Hardware Firewall Solutions For Newbs?

I own a small web development and hosting company. I have a programming background. We have 5 web servers and the total average bandwidth usage for all 5 is 7 - 10 mbps. I am looking for a hardware firewall solution that is easy to setup and use and will handle the traffic I have with room for some expansion. I know very little about this subject. I can configure my own firewall at home with your usual D-link or Linksys etc. I understand the concepts. Just never messed with anything on this scale.

What I must be able to do.
1. Block C-classes of IPs or single IPs with ease.

What I would like the device to be able to do.
1. Intrusion detection and prevention.

Options I would like to have the ability to use or not use but are available to the device.
1. Spam protection.
2. Virus protection.

What I couldn't care less about.
1. VPN functionality.

I need something that doesn't take a network engineer to configure. My budget is up to about $1800 but the less I spend the better; we are a small company.

I have asked people in the IT industry about this subject and I keep hearing the names Fortigate, Sonicwall, Firebox and Hotbrick. I go to these sites but there is so much information I'm not sure where to start.

So anybody got any suggestions?
itcok commented:
Fortigate FortiWifi 60A (Bundle) - $1000

The bundle includes 1 YR 8x5 support, Realtime updates to AV, AntiSpam, IPS, WebContent (for filtering)

Wireless - WEP, WPA, WPA / TKIP and AES / Mac Filtering
Router - Static, Policy Based, OSPF, BGP
Authentication - Local, Radius, Active Directory, LDAP
Firewall - Individual profiles per IP or Group, can set schedule on profiles
AntiVirus - File Pattern Match, Grayware Detection, Custom Black and White Lists (can have multiple lists)
IPS - Signature and Anomaly based
WebFilter - Category based. Can create custom categories and lists which can be applied to various firewall policy profiles. Can set up an override account so that temporary access can be given to a site without having to revise policies.
AntiSpam - Realtime Blacklist and custom Black and White List. Can perform Reverse DNS Checks and HELO DNS lookup
IM/P2P - Allow and Block services such as AIM, MSN, Yahoo, Skype, KaZaa. Block login, file transfer, audio, and inspect non-standard port traffic. You can define your own custom IM/P2P settings.
Logging - Can log to memory. If you pick up the FortiAnalyzer you'll be able to log all traffic and generate reports, view IM/P2P statistics and chat logs. View webpages visited, view emails... this little guy will pull everything you need to do a complete analysis on user activity, etc.

Management - You can create custom accounts with specific rights, such as give HR the ability to update the WebFiltering lists. Can manage via Telnet, HTTP, HTTPS, SSH, SNMP

Built-in DHCP server per interface so that you could set up wireless access and permit access to the internet without granting access to your internal networks.

Did I mention it comes with 4 internal interfaces, 1 DMZ and 2 WAN. The 2 WAN interfaces allow you to load balance, provide redundant links and route traffic via policy.

You can assign secondary IP Addresses to interfaces

Hardware appliance means no OS patch management.

Find a local dealer and ask for a 30 day demo. Be sure to ask for a demo of the FortiAnalyzer... I promise you won't give it back.
neoice commented:

I have used Firebox Edge for several years now and in my opinion it is one of the best firewall / content filtering and spam systems available for such a reasonable price. They are also very easy to set up and have a user friendly GUI.

  Personally I am very attached to the Cisco ASA series.  Particularly the 5505 would be good for your purpose.  You can find them used fairly cheap... and really the new ones are not that expensive.

-Cheers, Peter.
itcok commented:
Go with the Fortigate... I've used a number of firewalls (Cisco, WatchGuard, Linksys, 3Com, DLink) and none offer the robustness that the Fortigate can provide. I personally like the FortiWifi-60A and the Fortigate-100A models. User interface is consistent and in most cases everything can be managed from the web-based GUI.

The Fortigate is what the Cisco ASA should be... too bad for Cisco.


For the requirements you've mentioned, Juniper Firewalls would be able to provide you the functionalities.


There are different series but I'd suggest going for SSG series.

My question would be - are you looking for a pure firewall solution, a traffic shaper, or a firewall router.   From the sounds of it, you mostly want a firewall solution with the ability to handle multiple IP addresses, and route them appropriately.

I would suggest trying Smoothwall, at least to see how things work out.  http://www.smoothwall.org .  
It takes one of your own spare PC's (I've used a 400 mhz PC as a heavy proxy server), and turns it into a firewall.   For a commercial solution, there's http://www.smoothwall.net/products/advancedfirewall2/ - which allows multiple external IP addresses, which can be routed to different machines inside the firewall.

I believe that even the commercial solution will be within your budget, and can be installed easily by yourself.   I'm currently installing an additional Smoothwall Express (the free version) at another customer site to enable easy VPN setup between a new office and their primary office.

The best way to find out?  Write down what you want the firewall to do - multiple external IP addresses, each filtering a different 'internal' server, antivirus, antispam, whatever - then pick up the phone and call two or three of the companies and talk with their sales people.  Have them compare their product to the competitor's - then call the competitor and do the same thing :)
budchawla commented:
My two bits :-)

I use SonicWALLs extensively, and their range of products and services can match pretty much whatever your requirements are.
They provide a great Deep Packet Inspection firewall, with features such as AntiVirus, AntiSpyware and Intrusion Prevention all happening at the gateway.
They also provide an excellent ENFORCED anti-virus service for all clients behind the firewall.
Configuration is pretty straightforward, performance is good & their support is great (my experience).
As long as you keep the support contract alive, you get non-stop advance hardware replacement & phone support - in Europe this is from real techs rather than kids with a script (my experience, I've read other views on this).
They also have a range of devices that provide different levels of performance depending on your budget.
And yes, VPN as well :-)

At a certain price point I find the SonicWALL value proposition pretty unbeatable in terms of features, performance & support.

You've got a lot of choices here, and a lot of them are pretty good ones. I would recommend talking to a few vendors to see how helpful they are and how easy to get hold of... important considerations that you may want to find out first-hand.

In my opinion I would recommend the Cisco ASA 5500 Series Adaptive security firewall. Now this may be a little more money than you were hoping to spend but I believe with your circumstances it would be a worthy investment.

With SSL and IPsec VPN, intrusion prevention (IPS) and content management it sounds like it would fit the bill. Seeing as you are operating a web hosting service you no doubt need maximum security for clients' sites, where downtime or defacement will cost you money.

Now of course with such a large range of features and technical abilities it will be significantly harder to set up initially, but once you get used to the IOS, maintenance shouldn't be a huge problem. Also with IOS image upgrades you can ensure you stay up to date with all the latest security vulnerabilities and other such things.

This router will last into the future with continued expansion of your infrastructure. Considering you are running web servers and hosting services I would definitely take the Cisco route because when your business grows and your infrastructure needs expand, further purchases of Cisco equipment will make life a lot easier.
Router does all the basic routing as well such as RIP...
It's a little more work than an out-of-the-box solution but I have used it many times with great success. Grab an old PC, you only need something with specs like 200Mhz and 128 RAM, and load a Linux install (I use Fedora) set up for a firewall with the bare minimum running on it. Then you can use iptables to make a nice easy-to-manage firewall. Tons of expandability and very easy to get up and running.
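The iptables suggestion above, and the poster's two must-haves (blocking a whole "C-class", i.e. a /24, or a single IP; forwarding several public IPs through to the internal servers), as an added worked example that is not part of the thread. The interface names eth0/eth1 and every address in it are made-up sample data, not anything from the question. The script only prints the iptables commands unless APPLY=1 is set, so you can review the rule set before it touches a live box.

```sh
#!/bin/sh
# Added example (not from the thread): generate an iptables rule set for a
# Linux PC sitting between the internet and the hosted web servers.
# Assumptions (hypothetical): eth0 faces the WAN, eth1 faces the servers,
# and the block list / DNAT entries below are constructed sample data.

WAN=eth0
LAN=eth1

# Accept a dotted-quad IPv4 address with an optional /0-/32 prefix.
# A bare address and a /24 ("C-class") are both valid here, so one
# function serves single-host and whole-network blocks alike.
valid_cidr() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    ip=${1%%/*}
    for o in $(echo "$ip" | tr '.' ' '); do
        [ "$o" -le 255 ] || return 1
    done
}

# One DROP rule per entry in a dedicated BLOCKLIST chain, so adding or
# removing a ban later is a single command rather than a rewrite.
gen_block_rules() {
    for net in "$@"; do
        valid_cidr "$net" || { echo "bad block entry: $net" >&2; return 1; }
        echo "iptables -A BLOCKLIST -s $net -j DROP"
    done
}

# Map one public IP to one internal server for a TCP port:
# DNAT in PREROUTING rewrites the destination, FORWARD lets the new flow in.
# Established replies are assumed to be accepted by a generic conntrack rule.
gen_dnat_rules() {
    pub=$1; srv=$2; port=$3
    valid_cidr "$pub" && valid_cidr "$srv" || { echo "bad DNAT address" >&2; return 1; }
    echo "iptables -t nat -A PREROUTING -i $WAN -d $pub -p tcp --dport $port -j DNAT --to-destination $srv:$port"
    echo "iptables -A FORWARD -i $WAN -o $LAN -d $srv -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
}

# The full rule set: create/flush BLOCKLIST, hook it in front of INPUT and
# FORWARD so a banned source never reaches the DNAT'd servers, then the bans
# and the public-to-internal mappings (all addresses are sample data).
build_ruleset() {
    echo "iptables -N BLOCKLIST 2>/dev/null || iptables -F BLOCKLIST"
    echo "iptables -I INPUT 1 -j BLOCKLIST"
    echo "iptables -I FORWARD 1 -j BLOCKLIST"
    gen_block_rules 192.0.2.0/24 203.0.113.7 || return 1
    gen_dnat_rules 198.51.100.10 10.0.0.10 80 || return 1
    gen_dnat_rules 198.51.100.11 10.0.0.11 80 || return 1
}

# Dry run by default; APPLY=1 executes the generated commands (run as root).
if [ "${APPLY:-0}" = 1 ]; then
    build_ruleset | sh -e
else
    build_ruleset
fi
```

Two things the script does not do for you: the public addresses must already be configured on the WAN interface (or answered via proxy ARP) and `net.ipv4.ip_forward` must be 1, otherwise the DNAT rules never see traffic. Because every ban lives in the BLOCKLIST chain, `iptables -D BLOCKLIST -s 203.0.113.7 -j DROP` lifts one without disturbing the rest.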
I'm still curious as to whether or not this needs to use and manipulate multiple IP addresses.  If so, I've found that many of the 'box' solutions don't support it.
Try FW1, it's the best :] but other HW FWs work well too..
PegWeb (Author) commented:
Yes I will need the firewall to route multiple IPs through to my servers. 1 C-class
WOW.  If it's a full class C, I'd suggest starting off with the Smoothwall to route what you need to, at least to start, then consider upgrading to one of the Big Iron type heavy duty firewall routers when you've started to increase. (Cisco or similar)


Those are old, and I believe the newest ones do it natively (the 3.* Release Candidate)
 I'm certain that the corporate versions do it.

PegWeb (Author) commented:
We have a c-class but are only using about 30 of the IPs.
itcok commented:
Hi PegWeb

If you go with the Fortigate that is bundled (includes support and 1 yr updates to AV, AntiSpam, WebFilter, IDS, and new OS releases) you can have Fortinet support help you set it up. Once you get IP set on the WAN and LAN interfaces they can help you through the rest. I set these up all the time and I can usually set one up completely configured to use all the features in about 4 hours. They have one of the best GUI interfaces around and CMD line is also an option if you prefer.

If you go with a software based firewall on a PC be sure to plan for the usual maintenance that comes with such... patch management, failed drives, antivirus, licensing... Even if you don't take my recommendation on the Fortigate you should seriously consider using an appliance based solution over the software solutions. There's just a whole lot less fuss and maintenance with the appliances.

Just to sort of chime in - considering your budget, I still think I'd start off with the SmoothWall, then take itcok's suggestion, or one of the others, once you've gotten a better handle on what you really need/want/use
