Security

Firewall Recommendations? 181

anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"
  • Old computer+Linux (Score:4, Interesting)

    by Shawn is an Asshole ( 845769 ) on Friday March 30, 2007 @07:53PM (#18551153)
    Then run Debian, Firehol, and Squid (transparent).
  • OpenBSD PF (Score:5, Informative)

    by akpoff ( 683177 ) on Friday March 30, 2007 @08:02PM (#18551239) Homepage
    OpenBSD makes for an awesome Firewall. Get whatever size machine you need, install OpenBSD, enable PF, follow the *very* well written configuration docs online [openbsd.org] and you'll have one or more firewalls up in no time.

    I just set one up and it was easy. And best of all the PF syntax is very straightforward.

    • Re:OpenBSD PF (Score:5, Informative)

      by snowgirl ( 978879 ) on Friday March 30, 2007 @08:21PM (#18551447) Journal
      I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

      I highly recommend it over IPTables at least.
      • Re: (Score:2, Insightful)

        by Anonymous Coward
        There have been two remote exploits in the default configuration of OpenBSD in the last *TEN* years, that should say a lot. I've been using OpenBSD for nearly 10 years, and while I may not like, or agree with all of Theo's actions, I must say it is an excellent OS. Besides it's been a few years since Theo has ripped out the firewall software in a fit of rage and they released a version of OpenBSD for the DEC Alpha without any Firewall software included. Yes, I'm still bitter, and any other product I
      • by RedBear ( 207369 )

        I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

        I highly recommend it over IPTables at least.

        Which brings up a question I've been wanting to get a solid answer to for a long time now: Why hasn't anyone developed a simple-to-use, runs-from-CD, pre-configured, dedicated firewall/router variant of OpenBSD for turning old computers into firewall/routers? After all it is arguably the most secure operating system available and e

        • Re: (Score:3, Informative)

          by pnutjam ( 523990 )
          I recommend you look at Monowall [m0n0.ch] for a boots-from-CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features. [pfsense.com]
          • by Sancho ( 17056 )
            Actually, both of those firewall solutions are based off of FreeBSD (which ported pf from OpenBSD some time ago). FreeBSD is, in my opinion, an easier to manage and slightly more robust OS, though it isn't audited for security quite as much as OpenBSD is.
          • Those aren't OpenBSD (Score:3, Informative)

            by RedBear ( 207369 )

            I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features.

            M0n0wall uses iptables and is based on FreeBSD. PfSense at least uses PF from OpenBSD but is also FreeBSD based. Unless there are other options out there I guess really nothing has changed. Everyone talks up OpenBSD as the most secure OS and the best possible choice for a firewall, but nobody wants to take the time to make a usable dedicated f

            • M0n0wall uses iptables and is based on FreeBSD.

              It is FreeBSD, but it uses ipf (similar to pf), not iptables. I believe the beta version, being based on FreeBSD 6, uses pf as Pfsense does.
              • My mistake. I dyslexically misread "ipfilter" on the website as "iptables". It's nice that the next version will use pf, but I'm still wondering why everyone is basing these important security-focused products on FreeBSD instead of OpenBSD. It's just odd.

            • by Reziac ( 43301 ) *
              Dunno about that, but here's one based on NetBSD:

              http://firewall.dubbele.com/ [dubbele.com]

              I haven't tried it, but I did read the instructions, and it looks like it's relatively a no-brainer.

        • by DrSkwid ( 118965 )
          I don't know why no-one's done a bootable CD version.

          If you seriously need a diskless firewall you could buy 128Mb CF card for $10 & a cf-ide adapter for $10.

          For a bit more cash and a SOHO setup something like the VIA EPIA MII 12000 [mini-itx.com] is the ideal candidate, it's got a CF slot, a PCMCIA slot and a PCI slot for your extra nic. Why people bother with WRT54Gs I really don't know.

          • by itwerx ( 165526 )
            I don't know why no-one's done a bootable CD version.

            Check out pfSense [pfsense.org] for exactly what you're describing.
            • by DrSkwid ( 118965 )
              And yet there in the first paragraph is "pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals such as using OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC)".

              Either my reading comprehension sucks or that sentence says that it is running FreeBSD.

        • If you read the first response to my post, you find out why. Theo causes a lot of headaches for many people. Oftentimes working with him can get very very bothersome. (So I've heard)

          Theo's autocratic rule over OpenBSD typically has led to very effective and quick decisions about what to do with OpenBSD, and his paranoia in the matter lends greatly to the security of OpenBSD.

          But just because Cuba has never lost a life to a hurricane since Castro got into power, and Cuba's healthcare is the best in the wor
      • I've written an article [kuliukas.com] on configuring PF, so I'm not speaking out of ignorance, and I really like PF and use it for my home firewall, so I don't speak out of spite.

        But PF isn't really suitable for a firewall that will be moderately complex. Even in my home LAN I feel the strain of PF's simplicity. The syntax truly is elegant and readable, but it's also inflexible.
        • You can't queue outgoing packets. This means to do outbound traffic shaping you need to queue upload speed on the incoming interface, which
    • Add CARP and you'll never even lose a packet if one of the systems dies.
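Following up on akpoff's PF recommendation and the CARP note just above, here is an added example of a small-office pf.conf for OpenBSD; it is not code from any post in this thread. It uses the OpenBSD 4.7-and-later syntax (`match`, `nat-to`, `rdr-to`), which differs from the 2007-era `nat`/`rdr` rules the posters would have written. The interface names em0/em1/em2, the 192.168.1.0/24 office network, the admin hosts, the carp0 shared address and the transparent Squid on 127.0.0.1:3128 are all assumptions.

```pf
# Added example, not from any post in this thread. Assumptions: em0 is the
# uplink, em1 the office LAN, em2 a crossover link to the standby firewall,
# carp0 carries the shared public address, and Squid listens on 127.0.0.1:3128.
ext_if   = "em0"
int_if   = "em1"
sync_if  = "em2"
ext_carp = "carp0"
office   = "192.168.1.0/24"                  # constructed office network
admins   = "{ 192.168.1.10, 192.168.1.11 }"  # constructed admin workstations

# Source addresses that must never arrive from the Internet side
table <bogons> const { 0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, \
                       172.16.0.0/12, 192.168.0.0/16, 224.0.0.0/3 }

set skip on lo0
set skip on $sync_if          # pfsync state replication is never filtered

# Reassemble fragments before any rule looks at them
match in all scrub (no-df)

# NAT outbound office traffic to the CARP address, not the physical one,
# so the standby firewall can take over the same public IP and the states
match out on $ext_if from $office to any nat-to ($ext_carp)

# Default deny, logging what is dropped; every pass below is stateful
block log all

# CARP heartbeats between the pair, on both shared-address interfaces
pass quick on { $ext_if, $int_if } proto carp

# Anti-spoofing: reverse-path check, then private/reserved sources on the uplink
block in quick from urpf-failed
block in quick on $ext_if from <bogons> to any

# Transparent proxy: office web traffic is redirected to the local Squid
pass in quick on $int_if proto tcp from $office to any port 80 \
    rdr-to 127.0.0.1 port 3128

# Everything else from the office may go out; admins may ssh to the firewall
pass in on $int_if from $office to any
pass in on $int_if proto tcp from $admins to ($int_if) port ssh
pass out on $ext_if all
pass inet proto icmp all icmp-type { echoreq, unreach }
```

The matching interface files are `/etc/hostname.carp0`, with a line like `inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass SECRET advskew 0` (203.0.113.1 is a constructed address, SECRET a placeholder, and the standby uses a higher advskew), and `/etc/hostname.pfsync0` containing `up syncdev em2`. Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the default `block log all` means a typo that drops a pass rule fails closed rather than open.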
    • by Sancho ( 17056 )
      I agree 100%. PF is an excellent firewall. Running on commodity PC hardware, however, may not be the way to go (bus issues).

      Force10 is working on a firewall solution which implements PF. They claim line-rate for Gig and 10-Gig, and they also include Snort on the device. It sounds absolutely wonderful... the best of both worlds, basically, since most commercial firewall solutions that I've seen are (in my opinion) fairly unwieldy.
    • by jd ( 1658 )
      OpenBSD is good, SonicWall is a *BSD derivative and therefore (assuming they didn't break anything) very likely good. NetBSD is supposed to have the fastest stack on the planet, which is important as a firewall is a significant bottleneck, but hasn't anything like the attention to external security. (Efforts to make a "Trusted" *BSD exist, but I know of none that have got much beyond the earliest stages. This is important even in a firewall - firewalls run proxies and a proxy is a potential point of attack.)
      • If you can find one, the best machine to use as a firewall would be an old DEC VAX. Why? Because nobody has (yet) broken the security of a correctly-configured VMS system, making it two exploits better than even OpenBSD. It makes no difference that porting to VMS is a nightmare, because you wouldn't want to do so. Nor does it matter that VMS kernel developers are about as common as honest lawyers - whatever holes exist are far beyond the capabilities of a sizable percentage of experts in the field. Unless y
  • by BKX ( 5066 )
    Been using it for quite some time now. Works great, never had any problems. I'm running it in front of two dedicated game servers (CS:Source, viewable on the public server browser), two other servers, a front desk comp, and twenty gaming machines. It has a 600MHz Celeron and handles all that traffic perfectly.
    • by rmm4pi8 ( 680224 )
      Second the pfsense vote. I am the IT Manager for nTAG Interactive [ntag.com] and I ended up moving from our previous combinations of Firebox and Juniper Netscreen systems (depending on location) to pfsense. I'm handling 5 LAN networks and 3 WAN networks on a redundant pair of Dell PE1950's (about as low-end as you can get with a 1950, just one Core 2 Duo, but I chose the 1950 for the hot-swap HDDs and hot-swap power supplies for reliability's sake). Anyway, I'm also running squid transparently which works beautiful
  • 3 things to look at (Score:4, Informative)

    by georgewilliamherbert ( 211790 ) on Friday March 30, 2007 @08:04PM (#18551255)
    Cisco ASA 5505 (it's less than a thousand dollars), and the Nokia Checkpoint appliances (i350, etc).

    Also the Juniper/Netscreen models (SSG 5, SSG 20, Netscreen 5 models)
    • by Kohath ( 38547 )
      I wouldn't go with anything from Checkpoint. Maybe it's just our IT Dept, but we have never-ending problems. I think our total number of days in the last 2 years without firewall/VPN problems has been zero.
      • The Nokia boxes are appliances (1/2U rackmount) running the Checkpoint firewall software on top of an embedded OS.

        Checkpoint is the single most popular longest lasting commercial Firewall product; you don't have to like it, but it's sort of silly to say that it's not a suitable product. It's outlasted many generations of competitors and done just fine for a huge client base.
        • by Kohath ( 38547 )
          I'm not complaining about the hardware.

          I don't care how popular it is. In my end-user experience the software is terrible. It may just be our IT Dept. It's been a long, long series of outages, failures, annoyances, usability issues, limitations, and general dread. It has never worked well.

          I've set up systems built out of stuff I knew was just complete junk, and it worked better than our Checkpoint system. But it may just be our IT Dept.
      • It's your IT department.

        Checkpoint is stable, secure and has an excellent track record. If you actually have to administer the firewall, the Checkpoint GUI is second to none. Simple, intuitive, everything you could want. SecuRemote isn't any more annoying than most other VPN clients. Of course, none of that comes cheap. Checkpoint (especially on Nokia hardware) is the most expensive choice by far.

        Juniper seems to make a pretty good device. I've been running a Netscreen 208 and a Netscreen 50 for a w
        • by Pedersen ( 46721 ) on Friday March 30, 2007 @10:06PM (#18552217) Homepage

          It's your IT department.

          Checkpoint is stable, secure and has an excellent track record.

          We have problems with the Checkpoint/Nokia combo as well. I'll admit it: It's at least partially because my training with the system has amounted to "I wonder what this button does?". However, it is mostly stable, mostly functional. But, when there is a problem, I get to make the call I dread the most: I call Checkpoint customer support.

          Why do I dread this call? I have zero options. I'll get a call back. If I've got a severity 1 issue (my company is down, unable to access the internet, web site sales are shut down because of it, I need help fixing this now!), the best I can hope for is to get a call back within the hour. I've opened up lesser issues, and not even gotten a call back. Found the answer within a day of searching the net, and appended a note to my ticket that I appreciated their lack of response, but that the issue was now fixed, so they could close it. And the whole reply to that was a "heartfelt" apology.

          The software may well be great. The devices may well be solid. But the customer support? I've gotten more (and more useful!) answers from Microsoft's web site than I have from the Checkpoint people. Based on that alone, I would never recommend buying their software.

          Note: I have no problem with paying for software. I have no problem with paying for support. I have no problem with using software that is unsupported in any official manner (much FOSS stuff, for instance). I do have a problem with paying for software, then paying for support, and not being able to get it when I have to have it.

        • Re: (Score:3, Insightful)

          by Kohath ( 38547 )
          Is there any way to get internal DNS to work for VPN users? Our IT Dept. can't do it.
          Is there any way to get it to authenticate VPN to Windows Active Directory in a company with multiple Active Directory domains? Our IT Dept. can't do it.
          Also, Secure Remote pops up and asks for a password about 20 times an hour unless Auto Login is enabled. Any ideas?
          Not to mention the "if you tell Secure Remote to connect to site A, then you can't access systems at site C" problem. That's too complicated.

          Is there any w
          • Split tunnels do that. My company uses a Juniper/netscreen/Neoteris SSL VPN (they were progressively bought out, originating as Neoteris, then Netscreen, then Juniper IVE SA series. They ROCK. You have a "clientless" VPN that can support multiple users without having to configure a client on the remote machine. They log into a web portal and then can launch (or your policy can auto launch) Network Connect. It is unobtrusive, and very friendly (except a minor bug that can cause problems if you lose your
            • I second this - Juniper's Secure Access SSL VPN is one kick ass device. The web GUI takes a bit of getting used to (not as intuitive as I would have liked it to be). As far as feature sets are concerned it really is a market leader. (I work for a VAR and I deal with about 80 vendors' products)

              The Java processes create VPN tunnels that work. Active-X 'W-SAM and Java 'J-SAM' for TCP only applications and 'Network Connect' for true IPSEC like emulation (emulates a point to point tunnel and gives the client
        • SecuRemote/SecureClient sucks hard big balls. My company still uses CP for our firewall, but we have replaced that horrid VPN client (constantly broke remote user's network settings) with a Juniper SSL VPN. However, the Cisco VPN clients we have used sucked harder, so perhaps you were right in saying that they were not worse than others.
        • If you actually have to administer the firewall, the Checkpoint GUI is second to none.

          I find that Firewall Builder [fwbuilder.org], while having an interface similar to the CheckPoint GUI, is more robust. Plus it gives the added benefit of multiple firewall backends including pf, ipf, ipfw, iptables, and Cisco PIX. The new queuing and rule options available with the 2.1.x series alone are worth taking a look at. Plus the file format is an open XML-based format and the output rule files are actually quite readable.
        • by mvdwege ( 243851 )

          I have used Checkpoint on Nokia IPSO, under Provider-1.

          The good:

          • Central management for a lot of firewalls works great. P-1 makes it really easy to push out multiple updates, and using global objects makes it easy to manage large environments with multiple DMZs.
          • The interface for actual policy editing is pretty decent. The thorough support of drag&drop is nice.
          • VPN setup integrates nicely in the policy editor.
          • The log viewer is pretty good, and the next best thing to grepping the logs yourself.

          The

        • If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.

          The budget is a big factor. Checkpoint is known for their bend-you-over-the-rail annual maintenance costs. Comparable products from other vendors will not consume so much of your budget when it comes time to renew the support contract.
        • by itwerx ( 165526 )
          Checkpoint is stable, secure and has an excellent track record.

          Er, no, sorry. I won't argue that Fortinet is great (it's about the same level as Checkpoint in my book) but if you've truly never had any problems with Checkpoint then you're the only installation of it I know of that can make that claim. (And I've been consulting for over 15 years for many hundreds of companies of all sizes including some Fortune-100 with really outstanding IT people).
      • by Bishop ( 4500 )
        It is not just your IT dept. Checkpoint has issues. It has always had issues. Earlier versions would even fail into a wide open state.
    • by drakaan ( 688386 )
      Watchguard's gear is decent for the price (and I think bsd or linux-based)...does arp proxy, vpn, nat, etc. It's been 5-6 years since I've used one, but it was a good fw for a small network to hide behind.
    • and the Nokia Checkpoint appliances (i350, etc)

      checkpoint is ok, but don't flush your time and money down the toilet running it on nokia hardware. The nokia "appliances" are just standard x86 hardware in a different case for 10X the price. They may be in a fancy case, but inside they're just standard multi-year-old CPUs (Intel, AMD or Cyrix on the lowest end ones) with standard intel (or ServerWorks) chipsets and regular non-RAID western digital ATA hard disks. They are even less reliable than PCs from othe

    • by Dadoo ( 899435 )
      While I don't have any experience with the Checkpoint stuff, I certainly wouldn't recommend firewalls from Netscreen or Cisco (though I do like Cisco's switches and routers.) I inherited a few Netscreen boxes at my new job and, as far as I can tell, they're junk. I tried to replace a couple of them with a Cisco ASA box, but that didn't turn out well, either.

      I've worked with a bunch of different firewalls - Gauntlet, Sonicwall, Cisco PIX and ASA, and Netscreen - and the best one by far, in my opinion, is Ast
    • by itwerx ( 165526 )
      Netscreens are okay, but Checkpoint? Eww... :/
  • The perfect firewall (Score:5, Informative)

    by ernest.cunningham ( 972490 ) on Friday March 30, 2007 @08:05PM (#18551265) Homepage
    Well fairly good anyway. Check out Smoothwall Linux Firewall. http://www.smoothwall.org/get/ [smoothwall.org] SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.
    • Re: (Score:3, Informative)

      by skogs ( 628589 )
      I second this vote for smoothwall.

      The corporate friendly version with everything fully configured/implemented for you is a good decision. This requires some $$, and less time.

      Or, you can roll your own with the smoothwall express 2.0. I run it with DansGuardian content filter - gets rid of ads and other pr()n and stuff. Also have several mods on it. Really, visit the homebrew forum and you can do anything with it. This of course, requires no $$, and more time.

    • I would also vote for SmoothWall. We have been testing their Advanced Firewall product at work. We were running an old PC with Debian and some custom IPTables rules I put together. Our company size has expanded and those that work for me lack the technical skills to understand how a firewall works. SmoothWall has an easy enough web gui that I can walk someone through what to change while I'm on the road.

      The product does cost money, but we also have several SonicWALL firewall appliances and the SmoothWall I
  • Astaro (Score:3, Informative)

    by Anonymous Coward on Friday March 30, 2007 @08:05PM (#18551271)
    http://www.astaro.com./ [www.astaro.com] 'nuff said.
    • Re: (Score:2, Informative)

      by pookemon ( 909195 )
      I'm curious as to why this was modded "Funny". One (maybe more) of our clients runs Astaro v6 and it seems to run fine. The only gripe I've had with it is that I couldn't do a port forward and translation at the same time (i.e. if I want a client to connect on port 12345 and forward the traffic to machine x on port 1234 then it wouldn't do it) - mind you that was an older version and I haven't tried since. It's easy to configure and handles large amounts of traffic - but apparently it's funny...?

      DISCLAI
  • by Anonymous Coward on Friday March 30, 2007 @08:09PM (#18551319)
    Computers with Microsoft Vista make the best firewalls. Let's say you have a large boiler room, and you really want to keep the heat contained. A good thick layer of 3-4 PCs with Vista Home Premium (or 2-3 PCs with Vista Ultimate) will keep just about anything contained. Please note that Vista Home Basic isn't really suitable for this job in any thickness, as it will tend to burn and contribute to the problem.

    Oh, and don't forget to apply a generous coat of anti-virus paint every morning!
  • We use one (Score:5, Informative)

    by realmolo ( 574068 ) on Friday March 30, 2007 @08:09PM (#18551323)
    We have a Fortigate 400, and we love it. It's damn near perfect. I recommend them to EVERYONE who is in the market for a high-end firewall appliance.

    Truly, it's the best thing on the market, right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.

    They really need better marketing, because few people even know they exist, which is too bad.

    So yeah, you should get one.
  • by andy314159pi ( 787550 ) on Friday March 30, 2007 @08:11PM (#18551343) Journal
    Even though it's carcinogenic, I recommend asbestos. It's one of the best thermal insulators known and if you don't rip your walls open you'll never breathe it in.
  • pair of computers with extra nics and you can have redundant firewall
  • More than one, with the firewalls all as different from each other as possible. Hackers do find and exploit bugs in commercial firewalls, so when they breach the one facing the internet there's another level of protection. Widely differing firewalls in series greatly reduce the chance of anyone breaking in. The number of series firewalls depends on your security needs. Note well: if you're depending on one commercial firewall to protect your business - you will be hacked. You probably have been already. E
  • IPCOP (Score:2, Informative)

    by brenddie ( 897982 )
    IPCOP is a very secure and flexible firewall, plus it's open source. It runs on all kinds of hardware like normal PCs, boards with CF cards, servers. A vanilla installation is full of features like VPN, QoS, IDS, web proxy and by using addons you can add stuff like detailed proxy reports, content filtering, traffic monitoring and a lot more.
    You can find it at http://ipcop.org/ [ipcop.org]
    Their mailing list is pretty active and full of helpful people.
    If you have a spare PC and some network cards give it a try.
  • OpenBSD + PF (Score:4, Informative)

    by grub ( 11606 ) <slashdot@grub.net> on Friday March 30, 2007 @08:38PM (#18551607) Homepage Journal

    We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

    Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
    in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.

    We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPSEC although OpenVPN is a serious contender as we use that for the road warriors already.

    It pisses me off to no fucking end that to get a firewall capable of gigabit (we're a bunch of research labs on CANARIE [canarie.ca]) from Cisco will take a big bite from my budget, just to have the "Cisco" brand on it.
    nb: I do love their routers and switches. Their firewalls are overpriced and underwhelming.

    • We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

      Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded

      in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" on
  • Anyone have experience with the Sonicwall PRO series?
    • by afidel ( 530433 )
      Love 'em, especially with the Advanced OS, without it I would take a PIX but the advanced OS gives me all the flexibility I need with a MUCH easier to manage interface. Managing a large number of them is easy with the Global Management System. For a small office the AV subscription service is nice because it enforces client updates without the need for an IT person to hound the users or check up on them.
    • by Dadoo ( 899435 )
      I'd have to agree with the guy above, who said to get a bigger one than you think you need. The thing that really pissed us off is that you can only define a limited number of custom services (TCP ports). If you run out, you have to buy a new firewall.
  • Firewall, technically speaking, was always simply a filter for low-end network traffic. Like open this port for this IP and DROP else etc. Right now I see the term "firewall" has evolved to meaning - everything that does border security (firewall, proxy filtering, NIDS, monitoring etc.). So I guess you should be asking about security appliance...

    According to their description here - http://www.fortinet.com/products/telesoho.html [fortinet.com] - it does lots more than a firewall:

    "These [...] systems deliver [...] security se
  • I would also recommend IPCop (http://www.ipcop.org/) It has been rock solid for me, with eleven locations, and it's actively supported. It runs on nearly anything (I believe you actually need a Pentium now, but 1.3 ran on 486s), and best of all, it's free. That means you can experiment with it on an old PC at no cost other than time (and maybe a cheap-ass network card or two). At the very least, it's a great way to evaluate the idea of a Linux based firewall, even if you end up going with something else.
  • seriously, i made my firewall out of that shit

    what kind of an asshole am i?

    you know, squid, openvpn, old emachine with an extra nic

    lool :) smiley face
  • We have at least two dozen of the lower end (50, 60) Fortigates deployed to a majority of our clients. We love them! Support from Fortinet is top notch (if you're paying for the 8x5 or 24x7). We've had to replace a few units, but some of our clients are in, shall we say, less-than-ideal environments. Though, in those cases we get very prompt service, usually overnight of a new unit to put back into place.

    The configuration can be done via web, or command prompt which is nice, and of course fully remote admin
  • Pretty much anything, as long as it's running on a Dell laptop......
  • I'd probably most recommend the Cisco ASAs. Pricey, but worth it. They really are top notch. You can also look at Juniper's Netscreen boxes (Juniper bought Netscreen). We have one at work and it does quite a good job. Easier to set up for simple things than the Cisco, but its web-based config means that some of the complex stuff is tricky or impossible. No complaints in general though.

    When money is involved, I really recommend sticking with commercial solutions, however if you want something cheap, look at
    • I'd probably most recommend the Cisco ASAs. Pricey, but worth it. They really are top notch. You can also look at Juniper's Netscreen boxes (Juniper bought Netscreen).

      Are you serious? I inherited a few Netscreen boxes at my new job, and as far as I can tell, they're junk. Unfortunately, I replaced a couple of them with a Cisco ASA... big mistake. I have yet to find a firewall better than the Astaro appliances I had at my old job.
      • Yes, I am serious. I'm going to guess that you either bought firewalls too small to do the job, don't know what you're doing particularly with the Ciscos since IOS is complicated, or both. I work for a university and our border firewalls are Cisco ASAs. They deal with all the traffic from about 70,000 computers to 5 different off campus links (3 to the Internet, 1 to I2, 1 to our sister university in state). In our department we use a Netscreen. Not nearly as big a job, only has about 1,000 computers to deal
  • Netscreen (By Juniper Networks), Astaro Firewall, and a relative newcomer, ZyWall by ZyXel. They should all work REALLY well.
  • Mikrotik's RouterOS (Score:2, Informative)

    by zeenixus ( 571630 )
    RouterOS is Linux-based with a very nice console interface as well as a windows client.

    It does all the usual linux fw stuff, as well as traffic shaping, connection rate limiting, traffic identification, rip/ospf/bgp, vpns, lots more.

    Unique features include a scripting host and cron-jobs. Very cool, indeed.

    They also make their own hardware (expandable SBCs, wifi) with their routeros embedded in flash.

    http://www.mikrotik.com/ [mikrotik.com]
    • Re: (Score:3, Informative)

      Funny that you mention RouterOS. My company (actually, I am leaving them very soon) uses routerboard routers with RouterOS on them in place of Cisco stuff because it is cheaper and far more functional (easier to use too). The boxes are small, very cheap and work well. I think we had to reboot ours recently, after almost 350 days of uptime, only because we had to move it.
  • There are a ton of firewalls out there. Depending on what you're looking for, you will have plenty of choices.

    Basically, you can split firewalls into two camps: those which are installed onto a computer with multiple network cards, and those which are a pre-built appliance.

    I don't use the pre-built appliances (too expensive) but I can recommend a few of the Linux-based installed types:

    ClarkConnect.com - This is a very flexible and inexpensive firewall. Can do just about everything. There is a free community
  • Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

    OK, I'll bite: why not Cisco?
    • by Dadoo ( 899435 )
      Want a list? Okay, off the top of my head:

      Crappy user interface. (You may as well learn the command line interface, which is what I did.)
      Outrageously expensive.
      Stupid hardware configuration. (Separate interface for the IPS.)

      That's enough for me.
  • two years now, Windows XP + router + internet connection + firefox + java/flash/unnecessary services disabled. Haven't had a problem for a while now (minus MS Updates screwing my stuff up,) and most exploits require user intervention anyways. I'm not that stupid, but then again not everyone is me. That being said, good luck getting past my secondary BeOS box which manages my micro-network (three computers in my room, which then go thru that box to the router.) Enjoy trying to get anywhere NEAR my computer
  • I deploy, teach, and troubleshoot firewalls for a living. It seems most of the responses point to various open source technologies. If it were my company, I would use a custom built Linux box with a sick NetFilter rulebase. If you just need something that works with a slick interface, however, I would recommend a commercial solution.

    It seems all of the security vendors are moving to the appliance model. I like this model and recommend it. It gives the vendor the ability to properly support the device a

  • I'll vote for a Linux firewall, like many of the other persons here - with one condition. *If* your administrator is as comfortable administering a Linux firewall as he is the other products. If he's uncomfortable and unwilling to learn, it would be a poor choice.

    You haven't mentioned how much traffic you handle, but even a very low-end server-class machine with Linux can handle some very impressive firewalling loads. On my core router, I used a dual-CPU mach
  • We've had good luck with Lucent Bricks. Very easy to use, a wide range of models with absolutely identical interface. Just choose a model based on how many ports you need or how much throughput. They run the Inferno operating system which is based on Bell Labs' uber-geek Plan 9 OS.

    In particular, active-standby is brilliant. Need high availability? Just buy a second Brick of the same model and plug it into all the same switches/vlans as the first. The entire configuration of the backup consists of exactly o
