On Wed, Nov 09, 2005 at 11:23:59PM -0800, Ajay Sharma wrote:
> I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that
It depends very much on you and how much knowledge and work you're prepared to put into it. Pretty much everything you want can be done with a hardened CentOS 4.x box and a couple of extra packages. There is one exception, which I will address below.
> I would like:
> - decent gui, either web based or a local client
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.
> - usage graphs based on protocol. So if our tiny T1 is saturated, I
> want to be able to find out what's eating up the bandwidth
There are a number of packages on Freshmeat that will do this.
> - VPN-friendly for a couple of road-warriors. There won't be any
> remote offices so no server-to-server setups, just remote clients.
OpenVPN will handle this no problem (Windows and Linux clients); it also integrates well with Shorewall. (http://openvpn.net/)
> - we have a DMZ and about 30 machines on the local network. Everyone
> has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
Standard stuff - no problem.
> - high-availability. So if I buy two machines, one can successfully die
> and the other take over.
This is where you could have a problem - if you want hot failover, with no interruption to service, I don't think the current state-of-the-art is capable of handling it. The problem is synchronising the iptables state tables between the two machines. There is a project working on this, but I'm not sure what the present status is - have a look on http://www.linux-ha.org/
> - no per-user charges. If the company hires a dozen people next year,
> we shouldn't have to "upgrade" our license.
No problem there either.