1 firewall vs. 2 firewall

ITrusto (IS-IT--Management), Aug 19, 2002, US

I'm installing an enterprise grade firewall for the first time on a small network that has a T1 line, DSL line, and a webserver.

I've researched a lot and know that I want to get a firewall that has both packet filtering and proxy filter built in. What I can't figure out is if it's better to get 1 firewall or 2.

I want both internet lines to remain separate and up at all times, and the webserver to be put out on a DMZ.

I use 2 lines because it allows me to remain connected 99.9% of the time, and I can choose which PCs to put on the T1 and which ones to put on the DSL to maximize traffic. I also have 2 separate FTP servers on the lines with their own IP addresses. I like having the ability to tweak everything manually.

If I could get 1 firewall that could handle 2 internet connections and still keep my FTP servers separate it would be ideal. The only brands that seem to have the ability to do this are Cisco, Cyberguard, and Secure Computing's Sidewinder because they can be scaled by adding more NIC cards. Symantec also has an entry-level model that can handle 2 connections, but it doesn't have the DMZ or proxy features.

I've talked to Cyberguard and Secure Computing's technical support to ask them if 1 of their firewalls will fit my needs and their answers were "maybe". They both said that normally you only use 1 connection with the firewall.

My networking knowledge consists of everything I've learned from trial and error, so I'm no pro. I thought I'd ask you all if 1 firewall can do the job of 2 or if I should forget it and just get 2. You'd think a $7000 firewall would be able to handle 2 connections...

Thanks in advance
 
It would help to know how many nodes are on your internal network, but in general I would normally go with a single firewall. The problem here is that if you want to be able to tweak things at will, you probably should just go with two smaller firewalls. The benefit here is that a box failure won't take down everything. The problem is that you're now maintaining two separate boxes, two separate rule sets, two maintenance agreements, two software subscriptions, etc.
 
Thanks oldmanmike. I agree that it would be easier to manage one box. But do you know of any boxes that cost less than $10,000 that have both packet filtering and proxy, and can support two separate internet lines?
 
ITrusto,

You could definitely do it for less than $10K by using one of the Linux based (open-source) firewalls. You could get an Astaro, which will support all of the features that you are looking for at less than $500 plus the cost of the hardware.


Of course, I understand the desire/need to use a closed-source product. Especially if you will attempt to integrate with an IDS at some time in the future. Managing disparate products can be a real time consuming job.

pansophic
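The single-Linux-box approach pansophic describes, as an added example that is not part of the thread and not any vendor's product: a POSIX shell script that generates (and, with APPLY=1, applies) the iproute2 policy-routing rules and the nftables ruleset for one firewall with a T1 and a DSL uplink, a LAN, and a DMZ holding two FTP servers, each published only through its own ISP's address. The interface names, the RFC 5737 addresses, the routing-table numbers and the split of LAN hosts between the two lines are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread): one Linux box as a dual-WAN firewall with a DMZ.
# Two routing tables, one per ISP, keep each public address and each FTP server on
# its own line; nftables does the DNAT into the DMZ and the filtering.
# Interface names and addresses are assumed (RFC 5737 documentation ranges).
WAN1_IF=eth0;  WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1    # T1
WAN2_IF=eth1;  WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1   # DSL
LAN_IF=eth2;   LAN_NET=192.168.1.0/24
DMZ_IF=eth3;   DMZ_NET=10.0.0.0/24
FTP1=10.0.0.21               # FTP server published on the T1 address
FTP2=10.0.0.22               # FTP server published on the DSL address
T1_HOSTS=192.168.1.0/25      # LAN hosts whose outbound traffic should use the T1
DSL_HOSTS=192.168.1.128/25   # LAN hosts whose outbound traffic should use the DSL

# iproute2 policy routing. Rules are tried in priority order:
#   50-51 : anything addressed to the LAN or DMZ uses the main table, so hosts
#           pinned to one ISP can still reach the local networks;
#   100-101: packets sourced from a public address (locally generated, or DMZ
#           replies after conntrack has undone the DNAT) leave via that ISP;
#   200-201: LAN hosts pinned to one line or the other.
# rp_filter=2 (loose) is needed because a multi-homed box sees asymmetric paths.
routing_cmds() {
  cat <<EOF
ip route add default via $WAN1_GW dev $WAN1_IF table 101
ip route add default via $WAN2_GW dev $WAN2_IF table 102
ip rule add to $LAN_NET lookup main priority 50
ip rule add to $DMZ_NET lookup main priority 51
ip rule add from $WAN1_IP lookup 101 priority 100
ip rule add from $WAN2_IP lookup 102 priority 101
ip rule add from $T1_HOSTS lookup 101 priority 200
ip rule add from $DSL_HOSTS lookup 102 priority 201
ip route replace default via $WAN1_GW dev $WAN1_IF
sysctl -w net.ipv4.conf.all.rp_filter=2
sysctl -w net.ipv4.ip_forward=1
EOF
}

# nftables: each FTP server is only reachable through "its" public address and
# ingress interface; outbound LAN traffic is source-NATed to the address of the
# line it was routed onto, so replies come back on the same line.
nft_ruleset() {
  cat <<EOF
flush ruleset
table inet fw {
  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    iif "$WAN1_IF" ip daddr $WAN1_IP tcp dport 21 dnat ip to $FTP1
    iif "$WAN2_IF" ip daddr $WAN2_IP tcp dport 21 dnat ip to $FTP2
  }
  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    oif "$WAN1_IF" snat ip to $WAN1_IP
    oif "$WAN2_IF" snat ip to $WAN2_IP
  }
  chain forward {
    type filter hook forward priority filter; policy drop;
    ct state established,related accept
    ct state invalid drop
    iif "$LAN_IF" oif { "$WAN1_IF", "$WAN2_IF" } accept
    iif "$LAN_IF" oif "$DMZ_IF" accept
    iif "$WAN1_IF" oif "$DMZ_IF" ip daddr $FTP1 tcp dport 21 ct state new accept
    iif "$WAN2_IF" oif "$DMZ_IF" ip daddr $FTP2 tcp dport 21 ct state new accept
    # DMZ hosts may answer but never initiate into the LAN: falls to policy drop
  }
}
EOF
}

# Print for review by default; APPLY=1 runs it (needs root, iproute2 and nft).
if [ "${APPLY:-0}" = 1 ]; then
  routing_cmds | sh -e
  nft_ruleset | nft -f -
else
  routing_cmds
  nft_ruleset
fi
```

The split the thread is after comes from the "from <public address>" rules: a reply leaving the DMZ already carries the public address conntrack restored, so it is routed by that address, not by whichever default route happens to be first. Two caveats a practitioner would add: passive FTP needs either the kernel's FTP conntrack helper attached with a `ct helper` rule or the server's passive port range forwarded with the same interface/address split as port 21, and the "to LAN/DMZ lookup main" rules must stay at a lower priority number than the host-pinning rules or pinned hosts lose access to local networks.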
 
ITrusto,
How many nodes are you protecting inside? Many times the licensing is the big ticket item.

 
I just got an e-mail back from Sidewinder support stating that I can plug both my WAN connections into my switches instead of into the firewall directly to allow the firewall to accept two incoming internet connections. Do you guys know if that would work and allow me to still keep the FTP servers separate?

oldmanmike,

I have about 20 nodes. The good thing about Secure Computing's Sidewinder is I can get the 25-node licensed software product for about $2,500, and run it on any hardware I wish (as long as the kernel likes it; they claim it will run fine on most Dell servers, some of which you can get new for $1,600).

pansophic,

Thanks for your tips on the open source products. I will check them out now. One reason I wanted a nice and easy package is I am the only person at my company who manages the network, and I can only really do it on the weekends. That's one reason the WatchGuard looks attractive: I just don't have the time to learn something that isn't user friendly. I do have some very limited Unix/Linux experience, but not enough to be considered a real user.

Thanks for all your help
 
Since you have two separate lines to maintain up-time I would hesitate to put both on the same firewall because that gives you a SINGLE point of failure. It seems you've gone to a lot of trouble to avoid a single point of failure.
 