Slashdot Mirror


A Dedicated Firewall for a Small Town?

Germ-X asks: "My city's IT Manager is proposing a dedicated firewall system to protect the IT infrastructure. The solution, that is going to be presented to the City Council, is based on Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4, and will cost the city about $13,000. Most of that amount will be going to software licenses. I don't know the features of Symantec Enterprise Firewall, I just think that the city could do much better going for an appliance kind of solution, even if they stay with Windows. What do you guys think? Any other ideas? Keep in mind that this is a small town and I don't think we can count on any big time sysadmins, like most of yourselves, being on staff."

6 of 75 comments

  1. OpenBSD? by m0rph3us0 · · Score: 5, Informative

    I'd throw OpenBSD on there. And scale down the hardware a lot. You will run out of bandwidth on your bus before you run out of CPU. Get two boxes and run CARP for failover. That way when you patch the box your whole network doesn't go down. Just get two uniprocessor boxes. Dual dual-core is overkill, and Windows 2003 has a single TCP/IP stack so dual processors are almost pointless.

    1. Re:OpenBSD? by Noodlenose · · Score: 5, Insightful
      I can't commend this solution higher. There are 3 main reasons why OpenBSD should be your choice:

      • Excellent hardware support
      • Superb documentation
      • With Carp and pf, you have the best firewall tools out there.

      Did I mention it's free?

      Cheers.

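The CARP + pf failover pair recommended in the comment above, written out as an added example (it is not from the original thread and not any poster's configuration). Interface names (em0/em1/em2), the 203.0.113.0/29 and 192.168.10.0/24 addresses, and the CARP password are assumptions chosen for illustration; the second box gets the same files with its own physical addresses and a higher advskew so that it only takes over when the master stops advertising.

```pf
# --- /etc/hostname.em0 : external interface, physical (per-box) address (assumed) ---
inet 203.0.113.2 255.255.255.248 NONE

# --- /etc/hostname.carp0 : shared external address ---
# vhid and pass must match on both boxes; advskew 0 on the master, e.g. 100 on the backup.
inet 203.0.113.1 255.255.255.248 203.0.113.7 vhid 1 pass changeme advskew 0 carpdev em0

# --- /etc/hostname.em1 : internal interface, physical address (assumed) ---
inet 192.168.10.2 255.255.255.0 NONE

# --- /etc/hostname.carp1 : shared internal gateway address the LAN hosts point at ---
inet 192.168.10.1 255.255.255.0 192.168.10.255 vhid 2 pass changeme advskew 0 carpdev em1

# --- /etc/hostname.em2 : dedicated crossover link used only for pfsync ---
inet 10.0.0.1 255.255.255.0 NONE

# --- /etc/hostname.pfsync0 : replicate the state table so failover keeps existing sessions ---
up syncdev em2

# --- /etc/sysctl.conf : let the master reclaim all its CARP addresses when it comes back ---
net.inet.carp.preempt=1

# --- /etc/pf.conf : minimal ruleset; default deny, then CARP/pfsync, then LAN traffic ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan     = "192.168.10.0/24"

set skip on lo
block log all

# pfsync only on the crossover link; never expose it on a routed interface
pass quick on $sync_if proto pfsync
# CARP advertisements on both routed interfaces
pass quick on { $ext_if $int_if } proto carp

# LAN hosts may go out; replies come back via state
pass in  on $int_if from $lan to any keep state
pass out on $ext_if from $lan to any keep state

# management: ssh to the shared external address only
pass in on $ext_if proto tcp from any to 203.0.113.1 port 22 keep state
```

With this in place, `ifconfig carp0` on each box shows which one is MASTER and which is BACKUP; pulling the master's power cord should move both shared addresses to the backup within a few seconds, and established connections survive because pfsync already copied their state. Patching is then "fail over, patch, fail back" rather than "take the city offline".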
  2. Re:Bunch of morons by WhatAmIDoingHere · · Score: 4, Funny

    Hold on, hold on, hold on.. Free AND costs nothing, you say? Sign me up! But first.. how much do I have to pay for it?

    --
    Not a Twitter sockpuppet... but I wish I was.

  3. Maintenance policy - first by dpilot · · Score: 5, Insightful

    Whether you're talking "Windows 2003 and Symantec Enterprise firewall. It will be running on an HP DL380 G4" or "OpenBSD on there. And scale down the hardware a lot" or even a heavy-duty appliance box, the cart is in front of the horse, here. Don't know if that's a reflection of the planning or your thinking.

    Plan the maintenance policy, first. Even if you have a heavy-duty appliance box, which you'd like to think of as "install and forget", someone's got to keep on top of security alerts and firmware updates. Remember the good old security mantra, "Security is a process, not a product."

    Keeping that in mind, it can affect a purchasing decision, too. "Windows 2003 and Symantec Enterprise firewall" is 2 products from 2 companies, and the OS is very complex, needs significant work to lock down to minimal function, and has had a steady feed of monthly updates. On the other hand, "OpenBSD on there" is 1 (Isn't pf part of the base?) product, has a much more proven security track record, a lower update rate, and comes configured more securely out of the box.

    Normally, I don't believe the "Just let me put an OSS firewall in there on the cheap," argument. But in this particular case, and keeping in mind that ongoing maintenance should be part of ANY solution, I guess I'd have to side with OpenBSD + pf.

    --
    The living have better things to do than to continue hating the dead.

  4. appliance by austad · · Score: 4, Informative

    I may be a little bit biased, but I've been working in the security industry for years. I've touched just about every firewall solution on the market, especially since the company I currently work for sells just about every firewall solution on the market.

    Two reasons I do not like firewalls which run on top of an OS like Windows, Linux, or BSD:
    1. They run a full OS. The device and software are Turing complete, which means that if someone cracks the box somehow, it would allow them to run scripts or compiled apps that do other nastiness (using it to scan your internal network, compromise other machines, etc). In addition, depending on the product, you are responsible for OS updates, not the firewall vendor.

    2. Bringing up a device that is not an appliance is not just a quick "slap it in a rack and have it working in 5 minutes" ordeal. It's usually something along the lines of procure a box, install the OS, make sure OS works with the hardware (NIC drivers, etc), install firewall software, possibly install management software on your machines which will be managing it, etc. This takes time. What if the box croaks and you need to replace it quickly?

    My recommendations:
    1. NetScreen. These are custom hardware running ScreenOS. There is no scripting capability on the device, and no compilers out there that would even let you compile apps that run on it. It's manageable via ssh, https, or through a management server called NSM if you like that sort of thing (useful in large deployments). They have options for web filtering and deep inspection for catching nastiness. Additionally, the policies are based not only on IP, but also on Zones. Each interface is dropped into a zone, and those zones are specified when creating rules. This both enhances security, and makes your policy base much simpler when using more than two interfaces.

    2. Cisco PIX. While I don't really like the pix, it actually is a decent firewall. It doesn't offer much in the way of advanced features, but it's an appliance, it's straightforward, and quick to implement. On the downside, it's comparable in price to the NetScreen, so there's no real reason to use it unless you absolutely must use Cisco.

    On a side note, I don't really like Checkpoint at all. Not only does it run on a full-fledged general OS, their licensing is a pain to deal with, I've had major problems with bugs in advanced features, and you MUST install a separate management server and use a GUI to manage the thing. The GUI only runs under windows. I have more reasons I don't like it, but I think the above is reason enough to stay away from it.

    --
    Need Free Juniper/NetScreen Support? JuniperForum
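The zone-based policy model described in the comment above, as an added ScreenOS example (not from the original thread and not the poster's configuration). The interface names, addresses and policy IDs are assumptions; the point is that rules are written between zones, so adding a third interface (a DMZ, say) means adding it to a zone rather than rewriting every IP-based rule.

```screenos
# Assumed layout: ethernet1 faces the LAN, ethernet3 faces the ISP.
set interface ethernet1 zone trust
set interface ethernet1 ip 192.168.10.1/24
set interface ethernet3 zone untrust
set interface ethernet3 ip 203.0.113.2/29

# Named address object in the trust zone (assumed LAN range)
set address trust "lan-net" 192.168.10.0 255.255.255.0

# Policies are evaluated in order within a zone pair.
# LAN may browse out; everything else from the LAN is dropped and logged.
set policy id 1 from trust to untrust "lan-net" any HTTP permit
set policy id 2 from trust to untrust "lan-net" any HTTPS permit
set policy id 3 from trust to untrust any any ANY deny log

# Nothing unsolicited from the Internet reaches the LAN.
set policy id 4 from untrust to trust any any ANY deny log
```

Because the source and destination of each rule are zones, moving a server behind a new DMZ interface is `set interface ethernet2 zone dmz` plus a handful of trust-to-dmz and untrust-to-dmz policies; the existing trust/untrust rules are untouched, which is what the poster means by the policy base staying simpler with more than two interfaces.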

  5. Re:What city? by MarkGriz · · Score: 5, Funny

    "Hey, I presume that you guys use no firewall now. And you have Windows servers on the network! What kind of city is that?"

    Troy?

    --
    Beauty is in the eye of the beerholder.