A Dedicated Firewall for a Small Town?
Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an appliance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."
Spending money on proprietary closed-source solutions. Get IPCop! It's free, costs nothing and works.
I'd throw OpenBSD on there. And scale down the hardware a lot. You will run out of bandwidth on your bus before you run out of CPU. Get two boxes and run CARP for failover. That way when you patch the box your whole network doesn't go down. Just get two uniprocessor boxes. Dual dual-cores is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.
Give us a number of workstations and servers currently in operation and we'd give you a better answer. Are you small like Salem, OR? If so the solutions suggested so far are reasonable. But if you're small like Condon, OR (three full time employees, two part time, and about 20 volunteers, all centered in a single building) then I'd suggest something more along the lines of a Linksys or Netgear router is more what you should be looking at; both in terms of stability and ease of remote management.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
So it's a small city or town. Like Minneapolis is a small city or are you talking Hickville Arkansas?
Come on, you need to be far more specific in your question than that if you want a helpful answer. How big is the network? How many workstations and servers, and what operating systems are they all running? How much internet traffic is going out and how much is coming in? What type of traffic: is it all HTTP or do you run a lot of H.323 video conferences?
Do you need to provide protection for 10 Windows workstations that surf the web and get email via Hotmail accounts sharing a DSL line or, do you need to firewall several hundred workstations and have 50 servers in a DMZ all connected to the internet via dual OC-3's and running BGP4?
Additionally, what sort of firewalling are you looking for? Do you want a simple packet filter like iptables can provide, or are you looking for a stateful, deep inspection, application layer gateway with two-way content filtering, proxy service, IDS/IPS and activity logging/recording based on user/group/IP address/URL?
Based on the information that you provided, it is impossible for anyone to accurately answer whether the solution is the right one or if they should instead buy a Linksys cable router or a $100,000 Nokia system.
are both free and capable.
I may be a little bit biased, but I've been working in the security industry for years. I've touched just about every firewall solution on the market, especially since the company I currently work for sells just about every firewall solution on the market.
Two reasons I do not like firewalls which run on top of an OS like Windows, Linux, or BSD:
1. They run a full OS. The device and software are Turing complete, which means that if someone cracks the box somehow, it would allow them to run scripts or compiled apps that do other nastiness (using it to scan your internal network, compromise other machines, etc). In addition, depending on the product, you are responsible for OS updates, not the firewall vendor.
2. Bringing up a device that is not an appliance is not just a quick "slap it in a rack and have it working in 5 minute" ordeal. It's usually something along the lines of procure a box, install the OS, make sure OS works with the hardware (NIC drivers, etc), install firewall software, possibly install management software on your machines which will be managing it, etc. This takes time. What if the box croaks and you need to replace it quickly?
My recommendations:
1. NetScreen. These are custom hardware running ScreenOS. There is no scripting capability on the device, and no compilers out there that would even let you compile apps that run on it. It's manageable via ssh, https, or through a management server called NSM if you like that sort of thing (useful in large deployments). They have options for web filtering and deep inspection for catching nastiness. Additionally, the policies are based not only on IP, but also on Zones. Each interface is dropped into a zone, and those zones are specified when creating rules. This both enhances security, and makes your policy base much simpler when using more than two interfaces.
2. Cisco PIX. While I don't really like the PIX, it actually is a decent firewall. It doesn't offer much in the way of advanced features, but it's an appliance, it's straightforward, and quick to implement. On the downside, it's comparable in price to the NetScreen, so there's no real reason to use it unless you absolutely must use Cisco.
On a side note, I don't really like Checkpoint at all. Not only does it run on a full-fledged general OS, their licensing is a pain to deal with, I've had major problems with bugs in advanced features, and you MUST install a separate management server and use a GUI to manage the thing. The GUI only runs under Windows. I have more reasons I don't like it, but I think the above is reason enough to stay away from it.
Need Free Juniper/NetScreen Support? JuniperForum
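The two ideas that keep coming up in this thread, a stateful filter (as opposed to a plain per-packet filter, raised in the "what sort of firewalling" post above) and zone-based policies (the NetScreen point in the post just above), are small enough to model in a few dozen lines. The following is an added example, not code from any product or poster: a toy filter that maps interfaces to zones, writes policy between zone pairs with default deny, keeps a state table so return traffic is admitted only for connections it saw leave, and rejects packets whose source address does not belong to the zone they arrived on. All interface names, address ranges, policies and packets are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Interface -> zone (constructed). Two LAN segments share the "trust" zone,
# so one trust->untrust policy covers both; with per-interface rules you
# would need a rule for every interface pair.
IFACE_ZONE = {
    "eth0": "untrust",  # internet uplink
    "eth1": "trust",    # city hall LAN, 10.0.1.0/24
    "eth2": "trust",    # library LAN, 10.0.2.0/24
    "eth3": "dmz",      # public web server, 192.168.100.0/24
}

def zone_for_address(ip: str) -> str:
    """Crude prefix 'routing table' (constructed) mapping an IP to its zone."""
    if ip.startswith("10.0."):
        return "trust"
    if ip.startswith("192.168.100."):
        return "dmz"
    return "untrust"

@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN (new connection attempt); ignored for udp

@dataclass(frozen=True)
class Policy:
    from_zone: str
    to_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "permit" or "deny"

Conn = Tuple[str, str, int, str, int]

@dataclass
class ZoneFirewall:
    policies: List[Policy]
    state: Set[Conn] = field(default_factory=set)  # connections seen leaving

    def filter(self, pkt: Packet) -> str:
        fwd: Conn = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev: Conn = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        src_zone = IFACE_ZONE[pkt.in_iface]
        # Anti-spoofing: the source must belong to the zone the packet arrived
        # on, otherwise an internet packet claiming a LAN source could match
        # LAN state or LAN policy.
        if zone_for_address(pkt.src) != src_zone:
            return "deny"
        # Stateful part: traffic for a connection already in the table is
        # permitted without consulting policy (this is what lets replies in).
        if fwd in self.state or rev in self.state:
            return "permit"
        # A TCP packet that is neither a SYN nor part of a known connection is
        # a stray or forged "established" packet. A stateless filter keyed on
        # the ACK bit alone would let it through.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        dst_zone = zone_for_address(pkt.dst)
        # Policy lookup by zone pair: first match wins, default deny.
        for p in self.policies:
            if (p.from_zone, p.to_zone, p.proto) == (src_zone, dst_zone, pkt.proto) \
                    and (p.dport is None or p.dport == pkt.dport):
                if p.action == "permit":
                    self.state.add(fwd)
                return p.action
        return "deny"

# Constructed policy base: three rules cover every interface pair that matters.
POLICIES = [
    Policy("trust", "untrust", "tcp", None, "permit"),  # LANs may browse out
    Policy("trust", "untrust", "udp", 53, "permit"),    # and resolve DNS
    Policy("untrust", "dmz", "tcp", 80, "permit"),      # public web server
]

def run_scenario() -> dict:
    """Push constructed packets through the filter; returns verdicts by name."""
    fw = ZoneFirewall(POLICIES)
    return {
        "lan_out":      fw.filter(Packet("eth1", "tcp", "10.0.1.5", 51000, "203.0.113.10", 443, syn=True)),
        "lan_return":   fw.filter(Packet("eth0", "tcp", "203.0.113.10", 443, "10.0.1.5", 51000)),
        "forged_ack":   fw.filter(Packet("eth0", "tcp", "203.0.113.10", 443, "10.0.1.5", 51001)),
        "spoofed_src":  fw.filter(Packet("eth0", "tcp", "10.0.1.9", 40000, "10.0.1.5", 445, syn=True)),
        "library_out":  fw.filter(Packet("eth2", "udp", "10.0.2.7", 40000, "203.0.113.53", 53)),
        "web_from_net": fw.filter(Packet("eth0", "tcp", "198.51.100.4", 33000, "192.168.100.10", 80, syn=True)),
        "ssh_from_net": fw.filter(Packet("eth0", "tcp", "198.51.100.4", 33001, "192.168.100.10", 22, syn=True)),
        "dmz_to_lan":   fw.filter(Packet("eth3", "tcp", "192.168.100.10", 44000, "10.0.1.5", 445, syn=True)),
    }

if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:13s} {verdict}")
```

The library segment on eth2 gets internet access with no rule of its own because it sits in the same zone as city hall, which is the "simpler policy base" point; the DMZ web server cannot open connections into the LAN because no dmz->trust policy exists, so a compromised public host has nowhere to pivot; and the forged reply is dropped because the state table, not the ACK bit, decides what counts as established.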
Is there absolutely only one entry point into the network? Or do you have local LAN users, plus remote dialup users, plus maybe a remote building or two, plus an internet gateway?
Draw a network diagram, including all possible entry points. Now, where is that single firewall going to sit, to cover all of them?
Personally, I'd go with a mixed router and hardware firewall configuration, probably with some IDS capability, but "small" doesn't tell me much of anything. So in lieu of something that doesn't fit, I'm going to say, if you do go with software instead, you really need coverage on every entry point you can afford to cover. You also should be running host intrusion detection on the most important database and command servers, if at all possible.
Oh, and don't forget, you need to have a written security policy before doing a lot of configuration, to keep things consistent and to save yourself a lot of grief. It also helps when you have to figure out if someone is getting through, and how.
Tell you what, go poke around on Cisco's website for their SAFE blueprint, and you can start with this. You can learn the basic conceptual stuff for free, and then implement scalable design choices using their stuff or someone else's.