
Hardware firewall - growing network

  • 26-01-2006 1:30am
    #1
    Registered Users Posts: 2,030 ✭✭✭


    We currently use an old PC with a copy of IPCop on it as our broadband firewall and it works very well.

    However, the network is growing, gone from 4 people to 15 over the last 6 months, not to mention servers and appliances being added, so I need to get some kind of hardware firewall set up for the office.

    We have a managed switch - so we don't need a built in switch but we need something that can handle up to 50 users, and can do port forwarding. VPN would be nice but not essential.

    I've looked at some Cisco PIX appliances but they're pretty expensive (or they only allow 15 users).

    Are there any hardware firewalls that don't have a per user licensing system and does a server count as a user (none of the sales people I've talked to seem to know!)?

    Any advice or recommendations appreciated.


Comments

  • Registered Users Posts: 2,393 ✭✭✭Jaden


    I have an IpCop machine running, protecting 75+ users, plus a 6 point VPN.

    Just run IpCop on a bigger PC if you think it's the bottleneck. Mine's on a 1.6GHz P4 with 512MB RAM, and it's nowhere near capacity.


  • Registered Users Posts: 3,087 ✭✭✭Static M.e.


    Did you look at Sonicwall ?

    Actually not sure about the licensing system in place, but I'll see if I can find out.


  • Registered Users Posts: 2,030 ✭✭✭colm_c


    Not really worried about a bottleneck - it's just a concern that a free firewall isn't as good as a firewall with money invested in R&D, and the fact that support is only a phone call / email away.

    Plus having that old PC in the cabinet is flugly to say the least.

    I think I looked into sonicwall before and they have some funny licensing thing... but any info appreciated...


  • Registered Users Posts: 2,393 ✭✭✭Jaden


    I understand that the perception of free can't be as good as paid for. It's a natural thing to assume.

    However, consider Apache. It's free, and it is the platform on which the majority of the world's webservers run. Why? Because it is considered the best solution available.

    I dumped a VERY expensive firewall/router/VPN setup in favour of IpCop. We had Cisco Routers and Netscreen Firewalls all over the place. IpCop does everything this setup could do, and a great deal more. It is also a lot easier to maintain.

    If you are just dying to spend money on this, buy a new PC for IpCop to run on, or even a 1U rackmount server with 2 or 3 network cards. Now it looks lovely in your cabinet.

    Don't let concerns over the fact that you don't have to pay through the nose put you off. I would happily take the pepsi challenge with IpCop versus any over-priced firewall setup you care to mention.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    colm_c wrote:
    Not really worried about a bottleneck - it's just a concern that a free firewall isn't as good as a firewall with money invested in R&D, and the fact that support is only a phone call / email away

    IPCop support is only a google search away. If you really need the fuzzy blanket of paid-for support, there are commercial firewall distros out there - Smoothwall (half-brother of IPCop) has a commercial version, as does Clarkconnect.

    WWMan has already pointed out the folly of believing a commercial product is automatically better than a free/open source application.


  • Registered Users Posts: 218 ✭✭Screaming Monkey


    Some background: these are the top commercial firewall vendors based on worldwide share, so for your environment look at the following.
    1) Checkpoint firewall-1
    http://www.checkpoint.com/products/vpn-1_edge/vpn-1_edge_chart.html
    2) Cisco PIX - (501, 506), but only the 515 supports the latest OS, this might put you into a higher price bracket
    http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html
    3) Netscreen
    http://www.juniper.net/products/integrated/ns_5series.html

    Other commercial firewalls worth a look Sonicwall, Watchguard and Symantec firewall.

    The firewall market is very competitive at the moment, so you should get a good deal on a commercial firewall. Kind of surprised at the PIX, it's usually quite competitive price-wise, and the Sonicwalls are very good too but slightly overpriced for some reason.

    Now as for IPCop and the "pepsi challenge"
    1) IPCop is a free <25 user firewall, designed for technically aware users.

    2) You can get a certified commercial grade firewall for a decent price, with proper support. You shouldn't need to look at IPCop.

    3) Apache is open source and successful, but that doesn't mean that all open source projects are great; we're talking about apples and oranges here. Apache is an application, the main design criteria are performance and flexibility with no security holes. A firewall is the keys to your kingdom, with absolute requirements for security first.

    4) IPCop might beat a commercial firewall at the 25 user level with one or two features or the price (free), but in a company with 50+ users, looking for a security certified firewall http://www.checkpoint.com/products/certifications/ from a company that specialises in firewalls with 10yrs R&D, installed worldwide in high security environments, audited by a large number of 3rd parties and security professionals, I think your IPCop would fail the test.

    If you were a bank wanting to protect a small remote site, would it be IPCop or FW-1/PIX/Netscreen?, even though they might use Apache for their webservers.

    ...So at the end of the day if you're comfortable with supporting and managing IPCop go for it, it's very good, but I would suggest you have a look at one of the top 3 firewall vendors, get it from a security reseller in Ireland, who will provide you with support, and if something goes wrong or doesn't work you can ring them up and shout at them.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Screaming Monkey wrote:
    1) IPCop is a free <25 user firewall, designed for technically aware users.

    Actually, it's designed for people who know little more than how to put a CD into a computer and click a mouse on a web page.

    I'd trust IPCop with far more than 25 hosts, depending on the hardware I could throw at it.

    I'd also personally trust netfilter/iptables as much as I'd trust Checkpoint or Cisco code.


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,852 Mod ✭✭✭✭Capt'n Midnight


    What is the firewall for?

    Are you protecting a buying-online site?
    Are you using / intending to use VPN?
    Will the only access be webmail?
    Are your users just browsing & email with no extranet?

    Apart from the slight HW cost there is nothing stopping you using both in series; incoming tunnels would be a bit trickier and other rules would have to be set up twice.

    Also have a look at http://secunia.com/search/?search=firewall&w=0


  • Registered Users Posts: 2,030 ✭✭✭colm_c


    Are you protecting a buying-online site?
    Nope

    Are you using / intending to use VPN?
    Yes, we are currently using 3 to connect to clients' networks

    Will the only access be webmail?
    There are several access points into the network, including our intranet / wiki (password protected), a couple of search appliances which we'll be getting in a few weeks. There's also access for a couple of software vendors to a server on our network for updating purposes. Most of these just use simple port forwarding with an IP check.

    Are your users just browsing & email with no extranet?
    Users have access to use whatever applications they need - no restrictions apart from P2P.

    http://secunia.com/search/?search=firewall&w=0
    I'll take a look at that - Cheers


  • Registered Users Posts: 559 ✭✭✭ZygOte


    For SME you would be crazy not to look at Sonicwall's stuff, they are really good, any 'tard can use one and never have problems.


  • Closed Accounts Posts: 2,161 ✭✭✭steve-hosting36


    Look also at http://www.m0n0.ch/wall/


  • Registered Users Posts: 2,393 ✭✭✭Jaden


    Interesting points raised.

    I'm unsure where this <25 user figure comes from. I have no experience with any limitations regarding the number of users and IpCop. Conversely, I think it scales quite well. There are no licensing issues as per Sonicwall and others.

    Network security has never been about throwing money at a problem. Theoretically, if every machine on a network was perfectly set up, with no known OS vulnerabilities unpatched, then a firewall is almost a moot point. As it is, firewalls exist as a "safety net", and should simply be one more step between you and the nasties that exist.

    A good, secure setup is not rocket science.

    * Tie down all machines so that the minimum level of user privilege is required.
    * Minimise the number of services that any machine runs.
    * Have updates done automatically, with critical machines checking several times a day.
    * Isolate (DMZ) any servers, so that even if they are compromised, at least they are contained.
    * Isolate wireless connections from your main network.
    * Allow only what is needed from the outside to the inside of your network.
    * Deny all outbound, unless expressly required. In fact, Default Deny is a good approach to anything security related.
    * Regarding e-mail, filter at the server level. Why in God's name does anyone accept .exe or .pif attachments? Remove any attachment that can execute code. Download and quarantine if need be, but don't pass it on to users.
    * Ensure your firewall can only be administered internally, or externally after jumping through hoops. HTTPS and SSH are your friends here.
    * Ensure that your firewall knows if it has been tampered with, a la Tripwire or other IDS.
    * Turn on firewalls at the PC level, regardless of how much you trust your main firewall.
    * Use MAC filtering on DHCP requests. Deny unknown MAC addresses.
    * Filter out all HTTP requests to suspect sites or content. Squid is great for this.

    Do all this, and there is no need to go out and spend a packet on commercial solutions. Of course if you're a bank, there is a small army of consultants you need to feed, so get the most expensive solution you can, just for the warm fuzzy feeling effect.

    Just a small point, but one that needs to be made. IpCop is not free, it's open source. Smoothwall is a commercial code branch that you can buy, if that's your thing. It may seem like a pedantic point to make, but open source projects mean that a certain standard of production is maintained. To compare Apache and IpCop is perfectly valid. Both are popular open source projects that are striving to be the best at what each does.

    As a side, if you are not willing to learn about network security, firewalling and routing, then you are always going to be exposed to threats, regardless of what solution you pick, and how much it cost. Ignorance is always the biggest threat. Having a support contract so that I can ring people up and shout at them is a lot less preferable than being able to fix something myself.
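    The checklist above (allow only what is needed inbound, default-deny outbound, admin only from the inside over HTTPS/SSH, servers contained in a DMZ) and the OP's "port forwarding with an IP check" can be modelled as a first-match, default-deny ruleset. This is an added illustration, not IPCop's code or anything posted in this thread; the address plan, the firewall's inside address and the vendor host are constructed, and the vendor rule represents the source-checked port forward by its post-NAT internal destination.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str            # "accept" or "drop"
    src: str               # CIDR the packet's source must fall in
    dst: str               # CIDR the packet's destination must fall in
    dport: Optional[int]   # TCP/UDP destination port, None matches any port
    note: str = ""

# Constructed address plan: LAN users, a DMZ for servers, one vendor's update host.
LAN, DMZ, ANY = "10.0.0.0/24", "10.0.1.0/24", "0.0.0.0/0"
FW_ADMIN = "10.0.0.1/32"    # firewall's inside address, where HTTPS/SSH admin listens
VENDOR = "203.0.113.10/32"  # hypothetical software vendor, the only source allowed through the forward

POLICY: List[Rule] = [
    Rule("accept", LAN, FW_ADMIN, 443, "firewall admin over HTTPS, inside only"),
    Rule("accept", LAN, FW_ADMIN, 22, "firewall admin over SSH, inside only"),
    Rule("accept", ANY, "10.0.1.10/32", 443, "password-protected intranet/wiki in the DMZ"),
    Rule("accept", VENDOR, "10.0.1.20/32", 3389, "port forward to the update server, source-checked"),
    Rule("accept", LAN, ANY, 80, "outbound web"),
    Rule("accept", LAN, ANY, 443, "outbound web (TLS)"),
    Rule("accept", LAN, DMZ, None, "LAN may reach DMZ servers; DMZ -> LAN has no rule and is dropped"),
]

def decide(src: str, dst: str, dport: int) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    s, d = ip_address(src), ip_address(dst)
    for r in POLICY:
        if s in ip_network(r.src) and d in ip_network(r.dst) and r.dport in (None, dport):
            return r.action, r.note
    return "drop", "default deny"

def exposed_admin_rules(policy: List[Rule] = POLICY) -> List[str]:
    """Audit: notes of accept rules letting a non-LAN source reach the firewall's admin ports."""
    lan, fw = ip_network(LAN), ip_network(FW_ADMIN)
    return [r.note for r in policy
            if r.action == "accept" and r.dport in (22, 443, None)
            and fw.subnet_of(ip_network(r.dst))
            and not ip_network(r.src).subnet_of(lan)]
```

    The audit function is the kind of check a Tripwire-style tamper alarm does not give you: it catches a rule that quietly opens the admin ports to the outside before it is loaded.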


  • Closed Accounts Posts: 884 ✭✭✭NutJob




    I have used this and have seen performance statistics, and on a Pentium 266 with 512 RAM it can nearly saturate the cable.

    Performance rocks, and as for features, stability, value for money and the R&D concerns...

    Ever tried to use Windows to share a net connection for 4 PCs? (yes, unfair comparison, but .....)

    -The only firewall/router problems I ever had was Eircom's Netopia crap that used to crash when I took a day off or was at lunch :-(



    Oh, and the post below by Jaden/above covers a large area and is all good.


  • Registered Users Posts: 5,335 ✭✭✭Cake Fiend


    Jaden wrote:
    As a side, if you are not willing to learn about network security, firewalling and routing, then you are always going to be exposed to threats, regardless of what solution you pick, and how much it cost. Ignorance is always the biggest threat.

    This is a point I wish more managers and directors (and technicians for that matter) would get through their skulls.


  • Closed Accounts Posts: 1,338 ✭✭✭hobie


    NutJob wrote:
    The only firewall/router problems I ever had was Eircom's Netopia crap that used to crash when I took a day off or was at lunch

    NJ, would you have the same reservations about Netopia on a "single home user" installation ? :confused: .....

    I notice Eircom currently supply Netopia routers as part of their broadband packages for home use ....


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Off point, but no problem for home use.

    Reason being it's not locked in a server room and is easy to turn off and back on again.


  • Closed Accounts Posts: 1,338 ✭✭✭hobie


    NutJob wrote:
    no problem for home use

    O-Key-Doke .... :)


  • Moderators, Recreation & Hobbies Moderators, Science, Health & Environment Moderators, Technology & Internet Moderators Posts: 90,852 Mod ✭✭✭✭Capt'n Midnight


    NutJob wrote:
    Off point, but no problem for home use.

    Reason being it's not locked in a server room and is easy to turn off and back on again.
    Ye olde trick, domestic gear doesn't have the duty cycle that the more expensive stuff has, so stick it on a timer switch so it gets powered off at say 4am every night. (or if it's really acting the maggot at lunch time too - so you can have it "fixed" after lunch ;) )


  • Closed Accounts Posts: 884 ✭✭✭NutJob


    Simple, smart, I like it. Lunch time it is :)

    Unfortunately I plan to replace it, looking at replacements now.


  • Registered Users Posts: 785 ✭✭✭voodoo


    Hi all,

    I work for a Security Solutions reseller and we have an R&D department in Germany that is looking at technology called UTM - Unified Threat Management.

    Our search has shown that Fortinet is an excellent technology that gives everything from Firewall through to Gateway AntiVirus checking, Intrusion Prevention, VPN, Content Filtering and Anti-Spam.
    It has also been selected by IDC as being the best UTM product in its space.
    www.fortinet.com

    The product is extremely competitively priced considering it's an appliance with all of this security on-board....

    I am not trying to sell commercially here, but just wanted to bring some new technology to your attention.

    Anyway, hope someone finds it useful

