Firewall Wizards mailing list archives
Re: Recommendation needed for a firewall appliance
From: "Christopher L. Everett" <ceverett () ceverett com>
Date: Mon, 20 Oct 2003 22:32:34 -0500
Mark Tinberg wrote:
On Fri, 17 Oct 2003, Christopher L. Everett wrote:I don't know that there's a lot of hardware in this range, except for SOHO stuff.'m a web programm/system admin for a small company in the medical advertising space. We operate on a pretty low budget, but I can get anything I can demonstrate a need for, within reason. In this case, within reason is $500 or less.There are several firewall specific linux distros, Astaro, Coyote Linux and Devil Linx appear to be a few examples. More can assuredly be found in the Freshmeat listing atId set up a Linux based Firewall/VPN server, but I just don't have the time to mess with setting up such a box from scratch; the last time I played with FreeSWAN a little over a year ago I was unsuccessful in getting an IPSec VPN going with a Win2K box despite following detailed instructions verbatim.http://freshmeat.net/browse/151/?topic_id=151
Astaro wants $$$ ... I'll check the others.
There are some small firewall units, and there are small Managed Security companies as well.After looking around and seeing what's happening in the firewall appliance market, and thinking about what I'd like to be able to do, I've come up with these requirements:) > 50 Mbps LAN-to-WAN throughput (needs a 10/100 WAN port)?? Do you have a 50Mbps connection to the internet ??
Actually it's a Fast Ethernet over fiber optic, a municipal network that a local company strung around town on the phone poles. Simple, reliable, fast. Our web servers live in a data center close by on the same network. The high LAN-to-WAN throughput would help with a lot of my system administration chores, mostly the upload and download parts.
1) a 10/100 DMZ portSo you need three interfaces, inside, outside, dmz.
Even nicer would be a second WAN port. Our current phone company uses DSL to provide us, and it would be nice to have a backup route to the internet.
2) enough VPN speed for 3 to 5 broadband users, 10Mbps or more?? You're going to have 30-50Mbps of VPN (IPSec) traffic ??
No, I'm figuring on a total of 10 Mbps for 3 to 5 people. I live in line of sight, I'm gonna rig a 54 Mbps wireless link over the VPN.
?? do your clients have 10Mbps links to the internet ??
Not clients. Employees. If a snowstom hits our people can work from home without opening all the Windows boxes in the office to compromise. Ideally I want to push the Cisco VoIP phone system we're about to buy out over the VPN.
4) client to VPN connectivity without needing special software, for Windows, OSX and Linux.I believe Windows comes with an IPSec stack, although I don't know if its functional (it wasn't on W2K last I looked, and clients ended up buying SafeNet SoftPK) Linux has FreeSWAN (and USAGI) ahd I believe OSX ships with KAME from *BSD.
I've used SSH Sentinel to hook up my bosses Windows XP Home laptop (I told him to get XP Professional, but does he listen to me?) to our POS "We-only-support-Windows" Linksys box (I can't even pull up the admin web interface on a Linux box), and I got the VPN going so that IP traffic would go, but I never managed to get MS networking to work. And of course all that work went out the window the minute I had to reset the Linksys. I suppose that's an argument for special VPN software, but I really love the idea that when we hit the big time we ditch every Windows installation in the company.
There is OpenVPN as well, which has generally decent crypto (links against libssl) and also runs on all of the abovementioned platforms.I found OpenVPN just yesterday. Looks decent.
http://openvpn.sourceforge.net/Always important, and a too often overlooked requirement. The other thing to look for is how often they _haven't_ had to release patches, but this is a lot harder to determine.) maker has a good record on security & releasing patches
Worse, they stop releasing patches.
All software runs on hardware, I doubt this is a sensible requirement for your network setup. A few of your other requirements don't seem to really make sense either.6) The firewall/VPN runs in hardware as much as possible.
I'd just prefer if as much stuff as possible was implemented with FPGA'sand ASIC's is all. It's more of a "It would be nice if ..." requirement I could
use to decide between otherwise equivalent solutions.
I'm pretty sure that both support IPSec, in face I think that the Symantec is using Linux and FreeSWAN as their IPSec implementation underneath anyway. At least judging from all the Symantec hits I received when searching for FreeSWAN error messages.As far as new, currently manufactured equipment that looks good to my inexperienced eye are: 1) Netgear FVL328 2) Hotbrick 600/2 The Symantec 200R and Sonicwall stuff seems to need special VPN software so that's out.
It must be that crackerjack IPSec implementation MS provides for Windows.
I think this question was answered on the list about Cisco hardware, and in that case the licenses are not transferrable. You buy the hardware on eBay, and you've still got to buy a maintenance contract to get access to legit firmware and any firmware updates. If you really want to know, there's no substitute for calling the vendor and asking, I'm sure they'd be happy to talk to you.But I've also been checking out used equipment on Ebay hoping toget lucky and stretch our budget into something a little more deluxe such as an older Nokia (IP440?) or Watchguard box. One thing that I don't understand are the licensing issues with used Nokia boxes: do the Checkpoint licenses travel with the box or will I have to buy new licenses?
Looks like the deal is the same with Watchguard stuff after the license gets activated. Firewall-1 & VPN-1 seems like its getting long in the tooth, and I'm guessing CheckPoint is about to put it out to pasture.
Well, in that case you're on your own, flapping in the wind with no parachute. IMHO you want to have either A) a maintenance contract with a very responsive and active vendor or B) the source and at least the will to pay someone to help you when you need helping.Another thing I'd like to know about are the risks involved in running an older, possibly unsupported firewall/VPN box: is it riskier than just running straight NAT access? Are there some of these older boxes I should stay away from?
Frankly, spending thousands on a firewall/VPN appliance, then paying for a support contract every year until at some point they won't support the damn thing anymore and starting all over again is an unsustainable business model for everyone but landfills. Looks like I'm going to check out some Linux firewall distros, hopefully I can find a Debian-based one. _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Recommendation needed for a firewall appliance Christopher L. Everett (Oct 20)
- Re: Recommendation needed for a firewall appliance Mark Tinberg (Oct 22)
- Re: Recommendation needed for a firewall appliance Christopher L. Everett (Oct 22)
- Re: Recommendation needed for a firewall appliance Julian Gomez (Oct 22)
- Re: Recommendation needed for a firewall appliance Mark Tinberg (Oct 22)