Firewall Recommendations?
anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"
Old computer+Linux (Score:4, Interesting)
Re:Know what you need (Score:5, Informative)
The trick to the former (multiple ips, one internet connection) is really managing via subinterfaces. Firewall rules to deal with the packets associated are pretty easy. This lets you DNAT things into the appropriate place via iptables. If you want to actually build a DMZ, you could use a proxy arp setup like this: http://www.sjdjweis.com/linux/proxyarp/ [sjdjweis.com]
As for multiple internet connections, look into multiple routing tables via the ip command. Example:
ip route add default via table 100
Then use ip rule statements to choose when to use the particular route tables:
ip rule add to table 100
ip rule add from table 100
You can also pretty simply setup multiple SNAT rules to SNAT traffic over each link for different purposes. This lets you do things like SNAT to a specific host (read: internet connection) based on protocol, internal source address or destination. Handy for lots of things.
One nice thing to do with multiple internet connections is to have verbs in your firewall script that will allow you to manually failover your internet connection if one goes down. This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection, but it can let you continue to work with outgoing traffic while the problem is resolved.
If you're slick, you have your DNS hosted externally and you can then use this to update DNS for the DMZ to an alternate zone which specifies those public facing hosts as existing on the internet connection you just did a failover to. Make sure your A record TTL values are low.
This leads to a reconfiguration of the DMZ unless you have done full SNAT/DNAT mappings for each DMZ host in the firewall. Doing so can be a lot more work, but you can build a set of symmetric (or controlled in a script by a variable) configurations that swap out the DMZ nat rules so that they exist for one specific internet connection or the other.
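As an added example (not code from the comment above or from any project it names), the following script puts the pieces described above together: one routing table per uplink, ip rule statements that pick the table, per-link SNAT, a DNAT for a DMZ host on each uplink, and a manual "failover" verb. Interface names, addresses, table numbers and marks are constructed placeholders. It goes slightly beyond the comment by using connection marks (CONNMARK) so that replies to connections that arrived on a given uplink leave through that same uplink, which a plain source-address rule cannot guarantee for DNATed traffic because the reply is still sourced from the internal address when the routing decision is made.

```shell
#!/bin/sh
# Added example, not from the thread: two uplinks, one routing table per uplink,
# source- and connection-based rules, per-link SNAT/DNAT and a manual failover verb.
# Interface names, addresses, table numbers and marks are constructed placeholders.
# DRY_RUN=1 (the default) prints the commands instead of running them; set
# DRY_RUN=0 and run as root to apply. Needs iproute2 and iptables with CONNMARK.

DRY_RUN="${DRY_RUN:-1}"

LAN_NET=192.168.1.0/24
DMZ_HOST=192.168.2.10                  # constructed: internal host published on TCP/443

# Uplink A: interface, our address on it, its gateway, its routing table, its mark
A_IF=eth1; A_IP=198.51.100.10; A_GW=198.51.100.1; A_TABLE=100; A_MARK=0x1
# Uplink B
B_IF=eth2; B_IP=203.0.113.10;  B_GW=203.0.113.1;  B_TABLE=200; B_MARK=0x2

# Print or execute a command depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Per-uplink plumbing: $1=interface $2=our address $3=gateway $4=table $5=mark
setup_link() {
    # The default route for this uplink lives in its own table.
    run ip route replace default via "$3" dev "$1" table "$4"
    # Traffic from the firewall's own address on this link uses this table.
    run ip rule add from "$2" table "$4"
    # New connections arriving on this link get a connection mark; replies from
    # inside have the mark restored (see setup_all) and are routed by this table,
    # so they leave through the link they came in on.
    run iptables -t mangle -A PREROUTING -i "$1" -m conntrack --ctstate NEW \
        -j CONNMARK --set-mark "$5"
    run ip rule add fwmark "$5" table "$4"
    # Internal clients leaving via this link are SNATed to this link's address.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" -j SNAT --to-source "$2"
    # Publish the DMZ host on this link's address, so it is reachable via either uplink.
    run iptables -t nat -A PREROUTING -i "$1" -d "$2" -p tcp --dport 443 \
        -j DNAT --to-destination "$DMZ_HOST"
}

setup_all() {
    # Copy the connection mark onto every packet before the routing decision.
    run iptables -t mangle -A PREROUTING -j CONNMARK --restore-mark
    setup_link "$A_IF" "$A_IP" "$A_GW" "$A_TABLE" "$A_MARK"
    setup_link "$B_IF" "$B_IP" "$B_GW" "$B_TABLE" "$B_MARK"
    failover a   # uplink A carries new outbound connections until told otherwise
}

# The "verb" from the comment: make the named uplink the default for new
# outbound traffic. Already-marked connections keep their original link.
failover() {
    case "$1" in
        a) run ip route replace default via "$A_GW" dev "$A_IF" ;;
        b) run ip route replace default via "$B_GW" dev "$B_IF" ;;
        *) echo "usage: failover a|b" >&2; return 2 ;;
    esac
}

case "${1:-}" in
    setup)    setup_all ;;
    failover) failover "${2:-}" ;;
    "")       ;;    # no verb given: functions are defined, nothing is applied
    *)        echo "usage: $0 setup | failover a|b" >&2; exit 2 ;;
esac
```

Run `sh multiwan.sh setup` once (the `ip rule add` lines are not idempotent, so re-running appends duplicate rules) and `sh multiwan.sh failover b` when uplink A goes down. On a multi-homed box, strict reverse-path filtering (rp_filter) will drop packets that arrive on the "wrong" uplink, so it should be set to loose mode on the WAN interfaces.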
Re: (Score:2)
Routing protocols (namely BGP) should provide assistance with this. In fact, BGP could also handle the outbound traffic unless you have a specific reason to route to a specific destination; even then, you could specify metrics to do that and let the routing protocol take care of fail-over....
Re: (Score:2, Informative)
Depending on what you mean by "multiple" (Linux should handle a fair-sized network just fine, though I'm sure someone will pipe up about how he has an entire
Re: (Score:2)
Er, eSmith has a firewall, yes, but it also a ton of other stuff up to and including the kitchen sink. Only appropriate if you're a very small company that can only afford one box.
Speaking of M0n0wall though, pfSense [pfsense.org] is M0n0Wall based but supports multiple redundant links with load-balancing and real-time hardware failover including session-state retention. (I.e. you can have not only redundant WAN links but also redundant firewall hardware so if one che
OpenBSD PF (Score:5, Informative)
I just set one up and it was easy. And best of all the PF syntax is very straight forward.
Re:OpenBSD PF (Score:5, Informative)
I highly recommend it over IPTables at least.
Re: (Score:2, Insightful)
Re: (Score:2)
Which brings up a question I've been wanting to get a solid answer to for a long time now: Why hasn't anyone developed a simple-to-use, runs-from-CD, pre-configured, dedicated firewall/router variant of OpenBSD for turning old computers into firewall/routers? After all it is arguably the most secure operating system available and e
Re: (Score:3, Informative)
Re: (Score:2)
Those aren't OpenBSD (Score:3, Informative)
M0n0wall uses iptables and is based on FreeBSD. PfSense at least uses PF from OpenBSD but is also FreeBSD based. Unless there are other options out there I guess really nothing has changed. Everyone talks up OpenBSD as the most secure OS and the best possible choice for a firewall, but nobody wants to take the time to make a usable dedicated f
Re: (Score:2)
It is FreeBSD, but it uses ipf (similar to pf), not iptables. I believe the beta version, being based on FreeBSD 6, uses pf as Pfsense does.
You're right (Score:2)
Re: (Score:2)
http://firewall.dubbele.com/ [dubbele.com]
I haven't tried it, but I did read the instructions, and it looks like it's relatively a no-brainer.
Re: (Score:2)
If you seriously need a diskless firewall you could buy 128Mb CF card for $10 & a cf-ide adapter for $10.
For a bit more cash and a SOHO setup something like the VIA EPIA MII 12000 [mini-itx.com] is the ideal candidate; it's got a CF slot, a PCMCIA slot and a PCI slot for your extra nic. Why people bother with WRTG54s I really don't know.
Re: (Score:2)
Check out pfSense [pfsense.org] for exactly what you're describing.
Re: (Score:2)
Either my reading comprehension sucks or that sentence says that it is running FreeBSD.
Re: (Score:2)
Theo's autocratic rule over OpenBSD typically has led to very effective and quick decisions about what to do with OpenBSD, and his paranoia in the matter lends greatly to the security of OpenBSD.
But just because Cuba has never lost a life to a hurricane since Castro got into power, and Cuba's healthcare is the best in the wor
Re: (Score:2)
But PF isn't really suitable for a firewall that will be moderately complex. Even in my home LAN I feel the strain of PF's simplicity. The syntax truly is elegant and readable, but it's also inflexible.
Re: (Score:2)
Re: (Score:2)
Force10 is working on a firewall solution which implements PF. They claim line-rate for Gig and 10-Gig, and they also include Snort on the device. It sounds absolutely wonderful... the best of both worlds, basically, since most commercial firewall solutions that I've seen are (in my opinion) fairly unwieldy.
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Informative)
I've been using OpenBSD since early 2001 (at home and in corporate environments) - the quality is there, just make sure you r
Re: (Score:3, Informative)
pfSense (Score:2)
Re: (Score:2)
3 things to look at (Score:4, Informative)
Also the Juniper/Netscreen models (SSG 5, SSG 20, Netscreen 5 models)
Re: (Score:2)
Re: (Score:2)
Checkpoint is the single most popular longest lasting commercial Firewall product; you don't have to like it, but it's sort of silly to say that it's not a suitable product. It's outlasted many generations of competitors and done just fine for a huge client base.
Re: (Score:2)
I don't care how popular it is. In my end-user experience the software is terrible. It may just be our IT Dept. It's been a long, long series of outages, failures, annoyances, usability issues, limitations, and general dread. It has never worked well.
I've setup systems built out of stuff I knew was just complete junk, and it worked better than our Checkpoint system. But it may just be our IT Dept.
Some people can screw up anything (Score:3, Interesting)
Checkpoint is stable, secure and has an excellent track record. If you actually have to administer the firewall, the Checkpoint GUI is second to none. Simple, intuitive, everything you could want. SecuRemote isn't any more annoying than most other VPN clients. Of course, none of that comes cheap. Checkpoint (especially on Nokia hardware) is the most expensive choice by far.
Juniper seems to make a pretty good device. I've been running a Netscreen 208 and a Netscreen 50 for a w
Re:Some people can screw up anything (Score:4, Informative)
We have problems with the Checkpoint/Nokia combo as well. I'll admit it: It's at least partially because my training with the system has amounted to "I wonder what this button does?". However, it is mostly stable, mostly functional. But, when there is a problem, I get to make the call I dread the most: I call Checkpoint customer support.
Why do I dread this call? I have zero options. I'll get a call back. If I've got a severity 1 issue (my company is down, unable to access the internet, web site sales are shut down because of it, I need help fixing this now!), the best I can hope for is to get a call back within the hour. I've opened up lesser issues, and not even gotten a call back. Found the answer within a day of searching the net, and appended a note to my ticket that I appreciated their lack of response, but that the issue was now fixed, so they could close it. And the whole reply to that was a "heartfelt" apology.
The software may well be great. The devices may well be solid. But the customer support? I've gotten more (and more useful!) answers from Microsoft's web site than I have from the Checkpoint people. Based on that alone, I would never recommend buying their software.
Note: I have no problem with paying for software. I have no problem with paying for support. I have no problem with using software that is unsupported in any official manner (much FOSS stuff, for instance). I do have a problem with paying for software, then paying for support, and not being able to get it when I have to have it.
Re: (Score:3, Insightful)
Is there any way to get it to authenticate VPN to Windows Active Directory in a company with multiple Active Directory domains? Our IT Dept. can't do it.
Also, Secure Remote pops up and asks for a password about 20 times an hour unless Auto Login is enabled. Any ideas?
Not to mention the "if you tell Secure Remote to connect to site A, then you can't access systems at site C" problem. That's too complicated.
Is there any w
Re: (Score:2)
Re: (Score:2)
The Java processes create VPN tunnels that work. Active-X 'W-SAM and Java 'J-SAM' for TCP only applications and 'Network Connect' for true IPSEC like emulation (emulates a point to point tunnel and gives the client
Re: (Score:2)
Re: (Score:2)
I find that Firewall Builder [fwbuilder.org], while having an interface similar to the CheckPoint GUI, is more robust. Plus it gives the added benefit of multiple firewall backends including pf, ipf, ipfw, iptables, and Cisco PIX. The new queuing and rule options available with the 2.1.x series alone are worth taking a look at. Plus the file format is an open XML-based format and the output rule files are actually quite readable.
Re: (Score:2)
I have used Checkpoint on Nokia IPSO, under Provider-1.
The good:
The
Re: (Score:2)
The budget is a big factor. Checkpoint is known for their bend-you-over-the-rail annual maintenance costs. Comparable products from other vendors will not consume so much of your budget when it comes time to renew the support contract.
Re: (Score:2)
Er, no, sorry. I won't argue that Fortinet is great (it's about the same level as Checkpoint in my book) but if you've truly never had any problems with Checkpoint then you're the only installation of it I know of that can make that claim. (And I've been consulting for over 15 years for many hundreds of companies of all sizes including some Fortune-100 with really outstanding IT people).
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
checkpoint is ok, but don't flush your time and money down the toilet running it on nokia hardware. The nokia "appliances" are just standard X86 hardware in a different case for 10X the price. They may be in a fancy case, but inside they're just standard multi-year-old CPUs (Intel, AMD or Cyrix on the lowest end ones) with standard intel (or ServerWorks) chipsets and regular non-RAID western digital ATA hard disks. They are even less reliable than PCs from othe
Re: (Score:2)
I've worked with a bunch of different firewalls - Gauntlet, Sonicwall, Cisco PIX and ASA, and Netscreen - and the best one by far, in my opinion, is Ast
Re: (Score:2)
The perfect firewall (Score:5, Informative)
Re: (Score:3, Informative)
The corporate friendly version with everything fully configured/implemented for you is a good decision. This requires some $$, and less time.
Or, you can roll your own with the smoothwall express 2.0. I run it with DansGuardian content filter - gets rid of ads and other pr()n and stuff. Also have several mods on it. Really, visit the homebrew forum and you can do anything with it. This, of course, requires no $$, and more time.
Re: (Score:2)
Re: (Score:2)
The product does cost money, but we also have several SonicWALL firewall appliances and the SmoothWall I
Astaro (Score:3, Informative)
Re: (Score:2, Informative)
DISCLAI
Windows Computers (Score:5, Funny)
Oh, and don't forget to apply a generous coat of anti-virus paint every morning!
Re:Windows Computers (Score:5, Funny)
[Cancel] or [Allow]
We use one (Score:5, Informative)
Truly, it's the best thing on the market, right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.
They really need better marketing, because few people even know they exist, which is too bad.
So yeah, you should get one.
Re: (Score:2)
Re:We use one (Score:4, Informative)
Fortinet was accused of using Linux kernel in FortiOS w/o credit:
FORTINET VIOLATES GENERAL PUBLIC LICENSE IN SECURITY PRODUCTS [gpl-violations.org]
Re: (Score:2)
It might be carcinogenic (Score:3, Funny)
pfsense (Score:2)
Firewall Recommendations (Score:2, Insightful)
IPCOP (Score:2, Informative)
You can find it at http://ipcop.org/ [ipcop.org]
Their mailing list is pretty active and full of helpful people.
If you have a spare PC and some network cards give it a try.
OpenBSD + PF (Score:4, Informative)
We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed): in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.
We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPSEC although OpenVPN is a serious contender as we use that for the road warriors already.
It pisses me off to no fucking end that to get a firewall capable of gigabit (we're a bunch of research labs on CANARIE [canarie.ca]) from Cisco will take a big bite from my budget, just to have the "Cisco" brand on it.
nb: I do love their routers and switches. Their firewalls are overpriced and underwhelming.
Re: (Score:2)
Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" on
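The 407001 message quoted above is the PIX telling you that its host license cap, not a rule, is dropping a client's traffic. As an added example (not from the thread), here is a small POSIX shell check that counts those denials per inside host so the condition shows up in monitoring before it shows up as a help-desk call. The log lines are constructed sample input with placeholder addresses, in the same format as the line quoted above.

```shell
#!/bin/sh
# Added example, not from the thread: count PIX "license limit exceeded" denials
# (message ID %PIX-4-407001) per inside host from syslog lines.
# SAMPLE_LOG is constructed input with placeholder addresses; the format follows
# the line quoted in the thread. The 302013 line is a constructed non-matching
# line included to show that unrelated messages are ignored.

SAMPLE_LOG=$(cat <<'EOF'
Mar 28 14:45:25 10.0.0.1 Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:192.168.1.50, license limit of 50 exceeded
Mar 28 14:45:26 10.0.0.1 Mar 28 2007 14:46:17: %PIX-6-302013: Built inbound TCP connection 12345 for outside:198.51.100.7/40000 to inside:192.168.1.20/443
Mar 28 14:45:31 10.0.0.1 Mar 28 2007 14:46:22: %PIX-4-407001: Deny traffic for local-host inside:192.168.1.50, license limit of 50 exceeded
Mar 28 14:45:40 10.0.0.1 Mar 28 2007 14:46:31: %PIX-4-407001: Deny traffic for local-host inside:192.168.1.77, license limit of 50 exceeded
Mar 28 14:45:58 10.0.0.1 Mar 28 2007 14:46:49: %PIX-4-407001: Deny traffic for local-host inside:192.168.1.50, license limit of 50 exceeded
EOF
)

# Reads syslog lines on stdin; prints "host count" for each inside host that was
# denied by the license limit, most-denied first.
pix_license_denials() {
    grep -F '%PIX-4-407001' \
    | sed -n 's/.*local-host [A-Za-z0-9_-]*:\([0-9.]*\),.*/\1/p' \
    | sort | uniq -c | sort -rn \
    | awk '{ print $2, $1 }'
}

# Reads the same lines; prints the host limit the PIX reports (empty if none seen).
pix_license_limit() {
    grep -F '%PIX-4-407001' \
    | sed -n 's/.*license limit of \([0-9]*\) exceeded.*/\1/p' \
    | head -n 1
}

# Exit status 0 when at least one host was denied, 1 otherwise; usable as a
# cron or Nagios-style check against a log file fed on stdin.
pix_license_alert() {
    [ -n "$(pix_license_denials)" ]
}

if [ -z "${1:-}" ]; then
    # No log file given: demonstrate on the constructed sample.
    printf '%s\n' "$SAMPLE_LOG" | pix_license_denials
else
    pix_license_denials < "$1"
fi
```

`sh pixcheck.sh /var/log/pix.log` prints the per-host tally; on the sample it reports 192.168.1.50 three times and 192.168.1.77 once, and the 302013 line is ignored. A steady stream of these hits means either the license tier is too small for the user count or something inside is opening connections it should not, and both are worth knowing before the next renewal call.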
Re: (Score:2)
Basically, once you start getting into those speed ranges, you need an appliance.
Re: (Score:2)
Also, I assume that is bridging, not routing?
Sonicwall? (Score:2)
Re: (Score:2)
Re: (Score:2)
But what exactly? (Score:2)
According to their description here - http://www.fortinet.com/products/telesoho.html [fortinet.com] - it does lots more than a firewall:
"These [...] systems deliver [...] security se
IPCop again (Score:2)
gentoo linux (Score:2)
what kind of an asshole am i?
you know, squid, openvpn, old emachine with an extra nic
lool
Fortigates (Score:2)
The configuration can be done via web, or command prompt which is nice, and of course fully remote admin
Re: (Score:2)
That sentence caught my eye. Can you provide more details on what you were trying to do with VPN that the PIX could not handle? I do a lot of work with IPSec tunnels and it sounds like you were pushing the VPN feature pretty hard. I don't doubt what you said. I am simply asking for further technical detail into the issue you uncovered with the PI
Well.... (Score:2)
Plenty to check out (Score:2)
When money is involved, I really recommend sticking with commercial solutions, however if you want something cheap, look at
Are you serious? (Score:2)
Are you serious? I inherited a few Netscreen boxes at my new job, and as far as I can tell, they're junk. Unfortunately, I replaced a couple of them with a Cisco ASA... big mistake. I have yet to find a firewall better than the Astaro appliances I had at my old job.
Re: (Score:2)
Here are some good ones you won't have to homegrow (Score:2)
Mikrotik's RouterOS (Score:2, Informative)
It does all the usual linux fw stuff, as well as traffic shaping, connection rate limiting, traffic identification, rip/ospf/bgp, vpns, lots more.
Unique features include a scripting host and cron-jobs. Very cool, indeed.
They also make their own hardware (expandable sbc's, wifi) with their routeros embedded in flash.
http://www.mikrotik.com/ [mikrotik.com]
Re: (Score:3, Informative)
Many choices (Score:2)
Basically, you can split firewalls into two camps: those which are installed onto a computer with multiple network cards, and those which are a pre-built appliance.
I don't use the pre-built appliances (too expensive) but I can recommend a few of the linux-based installed types:
ClarkConnect.com - This is a very flexible and inexpensive firewall. Can do just about everything. There is a free community
Why not Cisco? (Score:2)
OK, I'll bite: why not Cisco?
Re: (Score:2)
Crappy user interface. (You may as well learn the command line interface, which is what I did.)
Outrageously expensive.
Stupid hardware configuration. (Separate interface for the IPS.)
That's enough for me.
Meh, firewalls. (Score:2)
Re: (Score:2)
My recommendations (Score:2)
It seems all of the security vendors are moving to the appliance model. I like this model and recommend it. It gives the vendor the ability to properly support the device a
"Me, too!" (Score:2)
I'll vote for a Linux firewall, like many of the other persons here - with one conditional. *If* your administrator is as comfortable administering a Linux firewall as he is the other products. If he's uncomfortable and unwilling to learn, it would be a poor choice.
You haven't mentioned how much traffic you handle, but even a very low-end server-class machine with Linux can handle some very impressive firewalling loads. On my core router, I used a dual-CPU mach
Lucent Brick (Score:2)
In particular, active-standby is brilliant. Need high availability? Just buy a second Brick of the same model and plug it into all the same switches/vlans as the first. The entire configuration of the backup consists of exactly o
Re: (Score:2)
You can also Ghost or dd an image of the CF card to load more systems or as backup.
I partitioned my CF card so I could Ghost the OS partition easily.
The CF card adapter is mounted in an old IDE swap rack. Pull rack, pull card, copy Ghost image using a card reader in another box.
Astaro (Score:2)
We currently have some old Watchguard fireboxes which have mostly worked well, minus a lockup inci
Re: (Score:2)
Re: (Score:2)
Care to enumerate them?
I've seen plenty of small businesses (and 400-plus users is still relatively small) run off a similar setup to what you described. Maybe not a Pentium 2, but maybe some stock Dell (couple gigahertz) is still going to be cheaper than a Cisco box. It also doesn't stop you from buying a Cisco box later, if you really want it, but this would be more flexible, cheaper, potentially easier to admin.
Regarding warranty,
Re: (Score:2)
Appliances are always good because they are simple. Say for example, your network guy goes under a bus. Assuming he's at least documented the passwords for the system, somebody will be able to get in, and work on the system. Plus, in the case of Fortinets, they come with a full manual all about the firewall. A custom system (which I personally also have nothing against) based on OpenBSD or something would be much harder for anybody to administer. In that respect, M0n0wall helps though a
Re: (Score:2)
Pretty interface: You described it yourself (monowall and others).
Mail: Postfix. AV: Clamav + Postfix. Easy to do. URL Filtering: Squid. Probably not as easy.
VPNs can be done with OpenVPN -- you have to install it on the clients, but the
Re: (Score:3, Insightful)
Getting an impression of what works for whom is priceless, even/especially if you are already working with some kind of security consultant (I cannot count the ridiculously insecure, oversized/-priced
Re: (Score:3, Insightful)
Perhaps I formulated it wrong in that you do not necessarily find out what works but rather what not. If enough people say "xyz does not work because blablabla" and not another hundred people come in screaming "wrong! wrong!" or the other way round you get at least some idea about the merit
Re: (Score:2)
ACK! Secure Computing Sidewinders suck!
Re: (Score:2)
My next firewall will be an Astaro, like I had at my old job.