Hey,
The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
1) decent gui, either web based or a local client
2) usage graphs based on protocol. So if our tiny T1 is saturated, I want to be able to find out what's eating up the bandwidth
3) VPN-friendly for a couple of road-warriors. There won't be any remote offices so no server-to-server setups, just remote clients.
4) we have a DMZ and about 30 machines on the local network. Everyone has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
5) high-availability. So if I buy two machines, one can successfully die and the other take over.
6) no per-user charges. If the company hires a dozen people next year, we shouldn't have to "upgrade" our license.
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
Thanks for your help.
--Ajay
On Wed, Nov 09, 2005 at 11:23:59PM -0800, Ajay Sharma wrote:
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
It depends very much on you and how much knowledge and work you're prepared to put into it. Pretty much everything you want can be done with a hardened CentOS 4.x box and a couple of extra packages. There is one exception, which I will address below.
- decent gui, either web based or a local client
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.
- usage graphs based on protocol. So if our tiny T1 is saturated, I
want to be able to find out what's eating up the bandwidth
There are a number of packages on Freshmeat that will do this.
- VPN-friendly for a couple of road-warriors. There won't be any
remote offices so no server-to-server setups, just remote clients.
OpenVPN will handle this, no problem (Windows and Linux clients); it also integrates well with Shorewall. (http://openvpn.net/)
- we have a DMZ and about 30 machines on the local network. Everyone
has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
Standard stuff - no problem.
- high-availability. So if I buy two machines, one can successfully die
and the other take over.
This is where you could have a problem - if you want hot failover, with no interruption to service, I don't think the current state-of-the-art is capable of handling it. The problem is synchronising the iptables state tables between the two machines. There is a project working on this, but I'm not sure what the present status is - have a look on http://www.linux-ha.org/
- no per-user charges. If the company hires a dozen people next year,
we shouldn't have to "upgrade" our license.
No problem there either.
Neil Thompson abraxis@telkomsa.net wrote:
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.
There are lots of GUI admin tools for the packet filter. The question is what do you want around your packet filter?
IDS? Proxy? Etc...?
There are a number of packages on Freshmeat that will do this.
But how "canned"? MRTG is MRTG, but what do you feed into it? How do you collect those statistics?
I'm not questioning that there are some excellent projects on Freshmeat.NET built for accumulating data and feeding it to MRTG, but there is still a hefty number of them. I agree with your recommendations, but I just hope he knows what kind of "project" he's getting himself into -- at least after using more of an "appliance/software" solution prior. ;->
Furthermore, what about presenting all that data? You've now gotta setup all sorts of web administration. Again, how much of a "project" should this be? ;->
You and I might love doing this (and I noted below you are actively involved with providing such software), but how much for end-users who are used to "canned" appliances/software? ;->
In all honesty, I just stopped dealing with that assembly. But nowadays, I find it easier (and cheaper) to just buy an appliance, or at least start with IPCop and modify it. Especially when an executive at a small client gets too much of his info from his neighbor's kid and wonders why I can't just use a $50 Linksys device. (sigh, he gets IPCop ;-)
OpenVPN will handle this, no problem (Windows and Linux clients); it also integrates well with Shorewall. (http://openvpn.net/)
IPSec is also an option, as well as MPPE support. OpenVPN is clearly much easier and more reliable. But be wary that you'll be providing your own software to the clients as well.
This is where you could have a problem - if you want hot failover, with no interruption to service, I don't think the current state-of-the-art is capable of handling it. The problem is synchronising the iptables state tables between the two machines. There is a project working on this, but I'm not sure what the present status is - have a look on http://www.linux-ha.org/
Neil is dead-on there. There are many aspects to fail-over, such as sharing a virtual interface with a virtual MAC address (or even re-using the original system's physical one), heartbeat and take-over, etc... Linux-HA is addressing this, in conjunction with LVS.
And as I pointed out, how much trouble is it worth addressing gateway redundancy if you haven't addressed it at either your external router or your internal network?
Neil Thompson wrote on Thu, 10 Nov 2005 09:49:25 +0200:
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.
The main problem with all these firewall builders or Open Source gateway applications (shorewall, monowall, ipcop etc.) is that you can't switch off NAT and have to use a DMZ for publicly accessible machines. At least at the time when I was evaluating them for my own needs. That's probably just fine for most people, but if you need transparent public IP routing (as the OP said) you have to look elsewhere (I didn't find such a package and the only reasonably priced commercial devices I found were the ones from Snapgear) or roll your iptables stuff manually.
Kai
Kai Schaetzl wrote:
Neil Thompson wrote on Thu, 10 Nov 2005 09:49:25 +0200:
If you use Shorewall (http://www.shorewall.net) there is a webmin gui module for administration.
The main problem with all these firewall builders or Open Source gateway applications (shorewall, monowall, ipcop etc.) is that you can't switch off NAT and have to use a DMZ for publicly accessible machines. At least at the time when I was evaluating them for my own needs. That's probably just fine for most people, but if you need transparent public IP routing (as the OP said) you have to look elsewhere (I didn't find such a package and the only reasonably priced commercial devices I found were the ones from Snapgear) or roll your iptables stuff manually.
M0n0wall is a FreeBSD-based system but it does support a public IP DMZ/Service interface. You have to enable advanced NATing. Remote updating of the firmware/software is a big plus too.
Kai
Adam Gibson agibson@ptm.com wrote:
M0n0wall is a FreeBSD-based system but it does support a public IP DMZ/Service interface. You have to enable advanced NATing.
Layer-3/4 Source and Destination NAT/PAT (network/port address translation) is _not_ the same as layer-2 bridging or layer-3 routing between networks and inspecting the packets then. I think he's looking for layer-2 bridging or layer-3 routing, not SNAT/DNAT.
IPCop does SNAT/DNAT, and can translate multiple public IPs into private ones -- LAN, 2nd LAN (e.g., WLAN), DMZ, etc... as well. 1:1 (NAT-only), 1:Many, Many:1. Not the same as inspecting frames/packets as they pass through a true layer-2 bridge, or a layer-3 router.
Remote updating of the firmware/software is a big plus too.
As with IPCop.
Bryan J. Smith wrote:
Adam Gibson agibson@ptm.com wrote:
M0n0wall is a FreeBSD-based system but it does support a public IP DMZ/Service interface. You have to enable advanced NATing.
Layer-3/4 Source and Destination NAT/PAT (network/port address translation) is _not_ the same as layer-2 bridging or layer-3 routing between networks and inspecting the packets then. I think he's looking for layer-2 bridging or layer-3 routing, not SNAT/DNAT.
M0n0wall can be configured as a bridging firewall.
It only appears to be another IP on the LAN when in this mode and does not do NAT.
IPCop does SNAT/DNAT, and can translate multiple public IPs into private ones -- LAN, 2nd LAN (e.g., WLAN), DMZ, etc... as well.
Yes, but you need to seriously hack it.....IPCop doesn't support multiple subnets on the same interface (LAN or WAN) very well at all.
Pre-built m0n0wall boxes are pretty cheap these days: http://www.netgate.com/product_info.php?products_id=209
Butting into the thread ;-)
I am using CentOS on my machines, with an IPcop Internet Gateway, only one public IP and Web/Mail/DNS Servers in DMZ (private C Class) as well as LAN.
Overall I am a bit satisfied with it...low maintenance, except for some manual tinkering or addons for outbound connections. BUT failover on WAN side seems to be becoming a requirement. Have been asked to devise a shoe-string (and a small string at that) strategy to mix DSLs, lowspeed leased line (they are expensive here in India) and a DVB VSAT connection (DirecPC) in future.
Issue with DSLs is that the gateway has to be capable of handling Dynamic IPs as well as Static IPs, in addition to private IPs allocated by the ISP (they do transparent proxy/NAT). WAN failover is to be handled.
One idea I was thinking of was a commodity Switch in front of (WAN interface) the IPcop box and some fancy IProute2/Nexthop footwork.
Second was to find an open-source distro that did WAN failover unlike IPcop...so am exploring the leads from this thread.
I will be implementing Snort with database backend to analyse security aspects and maybe even script some blocking/IPS features/opensource projects including the layer 7 firewalling. So basically, I am planning to go with open source setup, as I feel that the kind of setup I want, I will have to sell my soul (even the devil does not seem to want it!!) or my Company to buy a commercial product.
Please advise if someone can point me to an open source/GPL project that can either add WAN failover/load-sharing/load-balancing & port based traffic partitioning capabilities to some firewall distro or minimal centos install for creating a Firewall gateway.
Pointers to literature/resources/projects on various issues mentioned above will be appreciated.
With best regards. Sanjay.
http://www.mikrotik.com They have a demo online you can check out. Read about it here. http://www.mikrotik.com/2index.html (left side of page)
The initial learning curve isn't too hard to get around, but once you understand it, it's a breeze to work with. Took me a long weekend. Definitely worth looking into.
The rest inline........
Ajay Sharma wrote:
Hey,
The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
- decent gui, either web based or a local client
They have a great local client gui called winbox. Works under wine if you have linux stations.
- usage graphs based on protocol. So if our tiny T1 is saturated, I
want to be able to find out what's eating up the bandwidth
They have graphing built in but for traffic on interfaces and queues. You can set up queues based on mangle rules with no limits and graph these as well. Otherwise they have a tool called torch, where you can view traffic in real time and use filters to find your bandwidth hog.
- VPN-friendly for a couple of road-warriors. There won't be any
remote offices so no server-to-server setups, just remote clients.
Does IPsec, PPTP and L2TP. Very easy to set up.
- we have a DMZ and about 30 machines on the local network. Everyone
has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
does that
- high-availability. So if I buy two machines, one can successfully
die and the other take over.
VRRP- Very redundant router protocol. Built in........
- no per-user charges. If the company hires a dozen people next
year, we shouldn't have to "upgrade" our license.
And last but not least. Runs on any i386 based pc and the software costs $45-$65 a license which gives you a year of updates. Buy multiple year licenses and the price goes down. Renew prices are cheaper than new.
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
Thanks for your help.
--Ajay _______________________________________________ CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
Daniel Wright dw@wonderwave.net wrote:
http://www.mikrotik.com They have a demo online you can check out. Read about it here. http://www.mikrotik.com/2index.html (left side of page) The initial learning curve isn't too hard to get around, but once you understand it, it's a breeze to work with.
The RouterBoard guys have some neat products. They've moved to 64-bit MIPS4000 series and away from AMD/NS Geode GX1 (Cyrix M2 core) products. The RouterOS is also a nice solution (although it doesn't seem to have a full security suite), it's a basic Router and NAT/PAT solution with monitoring (and it does that well).
You'll still want to have additional capabilities outside the box though.
And when I build an IPCop box, I like to go for the RouterBOARD 4x products -- 4 independent NICs on a PCI card. Especially the newer 44 which is a universal 3.3/5V card which works in any system (legacy 32-bit, 5V PCI to 3.3V PCI-X slots), and does auto-MDX (which is a Godsend for some "smaller" clients ;-).
We are using a SonicWall Pro4060 firewall in our organization, National Geophysical Research Institute, Hyderabad. We have been using SonicWall for the last five years (the Pro4060 is new, got recently). You can try IPCOP or SmoothWall, free downloads, these are pretty good also.
Sivaraman.
Ajay Sharma wrote:
Hey,
The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
- decent gui, either web based or a local client
- usage graphs based on protocol. So if our tiny T1 is saturated, I
want to be able to find out what's eating up the bandwidth
- VPN-friendly for a couple of road-warriors. There won't be any
remote offices so no server-to-server setups, just remote clients.
- we have a DMZ and about 30 machines on the local network. Everyone
has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
- high-availability. So if I buy two machines, one can successfully
die and the other take over.
- no per-user charges. If the company hires a dozen people next
year, we shouldn't have to "upgrade" our license.
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
Thanks for your help.
--Ajay
"T. V. Sivaraman" tvsraman@ngri.res.in wrote:
We are using SonicWall Pro4060, firewall in our organization, National Geophysical Research Institute, Hyderabad.
As I mentioned, SonicWall (VxWorks-based) and WatchGuard (Linux-based) are the "big 2" SMB firewall/VPN vendors for products costing $200-$5,000. SonicWall has per-user charges for many of their features, typically at the 25 and 100 user price-points.
You'll find most appliances have this as well -- especially for added features.
You can try IPCOP or SmoothWall, free downloads, these are pretty good also.
Last time I checked, IPCop prefers private IPs. I could be wrong though. And it can be solved with 1:1 NAT and/or SNAT/DNAT public IP pooling options (which might actually be better than using "raw" public IPs).
On Thursday 10 November 2005 07:06, Bryan J. Smith wrote:
"T. V. Sivaraman" tvsraman@ngri.res.in wrote:
You can try IPCOP or SmoothWall, free downloads, these are pretty good also.
Last time I checked, IPCop prefers private IPs. I could be wrong though. And it can be solved with 1:1 NAT and/or SNAT/DNAT public IP pooling options (which might actually be better than using "raw" public IPs).
The commercial SmoothWall is what I use, but I use NAT here (32 outside IP's, three class C 1918's inside). The commercial SmoothWall is not cheap, but does seamless L2TP/IPSec VPN with Windows boxes (that is, a Windows XP SP2 user simply sets up a 'Dialup Networking' VPN and configures it for L2TP optional encryption (note: L2TP has three layers of encryption capability; this option does not shut off the IPsec encryption, just the L2TP encryption), along with some other non-default options). The SmoothWall SmoothTunnel distribution includes a GUI for installing the crypto certificates in the right place on the Windows side, and the SmoothWall Web GUI does all the Certification Authority work for you. There is no additional client software to install for Windows 2000 and XP clients, and a free Microsoft L2TP client for other Windows. It also supports raw IPsec tunnels for both point to point and IPsec roadwarriors (like Linux users).
The reason the DuN wizard is used is because, to the Windows box, the L2TP VPN _is_ a point to point dialup connection; it's PPP over L2TP over IPsec.
As a general purpose router it's probably not the best solution, but I have found it has met our needs. But, again, I'm using NAT; I have not tried configuring it without NAT.
I do have the SmoothHost, SmoothTraffic, and SmoothRule modules in addition to the SmoothTunnel module that gives it more of a 'real' router feel; including blocking outbound traffic by port, time of day, etc, as well as bandwidth throttling.
But due to my network core redesign it's going to get replaced with a much smaller box, a Cisco 7401ASR running IOS 12.4.4T. In one rack unit I get everything I need, including the VPN endpoint. What I get with the 7401ASR that I can't get with SmoothWall is HSRP on the LAN interfaces; I'm building a new core network using Cisco 8540CSR's in full redundant mode with meshed Gigabit EtherChannels; the SmoothWall box can't do HSRP for one, and couldn't handle multiple inside interfaces anyway, and thus becomes a single point of failure. And SmoothWall doesn't do either OSPF or EIGRP.....
(In case you're wondering, the Cisco gear was all donated, otherwise there would not be an upgrade.)
Ajay Sharma ssharma@revsharecorp.com wrote:
Hey, The company I work for is in the market for a new firewall.
How big of a company? How much do you want to lock-down access?
Traditionally, people take 3 approaches:
1. Allow everything out (SOHO 'Ritters)
2. Allow everything out by default, then block destination ports (SMB 'Ritters)
3. Allow nothing out by default, then open destination ports (a "real" setup)
Ideally, even in a small-to-medium business (SMB), you should do #3 and deny _all_ access in _both_ directions, and then only open on explicit ports as necessary.
This includes not even allowing out 53 (domain), 80 (http) and 443 (https). I use dedicated, internal DNS servers and a proxy server, and only those dedicated systems can get out. I also like to set up a SOCKS5 proxy for other protocols, including SSH. That way I know about those connections, and some arbitrary Malware can't simply establish a tunnel without my knowing about it.
I would at least do such and block those ports even for #2. But all it takes is someone to run something on a non-standard port and they can go right through #2 -- hence why I do #3.
Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
Eeewwwww. ;->
I think Checkpoint is overkill for our needs and very expensive,
Actually, it might be underkill!
plus I don't like the "per-user" charges of some commercial solutions.
You'll find that still remains true of the top-2 appliances under $5,000 -- SonicWall (VxWorks-based, http://www.sonicwall.com/) and WatchGuard (Linux-based, http://www.watchguard.com/). 25, 100, etc... user licenses are typical as well.
What do you guys suggest that we upgrade to?
Depends on size, budget, etc...
I mean, you can go as little as IPCop (http://www.ipcop.org) and tie it down tight -- such as blocking all outgoing, and redirecting select ports to internal DNS, proxy and other servers. IPCop has IDS and everything else built-in, but it's a pretty "canned" solution overall. E.g., last time I checked, it still used SNAT/DNAT to private IPs for the DMZ and LAN -- although you _can_ setup 1:1 NAT or "pool" public IPs.
Or you can spend from hundreds to upwards of $20,000+ on a Nokia (Linux-based with optional Checkpoint features) product. In financial environments, I've typically trusted Nokia's solutions.
http://www.nokiausa.com/business/security/1,8189,fwall,00.html
Network Associates and Symantec also sell Linux-based gateway appliances with scanning features, let alone a huge 3rd party market has been built up around firewalls with SpamAssassin and ClamAV built-in for inbound SMTP. A consideration if your SMTP server(s) are in the DMZ.
Here are some of the features that I would like:
- decent gui, either web based or a local client
One thing to remember with a web-based client -- don't use the same browser profile (and all its cookies) that you use to surf the web with.
- usage graphs based on protocol.
A managed layer-2/3 switch on your network would provide a far better solution for this -- probably at a lower price.
Cisco has some excellent 5000 series SMB switches for a couple thousand with lots of such capabilities, as well as built-in PIX. I didn't know if you were a Cisco shop.
And if that's still too costly, the NetGear FSM7328 (http://www.netgear.com/products/details/FSM7328S.php) has an entry-level layer-3 switch (RIPv1/v2, including port-to-port switching across VLANs of different subnets) with 4xGbE, 24x100M that has full SNMPv3, RMON, etc... for under $400 (double the 100M ports with the FSM7352S for a couple hundred more). You can also setup a monitoring port to tap your internal IDS to.
As you can see, there are a _lot_ of considerations here -- many outside the realm of your "gateway device." ;->
So if our tiny T1 is saturated, I want to be able to find out what's eating up the bandwidth
You can do that with an intelligent layer-2 (or layer-3) switch for your _entire_ LAN, not just the Internet connection.
- VPN-friendly for a couple of road-warriors.
You can do VPN at the gateway, or you can pass it through to a VPN device behind the device (possibly into a limited access DMZ).
There won't be any remote offices so no server-to-server setups, just remote clients.
I was going to say, if you start doing more than 1 subnet, then having a layer-3 switch is a _huge_ advantage. If anyone is remotely considering connecting two networks, plus having roaming users, then those networks could really use a layer-3 switch.
Including the recent thread on routing issues with a VPN and multiple subnets. ;->
[ Oh if I could only take a baseball to some of my "smaller" clients in the past that said, "why do I have to pay over $500 for only a few GbE ports when I can get a Linksys 8-port GbE for under $100?" Grrrrrr. Thank God for NetGear's entry-level FSM7328S product, or I'd _never_ get routing problems solved at these firms! ]
- we have a DMZ and about 30 machines on the local
network. Everyone has a "normal" IP address, meaning that no one is behind NAT.
That's one area IPCop doesn't really care for. I've never tried it without using private IPs. But you can set up public IPs to 1:1 NAT, as well as pool connections.
So it needs to handle this (which is pretty basic stuff) 5) high-availability. So if I buy two machines, one can successfully die and the other take over.
With IPCop, you can save all settings to a floppy and build a replacement, or download/upload settings. But no, it doesn't have heartbeat/failover capabilities.
Other software solutions in Linux do offer them, and there are devices that do such.
But if you're really worried about that, then you should _also_ be worried about the router beyond your gateway device. It should do Hot Standby Routing Protocol (HSRP), otherwise your fail-over design will be incomplete.
And then what about your internal network, DMZ, etc...?
I mean, what's the sense of building redundancy at the gateway if the router beyond the gateway can still fail (let alone you don't know if it has!), or the ports of the LAN have, etc...
E.g., you _could_ consider an "all-in-one," dual-unit product that is the external routers, gateway, internal switch ports/router, firewall, IDS, etc... all-in-one, that fails over between 2 devices. I'm clearly looking at the Cisco 5000 series now, and it ain't so cheap with those features. ;->
- no per-user charges. If the company hires a dozen
people next year, we shouldn't have to "upgrade" our license.
Then forget a lot of products. The key is that depending on the features you want, some might be per-user -- especially if they are software/firmware of gateway/firewall/IDS/etc... appliances.
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
I could make far better recommendations if I knew how many users (current and possible), components of your network that you have or want to implement (you have IDS, right? ;-), how much you are willing to tie down your outgoing access (e.g., internal DNS, proxy, etc... servers), etc... and what other networking hardware you are currently using (e.g., does your internal switch currently have SNMP/RMON capabilities?).
And especially your budget.
Given your list of desires for a gateway device, I think you might be overlooking a lot of things that you should probably do outside of the gateway device.
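A worked illustration of approach #3 above (deny everything in both directions, then open explicit ports) on a routed, NAT-free CentOS gateway, added here as an example and not code from anyone in this thread. It emits an iptables-restore ruleset in which only the internal resolver and the proxy may leave the LAN, DMZ services are opened by host and port, and everything else is logged before it is dropped, so a workstation trying to reach the Internet directly shows up in the logs. Interface names, the addresses (RFC 5737 documentation ranges), the OpenVPN port 1194 and the proxy port 3128 are all assumptions.

```shell
#!/bin/sh
# Constructed example: a routed gateway with public addresses on every
# segment (no *nat table at all), default DROP on INPUT, FORWARD and OUTPUT.
# Interfaces and addresses below are placeholders, not a real network.
WAN=eth0                          # towards the T1 router
LAN=eth1; LAN_NET=203.0.113.0/25  # ~30 workstations, public IPs, no NAT
DMZ=eth2; DMZ_NET=203.0.113.128/25
DNS_SRV=203.0.113.10              # internal resolver: the only host allowed out on 53
PROXY=203.0.113.11                # web proxy: the only host allowed out on 80/443
MAIL_SRV=203.0.113.130            # DMZ mail server
WEB_SRV=203.0.113.131             # DMZ web server
ADMIN_NET=203.0.113.0/25          # where the gateway itself may be managed from
PROXY_PORT=3128                   # assumed squid-style listener on $PROXY

# Print the ruleset in iptables-restore format (lines starting with # are
# ignored by iptables-restore, so the comments can stay in the file).
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:LOGDROP - [0:0]
# Log, then drop. A LAN host other than the proxy showing up here on 80/443
# is either a misconfiguration or something trying to bypass the proxy.
-A LOGDROP -m limit --limit 10/min -j LOG --log-prefix "FW-DROP: "
-A LOGDROP -j DROP
# Loopback and already-established traffic.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Management of the gateway: SSH from the LAN only.
-A INPUT -i $LAN -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT
# Road warriors: OpenVPN terminates on the gateway itself.
-A INPUT -i $WAN -p udp --dport 1194 -j ACCEPT
# Inbound from the Internet to the DMZ, only to named hosts and services.
-A FORWARD -i $WAN -o $DMZ -d $MAIL_SRV -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $WAN -o $DMZ -d $WEB_SRV -p tcp -m multiport --dports 80,443 -j ACCEPT
# Outbound: only the resolver and the proxy may leave the LAN.
-A FORWARD -i $LAN -o $WAN -s $DNS_SRV -p udp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $DNS_SRV -p tcp --dport 53 -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $PROXY -p tcp -m multiport --dports 80,443 -j ACCEPT
# DMZ hosts get out only as far as their role requires.
-A FORWARD -i $DMZ -o $WAN -s $MAIL_SRV -p tcp --dport 25 -j ACCEPT
-A FORWARD -i $DMZ -o $LAN -s $DMZ_NET -d $DNS_SRV -p udp --dport 53 -j ACCEPT
# LAN users reach the DMZ mail server (submission/IMAPS) and the web server.
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $MAIL_SRV -p tcp -m multiport --dports 587,993 -j ACCEPT
-A FORWARD -i $LAN -o $DMZ -s $LAN_NET -d $WEB_SRV -p tcp -m multiport --dports 80,443 -j ACCEPT
# The gateway itself resolves via the internal DNS and fetches updates via the proxy.
-A OUTPUT -o $LAN -d $DNS_SRV -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $LAN -d $PROXY -p tcp --dport $PROXY_PORT -j ACCEPT
# Everything not matched above is logged and dropped.
-A INPUT -j LOGDROP
-A FORWARD -j LOGDROP
-A OUTPUT -j LOGDROP
COMMIT
EOF
}

# Self-check before loading: count LAN->WAN rules whose source is neither the
# resolver nor the proxy. Anything but 0 means a workstation has direct access.
lan_wan_exceptions() {
    gen_ruleset | grep -- "-i $LAN -o $WAN" \
        | grep -v -e "-s $DNS_SRV" -e "-s $PROXY" | wc -l | tr -d ' '
}
```

Load it (as root) with `gen_ruleset | iptables-restore`; rules for the OpenVPN tunnel interface are added in the same style once the VPN is up.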
Ajay Sharma wrote on Wed, 09 Nov 2005 23:23:59 -0800:
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
I suggest taking a look at the Snapgear devices, now bought by Cyberguard (-> www.snapgear.com). They deliver excellent value for the money. When I bought mine about three years ago or so it was the only device under $1000 where you could switch off NAT and enable transparent/bridged routing of public IP addresses. I don't know if it still is. They actively maintain the firmware (an embedded Linux version) and just delivered a completely rewritten interface, new kernel and much more functionality. The one thing from your list which is missing is traffic graphing, however, you can add this with ntop on one of your machines.
Kai
Just today my publisher has released a new article entitled "All-in-One Security Appliances": http://www.networkcomputing.com/showArticle.jhtml?articleID=172901783
Their interactive guide to various products is here: http://www.ibg.networkcomputing.com/guide.jhtml?guide_id=160400002
The Cisco ASA 5520 is reviewed here: http://www.networkcomputing.com/showArticle.jhtml?articleID=163103868
[ **NOTE: I've personally used the ATA 5510. It does the job, although it's limited as a router in the base package. ]
They also did a series of articles at the end of April on more SMB to enterprise firewalls. Probably the most interesting is this feature comparison table between "Branch Office" firewalls ($1,395-$5,000+) here: http://i.cmpnet.com/nc/1608/graphics/1608f4a.gif
Performance comparison here: http://i.cmpnet.com/nc/1608/graphics/1608f4b.gif
Some offer routed and/or transparent modes (public subnet and/or bridged layer-2), as well as NAT. Some also support failover -- some for device (device failure), some for another network (network failure). All support DMZs, VPNs, etc..., although with varying support.
The review of the "Branch Office" firewalls starts here: http://www.networkcomputing.com/showitem.jhtml?docid=1608f4
About mid-way down, on the left, you'll see links to various other articles in the series -- including ASIC-based/high-end "Deep Inspection" solutions, and other discussions on layer-7/application (typically port 80) filtering/inspection, etc...
Didn't see a good review of sub-$1,000 solutions at NWC though.
Wow. Thanks for all the suggestions guys. I went to bed with a list of requirements and now I have a ton of more options to research.
One thing, has anyone used Astaro? I was looking at their "security gateway 220" product last night and it looked like it fit my needs:
http://www.astaro.com/firewall_network_security/asg220
It doesn't have the failover, but everything else was there.
There were other emails in regard to "size of the company" and other stuff which I'll answer:
- there's about 30 people here now, and we plan to add about 10 more next year.
- our firewall has a default deny in and out. So we have to open up ports for access and internally we have our own DNS and email so those ports are closed.
- we don't proxy any services.
- I'm already a super busy admin/programmer so I kinda don't want to babysit this thing (which is bad considering it's a fundamental component of the network). In any case, I'd rather buy a product and keep it updated than have to build a home-grown type of solution.
Again, thanks for all your help.
--Ajay
Ajay Sharma wrote:
Hey,
The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
- decent gui, either web based or a local client
- usage graphs based on protocol. So if our tiny T1 is saturated, I
want to be able to find out what's eating up the bandwidth
- VPN-friendly for a couple of road-warriors. There won't be any
remote offices so no server-to-server setups, just remote clients.
- we have a DMZ and about 30 machines on the local network. Everyone
has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
- high-availability. So if I buy two machines, one can successfully die
and the other take over.
- no per-user charges. If the company hires a dozen people next year,
we shouldn't have to "upgrade" our license.
Right now we're looking at some open-source stuff like pfsense, m0n0wall, etc... But I'm totally open to an affordable commercial firewall appliance.
Thanks for your help.
--Ajay
If failover is something you want/need, may I suggest pfsense... it's m0n0 with CARP. Quite cool, relatively easy to set up, and runs quite well on older hardware you may already have on a shelf gathering dust.
just my $0.02
-Cameron
Cameron Showalter wrote:
If failover is something you want/need, may I suggest pfsense... it's m0n0 with CARP. Quite cool, relatively easy to set up, and runs quite well on older hardware you may already have on a shelf gathering dust. just my $0.02
We were going down that road but I'm kinda shying away from it now since their freshmeat page says it's in "alpha":
http://freshmeat.net/projects/pfsense/
I wouldn't mind switching it out, but it's making the guys upstairs nervous. :)
--Ajay
I'd strongly suggest m0n0wall if you can live without the failover. If you can't, buy a commercial solution.
Astaro has failover capabilities. I have used it and found it to be very resource hungry. Astaro is also licensed by users, so when you add users you'll have to add licenses, which is something you did not want to do.
Astaro is very good at what it does, but the latest versions 5 and 6 IMO need more polish before they are truly ready.
Ajay Sharma wrote:
Wow. Thanks for all the suggestions guys. I went to bed with a list of requirements and now I have a ton of more options to research.
One thing, has anyone used Astaro? I was looking at their "security gateway 220" product last night and it looked like it fit my needs:
http://www.astaro.com/firewall_network_security/asg220
It doesn't have the failover, but everything else was there.
There were other emails in regard to "size of the company" and other stuff which I'll answer:
- there's about 30 people here now, and we plan to add about 10 more
next year.
- our firewall has a default deny in and out. So we have to open up
ports for access and internally we have our own DNS and email so those ports are closed.
- we don't proxy any services.
- I'm already a super busy admin/programmer so I kinda don't want to babysit this thing (which is bad considering it's a fundamental component of the network). In any case, I'd rather buy a product and keep it updated than have to build a home-grown type of solution.
Again, thanks for all your help.
--Ajay
You can add failover via which license you buy with it..:)
Ajay Sharma wrote on Thu, 10 Nov 2005 09:56:10 -0800:
One thing, has anyone used Astaro? I was looking at their "security gateway 220" product last night and it looked like it fit my needs:
I used to know the software. It's good, but user licensed and forces NAT.
It doesn't have the failover, but everything else was there.
What do you mean by failover, failover to another line or another gateway device?
Kai
*if* you have a cisco router connecting you to your ISP you could always look at adding the firewall feature set to it?
The company I work for is in the market for a new firewall. Right now we're hosting all of our own stuff (on CentOS servers) behind an old checkpoint firewall.
I think Checkpoint is overkill for our needs and very expensive, plus I don't like the "per-user" charges of some commercial solutions. What do you guys suggest that we upgrade to? Here are some of the features that I would like:
- decent gui, either web based or a local client
As of 12.4 you get a decent(ish) web based GUI. (see www.cisco.com/go/sdm)
- usage graphs based on protocol. So if our tiny T1 is saturated, I
want to be able to find out what's eating up the bandwidth
Ciscos can export netflow stats into something like ntop for analysis. Although better still, you can configure yourself a nice CBWFQ Quality of Service policy so people can't eat bandwidth needed by other services.
- VPN-friendly for a couple of road-warriors. There won't be any
remote offices so no server-to-server setups, just remote clients.
Cisco has a VPN client.
- we have a DMZ and about 30 machines on the local network. Everyone
has a "normal" IP address, meaning that no one is behind NAT. So it needs to handle this (which is pretty basic stuff)
Not a drama.
- high-availability. So if I buy two machines, one can successfully die
and the other take over.
Cisco has many ways of doing high availability (depending on how your ISP connection comes in) but then a router doesn't have as many working parts as a PC based solution so is less likely to go wrong.
- no per-user charges. If the company hires a dozen people next year,
we shouldn't have to "upgrade" our license.
Not sure how the licence on cisco VPN client works but you certainly wouldn't have to upgrade your licence for more internal hosts.
It seems when sendmail starts up it takes the host name from a gethostname() which in turn is derived from a reverse lookup of the machine's IP.
It uses this hostname as the default "From" address in outgoing mails e.g. if the hostname was box.foo.bar mails from root would appear as root@box.foo.bar
In my setup foo.bar is an internal domain which isn't recognized by remote MTAs as being a valid domain, understandably.
So I'd like to change foo.bar to foo.bar.com so the box can send mails.
The catch is I don't want to change my hostname, which is on an internal scheme which is working well for a lot of other things.
So far I've tried in sendmail.cf:
Djfoo.bar.com
And a sendmail -bt -d0.4 gives:
Version 8.12.11
 Compiled with: DNSMAP HESIOD HES_GETMAILHOST LDAPMAP LOG MAP_REGEX MATCHGECOS
                MILTER MIME7TO8 MIME8TO7 NAMED_BIND NETINET NETINET6 NETUNIX
                NEWDB NIS PIPELINING SASL SCANF STARTTLS TCPWRAPPERS USERDB
                USE_LDAP_INIT
canonical name: box.foo.bar
         a.k.a.: box
 UUCP nodename: box.foo.bar
         a.k.a.: [10.1.1.1]

============ SYSTEM IDENTITY (after readcf) ============
      (short domain name) $w = box
  (canonical domain name) $j = foo.bar.com
         (subdomain name) $m = foo.bar
              (node name) $k = box.foo.bar
========================================================
So although the canonical domain name now reads right it still takes the foo.bar domain :(
Any ideas? exim? :)
On Thu, 2005-11-10 at 21:55, Nick Bryant wrote:
It seems when sendmail starts up it takes the host name from a gethostname() which in turn is derived from a reverse lookup of the machine's IP.
It uses this hostname as the default "From" address in outgoing mails e.g. if the hostname was box.foo.bar mails from root would appear as root@box.foo.bar
In my setup foo.bar is an internal domain which isn't recognized by remote MTAs as being a valid domain, understandably.
So I'd like to change foo.bar to foo.bar.com so the box can send mails.
Just set MASQUERADE_AS in sendmail.mc and restart sendmail with 'service sendmail restart' (the init script takes care of rebuilding sendmail.cf). If you want root's mail to also be masq'd, remove the EXPOSED_USER setting. If you are also receiving mail, be sure to put all the names to accept as local in the local-host-names file (also needs a sendmail restart).
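An added example, not from the thread and not sendmail's own tooling: a small POSIX shell helper that makes the sendmail.mc changes described above (MASQUERADE_AS, dropping EXPOSED_USER, masquerading the envelope as well) and checks the result. The sendmail.mc it works on is constructed; the domains foo.bar.com and foo.bar are the ones from the question.

```shell
# Added example, not from the thread: apply the MASQUERADE_AS advice to a
# sendmail.mc. The hostname (box.foo.bar) is left alone; only the sender
# addresses are rewritten. The sample sendmail.mc below is constructed.

# Write a constructed, stock-looking sendmail.mc to $1.
write_sample_mc() {
  cat > "$1" <<'EOF'
divert(-1)dnl
include(`/usr/share/sendmail-cf/m4/cf.m4')dnl
VERSIONID(`setup for Red Hat Linux')dnl
OSTYPE(`linux')dnl
EXPOSED_USER(`root')dnl
MAILER(smtp)dnl
MAILER(procmail)dnl
EOF
}

# $1 = sendmail.mc, $2 = public domain (foo.bar.com), $3 = internal domain (foo.bar).
masquerade_mc() {
  mc=$1; pub=$2; internal=$3; tmp="$mc.tmp"
  # Drop EXPOSED_USER(`root') so root's mail is masqueraded as well, and set
  # the MAILER() lines aside: the m4 setup expects them to come last.
  grep -v -e '^EXPOSED_USER(' -e '^MAILER(' "$mc" > "$tmp"
  {
    printf "MASQUERADE_AS(\`%s')dnl\n" "$pub"           # rewrite to user@foo.bar.com
    printf "MASQUERADE_DOMAIN(\`%s')dnl\n" "$internal"  # ... for addresses @foo.bar
    printf "FEATURE(\`masquerade_entire_domain')dnl\n"  # ... including box.foo.bar
    printf "FEATURE(\`masquerade_envelope')dnl\n"       # envelope sender too, not just headers
  } >> "$tmp"
  grep '^MAILER(' "$mc" >> "$tmp"
  mv "$tmp" "$mc"
}

# Return 0 if $1 masquerades as $2, has no EXPOSED_USER, and keeps MAILER() last.
check_mc() {
  grep -q "^MASQUERADE_AS(\`$2')dnl" "$1" || return 1
  grep -q 'masquerade_envelope' "$1" || return 1
  grep -q '^EXPOSED_USER(' "$1" && return 1
  masq=$(grep -n '^MASQUERADE_AS(' "$1" | cut -d: -f1)
  mailer=$(grep -n '^MAILER(' "$1" | head -n 1 | cut -d: -f1)
  [ "$masq" -lt "$mailer" ]
}

# On the real box: edit /etc/mail/sendmail.mc this way, add foo.bar.com to
# /etc/mail/local-host-names if the box also receives mail, then run
# 'service sendmail restart' (the init script rebuilds sendmail.cf).
# Verify the rewrite without sending anything:
#   printf '/tryflags HS\n/try esmtp root\n' | sendmail -bt
# which should report an address of root@foo.bar.com.
```

Because the init script regenerates sendmail.cf from sendmail.mc, a Dj line added to sendmail.cf by hand (as tried in the question) is lost on the next rebuild, so the change belongs in sendmail.mc.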
Many thanks, that was too easy (always is when you know how).