Solved

Firewall on Budget Help

Posted on 2014-03-19
Last Modified: 2014-04-28
I need a firewall first that can host multiple IP addresses:

I have 5 static at the moment with Comcast but am looking for 10 shortly!

I need the firewall to be listening on the external address and forwarding to the appropriate server at the moment.

Of course, opening ports for what is necessary.

I am hosting Web: Port 80 / 443

SharePoint Team Server, Exchange server, RDP, Lync etc.

NOTE::   VPN is not critical at all!!!

Looking for 200.00 to 600.00...

I NEED:::

A firewall that can have multiple IPs (5 or 10) on one WAN port:

Incoming traffic being routed to the correct server based on IP!

All info in detail / advice is greatly appreciated...
Question by:Clint Jones
15 Comments
 
LVL 15

Expert Comment

by:WalkaboutTigger
ID: 39940602
Grab a Cisco ASA 5505 or ASA 5510 from eBay or a used computer store.
I would not, at all, recommend a consumer-grade firewall.
You can use a PC or laptop with two NICs and one of the Linux distribution firewalls.
0
 
LVL 4

Accepted Solution

by:
Kent Fichtner earned 500 total points
ID: 39940632
I absolutely agree that you don't need to buy a consumer grade firewall, but if you don't feel like setting up the Linux, you can go with a WatchGuard XTM 2.  It is their smallest version and as long as you don't need a bunch of Ethernet ports it should do well.  An upgraded version can also do WiFi.  But we have the XTM5 series.  It does all the stuff you said above (routing the IPs to the correct computer, can do many different static IP addresses).
0
 

Author Comment

by:Clint Jones
ID: 39941047
I have Microsoft TMG 2010 which I know is no longer supported but I am all for the Linux option as I do have a PC with 2 NICs etc...

But I do want to look at both sides as I agree it seems the biggest functionality for price is WatchGuard and Cisco.

I am researching it but what Linux application firewall are you specifically thinking about, and looking at the above versions of the Cisco and WatchGuard you both mentioned.

I do need a ton of ports but will need a bit if WatchGuard puts a limitation on it.

ALSO and may need to open another question for this one.  I was for a few days using my Netgear and ASUS wireless routers as the main guys and internet with wireless drops constantly.  Thinking that the issue was the traffic load.

After taking the traffic off and allowing the wireless to just be the wireless, which is 2 laptops, 2 iPads, 2 iPhones and Apple TV at times, it still drops on both routers which are b, g and n. Internet on the Comcast router is not dropping... Pain more than anything... I go into the ASUS and click around on the menus and it's up again lol...

Firewall is more important but thought I would ask ... Thanks so much for your help =) Clint
0
 
LVL 17

Expert Comment

by:pergr
ID: 39948935
The number of IP addresses is not a parameter to worry about when choosing a firewall. Apart from features, you need to look at the bandwidth and the number of concurrent sessions.

If I were you I would choose a Juniper SRX100, which is about $500.
However, I would manage it with the CLI, since I like it and since the GUI does not yet expose all functionality.

If using a GUI is a must I would go for the smallest model of FortiGate. It is even cheaper.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39948949
+1 for the FortiGate ... probably one of the most easily configurable firewalls as far as general functionality goes ...
Also, with the amount of intrusion attempts on web servers nowadays, adding the NGFW/UTM features will definitely reduce or completely block any hacking attempts on your servers with the IDS/IPS.
As an added benefit, you get full VPN functionality, making secured remote access easy ...
Depending on your bandwidth, something like a 30D (for higher requirements 60D) should do nicely ...
0
 
LVL 38

Expert Comment

by:Aaron Tomosky
ID: 39948978
For under $600 depending on licenses for gateway anti virus and such, you can get a SonicWall TZ210. Easy to manage but powerful. A big factor I don't see mentioned yet is WAN throughput. These lower end devices especially can choke on something over 30 Mbps, especially with security features enabled.
0
 
LVL 17

Expert Comment

by:Garry-G
ID: 39949008
As a basis for selecting a device:

FG30D does 800M Firewall, 150M IPS, 30/40 M AV (which, assuming you're mainly protecting servers shouldn't be that relevant ...)
FG60D does 1.5G Firewall, 200M IPS, 35/50M AV
0
 
LVL 76

Expert Comment

by:arnold
ID: 39949388
For a Linux firewall, fwbuilder might be an option to consider.
You of course could use iptables manually to add the rules. If you decide to do it manually, consider using custom IP chains that you predefine and place within the appropriate builtin chains, INPUT, FORWARD, PREROUTING/POSTROUTING, OUTPUT, MANGLE, DNAT, SNAT as appropriate.

This way you would only need to add rules to your custom chain to achieve ......

There are multi-port NICs.  You could/should consider two older workstations as a cluster to provide an HA router.
0
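The per-external-IP forwarding the question asks for, built the way arnold describes (custom chains hooked into the built-in PREROUTING and FORWARD chains), as an added example that is not from this thread or any vendor mentioned in it; the interface names, public and internal addresses, and port lists are constructed placeholders. The script prints the iptables commands rather than running them so the ruleset can be reviewed before it is applied.

```shell
#!/bin/sh
# Added example: map several public IPs on one WAN port to internal servers,
# opening only the listed TCP ports. All names/addresses are placeholders.
WAN=eth0
LAN=eth1

# One mapping per line: "<public IP> <internal IP> <comma-separated TCP ports>"
MAPPINGS='
203.0.113.10 192.168.1.10 80,443
203.0.113.11 192.168.1.11 25,443
203.0.113.12 192.168.1.12 3389
'

# Print the iptables commands (pipe into sh as root to apply them).
emit_rules() {
  # Custom chains: PUBLIC_DNAT for translation, PUBLIC_FWD for the allow list
  echo "iptables -t nat -N PUBLIC_DNAT"
  echo "iptables -N PUBLIC_FWD"
  # Hook them into the built-in chains; return traffic is allowed first
  echo "iptables -t nat -A PREROUTING -i $WAN -j PUBLIC_DNAT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -i $WAN -o $LAN -j PUBLIC_FWD"

  printf '%s\n' "$MAPPINGS" | while read -r pub int ports; do
    [ -z "$pub" ] && continue
    # Translate only the allowed ports on this public IP to its server
    echo "iptables -t nat -A PUBLIC_DNAT -d $pub -p tcp -m multiport --dports $ports -j DNAT --to-destination $int"
    # Permit those new connections through the forward path
    echo "iptables -A PUBLIC_FWD -d $int -p tcp -m multiport --dports $ports -m conntrack --ctstate NEW -j ACCEPT"
    # The server's own outbound traffic leaves with its public IP (1-to-1 NAT)
    echo "iptables -t nat -A POSTROUTING -s $int -o $WAN -j SNAT --to-source $pub"
  done

  # Everything else from the WAN towards the LAN is logged (rate limited) and dropped
  echo "iptables -A PUBLIC_FWD -m limit --limit 5/min -j LOG --log-prefix 'WAN-DROP: '"
  echo "iptables -A PUBLIC_FWD -j DROP"
}

# Number of DNAT mappings generated, for a quick sanity check
mapping_count() {
  emit_rules | grep -c -- '-j DNAT'
}

emit_rules
```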
 
LVL 21

Expert Comment

by:eeRoot
ID: 39949442
A new Cisco 5505 can be found at that price range.
http://www.newegg.com/Product/Product.aspx?Item=N82E16833120135
0
 
LVL 32

Expert Comment

by:nappy_d
ID: 39954827
pfSense is my go-to firewall on a budget.  It's got a great development and support community.  It supports multiple IPs, VLANs, and even a captive portal if you want to authenticate guests in an office.

A computer with a PIII proc is all you need and 2~4GB of RAM.

https://www.pfsense.org/about-pfsense/features.html
0
 

Author Comment

by:Clint Jones
ID: 39975932
I am going to try the firewalls you can put on PCs but::

If I had to, without worrying about VPNs, the number of?

Will the WatchGuard XTM 2 do:

As I said above, where I can add 10 external IPs from the Comcast router then route each IP to the correct server so the external matches and routes to the correct internal IP???

I am looking at a Linux one, do you think the open source or another, but if I had to go buy one so it routes 10 external IPs to the Exchange server, which would be the choice???

The WatchGuard seems very budgetary but not at 4000.00; the lower one XTM2 is very budgetary???

Input please, I am reading all the posts and thank you!!!
0
 

Author Comment

by:Clint Jones
ID: 40026664
Using Spiceworks for help as well...
0
 

Author Comment

by:Clint Jones
ID: 40026672
We have Comcast with the 13 static IP addresses, and we use most of them.

We've had three firewalls during this time.  They all were able to handle any of the static IP addresses coming inbound.

One was a WatchGuard, but I don't remember the model.  Another was a WatchGuard XTM 5.

Now we have a SonicWall NSA 220.

With NAT and firewall rules, we're able to direct any of the incoming traffic by external IP address.

** Our incoming traffic comes on HTTP, HTTPS, FTP, FTP SSL Implicit.

I currently use an XTM5 series for our main firewall/router and a few XTM 2 series for remote offices and do this using 1-to-1 NAT to route external IPs to internal servers. You can do this easily with the XTM 2 if it's sized properly for your environment; if not, look at a larger device. If you go the WatchGuard route the 25, 26 and up routers have a new feature that enables them to be gateway wireless controllers. Just buy a WatchGuard wireless AP (AP100 or AP200) and use your firewall as the controller...rock solid and reliable. It's also nice because since the AP is separate from the router you can place it anywhere you need it to maximize your wireless coverage.

Thinking the same, separate the wireless from the firewall.

What are thoughts about the XTM3 ??? XTM 2 enough? I want monitoring and NAT of course. VPN is not as important.

I only need maybe a few concurrent connections, and unlimited internal users, and allowing Exchange, SharePoint and web site and possibly Lync too to work with no issues.

Able to get reporting and alerts on iPhone / iPad would be great but email to txt is fine.

There are just 5 servers, 5 PCs and the wireless for 2 iPhones, 2 iPads and 2 laptops.

That is the environment.

Wireless drops a lot. The Netgear and ASUS are not that old and not using both at the same time, just are an issue.

I need solid wireless that can keep up.

And a firewall that can handle the 16 IPs and NAT to each server by external IP correctly without issues.

Right now the load, traffic wise, is not that heavy.

But want high bandwidth efficiency, with concurrent connections etc., and I'm able to monitor the system for any issues from hacking etc. on the security end.

So looking at enterprise level wireless and enterprise level firewall.

WatchGuard XTM 5 seems very out of budget at the moment but the XTM 2 and XTM 3 seem doable? And then I need a wireless that can be stable. I'm looking at WatchGuard only because of the affordability, and SonicWall is more pricey, and I do not know much about the rest mentioned at the top of my original message.

Again all help is very very appreciated as I have to make decisions.

I'm not a big fan of Cisco or WatchGuard... Based on past experiences with both of these, I would not touch them with a 10ft barge pole

I would recommend either (in no order of preference)

SonicWall - I have deployed these extensively... Good bang for the buck... Decent support.
Sophos - Never used... However, I am evaluating one of the products, and it seems rather promising.
Juniper -  A tad on the expensive side, but pretty much worth the extra penny.

ME:: Jones
pfSense seems an awesome solution
0