Solved

Firewall Recommendation for Budget Hosting

Posted on 2013-06-14
Last Modified: 2013-06-20
Hi all,

We are helping a client 'test the market' for website hosting (they have identified a niche) and are curious what sort of firewall to invest in as the project is on a shoestring right now (with serious investment coming if this trial works out).

We have a single server, space in a data center with two or three static IP addresses but the ISP is insistent we provide our own firewall. We're not concerned with VPN connectivity, fibre ports or any high end stuff but it needs to be able to handle the traffic of a mail server and a few websites, blocking all ports bar the few standard web hosting services (FTP, HTTP, HTTPS, SMTP, POP, IMAP, etc).

Does anyone have any suggestions for a suitable firewall model?

Thanks for any and all help!

Bob
Question by:Mango-Man
7 Comments
 

Accepted Solution

by:
JAN PAKULA earned 450 total points
ID: 39248946
SonicWALL NSA 250M - it's cheap, fast and will do it all

http://www.newegg.com/Product/Product.aspx?Item=N82E16833339175
0
 

Author Comment

by:Mango-Man
ID: 39250564
Hi Janpakula,

There seem to be many different sub models of the 250M, do you think this one would do the trick:

http://www.amazon.com/SonicWALL-NSA-250M-High-Availability/dp/B0063REGZ4/ref=sr_1_3?s=electronics&ie=UTF8&qid=1371327497&sr=1-3&keywords=sonicwall+nsa+250m

Thanks!

Bob
0
 

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 450 total points
ID: 39251002
No, because this item is for a secondary/backup NSA 250M to be added to an existing NSA 250M appliance for use with HA (High Availability). This 2nd unit cannot be deployed in a single device environment and must be paired as a secondary appliance to the existing primary appliance (through the www.myDell SonicWALL.com portal).

This one would do it:

http://www.amazon.com/Sonicwall-01-SSC-9755-Nsa-250M/dp/B0063REH5S/ref=sr_1_1?s=electronics&ie=UTF8&qid=1371371011&sr=1-1&keywords=nsa+250m

But you still want security services on it, which is an additional charge (you don't have to have it - but it makes everything easier):

http://www.amazon.com/SonicWALL-01-SSC-4606-Cgss-250m-01SSC4606/dp/B00684L862/ref=sr_1_1?s=electronics&ie=UTF8&qid=1371371352&sr=1-1&keywords=nsa+250m+1+CGSS

If you want 2 years, it would be cheaper with the Newegg one:

http://www.newegg.com/Product/Product.aspx?Item=N82E16833339175
0

Author Comment

by:Mango-Man
ID: 39251320
Hi Janpakula,

Many thanks again for your assistance! So in the short term we could buy the unit without the security services and use it as a basic firewall, then when we're ready, simply purchase the service separately?

Bob
0
 

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 450 total points
ID: 39251331
Yup - you will be missing only a few services, like gateway antivirus, anti-spam and content filtering. I think that geo-IP blocking/filtering will also not work without the upgrade.

You will also not have nice graphs of usage with app flow.
0
 

Assisted Solution

by:Jelcin
Jelcin earned 50 total points
ID: 39254851
Hello,

Basically you might need two things:

1. Packet filter - controls network traffic on the lower OSI layers based on rules you create.
A packet filter uses IPs/ports/interfaces/states to filter traffic. This filter can be used on the machine to be protected and also on the firewall itself.

2. Intrusion Detection System (IDS) - monitors traffic on the higher OSI layers and can detect network attacks by analysing the payload of network packets and comparing it with a database of attack patterns. As said before, IDS just monitors and alarms the administrator; it is not blocking the attacker from going on with the attack as Intrusion Prevention (IPS) does.
IDS can be used on the firewall itself. For IDS/IPS you need a lot of networking knowledge to correctly analyse the alerts, since there can be false positives... I would be very careful with protecting such a server with IPS because false positives can lead to blocking normal users from their daily work.

Depending on the budget and knowledge, I would consider the following.
Both packet filter and IDS/IPS exist as open source solutions or commercial solutions like the SonicWALL. The commercial solutions often use open source software, fine-tune it and give you support in case of problems...

For your project I would also look at virtualisation, since you can run several servers on one system and also run a firewall in a virtual machine that protects all other VMs. In this case you would not need additional hardware running the firewall.

If you would ask me, I would go for virtualisation (KVM) and the Sophos firewall as a virtual appliance. The licensing allows you to get just the features you need.

http://www.sophos.com/en-us/products/unified/utm.aspx  (Firewall)
http://www.proxmox.com/proxmox-ve  (open source virtualisation environment - very easy to administer via web interface)
http://www.snort.org (open source IDS)
0
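As an added illustration (not part of the thread and not code from any poster or vendor), this is what the packet-filter half of the answer above looks like as a default-deny, stateful nftables ruleset on the hosting server itself, opening only the services named in the question. It assumes a Linux host with nftables; the table, set and helper names and the admin address 192.0.2.10 are constructed placeholders.

```nft
# Constructed example: default-deny host packet filter for a small hosting box.
table inet hosting_filter {
    # FTP negotiates its data ports in-band; the conntrack helper lets the
    # filter treat those data connections as "related" instead of opening
    # a wide port range.
    ct helper ftp-standard {
        type "ftp" protocol tcp
    }

    # Only the services listed in the question: FTP, SMTP, HTTP, POP3, IMAP, HTTPS.
    set hosted_tcp_ports {
        type inet_service
        elements = { 21, 25, 80, 110, 143, 443 }
    }

    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # Attach the helper to FTP control connections.
        tcp dport 21 ct helper set "ftp-standard"
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # State: replies and related flows (FTP data, ICMP errors) pass first.
        ct state established,related accept
        ct state invalid drop

        # Interface: loopback traffic is local only.
        iif "lo" accept

        # Rate-limited ping, and ICMPv6 (needed for IPv6 neighbour discovery).
        icmp type echo-request limit rate 5/second accept
        meta l4proto ipv6-icmp accept

        # IP + port: remote administration from one assumed admin address only.
        ip saddr 192.0.2.10 tcp dport 22 accept

        # Port: new connections to the hosted services.
        tcp dport @hosted_tcp_ports ct state new accept

        # Everything else hits the drop policy; keep a rate-limited record.
        limit rate 10/minute log prefix "hosting-drop: "
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading the rules, which is worth doing before applying a drop policy to a remote machine.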
 

Author Closing Comment

by:Mango-Man
ID: 39263494
Many thanks for your help guys!
0
