Hardware Firewall Solutions For Newbs?

Posted on 2007-08-11
Last Modified: 2013-11-05
I own a small web development and hosting company. I have a programming background. We have 5 web servers and the total average bandwidth usage for all 5 is 7 - 10 Mbps. I am looking for a hardware firewall solution that is easy to set up and use and will handle the traffic I have with room for some expansion. I know very little about this subject. I can configure my own firewall at home with your usual D-Link or Linksys etc. I understand the concepts. Just never messed with anything on this scale.

What I must be able to do.
1. Block C-classes of IPs or single IPs with ease.

What I would like the device to be able to do.
1. Intrusion detection and prevention.

Options I would like to have the ability to use or not use but are available to the device.
1. Spam protection.
2. Virus protection.

What I could care less about.
1. VPN functionality.

I need something that doesn't take a network engineer to configure. My budget is up to about $1800 but the less I spend the better; we are a small company.

I have asked people in the IT industry about this subject and I keep hearing the names Fortigate, SonicWALL, Firebox and Hotbrick. I go to these sites but there is so much information I'm not sure where to start.

So anybody got any suggestions?
Question by:PegWeb
17 Comments
 

Assisted Solution

by:neoice
neoice earned 100 total points
ID: 19677147
Hi,

I have used Firebox Edge for several years now and in my opinion it is one of the best firewall / content filtering and spam systems available for such a reasonable price. They are also very easy to set up and have a user-friendly GUI.


http://www.watchguard.com/
LVL 5

Expert Comment

by:ein_mann_betrieb
ID: 19677191
PegWeb,
Personally I am very attached to the Cisco ASA series. Particularly the 5505 would be good for your purpose. You can find them used fairly cheap... and really the new ones are not that expensive.

-Cheers, Peter.
LVL 2

Assisted Solution

by:itcok
itcok earned 800 total points
ID: 19677542
Go with the Fortigate... I've used a number of firewalls (Cisco, WatchGuard, Linksys, 3Com, D-Link) and none offer the robustness that the Fortigate can provide. I personally like the FortiWifi-60A and the Fortigate-100A models. The user interface is consistent and in most cases everything can be managed from the web-based GUI.

The Fortigate is what the Cisco ASA should be... too bad for Cisco.

http://www.fortinet.com/doc/FGT50_100DS.pdf


LVL 32

Expert Comment

by:rsivanandan
ID: 19678217
For the requirements you've mentioned, Juniper firewalls would be able to provide you with the functionality.

www.juniper.net

There are different series but I'd suggest going for SSG series.

Cheers,
Rajesh
LVL 7

Expert Comment

by:Bibliophage
ID: 19678234
My question would be: are you looking for a pure firewall solution, a traffic shaper, or a firewall router? From the sounds of it, you mostly want a firewall solution with the ability to handle multiple IP addresses and route them appropriately.

I would suggest trying Smoothwall, at least to see how things work out: http://www.smoothwall.org
It takes one of your own spare PCs (I've used a 400 MHz PC as a heavy proxy server) and turns it into a firewall. For a commercial solution, there's http://www.smoothwall.net/products/advancedfirewall2/ - which allows multiple external IP addresses, which can be routed to different machines inside the firewall.

I believe that even the commercial solution will be within your budget, and can be installed easily by yourself. I'm currently installing an additional Smoothwall Express (the free version) at another customer site to enable easy VPN setup between a new office and their primary office.

The best way to find out? Write down what you want the firewall to do - multiple external IP addresses, each filtering a different 'internal' server, antivirus, antispam, whatever - then pick up the phone and call two or three of the companies and talk with their sales people. Have them compare their product to the competitor's - then call the competitor and do the same thing :)
LVL 10

Assisted Solution

by:budchawla
budchawla earned 100 total points
ID: 19678873
My two bits :-)

I use SonicWALLs extensively, and their range of products and services can match pretty much whatever your requirements are.
They provide a great Deep Packet Inspection firewall, with features such as AntiVirus, AntiSpyware and Intrusion Prevention all happening at the gateway.
They also provide an excellent ENFORCED anti-virus service for all clients behind the firewall.
Configuration is pretty straightforward, performance is good & their support is great (my experience).
As long as you keep the support contract alive, you get non-stop advance hardware replacement & phone support - in Europe this is from real techs rather than kids with a script (my experience; I've read other views on this).
They also have a range of devices that provide different levels of performance depending on your budget.
And yes, VPN as well :-)

At a certain price point I find the SonicWALL value proposition pretty unbeatable in terms of features, performance & support.

You've got a lot of choices here, and a lot of them are pretty good ones. I would recommend talking to a few vendors to see how helpful they are and how easy to get hold of... important considerations that you may want to find out first-hand.


Expert Comment

by:tinroofer
ID: 19679312
In my opinion I would recommend the Cisco ASA 5500 Series Adaptive Security firewall. Now this may be a little more money than you were hoping to spend, but I believe with your circumstances it would be a worthy investment.

With SSL and IPsec VPN, intrusion prevention (IPS) and content management it sounds like it would fit the bill. Seeing as you are operating a web hosting service, you no doubt need maximum security for clients' sites, where downtime or defacement will cost you money.

Now of course with such a large range of features and technical abilities it will be significantly harder to set up initially, but once you get used to the IOS, maintenance shouldn't be a huge problem. Also with IOS image upgrades you can ensure you stay up to date with all the latest security vulnerabilities and other such things.

This router will last into the future with continued expansion of your infrastructure. Considering you are running web servers and hosting services I would definitely take the Cisco route, because when your business grows and your infrastructure needs expand, further purchases of Cisco equipment will make life a lot easier.
LVL 2

Accepted Solution

by:itcok
itcok earned 800 total points
ID: 19684346
Fortigate FortiWifi 60A (Bundle) - $1000

The bundle includes 1 yr 8x5 support and real-time updates to AV, AntiSpam, IPS and WebContent (for filtering).

Wireless - WEP, WPA, WPA / TKIP and AES / Mac Filtering
Router - Static, Policy Based, OSPF, BGP
Authentication - Local, Radius, Active Directory, LDAP
Firewall - Individual profiles per IP or Group, can set schedule on profiles
VPN -IPSec, PPTP, SSL
AntiVirus - File Pattern Match, Grayware Detection, Custom Black and White Lists (can have multiple lists)
IPS - Signature and Anomaly based
WebFilter - Category based. Can create custom categories and lists which can be applied to various firewall policy profiles. Can set up an override account so that temporary access can be given to a site without having to revise policies.
AntiSpam - Realtime Blacklist and custom Black and White List. Can perform Reverse DNS checks and HELO DNS lookup.
IM/P2P - Allow and block services such as AIM, MSN, Yahoo, Skype, KaZaa. Block login, file transfer, audio, and inspect non-standard port traffic. You can define your own custom IM/P2P settings.
Logging - Can log to memory. If you pick up the FortiAnalyzer you'll be able to log all traffic and generate reports, view IM/P2P statistics and chat logs, view web pages visited, view emails... this little guy will pull everything you need to do a complete analysis on user activity, etc.

Management - You can create custom accounts with specific rights, such as giving HR the ability to update the WebFiltering lists. Can manage via Telnet, HTTP, HTTPS, SSH, SNMP.

Built-in DHCP server per interface, so that you could set up wireless access and permit access to the internet without granting access to your internal networks.

Did I mention it comes with 4 internal interfaces, 1 DMZ and 2 WAN? The 2 WAN interfaces allow you to load balance, provide redundant links and route traffic via policy.

You can assign secondary IP addresses to interfaces.

Hardware appliance means no OS patch management.

Find a local dealer and ask for a 30 day demo. Be sure to ask for a demo of the Fortianalyzer... I promise you won't give it back.
LVL 2

Expert Comment

by:itcok
ID: 19684353
Router does all the basic routing as well such as RIP...
LVL 3

Expert Comment

by:gamegyro
ID: 19684403
It's a little more work than an out-of-the-box solution, but I have used it many times with great success. Grab an old PC (you only need something with specs like 200 MHz and 128 MB RAM) and load a Linux install (I use Fedora) set up for a firewall with the bare minimum running on it. Then you can use iptables to make a nice, easy-to-manage firewall. Tons of expandability and very easy to get up and running.
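As an added example (not code from any poster on this thread), here is a dry-run rule generator for the kind of iptables box gamegyro describes: it covers PegWeb's must-have of blocking single IPs or whole C-class (/24) ranges from a hand-edited list, and the later requirement of forwarding public IPs through to the web servers. The interface name eth0 and all addresses are constructed (RFC 5737 documentation ranges); it prints the iptables commands unless APPLY=1 is set.

```shell
#!/bin/sh
# Dry-run generator for a Linux iptables firewall: a BLOCKLIST chain for
# single IPs / C-class ranges plus DNAT forwarding of public IPs to web
# servers. Prints commands by default; APPLY=1 executes them (needs root).
run() { if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi; }

# Turn a blocklist entry into strict CIDR: "a.b.c.d" -> a.b.c.d/32,
# "a.b.c" (three octets, one C-class) -> a.b.c.0/24, "a.b.c.d/nn" unchanged.
# Letters, shell metacharacters and bad octets are rejected so a hand-edited
# list can never inject anything into the iptables command line.
normalize_cidr() {
    case "$1" in
        ''|*[!0-9./]*) return 1 ;;        # only digits, dots and slash
        */*)           cidr=$1 ;;         # explicit prefix length
        *.*.*.*)       cidr="$1/32" ;;    # single host
        *.*.*)         cidr="$1.0/24" ;;  # C-class shorthand
        *)             return 1 ;;
    esac
    ip=${cidr%/*}; len=${cidr#*/}
    [ "$len" -ge 0 ] 2>/dev/null && [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -ge 0 ] 2>/dev/null && [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$cidr"
}

# Build a dedicated BLOCKLIST chain and hook it in front of INPUT and FORWARD,
# so editing the list never touches other rules. Run once at boot (the -I
# lines would stack if re-run).
build_blocklist() {
    run iptables -N BLOCKLIST
    run iptables -F BLOCKLIST
    for entry in "$@"; do
        cidr=$(normalize_cidr "$entry") || { echo "skipping bad entry: $entry" >&2; continue; }
        run iptables -A BLOCKLIST -s "$cidr" -j DROP
    done
    run iptables -A BLOCKLIST -j RETURN
    run iptables -I INPUT 1 -j BLOCKLIST
    run iptables -I FORWARD 1 -j BLOCKLIST
}

# Forward one public address (of the ~30 in use) to an internal web server.
forward_public_ip() {   # wan_if public_ip internal_ip
    run iptables -t nat -A PREROUTING -i "$1" -d "$2" -p tcp --dport 80 -j DNAT --to-destination "$3"
    run iptables -A FORWARD -i "$1" -d "$3" -p tcp --dport 80 -m state --state NEW -j ACCEPT
}

build_blocklist 203.0.113 198.51.100.7 192.0.2.0/28   # constructed sample list
forward_public_ip eth0 198.51.100.10 10.0.0.10        # constructed addresses
```

Generating into a chain of its own is what makes "block with ease" safe: the list file is the only thing an operator edits, and the validation step turns a typo into a skipped line rather than a broken ruleset.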
LVL 7

Expert Comment

by:Bibliophage
ID: 19687282
I'm still curious as to whether or not this needs to use and manipulate multiple IP addresses.  If so, I've found that many of the 'box' solutions don't support it.
LVL 2

Expert Comment

by:pepejx
ID: 19706669
Try FW1 - it's the best :] but other HW FWs work well too..

Author Comment

by:PegWeb
ID: 19780000
Yes, I will need the firewall to route multiple IPs through to my servers: 1 C-class.
LVL 7

Expert Comment

by:Bibliophage
ID: 19786532
WOW. If it's a full class C, I'd suggest starting off with the Smoothwall to route what you need to, at least to start, then consider upgrading to one of the Big Iron type heavy-duty firewall routers (Cisco or similar) when you've started to increase.


http://community.smoothwall.org/forum/viewtopic.php?t=11446
http://community.smoothwall.org/forum/viewtopic.php?t=4820

Those are old, and I believe the newest ones do it natively (the 3.* Release Candidate). I'm certain that the corporate versions do it.


Author Comment

by:PegWeb
ID: 19787044
We have a C-class but are only using about 30 of the IPs.
LVL 2

Assisted Solution

by:itcok
itcok earned 800 total points
ID: 19788090
Hi PegWeb,

If you go with the Fortigate that is bundled (includes support and 1 yr updates to AV, AntiSpam, WebFilter, IDS, and new OS releases) you can have Fortinet support help you set it up. Once you get IPs set on the WAN and LAN interfaces they can help you through the rest. I set these up all the time and I can usually set one up completely configured to use all the features in about 4 hours. They have one of the best GUI interfaces around and the command line is also an option if you prefer.

If you go with a software-based firewall on a PC, be sure to plan for the usual maintenance that comes with such... patch management, failed drives, antivirus, licensing... Even if you don't take my recommendation on the Fortigate you should seriously consider using an appliance-based solution over the software solutions. There's just a whole lot less fuss and maintenance with the appliances.
LVL 7

Expert Comment

by:Bibliophage
ID: 19789131
Just to sort of chime in - considering your budget, I still think I'd start off with the SmoothWall, then take itcok's suggestion, or one of the others, once you've gotten a better handle on what you really need/want/use.