[CentOS] [OT] Corporate Firewall

Nick Bryant list at everywhereinternet.com
Fri Nov 11 01:32:17 UTC 2005

*if* you have a cisco router connecting you to your ISP you could always
look at adding the firewall feature set to it? 

> The company I work for is in the market for a new firewall.  Right now
> we're hosting all of our own stuff (on CentOS servers) behind an old
> checkpoint firewall.
> I think Checkpoint is overkill for our needs and very expensive, plus I
> don't like the "per-user" charges of some commercial solutions.  What do
> you guys suggest that we upgrade to?  Here are some of the features that
> I would like:
> 1) decent gui, either web based or a local client

As of 12.4 you get a decent(ish) web based GUI. (see www.cisco.com/go/sdm)

> 2) usage graphs based on protocol.  So if our tiny T1 is saturated, I
> want to be able to find out what's eating up the bandwidth

Ciscos can export NetFlow stats into something like ntop for analysis.
Although better still, you can configure yourself a nice CBWFQ Quality of
Service policy so people can't eat bandwidth needed by other services.

> 3) VPN-friendly for a couple of road-warriors.  There won't be any
> remote offices so no server-to-server setups, just remote clients.

Cisco has a VPN client.

> 4) we have a DMZ and about 30 machines on the local network.  Everyone
> has a "normal" IP address, meaning that no one is behind NAT.  So it
> needs to handle this (which is pretty basic stuff)

Not a drama.

> 5) high-availability.  So if I buy two machines, one can successfully die
> and the other take over.

Cisco has many ways of doing high availability (depending on how your ISP
connection comes in) but then a router doesn't have as many working parts as
a PC based solution so is less likely to go wrong.

> 6) no per-user charges.  If the company hires a dozen people next year,
> we shouldn't have to "upgrade" our license.

Not sure how the licence on cisco VPN client works but you certainly
wouldn't have to upgrade your licence for more internal hosts.
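An added illustration (not part of the thread) of the two IOS features mentioned above for item 2, NetFlow export to a collector such as ntop and a CBWFQ policy on the T1. Interface names, the class/policy names, and the collector address 192.0.2.10 are assumed placeholders; it also assumes IOS 12.4 with NBAR available.

```cisco
! Added example, not from the original post. Assumed: Serial0/0 is the T1
! to the ISP, ntop (or any NetFlow v5 collector) listens on 192.0.2.10:2055.
!
! --- NetFlow export: lets you see per-protocol usage when the T1 is full ---
ip flow-export version 5
ip flow-export destination 192.0.2.10 2055
!
interface Serial0/0
 description T1 to ISP
 ip flow ingress
 ip flow egress
!
! --- CBWFQ: guarantee bandwidth to the services that matter ---
! NBAR classification (match protocol) so one class cannot starve another.
class-map match-any VOICE
 match protocol rtp audio
!
class-map match-any MAIL-WEB
 match protocol smtp
 match protocol http
 match protocol secure-http
!
policy-map WAN-OUT
 ! strict-priority queue for voice, policed to 20% so it cannot hog the link
 class VOICE
  priority percent 20
 ! mail and web get at least 40% of the link whenever it is congested
 class MAIL-WEB
  bandwidth percent 40
 ! everything else shares what is left, flow-fairly
 class class-default
  fair-queue
!
! Apply outbound on the WAN link (congestion is on the T1, not the LAN)
interface Serial0/0
 service-policy output WAN-OUT
!
! Check it: "show policy-map interface Serial0/0" shows per-class packet
! counts and drops; "show ip cache flow" shows the top talkers locally.
```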
