Good Firewall Option for Small Office

[wisdomwarrior23]

I have 10 users in a small workgroup environment, all running Xp or 2k, I need a good inexpensive firewall solution to protect the network. I don't want to use XP's built in firewall, I've used blackice and zone alarm before but it starts to get annoying and interferes with applications on the PCs. I did want to setup Linux as a firewall for the network but how secure and easy will it be for me to set it up and administer this remotely? I was thinking about just getting a hardware solution and put it on the network, I don't know which products would be good something not too expensive.

 

[Salem]

> I don't know which products would be good something not too expensive.
Well if you want to start out "free" as it were, then all you need is a spare machine and a Linux firewall distribution, eg.

http://www.ipcop.org/

http://www.smoothwall.org/

Typically, all you do is download an ISO image which you burn to a CD. You then boot your firewall machine using this CD where it installs a minimal linux configured to act as a firewall.

Both have a web interface which is accessible from the local LAN which allows you to configure and maintain the firewall itself.

--

http://www.catb.org/~esr/faqs/smart-questions.html

 

[wisdomwarrior23]

So let me make sure I'm clear, I either ipcop or smoothwall has software available that will work on the linux os. I have Suse Linux 8.2 pro installed on a spare machine already, so is it just installing one of these products next?

 

[danielhozac]

Those products are distros, not programs. The installation should remove any previous installation of any OS on your harddrive, if you were to install it.

//Daniel

 

[dilettante]

Even the cheapest home/SOHO "cable/DSL router" device ought to put you way ahead of sitting naked behind a switch or hub. I can't think of any that I have seen that couldn't handle at least 20 clients too.

I've put SMC 7004BR and 7008BRs into quite a few places in the past, but this product family isn't available anymore and people describe some awful woes with some of the newer SMC routers. Today I typically use "commercial" products, since the price has come down so far on even Cisco's offerings from several years ago.

I think you'll find such "appliances" a lot less of a headache than sticking Linux on a box and trying to make it go. If I were to go that route I'd probably have to recommend OpenBSD anyway, it is a much more secure product than Linux - though a custom Linux distribution designed for use in such a home-brew appliance should be nearly as secure and offer an easier administrative interface.

What are you plugging into at the remote site? DSL or something with an ethernet port, or do you need a T1 port on your firewall device?

 

[jimbizserv]

You can pick WebRamp 700's on eBay for under $150.00. They were made by Sonicwall and work great for a small office

 

[wisdomwarrior23]

Their using DSL at the site, I have it shared out via a netgear hub. I do have FreeBSD but their support isn't up to par, and I had trouble installing it. That was one of my concerns too, this site is far away from me and I don't want to keep running back and forth to do little stuff, thats why I was hesistant about using a Linux box, I know there is going to be a good deal of administration involved which is good but I need something right out the box which is good and can be configured and maintained remotely over the net. I'll check out the webramp 700 but also what do you guys think about Netgear firewall products, are they worth a look or should I try something else? The people I'm working for are willing to spend a couple hundred bucks.

 

[ChicagoJim]

I've set up a Netgear FVS318 VPN Firewall at a client’s site. I can't say I'm thrilled with it. It will block unwanted incoming traffic, provide some BASIC logging, and has some nice DHCP/DNS features.

However, the software based VPN is slow, the HTTP interface seems a little buggy, and the custom firewall rules are poorly implemented.

Not to mention, a scan of the device from the outside will show all 65K ports as open instead of just dropping the packets. Based on their logs, this seems to attract a lot of curiosity from the script kiddies. Between the dang thing shouting “I’M HERE! I’M HERE!” to anyone with a port scanner and the script kiddies poking at it in wild fascination, I’m sure a lot of their bandwidth is being wasted.

Linux firewalls are great when you’re on a budget, and they can be very secure when configured correctly. I’ve used SuSE’s SuSEFirewall2 on a few networks, and am very happy with it. The learning curve can be a bit steep if you’re not familiar with Linux or iptables. However, the low cost and high functionality of Linux makes it worth learning in my opinion.

 

[wisdomwarrior23]

I'm a amateur at Linux I'm running Suse Linux currently, well tell me what are some good resources for learning and being able to configure a Linux Firewall using Iptables. Also can you provide just another alternative for a firewall hardward device, only because it may take me a couple weeks to really get this Linux Firewall thing together and they would like to have a solution very soon.

 

[wisdomwarrior23]

This is good stuff I would like to thank everybody for the excellent feedback on this project I'm working on!!! I think I'll go the Linux way, it's seems to be the future its state of the art and unless you have a bunch of money to spend it seems like the wisest choice. I don't to just throw a hardward device out there that I can't reconfigure at time goes on make changes and improve the security of it. With a lot of the less expensive hardware devices it seems like what you get is what you get, later one when hackers and others figure out a way to crack it then what do you do, go and buy another firewall!!! No way not me.

 

[jrjuiliano]

Try out Astaro Security Linux (

http://www.astaro.com).

They have either black box solutions, or you can download the distribution (works the same as IPCop or Smootwall, but with better controls IMHO).

Astaro is free for home use, and for commercial use it's relatively inexpensive. I think we paid about $500 for 10 users, and 2 years of upgrades / support for one our groups.

J.R.