Security Technology

A Dedicated Firewall for a Small Town?

Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an appliance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."
  • Or rather, 1/10 that price on hardware, and the rest on skilled maintenance and installation.

    Watchguard Fireboxes are good, based on linux (unfortunately requiring windows to manage, or wine perhaps?), and will run $1500. Use the rest to pay someone with a clue to keep it up to date with good rules and security policies.
    • by numbski ( 515011 ) *
      Caveat. If you have consultants available that are skilled with open source, get a firewall from them so you don't have to deal with Watchguard licensing. A FreeBSD based firewall (m0n0wall or pfsense?) with solid rulesets, and even throw in intrusion detection and stateful inspection...you can get those free of even the Watchguard restrictions. m0n0wall and its fork, pfsense, have nice web interfaces and I believe you may even be able to use something like fwbuilder to manage them, but the web interface
      • Just wondering (as a Watchguard owner)...

        What problems and restrictions do you have with the Watchguard product?

        (Other than the obvious... needing Windows... that is)

        TIA
        • Personally, I find the X Edge and SOHO fireboxes can be a little annoying with their limitations on maximum LAN users. Buying a "user license" for your network printer can be a little annoying. The X50 and the entire X Core series are far less annoying (unlimited users on each). The mobile and branch office VPN licenses are easier to manage because they're rarely "unintentionally" used, and simply controlling where you install the mobile user VPN software is enough to control the MUVPN licensing.
    • Watchguard Fireboxes are good

      Has anybody hacked into one of these things and found out exactly what packages/kernel they are using?

      Their specifications page list only fluffy information, no real specs.

      I'd like to know what kind of processor is in what model, what VPN package they use, etc.
  • Bunch of morons (Score:3, Informative)

    by Pig Hogger ( 10379 ) on Tuesday December 20, 2005 @04:00PM (#14301911) Journal
    Spending money on proprietary closed-source solutions. Get IP cop [ipcop.org]! It's free, costs nothing and works.
  • More details would help a lot (number of systems, incoming connections, type of services provided, etc.), but I do think you can do better. Take a look perhaps at WatchGuard. Nice easy interface, comes with 6 interfaces for various internal & DMZ segments and VPN. You could probably get a pair of X1000's for failover, a couple of years of security service and still be far less than $13,000. Plus I personally think it would be a better setup.

    There are many others out there also, but I have had success in
    • I'd have to agree, although you may not need X1000s. Depending on the requirements, anything from the X Core series (with either the Fireware Pro, or high availability upgrade) would probably be sufficient. The configuration management system takes a little getting used to, but they're powerful firewalls and are pretty easy to manage once you get the hang of it. Disclaimer: I work for a Watchguard reseller.

      Sonicwall also makes some comparable products that sell for comparable prices. They're much easi

  • Hey, I presume that you guys use no firewall now. And you have Windows servers on the network! What kind of city is that?

    Maybe I could make myself president of some company, or heck, be a mayor :-P
  • OpenBSD? (Score:5, Informative)

    by m0rph3us0 ( 549631 ) on Tuesday December 20, 2005 @04:03PM (#14301944)
    I'd throw OpenBSD on there. And scale down the hardware a lot. You will run out of bandwidth on your bus before you run out of CPU. Get two boxes and run CARP for fail over. That way when you patch the box your whole network doesn't go down. Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
    • Re:OpenBSD? (Score:4, Insightful)

      by Parsec ( 1702 ) on Tuesday December 20, 2005 @04:24PM (#14302238) Homepage Journal
      I second this. You can learn OpenBSD's pf firewall well in about a week. Get started here: http://www.openbsd.org/faq/pf/ [openbsd.org] . A 600 MHz PIII, 256 MB RAM, 4 GB HD, is plenty for 4 to 6 100 Mbit NICs on 32-bit PCI; if you have higher bandwidth needs you might put the money into a machine with 64-bit PCI or PCI-E and Gigabit NICs.
      • Re:OpenBSD? (Score:4, Interesting)

        by major.morgan ( 696734 ) on Tuesday December 20, 2005 @05:35PM (#14303148) Homepage
        While I agree that BSD/pf is potentially one of the best, and with no licensing costs perhaps the cheapest - but did you all read the last sentence of the original question?

        Getting an OpenBSD box up, configuring the routing and firewall can be learned, perhaps even in a week, but that assumes someone with a pretty damn good low level understanding of networks and protocols. You or I might do this, but it's at the opposite end of the spectrum from Windows/Symantec Firewall.
        • Getting an OpenBSD box up, configuring the routing and firewall can be learned, perhaps even in a week, but that assumes someone with a pretty damn good low level understanding of networks and protocols. You or I might do this, but it's at the opposite end of the spectrum from Windows/Symantec Firewall.

          True, but honestly noone without a good understanding of network protocols should be let near such a firewall configuration. There seems to be this misconception that with the aid of computers a child can

          • I agree with your point, though I would argue that not every photographer is Ansel Adams, nor is every company able to justify a "packet pro". I'm not going to hire a nationally known photographer for my wedding, but rather someone who meets my requirements of skill balanced with cost.

            I still think that for many installations something like a Firebox can be learned by the in-house administrator, and will probably meet the security threat/skill/cost equation. I am assuming a fairly straightforward scenario. I
            • Right, but firewall builder [fwbuilder.org] is the tool you're looking for in this case. The question here is whether it's ok to spend thousands of dollars for a set of wizards; that's all the value add there is in the "commercial" solution. An admin that can't grok fwbuilder needs some serious training and even that would be cheaper than throwing all that money in the wind...
      • I'm not trolling because I'd love to put this setup together myself but one thing a lot of people overlook is the power and environmental considerations with setups like this. You've gone from one small dedicated firewall to one or two x86 boxes running 24/7. I'd love to see a report sometimes on whether it's better or not to reuse old hardware in these situations from an environmental perspective. As a slimmed down desktop for surfing yes, for two redundant firewalls...i wonder?
    • Re:OpenBSD? (Score:3, Insightful)

      by Yonder Way ( 603108 )
      I was going to post, but the parent to this is almost exactly what I was going to say. He's right. 2x OpenBSD boxen with CARP will be far more resilient, and less expensive, than the proposed solution.
    • Re:OpenBSD? (Score:5, Insightful)

      by Noodlenose ( 537591 ) on Tuesday December 20, 2005 @05:30PM (#14303099) Homepage Journal
      I can't commend this solution higher. There are 3 main reasons why OpenBSD should be your choice:

      • Excellent hardware support
      • Superb documentation
      • With Carp and pf, you have the best firewall tools out there.

      Did I mention it's free?

      Cheers.

      • Just by experience, but OpenBSD never had 'Excellent' hardware support, nor do the developers make that the top priority of the OS, compared to Linux or, moreover, Windows.

        Sure, recent versions of OpenBSD do support most modern hardware just fine, but you really should check out the hardware compatibility documentation [openbsd.org] (link is for i386 hardware) thoroughly if you know which hardware to go by.

        One thing like a wireless card not working on 802.11g but only on 802.11b really puts you off because

    • Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.

      Correct me if I'm wrong, but I thought the NT "kernel" [or whatever you call it - it's not a monolithic "kernel" per se, but rather a microkernel surrounded by services] had had a multi-threaded TCP/IP stack since at least Windows 2000.

      So what do you mean by "a single TCP/IP stack"?

      Is this some sort of a "process" -vs- "thread" kinduva thang? Or maybe a Hurd

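The OpenBSD pf + CARP pair recommended in the subthread above, written out as an added configuration example (not from any poster here). Interface names, addresses, the VHIDs and the CARP password are placeholders, and it uses current OpenBSD syntax (carpdev, syncdev, match ... nat-to) rather than the 2005-era syntax.

```conf
# --- /etc/hostname.carp0 on the PRIMARY box (backup box uses advskew 100) ---
# Shared external address (placeholder 198.51.100.1); em0 is the WAN NIC.
# Each box still needs its own address on em0/em1 in /etc/hostname.em0 and .em1.
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 1 carpdev em0 pass CHANGE_ME advskew 0

# --- /etc/hostname.carp1 on the PRIMARY box (backup box uses advskew 100) ---
# Shared internal address (placeholder 192.0.2.1): the LAN's default gateway.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass CHANGE_ME advskew 0

# --- /etc/hostname.pfsync0 on BOTH boxes ---
# Replicate the state table over a dedicated crossover link (em2) so
# established connections survive a failover instead of being reset.
up syncdev em2

# --- /etc/sysctl.conf on BOTH boxes ---
# If one interface dies, demote every CARP interface on this host together,
# so WAN and LAN sides always fail over as a pair.
net.inet.carp.preempt=1

# --- /etc/pf.conf, identical on BOTH boxes ---
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
ext_addr = "198.51.100.1"       # the CARP address, not the box's own address
lan      = "192.0.2.0/24"
admin    = "192.0.2.10"         # the one workstation allowed to ssh to the firewall
web_srv  = "192.0.2.20"         # internal host publishing the city's web site

set skip on lo
antispoof quick for { lo $int_if }

# Default deny, logged, so pflog0 shows what was dropped.
block log all

# CARP heartbeats on both filtered interfaces and pfsync on the crossover link.
pass on { $ext_if $int_if } proto carp
pass quick on $sync_if proto pfsync

# Windows file sharing must never leave the town network, whatever the LAN asks.
block out quick on $ext_if proto { tcp udp } to any port { 135 137 138 139 445 }

# NAT must use the shared CARP address; translating to the physical address
# would break every outbound session the moment the backup takes over.
match out on $ext_if inet from $lan nat-to $ext_addr

# Outbound: LAN to Internet, stateful (states are synced via pfsync).
pass in  on $int_if inet from $lan to any
pass out on $ext_if inet

# Inbound from the Internet: only the published web server, nothing else.
pass in on $ext_if inet proto tcp from any to $ext_addr port 80 rdr-to $web_srv

# Firewall administration: ssh from one admin workstation on the LAN only.
pass in on $int_if inet proto tcp from $admin to self port 22
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `ifconfig carp0` on each box shows which one is MASTER.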
  • by lal ( 29527 ) *
    You need to tell us more about your requirements. That said, if you want a basic firewall, consider Cyberguard's SG [cyberguard.com] family of firewalls, which are essentially little Linux appliances with an easy-to-use web interface. They're far less expensive than $13K.
  • The real issue... (Score:3, Insightful)

    by Incongruity ( 70416 ) on Tuesday December 20, 2005 @04:12PM (#14302065)
    So, I'm betting the real issue will be selling a cheaper or open source solution to people who are not in IT and are used to paying big money for anything "reputable"... I guess the strategy I would use would be to put a chunk of money into a "reputable" consultant who would then sell them on the OSS option. Remember, in business and in politics it's often about making them feel secure, regardless of whether or not they actually are. Somehow Microsoft and Norton branded products provide that sense of security to many outside of the IT field, so they'll continue to get the business unless you can provide them with that same sense of security at a cheaper price.
  • by Marxist Hacker 42 ( 638312 ) * <seebert42@gmail.com> on Tuesday December 20, 2005 @04:14PM (#14302089) Homepage Journal
    Give us a number of workstations and servers currently in operation and we'd give you a better answer. Are you small like Salem, OR? If so the solutions suggested so far are reasonable. But if you're small like Condon, OR (three full time employees, two part time, and about 20 volunteers, all centered in a single building) then I'd suggest something more along the lines of a Linksys or Netgear router is more what you should be looking at; both in terms of stability and ease of remote management.
    • But if you're small like Condon, OR (three full time employees, two part time, and about 20 volunteers, all centered in a single building)

      That's still rather large, or a hugely overstaffed small town :) (Unless you're counting the fire department in the volunteers).

  • Try an ImageStream rebel router. It can serve as a direct termination point for your T3/T1 with no other equipment, it routes obviously, and it runs linux so you can ssh into it and configure iptables just as any other linux box.

    No hard disk, it's flash based for reliability.

    With a T3 card it'll be about $7000 so it's not cheap, but if it replaces some overpriced cisco crap along with the firewall, it could be a real money saver.
  • Uh huh. (Score:1, Informative)

    by Anonymous Coward
    So it's a small city or town. Like Minneapolis is a small city or are you talking Hickville Arkansas?

    Come on, you need to be far more specific in your question than that if you want a helpful answer. How big is the network? How many workstations and servers and what operating systems are they all. How much internet traffic is going out and how much is coming in? What type of traffic, is it all http or do you run a lot of h.323 video conferences?

    Do you need to provide protection for 10 Windows workstations t
    • So it's a small city or town. Like Minneapolis is a small city or are you talking Hickville [sic] Arkansas?
      Actually, Hicksville [google.com] is in New York.

      Yes, yes, I know, but I couldn't resist.

      And yes, I am from Arkansas. No, I wasn't offended by the post.

  • Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff.

    Perhaps I'm missing the point of your question, but why does your network security sysadmin have to be on staff? Or even local? Or even on the same side of the planet as you? It seems to me that you could contract this firewall function out to any network security firm for less than the amount you were quoted.

  • ipcop and smoothwall (Score:4, Informative)

    by tacocat ( 527354 ) on Tuesday December 20, 2005 @04:34PM (#14302400)
    are both free and capable.
  • staff? (Score:4, Insightful)

    by sfjoe ( 470510 ) on Tuesday December 20, 2005 @04:43PM (#14302516)

    Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff.

    I'm no "big time sysadmin" either but I have some security knowledge. Security is not a "set and forget" operation. You don't need a full-time dedicated person but you do need someone to keep up with fixes, etc. Otherwise, you're throwing money down a hole.

  • by dpilot ( 134227 ) on Tuesday December 20, 2005 @04:47PM (#14302565) Homepage Journal
    Whether you're talking "Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4" or "OpenBSD on there. And scale down the hardware a lot" or even a heavy-duty appliance box, the cart is in front of the horse, here. Don't know if that's a reflection of the planning or your thinking.

    Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."

    Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.

    Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.
  • Cisco 2000 (or, for large values of "small" 3000) series Integrated Services Router.

    I'm a set-top box software QA guy, and even I know that!

    -Peter
  • Comment removed based on user account deletion
  • Take a look at Watchguard Firebox (www.watchguard.com). It's an appliance based on a Linux kernel and support is excellent. I'm not sure on your functional requirements, but something like an x1000 will set you back only about $2800. I've supported at least a 2-3 dozen over the years and they are a joy to work with.
  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday December 20, 2005 @05:41PM (#14303213)
    Comment removed based on user account deletion
    • [snip]
      > 1. They run a full OS. The device and software are Turing complete,
      [/snip]

      First one to implement a TCP/IP stack on hardware that isn't Turing complete at some level of abstraction (or can't be configured to be - I'm thinking FPGAs here) wins a virtual cookie.
    • A few people in this thread have enthusiastically recommended watchguard, and it looked like the clear winner with its appliance like simplicity, at least until I read your post. What do you think about that one, just for comparison's sake?
  • I'll throw out my recommendation for m0n0wall [m0n0.ch]. It's a livecd-based firewall package which is based on FreeBSD. Boot off of the CD, and config is held on a floppy, flash drive, etc. It has all the benefits of the FreeBSD network stack w/ the addition of a very robust web administration page. It's a snap to set up, and given decent hardware (fairly recent PC, Intel NICs, half-gig of RAM, etc), it'll outperform Symantec's offering by several orders of magnitude, both in terms of feature set and network th
  • Lucent's Brick firewall is a dedicated appliance that's very easy to use and manage. Throughput is terrific and the price is reasonable. The Brick runs Inferno, an operating system which traces its roots back to Bell Labs, the birthplace of Unix.

    The bricks are managed using an easy to use GUI that is Java based and runs on Windows or Unix. The management station is separate from the Brick hardware, but can be anything, even just your desktop Win2K Pro box. The management station is not in the path of traffic
  • A 500-person company I know uses a Sidewinder firewall for enterprise use, and Checkpoint FW-1 appliances from Nortel for a serverfarm. Both are very stable, capable, and fast. To my understanding, the Sidewinder is used by a lot of DoD installations.
  • by artifex2004 ( 766107 ) on Tuesday December 20, 2005 @11:11PM (#14306013) Journal
    Is there absolutely only one entry point into the network? Or do you have local LAN users, plus remote dialup users, plus maybe a remote building or two, plus an internet gateway?

    Draw a network diagram, including all possible entry points. Now, where is that single firewall going to sit, to cover all of them?

    Personally, I'd go with a mixed router and hardware firewall configuration, probably with some IDS capability, but "small" doesn't tell me much of anything. So in lieu of something that doesn't fit, I'm going to say, if you do go with software instead, you really need coverage on every entry point you can afford to cover. You also should be running host intrusion detection on the most important database and command servers, if at all possible.

    Oh, and don't forget, you need to have a written security policy before doing a lot of configuration, to keep things consistent and to save yourself a lot of grief. It also helps when you have to figure out if someone is getting through, and how.

    Tell you what, go poke around on Cisco's website for their SAFE blueprint, and you can start with this [cisco.com]. You can learn the basic conceptual stuff for free, and then implement scalable design choices using their stuff or someone else's.
  • You mention what you plan on buying, but not what you're buying it for.

    How many concurrent connections? How many VPN tunnels? How much bandwidth do you have? Most importantly, as others have mentioned, who is your admin? A firewall is only implementing a set of access rules, the hard part is crafting those rules. Don't buy a Cisco firewall if your security guy only knows checkpoint. If you don't have a security guy, get one.
    I'll assume if you have no firewall at all right now, and you're not talking a
  • I'm appalled. You will firewall off an entire town and check every packet for viruses???

    A few things why this is a terrible idea:

    A single firewall like this will really make things slow.
    You are playing big brother. Expect to be asked to block P2P and games even.
    The performance will be terrible. VoIP will be unusable.
    Cost will rise, it will not scale. Don't allow immigrants.

    See, if you want to provide an Internet connection, just buy some fat cisco or juniper switches. Divide the bandwidth fairly at level 2 a
  • Sounds like the wrong person is driving this. Non-technical people seem to think that a firewall is the Grand Ultimate Answer to Security Problems. When you phrase your requirements in terms of a specific solution (i.e. We need to protect our IT infrastructure with a firewall) then you've got trouble.

    Start by getting an IT security expert to review your infrastructure and identify potential threats, and discuss what protection can be used to mitigate various threats.

    You will almost certainly find that

  • monowall (Score:4, Interesting)

    by bats ( 8748 ) on Wednesday December 21, 2005 @12:22PM (#14309671) Homepage
    How can there be no mention yet of monowall [m0n0.ch]? It's an excellent tool for simple reliable firewalling. We're running it off an old P2 class machine. The system software is on CD with our config file on a floppy. It's been completely reliable for going on a year and even this old machine happily keeps our T1 maxed out without blinking an eye. We actually replaced a failing WatchGuard box ($$) with monowall, increasing the feature set at near zero cost. The actual hardware is a retired desktop (free) and we just added 3 PCI NICs (~$20 each). Eventually, we'll probably buy a rackmount system built for monowall, but even that only runs $500-$800.
  • You might want to take a look at Mikrotik router OS. We are just now taking a look at it. It seems reasonably priced and well supported running on either a special mother board or an old Intel system. www.mikrotik.com

    Anybody out there had an significant experience with Mikrotik?
  • I've got it running on a PIII-1Ghz machine routing 4 different subnets (1/internet 1/production 1/DMZ 1/Wireless). Very easy to setup using out-of-box configuration. Best thing about slack is that Pat doesn't patch the shit out of everything so everything stays very stable. You probably need more bandwidth than what I've got, but that's just hardware. This will run on just about anything.
  • If you wish to have Windows 2003 and Symantec... you're going to need to employ a dedicated Systems Administrator. Together with this the number of holes and security that Microsoft continually need to patch in the OS would be a real problem and it'd be a ridiculous expense you need to fork out every year to 'renew your subscription' to Symantec. A dedicated appliance based box beats a server hands down. Particularly a device such as a Cisco. Why not sign up for a managed Cisco router with a service pro
  • People are the weakest link in security. I'm just a junior working on dual Bachelor's and then going for my master's and one thing that has remained constant, the human factor.

    y'all can argue over the best products all day long, but those products won't be as effective or as efficient as their potential states them to be without someone at the helm who knows what they're doing.

    I just thought I'd remind y'all of the human factor in security, as this section was starting to look like a metaphorical cock fight
