
Hardware firewall Recommendations

Status
Not open for further replies.

mattKnight

Programmer
May 10, 2002
I am looking for a HW fw to protect Terminal svs network (up to 100 clients). There is no requirement for VPN or any inbound traffic.

Watchguard is a possibility, but I haven't heard any good things about them

Any other suggestion - I'd even consider arguments for a software based firewall (smoothwall or similar)

thanks for the thoughts

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
I can't much help but to start the argument. What exactly is a hardware firewall? Isn't it just a proprietary piece of hardware running a proprietary piece of software? It seems to me that unless you are concerned about huge traffic, both a hardware and a software firewall are the same thing. Is a properly configured linux box running a properly configured iptables script not a hardware firewall then?
 
I have to agree with BIS, I am unsure of the difference between HW and SW firewalls. I guess that proprietary is the answer.

My boss is looking for a hardware solution, and I am looking for reasons to investigate a software solution.

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
It's a little like the difference between a hardware and software router. Any computer can act as a router, but a dedicated router is a device dedicated to the task without the overhead and vulnerabilities of a general-purpose operating system.

The answer does depend upon your needs. Performance and reliability are the best reasons to go hardware. HW firewalls typically have far fewer moving parts to fail, run quieter and cooler, take less time to boot, and have simpler OS upgrades. They also often, but not necessarily, cost more than software-based firewalls.

I've used Sonicwall and Pix for hardware; Raptor, BorderManager and Iptables for software. Pix would be my first choice among these.
 
F5 BigIp is a nice multi-function system.

I've migrated to smoothwall though and we are pleased with it.

If you have moderate requirements a firewall is a firewall, it all comes down to manageability options at that stage in my book.

 
SECURITY is the watchword! If you are going to run a software f/w on a pc, is the os hardened? Is the hardware high availability equipment? Can you afford to expose your core equipment to the web? How fast can you or your vendor fix the pc?
A hardware f/w is optimized for throughput, security, and reliability.
That's my $.02 worth

Rick Harris
SC Dept of Motor Vehicles
Network Operations
 
I've used Watchguard devices at two different companies, over 7 years time, and various models (Firebox II, Firebox 1000, SOHO6tc). I think they're great. I find it easy to install and configure, and changes are a snap. I also use their Spamscreen, which is a very basic anti-spam add-on. I've talked to several other users of Watchguard products and haven't heard any complaints. I've only had to use their tech support a few times over the years, and that's been adequate. Otherwise, I always seem to be able to find answers on their user forums or Googling.

In short - I'd look at Watchguard.

Good luck.
Roger Onken
 
There is no requirement for VPN or any inbound traffic.
Not now, but always look to the future. You may want to look into something that will allow a vpn at a later date. Good luck.

Glen A. Johnson
If you're from Northern Illinois/Southern Wisconsin/Central Florida feel free to join the Tek-Tips in Chicago, Illinois Forum.
TTinChicago
Johnson Computers
 
Thank you all for your views, I am currently awaiting visits from vendors for hardware products!

GlenJohnson said:
Not now, but always look to the future. You may want to look into something that will allow a vpn at a later date. Good luck

I quite agree in general, however, in this case I am extremely confident that VPN will never be required.

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
mattKnight: That may be in your case, but 6 months ago, my boss was saying the same thing. Now he wants a VPN. Something to think about anyway. :) Obviously we aren't trying to force you to buy the more expensive equipment, especially if your budget can't handle it, but at the same time, we don't want you to make the same mistakes we made. :) Fortunately our equipment at work does support VPN and once we finish our research such as impact and downtime, we may or may not implement VPN.

----------------------------
"Security is like an onion" - Unknown
 
Smoothwall has a vpn module that can be added at any time, it's a modular system that is remotely upgradeable via software.

It's also really cheap, I suggest taking a look.

 
Whilst I appreciate the responses regarding VPN, the network and business that I administer is such that a VPN is something that would be viewed as a disadvantage, both in terms of security and business operation.

In general, I agree that planning for future expansion in both features and capacity is prudent. In this particular case the firewall technology is likely to expand in either direction...

Take Care

Matt
If at first you don't succeed, skydiving is not for you.
 
I would look at IPcop, Smoothwall, and Monowall for budget. If the money can be spared I would go with a pix as the first choice.
 

They make a nice Hardware Firewall that is easy to manage and install.
The 225U model would support 100 users easily and have VPN support if needed. Cost around $1500 or less.
I have been using Firewall-1 which is much higher end equipment but I have thought of getting a SOHO model for the house.

SF18C
CCNP, MCSE, A+, N+ & HPCC
Tis better to die on your feet than live on your knees!
 
I would go w/ the Hardware Appliance of PIX (Cisco). I have worked on Firewall-1 (Checkpoint), Sonic, Netscreen. The PIX I have done so many apps. for customers through, I was doing the VPN setup in beta w/ Cisco. Believe it or not I have even passed IPX through a VPN tunnel on a PIX w/ other equip. to help.
But either go w/ a Netscreen or a PIX.
 
Agree. Last PEN test by a very reputable security firm on our PIX made us look like a black hole on the net. It's all about the config though. Very worth the money to pay someone who knows what they are doing to set it up.
 
The PIX is a great box. We use the Watchguard only due to the fact that we wanted to be able to have a subscription service to block visits to inappropriate websites. It was going to cost a lot of money to do that with the PIX, but it is very cheap with Watchguard. The Watchguard has done a great job for us and we have been very happy with it. We have been using it for 3 years now.

We ran a Raptor (software based) firewall previously. It was very expensive and you had to worry about potential holes that Microsoft might create in the OS.

Dan
 