Re: Recommendation needed for a firewall appliance

["Christopher L. Everett" <ceverett () ceverett com>]

Mark Tinberg wrote:

> On Fri, 17 Oct 2003, Christopher L. Everett wrote:
>
> > 'm a web programm/system admin  for a small company in the
> > medical advertising space.  We operate on a pretty low budget,
> > but I can get anything I can demonstrate a need for, within
> > reason.  In this case, within reason is $500 or less.
> >    
> I don't know that there's a lot of hardware in this range, except for SOHO 
> stuff.
>  
>
> > Id set up a Linux based Firewall/VPN server, but I just don't
> > have the time to mess with setting up such a box from scratch;
> > the last time I played with FreeSWAN a little over a year ago
> > I was unsuccessful in getting an IPSec VPN going with a Win2K
> > box despite following detailed instructions verbatim.
> >    
> There are several firewall specific linux distros, Astaro, Coyote 
> Linux and Devil Linx appear to be a few examples.  More can assuredly be 
> found in the Freshmeat listing at 
>
>  http://freshmeat.net/browse/151/?topic_id=151
Astaro wants $$$ ... I'll check the others.

> > After looking around and seeing what's happening in the firewall
> > appliance market, and thinking about what I'd like to be able to
> > do, I've come up with these requirements:
> >    
> There are some small firewall units, and there are small Managed Security 
> companies as well.
>
> > ) > 50 Mbps LAN-to-WAN throughput (needs a 10/100 WAN port)
> >    
> ?? Do you have a 50Mbps connection to the internet ??
>  
Actually it's a Fast Ethernet over fiber optic, a municipal network
that a local company strung around town on the phone poles.

Simple, reliable, fast.

Our web servers live in a data center close by on the same
network. The high LAN-to-WAN throughput would help with a
lot of my system administration chores, mostly the upload
and download parts.

> > 1) a 10/100 DMZ port
> >    
> So you need three interfaces, inside, outside, dmz.
Even nicer would be a second WAN port.  Our current phone
company uses DSL to provide us, and it would be nice to
have a backup route to the internet.

> > 2) enough VPN speed for 3 to 5 broadband users, 10Mbps or more
> >    
> ?? You're going to have 30-50Mbps of VPN (IPSec) traffic ??
No, I'm figuring on a total of 10 Mbps for 3 to 5 people.

I live in line of sight, I'm gonna rig a 54 Mbps wireless link over
the VPN.

> ?? do your clients have 10Mbps links to the internet     ??
Not clients.  Employees.  If a snowstom hits our people can
work from home without opening all the Windows boxes in
the office to compromise.  Ideally I want to push the Cisco
VoIP phone system we're about to buy out over the VPN.

> > 4) client to VPN connectivity without needing special software,
> >   for Windows, OSX and Linux.
> >    
> I believe Windows comes with an IPSec stack, although I don't know if its
> functional (it wasn't on W2K last I looked, and clients ended up buying
> SafeNet SoftPK) Linux has FreeSWAN (and USAGI) ahd I believe OSX ships
> with KAME from *BSD.
>  
I've used SSH Sentinel to hook up my bosses Windows XP Home laptop
(I told him to get XP Professional, but does he listen to me?) to our POS
"We-only-support-Windows" Linksys box (I can't even pull up the admin
web interface on a Linux box), and I got the VPN going so that IP traffic
would go, but I never managed to get MS networking to work.  And of
course all that work went out the window the minute I had to reset
the Linksys.

I suppose that's an argument for special VPN software, but I really
love the idea that when we hit the big time we ditch every Windows
installation in the company.

> There is OpenVPN as well, which has generally decent crypto (links against 
> libssl) and also runs on all of the abovementioned platforms.
>  
I found OpenVPN just yesterday.  Looks decent. 

>  http://openvpn.sourceforge.net/
>
> > ) maker has a good record on security & releasing patches
> >    
> Always important, and a too often overlooked requirement.  The other thing 
> to look for is how often they _haven't_ had to release patches, but this 
> is a lot harder to determine.
Worse, they stop releasing patches.

> > 6) The firewall/VPN runs in hardware as much as possible.
> >    
> All software runs on hardware, I doubt this is a sensible requirement for 
> your network setup.  A few of your other requirements don't seem to really 
> make sense either.
I'd just prefer if as much stuff as possible was implemented with FPGA's
and ASIC's is all.  It's more of a "It would be nice if ..." requirement 
I could
use to decide between otherwise equivalent solutions.

> > As far as new, currently manufactured equipment that looks
> > good to my inexperienced eye are:
> >
> > 1) Netgear FVL328
> > 2) Hotbrick 600/2
> >
> > The Symantec 200R and Sonicwall stuff seems to need special VPN
> > software so that's out.
> I'm pretty sure that both support IPSec, in face I think that the Symantec 
> is using Linux and FreeSWAN as their IPSec implementation underneath 
> anyway.  At least judging from all the Symantec hits I received when 
> searching for FreeSWAN error messages.
It must be that crackerjack IPSec implementation MS provides for
Windows.

> > But I've also been checking out used equipment on Ebay hoping
> > toget lucky and stretch our budget into something a little more
> > deluxe such as an older Nokia (IP440?) or Watchguard box.
> >
> > One thing that I don't understand are the licensing issues
> > with used Nokia boxes: do the Checkpoint licenses travel with
> > the box or will I have to buy new licenses?
> >    
> I think this question was answered on the list about Cisco hardware, and 
> in that case the licenses are not transferrable.  You buy the hardware on 
> eBay, and you've still got to buy a maintenance contract to get access to 
> legit firmware and any firmware updates.  If you really want to know, 
> there's no substitute for calling the vendor and asking, I'm sure they'd 
> be happy to talk to you.
Looks like the deal is the same with Watchguard stuff after the license
gets activated.   Firewall-1 & VPN-1 seems like its getting long in the
tooth, and I'm guessing CheckPoint is about to put it out to pasture.

> > Another thing I'd like to know about are the risks involved
> > in running an older, possibly unsupported firewall/VPN box:
> > is it riskier than just running straight NAT access?  Are
> > there some of these older boxes I should stay away from?
> >    
> Well, in that case you're on your own, flapping in the wind with no 
> parachute.  IMHO you want to have either A) a maintenance contract with a 
> very responsive and active vendor or B) the source and at least the will 
> to pay someone to help you when you need helping.
>  
Frankly, spending thousands on a firewall/VPN appliance, then paying
for a support contract every year until at some point they won't support
the damn thing anymore and starting all over again is an unsustainable
business model for everyone but landfills.

Looks like I'm going to check out some Linux firewall distros, hopefully
I can find a Debian-based one.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards