?
Solved

Firewall Recommendation for Budget Hosting

Posted on 2013-06-14
7
Medium Priority
?
369 Views
Last Modified: 2013-06-20
Hi all,

We are helping a client 'test the market' for website hosting (they have identified a niche) and are curious what sort of firewall to invest in as the project is on a shoe string right now (with serious investment coming if this trial works out).

We have a single server, space in a data center with two or three static IP addreses but the ISP is insistent we provide our own firewall.  We're not concerned with VPN connectivity, fibre ports or any high end stuff but it needs to be able to handle the traffic of mail server and a few websites, blocking all ports bar the few standard web hosting services (FTP, HTTP, HTTPS, SMTP, POP, IMAP, etc).

Does anyone have any suggestions for a suitable firewall model?

Thanks for any and all help!

Bob
0
Comment
Question by:Mango-Man
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
7 Comments
 
LVL 14

Accepted Solution

by:
JAN PAKULA earned 1800 total points
ID: 39248946
Sonicwall nsa 250M - its cheap fast and will do it all


http://www.newegg.com/Product/Product.aspx?Item=N82E16833339175
0
 
LVL 1

Author Comment

by:Mango-Man
ID: 39250564
Hi Janpakula,

There seem to be many different sub models of the 250M, do you think this one would do the trick:

http://www.amazon.com/SonicWALL-NSA-250M-High-Availability/dp/B0063REGZ4/ref=sr_1_3?s=electronics&ie=UTF8&qid=1371327497&sr=1-3&keywords=sonicwall+nsa+250m

Thanks!

Bob
0
 
LVL 14

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 1800 total points
ID: 39251002
no because This item is for a secondary/backup NSA 250M to be added to an existing NSA 250M appliance for use with HA (High Availability). This 2nd unit cannot be deployed in a single device environment and must be paired as a secondary appliance to the existing primary appliance (through the www.myDell SonicWALL.com portal).



this one would do it

http://www.amazon.com/Sonicwall-01-SSC-9755-Nsa-250M/dp/B0063REH5S/ref=sr_1_1?s=electronics&ie=UTF8&qid=1371371011&sr=1-1&keywords=nsa+250m

but you still want a security services on it which is additional charge (you don't have to have it - but it makes everything easier)



http://www.amazon.com/SonicWALL-01-SSC-4606-Cgss-250m-01SSC4606/dp/B00684L862/ref=sr_1_1?s=electronics&ie=UTF8&qid=1371371352&sr=1-1&keywords=nsa+250m+1+CGSS


if you want 2 years - it would be cheaper with newegg one


http://www.newegg.com/Product/Product.aspx?Item=N82E16833339175
0
Simplify Your Workload with One Tool

How do you combat today’s intelligent hacker while managing multiple domains and platforms? By simplifying your workload with one tool. With Lunarpages hosting through Plesk Onyx, you can:

Automate SSL generation and installation with two clicks
Experience total server control

 
LVL 1

Author Comment

by:Mango-Man
ID: 39251320
Hi Janpakula,

Many thanks again for your assistance!  So in the short terms we could buy the unit without the security services and use it as a basic firewall, then when we're ready, simply purchase the service separately?


Bob
0
 
LVL 14

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 1800 total points
ID: 39251331
yup - you will be missing only few services - like gateway antivirus , anti spamming and content filtering - i think that geo-ip blocking/filterning  will also not work without upgrade.

you will also not have nice graphs of usage with app flow
0
 
LVL 6

Assisted Solution

by:Jelcin
Jelcin earned 200 total points
ID: 39254851
Hello,

basically you might need two things:

1. Packetfilter - that controls network traffic on lower OSI layers based on rules you create.
A packetfilter uses IPs/Ports/Interfaces/States to filter traffic. This filter can be used on the machine to be protected and also on firewall itself.

2. Intrusion Detection System (IDS) - that monitors traffic on higher level OSI layers and can detect network attacks by analysing the payload of network packet and comparing it with a database with attack patterns. As said before IDS just monitors and alarms the administrator it is not blocking the attacker from going on with the attack as Intrusion Prevention (IPS) does.
IDS can be used on the firewall itself. For IDS/IPS you need a lot of networking knowledge to correctly analyse the alerts since there can be false positives... I would be very carefull with protecting such a server with IPS because false positives can lead to blocking normal users from their daily work.

Depending on the budget and knowledge i would conside the following.
Both packet filter and IDS / IPS exist as an open source solutions or commercial solutions like the Sonicwall. The commercial solutions often use open source software and finetune it and give you support in case of problems...


For your project i would also look at virtualisation since you can run several servers on one system and also run a Firewall in a virtual machine that protects all other VMs. In this case you would not need additional hardware running the firewall.

If you would ask me i would go for virtualisation (KVM) and the sophos firewall as virtual appliance. The licencing allows you to get just the features you need.

http://www.sophos.com/en-us/products/unified/utm.aspx  (Firewall)
http://www.proxmox.com/proxmox-ve  (open source virtualisation environment - very easy to administer via web interface)
http://www.snort.org (open source IDS)
0
 
LVL 1

Author Closing Comment

by:Mango-Man
ID: 39263494
Many thanks for your help guys!
0

Featured Post

ATEN's HDBaseT Presentation at InfoComm 2017

Hear ATEN Product Manager YT Liang review HDBaseT technology, highlighting ATEN’s latest solutions as they relate to real-world applications during her presentation at the HDBaseT booth at InfoComm 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Compliance and data security require steps be taken to prevent unauthorized users from copying data.  Here's one method to prevent data theft via USB drives (and writable optical media).
In this article, we’ll look at how to deploy ProxySQL.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question