Fog Creek Software
Discussion Board

Recommend Hardware Firewall?

Coincidentally to the worm [grin]

I need a decent low-cost hardware firewall. I've worked (tangentially) with Pix before, and like it. I'm looking at this:
http://www.ecost.com/ecost/shop/detail.asp?dpno=330682

I *don't* have experience with the VPN/licensing side of things - does this include everything necessary to firewall web & application servers?

I'm also open to other suggestions, other than "build your own linux router".

Philo

Philo
Tuesday, August 12, 2003

Is there something wrong with a SOHO router like the Linksys DSL/CableModem routers? They are firewalls by default, unless you open up ports or set up DMZs.

Buy one with wireless in it (like the WRT54G), and get a twofer. :)

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, August 12, 2003

Brad makes a good point. By default those Linksys et al. cable modem routers are configured so everything is non-routable. If you need a robust solution with lots of features, Pix is the way to go. If you need to simply be protected, the Linksys is fine.

Mike
Tuesday, August 12, 2003


I second (third?) the recommendation of the Linksys router. I just replaced my wired one with a four port router, switch and Wireless Access Point for $115 Cdn. I plugged it in, gave it my cable settings and it just works.

In three years of using these things, I've never had down time and never had anyone hack through it to get at my home network.

I don't try to run any servers through it.  The facility is there, but it's not really industrial strength.  If you need home networking plus basic firewall protection you can't beat it.

Craig
Tuesday, August 12, 2003

Why not use Zone Alarm Pro?

It stopped the worm for me.

Tyrian
Tuesday, August 12, 2003

Yeah, I'm running my home network through a linksys. But I need real multiple-IP routing for several production servers.  VPN is pretty vital, too.

Philo

Philo
Tuesday, August 12, 2003

Well, if you need the honest to god stuff, the only recommendation I will make is to stay as far away as possible from anything from Watchguard. We have a SOHO router/firewall and a FireBox II, and the stuff is absolutely HORRIBLE to admin (oh, you want security updates? that's $1000/year, please).

Considering the FireBox II is actually a stripped down Linux PC, that's just ludicrous.

Brad Wilson (dotnetguy.techieswithcats.com)
Tuesday, August 12, 2003

I've been admining fireboxes for a few years. I don't think they are horrible. They are cheap on eBay. They work...

I like ipcop.org. All the rolling has been done for ya ;) That's what I use at home.

christopher baus
Tuesday, August 12, 2003

Nokia has some firewalls that run Check Point 1. Using Check Point doesn't necessarily make it good, but since many are familiar with that commercial product it might be a plus in your book. They are relatively pricey and aren't as fully featured as a real Check Point 1.

Li-fan Chen
Tuesday, August 12, 2003

> I'm also open to other suggestions, other than "build your own linux router"

Damn. I think I saw one that boots off a floppy or CD-RW... Which makes it fairly hack proof, and is probably easy to configure.

I also use & like the Linksys router. Easy to use, never had a problem with it. Just keep adding to it when you add more computers.

www.marktaw.com
Wednesday, August 13, 2003

I used a Linksys router on my DSL line for a couple of weeks, and had to get rid of it.

My ISP uses PPPoE, and the Linksys wouldn't stay connected for more than about two hours at a time. I switched to an SMC wireless router, and that works much better than the Linksys for me.

I've heard lots of good things about the linksys boxes for those not stuck with PPPoE, though.

Chris Tavares
Wednesday, August 13, 2003

Having used a Linksys router/wireless ap as well as a D-Link router/wireless ap, I have to recommend D-Link.  Service has been great, more features for less cost, and it works like a charm.


Wednesday, August 13, 2003

I also use PPPoE for DSL and have 0 problems with my Linksys firewall. I'm never disconnected longer than... well, Verizon.

www.marktaw.com
Wednesday, August 13, 2003

There's a nice list at http://cable-dsl.home.att.net/#HardwareFirewalls and http://www.practicallynetworked.com has good product reviews as well.

Nick
Wednesday, August 13, 2003

marktaw - probably smoothwall.

What's up Philo, have you got something against Open Source?

d&rfc


Wednesday, August 13, 2003

I've used smoothwall for about 2 years now. It's good. Easy install, easy to maintain, does proper DMZ, etc.

It has VPN stuff but I've never used it. I think you need to buy one of the commercial smoothwall products to get VPN that works with Windows easily, but I may be wrong.

Len Holgate (www.lenholgate.com)
Wednesday, August 13, 2003

"What's up Philo, have you got something against Open Source?"

Nope, just don't have time to babysit a firewall.

Also, now that I think of it, I'd rather not put pressure on our colo facility to charge us for another box. A hardware firewall *looks* like a firewall.

Philo

Philo
Wednesday, August 13, 2003

I am running a netscreen 5xp device now to protect an internal network and our webservers. Some things I can say about it:

Hard to configure: everything is broken into objects, and knowing how to glue them together is tough. The manuals stink at explaining it.
Expensive licensing for VPN: the 5xp only allows 10 users; if I want more I have to buy a bigger firewall (big money).
Every once in a while it dumps its configuration after a UDP attack.
Support sucks, impossible to get hold of.
Software updates are only available if you pay for them, and the prices we were quoted were not, in my opinion, realistic.

In the near future I am looking to put the 5xp in front of only our public machines and place a sonicwall pro 200 in front of the internal network, splitting the network into two more logical zones. The price points for the number of VPN users were nice, the interface looked much cleaner and the overall cost was not that bad at all. Sonicwall makes some smaller models and they looked interesting if I ever wind up throwing the netscreen against a brick wall in disgust.

We run some of our outside sales people behind Linksys routers and I run one at home. They are good for home use, but only offer a slim line of defense against many of the more complicated attacks I see going against our netscreen, namely surviving some of the flood attacks. I am considering doing a test with some SOHO sonicwall products to see if they will make the remote offices more secure and reliable.

The one thing I can say I like about having a netscreen rather than a simple Linksys in front of our servers is that, although the rules are complicated to set up, we have been well served by being able to block constant problem IP addresses and certain web crawlers that were poorly written and banging the servers too hard.

I would recommend against anything with a wireless connection. We have a wireless access point in our warehouse that leaks its signal outside of the building at two points, and I have seen some very nice attacks on it, and we are not in an area that lends itself to easy scanning and casual curiosity. The simple security of the Linksys was easily compromised in that case. Also, we are considering no longer allowing our remote users to use wireless networking until we can better address the security of their connections.

Jeff
Wednesday, August 13, 2003
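Jeff's point about blocking problem addresses and badly written crawlers that hammer the servers is a log-analysis job before it is a firewall job: you need to know which clients are over the line before you can write the deny rule. The script below is an added example for this thread, not Jeff's NetScreen configuration or any vendor's code. It parses Apache combined-format access log lines (the sample lines, addresses and user agents are all constructed), finds clients whose peak request rate within a sliding window exceeds a threshold, and renders a vendor-neutral deny list from the result.

```python
"""Flag clients that are hammering a web server, from its access log, so their
addresses can be fed to the firewall's block list.  Added example for this
thread, not Jeff's NetScreen rules or any vendor's code; the log lines are
constructed (Apache combined format) and every address and user agent is made up."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse(line: str) -> Optional[dict]:
    """One combined-format line -> the fields we need, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "ua": m["ua"], "status": int(m["status"])}


def offenders(lines: List[str], max_requests: int,
              window_seconds: int) -> Dict[str, Tuple[int, str]]:
    """Clients whose peak request count inside any sliding window of
    window_seconds exceeds max_requests -> {ip: (peak count, user agent)}."""
    times = defaultdict(list)
    agents = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                      # tolerate garbage; real logs have it
        times[rec["ip"]].append(rec["ts"])
        agents[rec["ip"]] = rec["ua"]     # last user agent seen for the address
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            # slide the window start forward until it covers at most window_seconds
            while (t - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = (peak, agents[ip])
    return flagged


def deny_rules(flagged: Dict[str, Tuple[int, str]]) -> List[str]:
    """Render the block list as vendor-neutral 'deny from' lines, one per address."""
    return [f"deny from {ip}  # peak {count} requests, UA={ua!r}"
            for ip, (count, ua) in sorted(flagged.items())]


def _line(ip: str, second: int, ua: str, path: str = "/index.html") -> str:
    # constructed combined-format line; the date is just the thread's date
    return (f'{ip} - - [13/Aug/2003:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.0" 200 1234 "-" "{ua}"')


# constructed sample: one runaway crawler, one browser, one well-behaved crawler
SAMPLE_LOG = (
    [_line("198.51.100.7", s, "BadBot/0.1", f"/page{s}.html") for s in range(12)]
    + [_line("192.0.2.44", s, "Mozilla/4.0 (compatible)") for s in (0, 25, 50)]
    + [_line("192.0.2.77", s, "PoliteCrawler/1.0") for s in (0, 20, 40)]
    + ["not a log line at all"]
)

if __name__ == "__main__":
    for rule in deny_rules(offenders(SAMPLE_LOG, max_requests=10, window_seconds=30)):
        print(rule)
```

With a threshold of 10 requests per 30 seconds only the runaway crawler is flagged; the browser and the polite crawler stay well under it. The threshold and window are the knobs to tune against your own traffic, and the user agent is recorded with each hit so a persistent misbehaving crawler can be recognised even when it moves address.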

I was just being sarcastic, Philo. There've been so many I Hate OS threads these last few weeks that they were getting on my nerves.


Wednesday, August 13, 2003

Philo,

You have multiple (Windows OS - I assume) co-located boxes and you don't have firewall?!?  My god...

Unfortunately, I don't have much to add to the discussion: My home is protected by a Linux-based firewall (my old PC) and I cried after my last attempt at getting VPN working with it.  ;)

Almost Anonymous
Wednesday, August 13, 2003

We also use NetScreen devices and I can confirm what Jeff says: they can be complex to configure, and the configuration interface can be slow too. However they also seem to work quite well and are very flexible with things like remapping external IP addresses or ports to specific internal addresses or ports.

For a lower-end solution with VPN, I've used the Netgear FVS318, which is easy to set up and VPNs into the Netscreen (and other VPNs I assume). I've had problems when an internal computer tries to start a software IPSec VPN that passes through the Netgear. But then, you're not supposed to do that with IPSec. Otherwise it's been very solid.

I've not been too impressed with Linksys equipment; the configuration interface is slow and flaky, although this may be changing -- the new WRT54G has a faster, more-reliable configuration interface.

Nate Silva
Wednesday, August 13, 2003
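Two posts in this thread describe the same mechanism from different angles: Brad's, that a SOHO NAT router is a firewall by default "unless you open up ports or set up DMZs", and Nate's, that the NetScreen is flexible at "remapping external IP addresses or ports to specific internal addresses or ports". Both come down to a default-deny policy on the WAN side plus explicit exceptions. The toy model below is an added example for this thread, not any vendor's firmware or a poster's configuration; the addresses, ports and host names are constructed. It tracks outbound connections so replies are admitted, delivers unsolicited inbound packets only through a port forward or to a DMZ host, and drops everything else.

```python
"""Toy model of how a SOHO NAT router behaves as a firewall: LAN-initiated
connections are tracked and allowed out, and anything arriving unsolicited on
the WAN side is dropped unless a port forward or a DMZ host explicitly exposes
it.  Added example for this thread, not code from any router vendor or poster;
all addresses, ports and host names below are constructed."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

WAN_IP = "203.0.113.10"   # the router's public address (constructed)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class SohoRouter:
    lan_prefix: str = "192.168.1."
    # "open up ports": (proto, external port) -> (internal host, internal port)
    port_forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)
    # "set up a DMZ": one internal host that receives every unmatched inbound packet
    dmz_host: Optional[str] = None
    # connection tracking: (proto, lan host, lan port, remote host, remote port)
    conntrack: Set[Tuple[str, str, int, str, int]] = field(default_factory=set)

    def outbound(self, pkt: Packet) -> Tuple[str, str]:
        """LAN -> Internet.  Allowed, and remembered so the reply can come back.
        The source port is kept unchanged to keep the model simple."""
        if not pkt.src.startswith(self.lan_prefix):
            return ("DROP", "source is not a LAN address")
        self.conntrack.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return ("ACCEPT", f"masqueraded as {WAN_IP}:{pkt.sport}")

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Internet -> WAN interface.  Default deny; returns the verdict and the
        internal host:port the packet is delivered to, if any."""
        if pkt.dst != WAN_IP:
            return ("DROP", None)
        # 1. reply to a connection a LAN host opened earlier: same peer, same ports
        for proto, lan_host, lan_port, remote, rport in self.conntrack:
            if (pkt.proto, pkt.src, pkt.sport, pkt.dport) == (proto, remote, rport, lan_port):
                return ("ACCEPT", f"{lan_host}:{lan_port}")
        # 2. an explicitly opened port, remapped to an internal address and port
        fwd = self.port_forwards.get((pkt.proto, pkt.dport))
        if fwd is not None:
            return ("ACCEPT", f"{fwd[0]}:{fwd[1]}")
        # 3. a DMZ host takes everything else, on every port: it is fully exposed
        if self.dmz_host is not None:
            return ("ACCEPT", f"{self.dmz_host}:{pkt.dport}")
        # 4. no state, no forward, no DMZ: the packet never reaches the LAN
        return ("DROP", None)


def demo() -> Dict[str, Tuple[str, Optional[str]]]:
    """Run a few constructed packets through two router configurations."""
    router = SohoRouter(port_forwards={("tcp", 80): ("192.168.1.20", 8080)})
    results = {}
    # unsolicited connection attempt from the Internet: nothing matches, dropped
    results["unsolicited"] = router.inbound(Packet("198.51.100.7", 40000, WAN_IP, 445))
    # web traffic to the one opened port is handed to the internal server
    results["web"] = router.inbound(Packet("198.51.100.7", 40001, WAN_IP, 80))
    # a LAN host browses out; the reply from that peer is let back in
    router.outbound(Packet("192.168.1.5", 51000, "198.51.100.9", 443))
    results["reply"] = router.inbound(Packet("198.51.100.9", 443, WAN_IP, 51000))
    # same port, different peer: not part of the tracked connection
    results["forged_reply"] = router.inbound(Packet("198.51.100.8", 443, WAN_IP, 51000))
    # a DMZ host, by contrast, is reachable on every port
    dmz = SohoRouter(dmz_host="192.168.1.99")
    results["dmz"] = dmz.inbound(Packet("198.51.100.7", 40002, WAN_IP, 445))
    return results


if __name__ == "__main__":
    for name, (verdict, target) in demo().items():
        print(f"{name:13s} {verdict:6s} -> {target}")
```

The last case is the caveat behind Craig's "I don't try to run any servers through it": a DMZ host gets every port, so it has to be hardened as if it sat directly on the Internet, whereas a port forward exposes exactly one service. Real conntrack also ages entries out and rewrites source ports on collision; the model leaves both out.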

What are you going to use the firewall for? Is it just a web server or a whole company network?

Personally I have good experiences with SonicWalls.

Martin Schultz
Wednesday, August 13, 2003

Cyberguard, however I might be a bit biased. There exists a low end model, however most of the products are geared towards enterprise customers.

I'd suggest going to ICSA's website, and looking for a certified firewall vendor. There were lots of SOHO type stuff listed, and it's a fairly decent evaluation. I think there might be documents describing features of each appliance at their site.

Look at VPNC's site for VPN devices. They also have documents describing how to set up VPN gateways of VPNC members -- so you can take a look at how hard/easy VPNs are to set up.

SG
Wednesday, August 13, 2003

AA - not yet. Right now it's just the single colo'd box running a software firewall. I'm configuring box number two right here - thus the "sudden need". [grin]

And - agreed on Linux/VPN. That's when I bought my linksys router for home.

Philo

Philo
Wednesday, August 13, 2003

Linksys DSL/cable router for me too.
Foolproof

Bella
Saturday, August 16, 2003

Bella, you've got to work on your reading comprehension. Really.

Philo

Philo
Saturday, August 16, 2003
