Slashdot Mirror
A Dedicated Firewall for a Small Town?
Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an applicance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."
Or rather, 1/10 that price on hardware, and the rest on skilled maintenance and installation.
Watchguard Fireboxes are good, based on linux (unfortunately requiring windows to manage, or wine perhaps?), and will run $1500. Use the rest to pay someone will a clue to keep it up to date with good rules and security policies.
Karma: Chameleon (mostly due to the fact that you come and go).
Spending money on proprietary closed-source solutions. Get IP cop! It's free, costs nothing and works.
More details would help a lot (number of systems, incoming connections, type of services provided, etc.), but I do think you can do better. Take a look perhaps at WatchGuard. Nice easy interface, comes with 6 interfaces for various internal & DMZ segments and VPN. You could probably get a pair of X1000's for failover, a couple of years of security service and still be far less than $13,000. Plus I personally think it would be a better setup.
There are many others out there also, but I have had success installing these for folks who want to manage the setup themselves.
Hey, I presume that you guys use no firewall now. And you have Windows servers on the netowork! What kind of city is that?
:-P
Maybe I could make myself president of some company, or heck, be a mayor
The hip way to get your IP. No ads, ever.
I'd throw OpenBSD on there. And scale down the hardware a lot. You will run out of bandwidth on your bus before you run out of CPU. Get two boxes and run CARP for fail over. That way when you patch the box your whole network doesn't go down. Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
http://www.smoothwall.org./ That's all you need.
You need to tell us more about your requirements. That said, if you want a basic firewall, consider Cyberguard's SG family of firewalls, which are essentially little Linux appliances with an easy-to-use web interface. They're far less expensive than $13K.
So, I'm betting the real issue will be selling a cheaper or open source solution to people who are not in IT and are used to paying big money for anything "reputable"... I guess the strategy I would use would be to put a chunk of money into a "reputable" consultant who would then sell them on the OSS option. Remember, in business and in politics it's often about making them feel secure, regardless of whether or not they actually are. Somehow Microsoft and Norton branded products provide that sense of security to many outside of the IT field, so they'll continue to get the business unless you can provide them with that same sense of security at a cheaper price.
Give us a number of workstations and servers currently in operation and we'd give you a better answer. Are you small like Salem, OR? If so the solutions suggested so far are reasonable. But if you're small like Condon, OR (three full time employees, two part time, and about 20 volunteers, all centered in a single building) then I'd suggest something more along the lines of a Linksys or Netgear router is more what you should be looking at; both in terms of stability and ease of remote managment.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Try an ImageStream rebel router. It can serve as a direct termination point for your T3/T1 with no other equipment, it routes obviously, and it runs linux so you can ssh into it and configure iptables just as any other linux box.
No hard disk, it's flash based for reliability.
With a T3 card it'll be about $7000 so it's not cheap, but if it replaces some overpriced cisco crap along with the firewall, it could be a real money saver.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
So it's a small city or town. Like Minneapolis is a small city or are you talking Hickville Arkansas?
Come on, you need to be far more specific in your question than that if you want a helpful answer. How big is the network? How many workstations and servers and what operating systems are they all. How much internet traffic is going out and how much is coming in? What type of traffic, is it all http or do you run a lot of h.323 video conferences?
Do you need to provide protection for 10 Windows workstations that surf the web and get email via Hotmail accounts sharing a DSL line or, do you need to firewall several hundred workstations and have 50 servers in a DMZ all connected to the internet via dual OC-3's and running BGP4?
Additionally, what sort of firewalling are you looking for? Do you want a simple packet filter like IP Tables can provide or are you looking for a stateful, deep inspection, application layer gateway with two-way content filtering, proxy service, ids/ips and activity logging/recording based on user/group/ip address/url?
Based on the information that you provided, it is impossible for anyone to accurately answer whether the solution is the right one or if they should instead buy a Linksys cable router or a $100,000 Nokia system.
Perhaps I'm missing the point of your question, but why does your network security sysadmin have to be on staff? Or even local? Or even on the same side of the planet as you? It seems to me that you could contract this firewall function out to any network security firm for less than the amount you were quoted.
are both free and capable.
Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff.
I'm no "big time sysadmin" either but I have some security knowledge. Security is not a "set and forget" operation. You don't need a full-time dedicated person but you do need someone to keep up with fixes, etc. Otherwise, you're throwing money down a hole.
It's simple: I demand prosecution for torture.
Whether you're talking "Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4" or "OpenBSD on there. And scale down the hardware a lot" or even a heavy-duty appliance box, the cart is in front of the horse, here. Don't know if that's a reflection of the planning or your thinking.
Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."
Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.
Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.
The living have better things to do than to continue hating the dead.
Just wondering (as a Watchguard owner)...
What problems and restrictions do you have with the Watchguard product?
(Other than the obvious... needing Windows... that is)
TIA
--Phillip
Can you say BIRTH TAX
Cisco 2000 (or, for large values of "small" 3000) series Integrated Services Router.
I'm a a set-top box software QA guy, and even I know that!
-Peter
Why does this sound like you're trying to build an electronic Maginot Line?
"Every decent man is ashamed of the government he lives under." - H.L. Mencken
Take a look at Watchguard Firebox (www.watchguard.com). It's an appliance based on a Linux kernel and support is excellent. I'm not sure on your functional requirements, but something like an x1000 will set you back only about $2800. I've supported at least a 2-3 dozen over the years and they are a joy to work with.
I may be a little bit biased, but I've been working in the security industry for years. I've touched just about every firewall solution on the market, especially since the company I currently work for sells just about every firewall solution on the market.
Two reasons I do not like firewalls which run on top of an OS like Windows, Linux, or BSD:
1. They run a full OS. The device and software are Turing complete, which means that if someone cracks the box somehow, it would allow them to run scripts or compiled apps that do other nastiness (using it to scan your internal network, compromise other machines, etc). In addition, depending on the product, you are responsible for OS updates, not the firewall vendor.
2. Bringing up a device that is not an appliance is not just a quick "slap it in a rack and have it working in 5 minute" ordeal. It's usually something along the lines of procure a box, install the OS, make sure OS works with the hardware (NIC drivers, etc), install firewall software, possibly install management software on your machines which will be managing it, etc. This takes time. What if the box croaks and you need to replace it quickly?
My recommendations:
1. NetScreen. These are custom hardware running ScreenOS. There is no scripting capability on the device, and no compilers out there that would even let you compile apps that run on it. It's manageable via ssh, https, or through a management server called NSM if you like that sort of thing (useful in large deployments). They have options for web filtering and deep inspection for catching nastiness. Additionally, the policies are based not on on IP, but also on Zones. Each interface is dropped into a zone, and those zones are specified when creating rules. This both enhances security, and makes your policy base much simpler when using more than two interfaces.
2. Cisco PIX. While I don't really like the pix, it actually is a decent firewall. It doesn't offer much in the way of advanced features, but it's an appliance, it's straighforward, and quick to implement. On the downside, it's comparable in price to the NetScreen, so there's no real reason to use it unless you absolutely must use Cisco.
On a side note, I don't really like Checkpoint at all. Not only does it run on a full fledged general OS, their licensing is a pain to deal with, I've had major problems with bugs in advanced features, and you MUST install a separate management server and use a GUI to manage the thing. The GUI only runs under windows. I have more reasons I don't like it, but I think the above is reason enough to stay away from it.
Need Free Juniper/NetScreen Support? JuniperForum
I'll throw out my recommendation for m0n0wall. It's a livecd-based firewall package which is based on FreeBSD. Boot off of the CD, and config is held on a floppy, flash drive, etc. It has all the benefits of the FreeBSD network stack w/ the addition of a very robust web administration page. It's a snap to set up, and given decent hardware (fairly recent PC, Intel NICs, half-gig of RAM, etc), it'll outperform Symantec's offerring by several orders of magnitude, both in terms of feature set and network throughput.
Lucent's Brick firewall is a dedicated appliance that's very easy to use and manage. Throughput is terrific and the price is reasonable. The Brick runs Inferno, an operating system which traces its roots back to Bell Labs, the birthplace of Unix.
0 17-STID+10080-SOID+1649-LOCL+1,00.html
The bricks are managed using an easy to use GUI that is Java based and runs on Windows or Unix. The management station is separate from the Brick hardware, but can be anything, even just your desktop Win2K Pro box. The managment station is not in the path of traffic, it's just a computer behind the firewall.
Configuration is simple and the reporting functions are easy to use. The learning curve is very shallow, but the Brick is capable of quite advanced functions.
Failover is incredibly simple, just buy a second identical brick and check one checkbox in the managment GUI.
http://www.lucent.com/products/solution/0,,CTID+2
This link is to the model 150, but there are lots of models. They all work the same way, what you pay just determines the amount of throughput and number of interfaces.
A 500-person company I know uses a Sidewinder firewall for enterprise use, and Checkpoint FW-1 appliances from Nortel for a serverfarm. Both are very stable, capable, and fast. To my understanding, the Sidewinder is used by a lot of DoD installations.
They no longer have a software only gateway firewall solution. They expect everyone to upgrade or purchase the SGS hardware(which is based off of SEF).
Just get two uniprocessor boxes. Dual Dual cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
Correct me if I'm wrong, but I thought the NT "kernel" [or whatever you call it - it's not a monolithic "kernel" per se, but rather a microkernel surrounded by services] had had a multi-threaded TCP/IP stack since at least Windows 2000.
So what do you mean by "a single TCP/IP stack"?
Is this some sort of a "process" -vs- "thread" kinduva thang? Or maybe a Hurd-ish "offload the process to a different box" kinduva thang?
A few people in this thread have enthusiastically recommended watchguard, and it looked like the clear winner with its appliance like simplicity, at least until I read your post. What do you think about that one, just for comparison's sake?
Is there absolutely only one entry point into the network? Or do you have local LAN users, plus remote dialup users, plus maybe a remote building or two, plus an internet gateway?
Draw a network diagram, including all possible entry points. Now, where is that single firewall going to sit, to cover all of them?
Personally, I'd go with a mixed router and hardware firewall configuration, probably with some IDS capability, but "small" doesn't tell me much of anything. So in lieu of something that doesn't fit, I'm going to say, if you do go with software instead, you really need coverage on every entry point you can afford to cover. You also should be running host intrusion detection on the most important database and command servers, if at all possible.
Oh, and don't forget, you need to have a written security policy before doing a lot of configuration, to keep things consistent and to save yourself a lot of grief. It also helps when you have to figure out if someone is getting through, and how.
Tell you what, go poke around on Cisco's website for their SAFE blueprint, and you can start with this. You can learn the basic conceptual stuff for free, and then implement scalable design choices using their stuff or someone else's.
You mention what you plan on buying, but not what you're buying it for.
How many concurrent connections? How many VPN tunnels? How much bandwidth do you have? Most importantly, as others have mentioned, who is your admin? A firewall is only implimenting a set of access rules, the hard part is crafting those rules. Don't buy a Cisco firewall if your security guy only knows checkpoint. If you don't have a security guy, get one.
I'll assume if you have no firewall at all right now, and you're not talking about a lot of stuff, so my WAG would be to grab a PIX 515E unrestricted firewall. The PIX is pretty reliable, but if reliability is key, get 2 with the failover option. They're about 4 grand. 2 of them with failover will be 10.
Make sure you have a security policy (with teeth!!) for your employees, and that it's enforced. That policy will change as they discover more uses for their new firewall/Internet connection. Make sure management understands there is a security policy and that any changes involving the firewall need to be evaluted and added to the plan.
I'm appalled. You will firewall off an entire town and check every packet for viruses???
A few things why this is a terrible idea:
A single firewall like this will really make things slow.
You are playing big brother. Expect to be asked to block P2P and games even.
The performance will be terrible. VoIP will be unusable.
Cost will rise, it will not scale. Dont allow immigrants.
See, if you want to provide an Internet connection, just buy some fat cisco or juniper switches. Divide the bandwidth fairly at level 2 and leave it at that. Some will use VPN, some will use P2P software, others will just browse and email. Leave the computers in their own hands. Setup a service whereby you'd re-image their computers for free, but apart from that, let them be. OpenBSD is awesome for a company where everyone should be working and computers are all owned by the company (IT department responsible for fixups). A town sounds like a place where people live in their homes doing whatever they want to do.
Youre not a part of the new homeland security are you?
"Give orange me give eat orange me eat orange give me eat orange give me you." -Nim Chimpsky
We've been beta testing a new product from 3Com that was announced last week. It's their TippingPoint X505. So far it's been a very robust hardware network appliance firewall and quite stable. The prie should be much less (probably half of what you are showing) and is pretty feature laden. It's got intrusion prevention, VPN access, full firewall, and even content management and filtering so you can block questionable content.
Also someone else mentioned it but running on a network box that runs a hardened OS is going to be more secure out of the box than running on a standard OS with the security software on top of that. You've still got to go through the OS before you hit your security software and there will be problems with the OS.
Check it out here http://www.tippingpoint.com/products_X505.html
blah, blah, blah
Sounds like the wrong person is driving this. Non-technical people seem to think that a firewall is the Grand Ultimate Answer to Security Problems. When you phrase your requirements in terms of a specific solution (i.e. We need to protect our IT infrastructure with a firewall) then you've got trouble.
Start by getting an IT security expert to review your infrastructure and identify potential threats, and discuss what protection can be used to mitigate various threats.
You will almost certainly find that "a firewall" is not going to provide the protection currently envisaged. You will also find that ongoing maintenance of your security solution is essential -- security without maintenance is useless.
If a firewall makes up part of that solution, it would be sensible to go for an appliance or a custom firewall distribution. Cisco PIX or M0n0wall are good choices. When you put a software package on a generic OS you have to spend more time maintaining the OS (patches, etc) and admins have a tendency to put other software and services on the machine because its there (which, obviously, are bad for security).
Remember that the majority of threats to your infrastructure are internal, and a firewall won't protect you. "External" threats like viruses tend to penetrate firewalls easily via e-mail. Many organisations (large and small) adopt a DMZ configuration (two firewalls with a limited number of machines between them, that are the only machines that can accept connections from outside the outer firewall, e.g. mail and web servers) with an additional firewall protecting the application servers (by which I mean whatever servers your business needs to do its stuff) from the desktop PCs.
i-name =twylite [http://public.xdi.org/=twylite], see idcommons.net
Firstly why is an IT manager proposing to firewall a city that isnt going to protect any end users, Probably not going to filter that much incoming traffic. TBH my intrest wouldnt be in firewalling the entire city rather just firewalling the computers that need to be protected e.g. govornment data and leaving end user firewalling to the end user. Even then i wouldnt have a single windows based firewall i agree with previous posts i'd get dual Watchguard x1000's (graciously dubed the 'x box' by my work) with the same config and 1 for failover. and it'd probably come to less overall.
How can there be no mention yet of monowall? Its an excellent tool for simple reliable firewalling. We're running it off an old P2 class machine. The system software is on CD with our config file on a floppy. Its been completely reliable for going on a year and even this old machine happily keeps our T1 maxed out without blinking an eye. We actually replaced a failing WatchGuard box ($$) with monowall, increasing the feature set at near zero cost. The actaul hardware is a retired desktop (free) and we just added 3 PCI NICs (~$20 each). Eventually, we'll probably buy a rackmount system built for monowall, but even that only runs $500-$800.
If there are a lot of machines behind the firewall, all it takes is one dufus to open the gates (see Troy).
Get an appliance and convert all internal systems to a nice safe OS.
You might want to take a look at Mikrotik router OS. We are just now taking a look at it. It seems reasonably priced and well supported running on either a special mother board or an old Intel system. www.mikrotik.com
Anybody out there had an significant experience with Mikrotik?
Regards, Ed
Consider outsourcing the project. $13,000 will get you an appliance and someone to support and monitor the device for at least a year. The consultant/company will be more than happy any answers you have and will also be more than willing to deal with any firewall issues/headaches that arise.
I would not say that the solution proposed is a bad choice at all. I am guessing that it is more than a firewall but rather a gateway protecter stopping not only the things a normal firewall would but also viruses/spam and who knows what. For "small" companies looking for many of those features I often point them to the sonicwall brand of products as the cost is trivial compared to most products and once it is setup there is very little to do ever.
I've got it running on a PIII-1Ghz machine routing 4 different subnets (1/internet 1/production 1/DMZ 1/Wireless). Very easy to setup using out-of-box configuration. Best thing about slack is that Pat doesn't patch the shit out of everything so everything stays very stable. You probablly need more bandwidth than what I've got, but that's just hardware. This will run on just about anything.
"When I want your opinion, I'll give it to you." --leonstryker
If you wish to have Windows 2003 and Symantec... you're going to need to employ a dedicated Systems Administrator. Together with this the number of holes and security that Microsoft continually need to patch in the OS would be a real problem and it'd be a rediculous expense you need to fork out every year to 'renew your subscription' to Symantec. A dedicated appliance based box beats a server hands down. Particularly a device such as a Cisco. Why not sign up for a managed Cisco router with a service provider? I don't know of any other companies that do it, bar one company in Sydney called Bulletproof Networks that do that kind of thing. They configure up a 3DES security router which includes firewalling (stateful packet inspection) which is equivalent to the high end Cisco firewalls but it includes the routing capabilities as well and it's reasonable pricing as well. Honestly, I cringe at the thought of a Windows (AND Symantec!) box providing firewalling to anyone. The cost would be outrageous for the task that you're requesting it to do. And like any other pc's, they break. Appliance boxes tend to last a lot longer. DON'T DO IT!
People are the weakest link in security. I'm just a junior workin on dual Bachelor's and then going for my master's and one thing that has remained constant, the human factor.
ya'll can argue over the best products all day long, but those products won't be as effictive or as efficient as their potential states them to be without someone at the helm who knows what they're doing.
I just thought I'd remind ya'll of the human factor in security, as this section was starting to look like a metaphorical cock fight between firewalls and such.
may the source be with you