Firewall Frustrations -- Recommendations?

Status
Not open for further replies.

StephenWyker

Technical User
Jun 30, 2005
208
US
We have an Untangle Server for our firewall and I have been unable to get SIP to work properly through it. I've spent literally hundreds of hours trying to make this work between the 5 minute IPO reboots and various configs. It's just not happening.

Can someone give me a SIMPLE decent firewall to literally put between our outside IP and our IPO WAN card that I can protect the IPO without having to make 7000 configuration changes to just make it work? Cisco requires way too much command line knowledge.
 
I am a big fan of the Meraki appliances (which Cisco owns) as well as SonicWall TZ series. SIP has never been a problem using them.
 
The very cheapest one I would dare to use: Netgear FVS336Gv2
A better one: Cisco ASA 5505 or Juniper SSG 5
Probably the best: WatchGuard firewalls

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
Not concerned with price. Concerned with simplicity. It will be a single function appliance to put between my public Fiber and my IPO's WAN interface. No other users will use it, nothing else will touch it. It does however need to be able to take a firewall rule to only allow SIP traffic to and from my SIP provider as fraud is the issue we are adding a firewall to begin with.
 
Music in my ears [smile]
I would choose a WatchGuard.

Better safe than sorry!

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
But the WatchGuard is not simple to program (IMHO) even though I love those little red devils.
I have a Netgear FVS336Gv2 on my home system because I wanted to be sure I can recommend it when it works, and I have had it for almost 3 years now. Aside from 3 or 4 reboots when upgrading the firmware I have not touched it.
It is simple enough to be good to program and complex enough to do all sorts of nifty stuff. Thinking of One-x portal with the IPO.

If you want to add another layer of security, make sure you don't have a 0.0.0.0 IP route on the IPO and rather make one for each outside connection required, in your case the SIP provider; then even if the firewall gets compromised, the IPO doesn't know how to answer.

Joe W.

FHandw, ACSS (SME), ACIS (SME)


"This is the end of the world, make sure to buy your T-shirt before it is too late"
Original expression of my daughter
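
Added example (not part of the original posts): a small Python model of the two layers described in the post above, a firewall that admits only the SIP provider and an IPO routing table with no 0.0.0.0 route. All addresses are constructed from documentation ranges, and the function and variable names are hypothetical.

```python
import ipaddress

# Constructed addresses from RFC 5737 documentation ranges (assumptions).
SIP_PROVIDER = ipaddress.ip_network("203.0.113.10/32")  # hypothetical provider
GATEWAY = "198.51.100.1"                                # hypothetical next hop

# Two candidate routing tables for the PBX: (destination network, gateway).
ROUTES_WITH_DEFAULT = [(ipaddress.ip_network("0.0.0.0/0"), GATEWAY)]
ROUTES_PROVIDER_ONLY = [(SIP_PROVIDER, GATEWAY)]

# Firewall allowlist: the only peers permitted to reach the PBX.
ALLOWED = [SIP_PROVIDER]


def next_hop(routes, dst):
    """Longest-prefix match; None when no route covers dst."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in routes if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def firewall_allows(src, allowed):
    """True when src belongs to one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in allowed)


def pbx_can_reply(src, routes, allowed, firewall_intact=True):
    """True if a packet from src reaches the PBX and the PBX has a route back.

    firewall_intact=False models the case where the firewall no longer
    filters anything, so only the routing table stands in the way.
    """
    if firewall_intact and not firewall_allows(src, allowed):
        return False
    return next_hop(routes, src) is not None


def audit(routes):
    """List routes that let the PBX answer any host on the Internet."""
    return [str(net) for net, _ in routes if net.prefixlen == 0]


if __name__ == "__main__":
    stranger = "192.0.2.66"  # constructed address of an unknown host
    for name, table in (("default route", ROUTES_WITH_DEFAULT),
                        ("provider only", ROUTES_PROVIDER_ONLY)):
        print(name, "| firewall down, stranger answered:",
              pbx_can_reply(stranger, table, ALLOWED, firewall_intact=False),
              "| audit:", audit(table))
```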
 
You're absolutely right about the Netgear being easy to program. For SIP you don't have to do much more than change the admin pwd and select the service you want to open.

But don't fall for the temptation of buying the smaller model, FVS318. It's not suitable for this kind of operation.

Kind regards

Gunnar
______________________________________
Mille viae ducunt homines per saecula Romam

 
"It does however need to be able to take a firewall rule to only allow sip traffic to and from my sip provider"
No it doesn't!
You should be able to connect to your SIP provider without needing any port forwarding back to the IPO; simple NAT should suffice.

A Maintenance contract is essential, not a Luxury.
Do things on the cheap & it will cost you dear
 