A Dedicated Firewall for a Small Town?
Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an applicance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."
Spend 1/10 that. (Score:2)
Watchguard Fireboxes are good, based on Linux (unfortunately requiring Windows to manage, or Wine perhaps?), and will run $1500. Use the rest to pay someone with a clue to keep it up to date with good rules and security policies.
Re:Spend 1/10 that. (Score:3, Insightful)
what problems (Score:2)
What problems and restrictions do you have with the Watchguard product?
(Other than the obvious... needing Windows... that is)
TIA
Re:what problems (Score:1)
Re:Spend 1/10 that. (Score:2)
Has anybody hacked into one of these things and found out exactly what packages/kernel they are using?
Their specifications page lists only fluffy information, no real specs.
I'd like to know what kind of processor is in what model, what VPN package they use, etc.
Re:Spend 1/10 that. (Score:2)
Bunch of morons (Score:3, Informative)
Re:Bunch of morons (Score:5, Funny)
Re:Bunch of morons (Score:2)
Re:Bunch of morons (Score:2)
Re:Bunch of morons (Score:2)
Re:Bunch of morons (Score:2)
Free = You don't pay for it.
There are many (and better) options. (Score:2)
There are many others out there also, but I have had success in
Re:There are many (and better) options. (Score:1)
Sonicwall also makes some comparable products that sell for comparable prices. They're much easi
What city? (Score:2)
Maybe I could make myself president of some company, or heck, be a mayor
Re:What city? (Score:5, Funny)
Troy?
Re:What city? (Score:2)
Yes.
Re:What city? (Score:2)
OpenBSD? (Score:5, Informative)
Re:OpenBSD? (Score:4, Insightful)
Re:OpenBSD? (Score:4, Interesting)
Getting an OpenBSD box up, configuring the routing and firewall can be learned, perhaps even in a week, but that assumes someone with a pretty damn good low level understanding of networks and protocols. You or I might do this, but it's at the opposite end of the spectrum from Windows/Symantec Firewall.
Re:OpenBSD? (Score:2)
Getting an OpenBSD box up, configuring the routing and firewall can be learned, perhaps even in a week, but that assumes someone with a pretty damn good low level understanding of networks and protocols. You or I might do this, but it's at the opposite end of the spectrum from Windows/Symantec Firewall.
True, but honestly no one without a good understanding of network protocols should be let near such a firewall configuration. There seems to be this misconception that with the aid of computers a child can
Re:OpenBSD? (Score:2)
I still think that for many installations something like a Firebox can be learned by the in-house administrator, and will probably meet the security threat/skill/cost equation. I am assuming a fairly straightforward scenario. I
Re:OpenBSD? (Score:2)
Re:OpenBSD? (Score:1)
Re:OpenBSD? (Score:1)
Re:OpenBSD? (Score:3, Insightful)
Re:OpenBSD? (Score:5, Insightful)
Did I mention it's free?
Cheers.
Re:OpenBSD? (Score:1)
Sure, recent versions of OpenBSD do support most modern hardware just fine, but you really should check out the hardware compatibility documentation [openbsd.org] (link is for i386 hardware) thoroughly if you know which hardware to go by.
One thing like a wireless card not working on 802.11g but only on 802.11b really puts you off because
Please clarify: "single TCP/IP stack"?!? (Score:2)
Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
Correct me if I'm wrong, but I thought the NT "kernel" [or whatever you call it - it's not a monolithic "kernel" per se, but rather a microkernel surrounded by services] had had a multi-threaded TCP/IP stack since at least Windows 2000.
So what do you mean by "a single TCP/IP stack"?
Is this some sort of a "process" -vs- "thread" kinduva thang? Or maybe a Hurd
Re:huh? (Score:1)
Snapgear (Score:2)
The real issue... (Score:3, Insightful)
How small is your town? (Score:3, Informative)
Re:How small is your town? (Score:2)
That's still rather large, or a hugely overstaffed small town :) (Unless you're counting the fire department in the volunteers).
Re:How small is your town? (Score:2)
I am. And the school- in the permanent and part-time employees.
ImageStream (Score:1)
No hard disk, it's flash based for reliability.
With a T3 card it'll be about $7000 so it's not cheap, but if it replaces some overpriced cisco crap along with the firewall, it could be a real money saver.
Uh huh. (Score:1, Informative)
Come on, you need to be far more specific in your question than that if you want a helpful answer. How big is the network? How many workstations and servers, and what operating systems are they all? How much internet traffic is going out and how much is coming in? What type of traffic, is it all http or do you run a lot of h.323 video conferences?
Do you need to provide protection for 10 Windows workstations t
Re:Uh huh. (Score:1)
Yes, yes, I know, but I couldn't resist.
And yes, I am from Arkansas. No, I wasn't offended by the post.
re: A Dedicated Firewall for a Small Town (Score:1)
Perhaps I'm missing the point of your question, but why does your network security sysadmin have to be on staff? Or even local? Or even on the same side of the planet as you? It seems to me that you could contract this firewall function out to any network security firm for less than the amount you were quoted.
ipcop and smoothwall (Score:4, Informative)
staff? (Score:4, Insightful)
Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff.
I'm no "big time sysadmin" either but I have some security knowledge. Security is not a "set and forget" operation. You don't need a full-time dedicated person but you do need someone to keep up with fixes, etc. Otherwise, you're throwing money down a hole.
Maintenance policy - first (Score:5, Insightful)
Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."
Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.
Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.
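To make the "OpenBSD + pf" option the post above argues for concrete, here is an example pf.conf for a two-NIC border box. This is an added illustration written for this thread, not configuration from the poster or the OpenBSD project; the interface names, the LAN range, the web server and admin-workstation addresses are all assumed placeholders. It uses the classic rule syntax current at the time of the thread (OpenBSD up to 4.6, where nat and rdr are separate rules); from 4.7 on the same NAT is written as a match rule with nat-to.

```conf
# Example pf.conf for a small municipal border firewall (added example;
# interface names and addresses below are assumed placeholders, not real).
# Classic syntax (OpenBSD <= 4.6): nat/rdr are separate rules. From 4.7 on,
# NAT is expressed as "match out on $ext_if ... nat-to ($ext_if)" instead.

ext_if = "fxp0"                 # Internet-facing NIC (assumed)
int_if = "fxp1"                 # LAN-facing NIC (assumed)
lan_net = "192.168.10.0/24"     # constructed LAN range
www_server = "192.168.10.80"    # constructed: public web server on the LAN
admin_hosts = "{ 192.168.10.5, 192.168.10.6 }"  # constructed: admin workstations

# Don't filter loopback; silently drop blocked packets; normalise fragments
set skip on lo
set block-policy drop
scrub in all

# Hide the LAN behind the firewall's external address
nat on $ext_if from $lan_net to any -> ($ext_if)
# Publish the web server only on the ports it actually serves
rdr on $ext_if proto tcp from any to ($ext_if) port { 80, 443 } -> $www_server

# Default deny in both directions, logging what is dropped so whoever is
# maintaining the box has something to review
block log all

# Drop packets whose source address is forged for the interface they arrive on
antispoof quick for { lo, $int_if, $ext_if }

# LAN may go out; replies return through state tracking, nothing else comes in
pass in  on $int_if inet from $lan_net to any keep state
pass out on $ext_if inet proto { tcp, udp, icmp } all keep state

# Inbound web traffic (after rdr it is addressed to $www_server);
# synproxy lets pf complete the TCP handshake before the server sees it
pass in on $ext_if inet proto tcp from any to $www_server port { 80, 443 } \
    flags S/SA synproxy state

# Management of the firewall itself only from the LAN admin hosts
pass in on $int_if inet proto tcp from $admin_hosts to ($int_if) port 22 \
    flags S/SA keep state
```

Load it with `pfctl -f /etc/pf.conf` after a dry run with `pfctl -nf /etc/pf.conf`, which parses the file without changing the running ruleset. The point the post makes about maintenance applies here as well: the default-deny rule and the logging of dropped traffic only pay off if someone reads `pflog0` and keeps the base system patched.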
Are You Serious? (Score:1)
I'm a set-top box software QA guy, and even I know that!
-Peter
Re: (Score:1)
Watchguard Firebox (Score:2)
Comment removed (Score:5, Informative)
Re:appliance (Score:2)
> 1. They run a full OS. The device and software are Turing complete,
[/snip]
First one to implement a TCP/IP stack on hardware that isn't Turing complete at some level of abstraction (or can't be configured to be - I'm thinking FPGAs here) wins a virtual cookie.
Re:appliance (Score:2)
Cough, bounded memory.
Just kidding. :-)
What do you think about watchguard? (Score:2)
m0n0wall (Score:1)
Lucent Brick (Score:2)
The bricks are managed using an easy to use GUI that is Java based and runs on Windows or Unix. The management station is separate from the Brick hardware, but can be anything, even just your desktop Win2K Pro box. The management station is not in the path of traffic
Other options (Score:2)
One software firewall? (Score:4, Informative)
Draw a network diagram, including all possible entry points. Now, where is that single firewall going to sit, to cover all of them?
Personally, I'd go with a mixed router and hardware firewall configuration, probably with some IDS capability, but "small" doesn't tell me much of anything. So in lieu of something that doesn't fit, I'm going to say, if you do go with software instead, you really need coverage on every entry point you can afford to cover. You also should be running host intrusion detection on the most important database and command servers, if at all possible.
Oh, and don't forget, you need to have a written security policy before doing a lot of configuration, to keep things consistent and to save yourself a lot of grief. It also helps when you have to figure out if someone is getting through, and how.
Tell you what, go poke around on Cisco's website for their SAFE blueprint, and you can start with this [cisco.com]. You can learn the basic conceptual stuff for free, and then implement scalable design choices using their stuff or someone else's.
How big do you need? (Score:2)
How many concurrent connections? How many VPN tunnels? How much bandwidth do you have? Most importantly, as others have mentioned, who is your admin? A firewall is only implementing a set of access rules; the hard part is crafting those rules. Don't buy a Cisco firewall if your security guy only knows Checkpoint. If you don't have a security guy, get one.
I'll assume if you have no firewall at all right now, and you're not talking a
You are doing WHAT to your town? (Score:2, Troll)
A few things why this is a terrible idea:
A single firewall like this will really make things slow.
You are playing big brother. Expect to be asked to block P2P and games even.
The performance will be terrible. VoIP will be unusable.
Cost will rise, it will not scale. Don't allow immigrants.
See, if you want to provide an Internet connection, just buy some fat cisco or juniper switches. Divide the bandwidth fairly at level 2 a
Get the right advice (Score:2)
Sounds like the wrong person is driving this. Non-technical people seem to think that a firewall is the Grand Ultimate Answer to Security Problems. When you phrase your requirements in terms of a specific solution (i.e. We need to protect our IT infrastructure with a firewall) then you've got trouble.
Start by getting an IT security expert to review your infrastructure and identify potential threats, and discuss what protection can be used to mitigate various threats.
You will almost certainly find that
monowall (Score:4, Interesting)
Mikrotik (Score:1)
Anybody out there had an significant experience with Mikrotik?
Slackware-current with Project Files rc.firewall (Score:1)
Dedicated Windows and Symantec firewall - eeeeek! (Score:1)
People are the weakest link (Score:1)
y'all can argue over the best products all day long, but those products won't be as effective or as efficient as their potential states them to be without someone at the helm who knows what they're doing.
I just thought I'd remind y'all of the human factor in security, as this section was starting to look like a metaphorical cock fight