (Author) commented:
Ok, thanks for all your input so far.  I am looking at several firewalls on ebay.  I need to purchase this item once, configure it and have it work.  I want to avoid any additional charges like maintenance fees, activation, or any other hidden charges.  My client will most likely not pay yearly fees (depending on the amount).  My client's network is small, 2 servers and 15 ws.  The firewalls that I am looking at are:

1.  Firebox II Model 1200HW
2.  CISCO PIX 506E
3.  FIREBOX 700 F2064N VPN FIREWALL
4.  Netscreen-5GT Firewall

Will these firewalls do the job straight out of the box with nothing else to buy?  Opinions on the firebox?  
jabiii commented:
Well pretty much with any vendor, for updates/patches etc you will probably have to pay support.
lrmoore commented:
The PIX 506e will certainly do the job well. Annual maintenance of ~ $130 is a good bargain and highly recommended, but absolutely an option only. There are absolutely no other hidden charges. Even the VPN client is free and a CD comes with the PIX. However, you will not get updates to this software or any other upgrades to the PIX OS unless you have the SmartNet maintenance.
I am very skeptical of buying anything from ebay. For new product, I like cdw.com prices and service.
DaleFrazier (Author) commented:
So is it safe to say that any of these firewalls will work?  I just will not be able to get updates w/o putting out some money?

And how about that firebox?  Good product?  Easy to configure?
bltztech commented:
I would like to chime in one more time about the sonicwall TZ170W, while it has a yearly maintenance you are getting a bang for the buck. You are looking at approx $60 per seat ($1500/yr for 25 seats) but this also gets you not only support, but it gets you Anti-virus and Anti-spyware protection. The Anti-virus is both network and gateway and the unit does AV enforcement meaning, if a user does not have the correct DAT file, they are redirected to download the right one before access to the internet is granted.

You may think that $1500 is steep, but remember, your client is already paying for Anti-virus renewal yearly, so what is the difference in cost

Again, just my 2 cents

Z
jabiii commented:
The 5GT was chosen as FW of the year for a reason I would think... but it's all about what you're comfortable with.

2006 Products of the year
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1160468_tax299825,00.html?track=NL-20&ad=543466&adg=299807

2005
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci1041739,00.html
Keith Alabaster commented:
Thanks :)