
Any suggestions for firewall/proxy solutions?

Status
Not open for further replies.

Tels

IS-IT--Management
Jul 10, 2001
290
GB
Hi there, I work for a small company and soon we will be getting fixed IP addresses for the internet.

Now, at present we have little in the way of security, and I need to find out as much about firewalls and proxies as possible. Any suggestions, opinions etc. will be gratefully sucked up and added to the melting pot from which I hope to find the ideal solution (for us).

Someone mentioned a Hardware firewall + Software proxy might be a good idea?

We need VPN capability, virus scanning if poss, and a firewall which allows a separate IIS server to function (this should isolate the most common hackers' route in from the main company network, right?)

Thanks to everyone who replies.
 
Hi,

Sort of depends on your budget at this time. If you're willing to spend the money there are plenty of options out there.

We started looking at Nokia's hardware firewall, which runs a hardened Linux OS with Checkpoint Firewall-1, Symantec's Enterprise Firewall (formerly Raptor, requires its own computer and OS = more $$) and Velociraptor (also part of Symantec), the WatchGuard SOHO firewall, and Cisco PIX firewalls. As you can see there are plenty of options.

Since we have issues with impending health care rules our current look is with Velociraptor, as it's making inroads to become the first "HIPAA Approved" (Health Insurance Portability and Accountability Act) security system.

In the next six months they plan on offering an option to have the hardware firewall and Anti-virus server on one firewall, at a cost of about $6,000!

Do a search on Google for "enterprise firewall" and you'll get plenty of reviews on the different models.

Hope that helps.

J.R. Juiliano
Information Systems Specialist
Tri-City Emergency Medical Group
 
Jrjuiliano -

The Cisco PIX isn't HIPAA approved?
I'm surprised, as HIPAA is a big deal, and Cisco usually never misses a chance to add a few more acronyms to their compliance list. :)

Chip H.
 
Hi,

From what I understand, Symantec's Velociraptor will be the first to be "officially" approved. They are actively seeking approval from the Powers That Be.

We talked with Symantec's people for about 45 minutes on the subject, from firewall policies to tunneling protocols, securing file transfer, etc.

Since the actual final rules haven't been actually determined and published, it's actually hard to say just what is needed to get things done.

I'm sure that Cisco's PIX would be a great, stable and secure solution, but I guess as a company, they will have to hunt for the approval rating of the HIPAA boards...

J.R. Juiliano
Information Systems Specialist
Tri-City Emergency Medical Group
 
If you don't have money to spend, have a look at Linux stateful packet filtering, called netfilter, included in kernel 2.4.
You could combine this with Squid as a transparent proxy and inflex (as mail content and virus scanner).
Overall it's very reliable and the filter rules are similar to PIX.

Andreas Tilch
Security Analyst
 
Thanks for responses so far...

PS... Any hardware we get must be compatible with an Ethernet TCP/IP network, and ISDN30 for the leased lines..

We are running a Win2k Server domain with TCP/IP being the main protocol. I have only very briefly encountered Linux and that was a long time ago....

I know more or less what it is, but how easy is it to configure a Linux box? I don't speak Linux/Unix/etc. and there isn't anyone about to show me how..... (I ain't scared - no way)

proxy stuff:
Someone told me that NAT can cause problems with VPN, but I understand that NAT helps in hiding network structures from hackers, so is it possible to implement NAT and VPN together, and what kind of kit/software to do it???

If NAT cannot be used, what other protocols could be used to route multiple users over one fixed line?

PS budget around 1000-1500 pounds, roughly 2000-2500 dollars I think, but prices in England are scandalous anyway (!)
Cheers
Tels
 
I think your budget guys have stiffed you. No top level commercial product is going to be available for you with this much money to play with.

You can probably forget most of the big boys including Cisco and Raptor as this much cash will only get you a Sunday Pub League 5 a side solution as opposed to a Premier one.

Do you already have part of your setup in hand, i.e. hardware, proxy server etc.?

From the answers given I think you are gonna need to learn UNIX.

Possible solution is:

Filtering router
|
Firewall(Software, loaded on hardened PC)
|
Anti Virus and Squid on server(We handle mail here also)

Not sure what you should use for your VPN capability if money is an issue. Industry quickly realised the market potential and priced accordingly. Sure there is a cheapish UNIX/Linux option out there.

Velociraptor has no problems with NAT by the way.

On that cheery note...

Brian
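The layered layout Brian sketches above (filtering router, then a hardened Linux box, with the IIS server on its own leg), Andreas's earlier netfilter-plus-Squid suggestion, and Tels's NAT/VPN question can all be shown in one ruleset. The script below is an added example and is not code from anyone in this thread; it writes a netfilter ruleset in iptables-restore syntax for a three-interface firewall. The interface names (eth0/eth1/eth2), the private ranges, the IIS host address and the 203.0.113.5 public address are placeholders chosen for the illustration. On the NAT-versus-VPN point: terminating the IPsec tunnel on the same box that does the address translation avoids the classic problem of NAT rewriting packets that the tunnel has already integrity-protected, so the ruleset lets IKE and ESP reach the firewall itself rather than forwarding them.

```shell
#!/bin/sh
# Added example: stateful netfilter ruleset for a small office with a DMZ leg.
# All interface names and addresses below are assumptions for illustration.
WAN_IF=${WAN_IF:-eth0}                 # leased-line side, fixed public address
LAN_IF=${LAN_IF:-eth1}                 # internal Win2k network
DMZ_IF=${DMZ_IF:-eth2}                 # isolated leg holding the IIS server
LAN_NET=${LAN_NET:-192.168.1.0/24}     # assumed LAN range
DMZ_WEB=${DMZ_WEB:-192.168.2.10}       # assumed IIS server address in the DMZ
WAN_IP=${WAN_IP:-203.0.113.5}          # placeholder public address (documentation range)
SQUID_PORT=${SQUID_PORT:-3128}         # Squid listening on the firewall itself

# Emit the ruleset on stdout so it can be reviewed (or diffed) before loading.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Transparent proxy: LAN web traffic is silently redirected into Squid
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT
# Publish the IIS server: only port 80 is forwarded, and only to the DMZ host
-A PREROUTING -i $WAN_IF -p tcp --dport 80 -j DNAT --to-destination $DMZ_WEB:80
# Hide the whole LAN behind the single fixed address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: packets belonging to a known connection are allowed through
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# "New" TCP packets that are not SYNs are scan noise or spoofing; drop them
-A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Squid accepts the redirected LAN connections on the firewall
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport $SQUID_PORT -j ACCEPT
# LAN may initiate outbound; the DMZ may never initiate toward the LAN
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $DMZ_IF -o $LAN_IF -j DROP
# IPsec terminates on the firewall: IKE (UDP/500) and ESP reach this host,
# so the tunnel is never passed through NAT
-A INPUT -i $WAN_IF -p udp --dport 500 -j ACCEPT
-A INPUT -i $WAN_IF -p esp -j ACCEPT
COMMIT
EOF
}

# Load into the kernel only when explicitly asked (APPLY=1) and the tool exists.
apply_ruleset() {
  [ "${APPLY:-0}" = 1 ] && command -v iptables-restore >/dev/null 2>&1 || return 0
  echo 1 > /proc/sys/net/ipv4/ip_forward
  gen_ruleset | iptables-restore
}

# Count the rules that mention a given interface; handy for a quick sanity check.
rules_for_if() {
  gen_ruleset | grep -c -- "-[io] $1 "
}

gen_ruleset
apply_ruleset
```

Run it without arguments to print the ruleset for review; set `APPLY=1` (as root, on the firewall) to load it. Because the DMZ leg has no rule allowing it to start connections anywhere, a compromised IIS box cannot reach the Windows domain on its own, which is the isolation the original question asked about; if the web server needs outbound access for updates, add an explicit FORWARD rule for exactly that rather than relaxing the DMZ DROP.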
 
I use Smoothwall for my firewall, proxy and VPN. It is a Linux operating system but you do not need to know Linux that much to use it. The install is only 80MB and configuration is done via a browser or SSH.


Tom
 