Slashdot Mirror


Firewall Recommendations?

anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

181 comments

  1. Old computer+Linux by Shawn is an Asshole · · Score: 3, Interesting

    Then run Debian, Firehol, and Squid (transparent).

    --
    "It ain't a war against drugs... it's a war against personal freedom" --Bill Hicks
    1. Re:Old computer+Linux by Anonymous Coward · · Score: 0

      SME with Monowall. AKA esmith.

    2. Re:Old computer+Linux by itwerx · · Score: 1

      SME with Monowall. AKA esmith.

      Er, eSmith has a firewall, yes, but it also has a ton of other stuff up to and including the kitchen sink. Only appropriate if you're a very small company that can only afford one box.
      Speaking of M0n0wall though, pfSense is M0n0Wall based but supports multiple redundant links with load-balancing and real-time hardware failover including session-state retention. (I.e. you can have not only redundant WAN links but also redundant firewall hardware so if one cheap x86 box dies the other takes over transparently).
      There's a ton of other features as well; the pfSense team is definitely aiming for the enterprise while keeping it accessible to SMBs.

  2. Fortinet products are nice by Anonymous Coward · · Score: 0

    Fortinet makes very good firewalls and routers, sadly I've never used one (cheap boss).

    But whatever you do, stay away from Hotbrick. Stay far far away, trust me.

    1. Re:Fortinet products are nice by Anonymous Coward · · Score: 0

      Haha, HotBrick. Sounds like the pinnacle of bad naming choices for a firewall to me, considering that "brick" refers to a completely defective product and "hot" is usually not something you're looking for in the server room.

  3. NetBSD and IPF by spribyl · · Score: 1

    I have been running NetBSD with IPF with great success.

  4. OpenBSD PF by akpoff · · Score: 5, Informative

    OpenBSD makes for an awesome firewall. Get whatever size machine you need, install OpenBSD, enable PF, follow the *very* well-written configuration docs online and you'll have one or more firewalls up in no time.

    I just set one up and it was easy. And best of all the PF syntax is very straight forward.

    1. Re:OpenBSD PF by Anonymous Coward · · Score: 0

      I second this. OpenBSD is a first-class firewall and with pfsync/carp you can even have redundant firewalls to aid in maintenance.

    2. Re:OpenBSD PF by Anonymous Coward · · Score: 3, Informative

      And thirded! (?) OpenBSD is a superb firewall solution. CARP and pfsync give you a high availability firewall solution that you would otherwise pay thousands for with commercial vendors. The O/S is clean, stable and the pf syntax is intuitive. Rule tables can be updated on the fly, which means that blocking naughty IM clients becomes a snap with some signatures in IDS->pf updating.

      I've been using OpenBSD since early 2001 (at home and in corporate environments) - the quality is there, just make sure you read all of the excellent documentation and mailing lists for handy, practical pf examples!

    3. Re:OpenBSD PF by snowgirl · · Score: 4, Informative

      I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

      I highly recommend it over IPTables at least.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    4. Re:OpenBSD PF by Anonymous Coward · · Score: 3, Informative

      I third this. I've been deploying OpenBSD firewalls for a few years now and I have zero complaints. I can't even recall the last software problem I had. Hardware has died, but as the parent poster pointed out, there's pfsync and carp for redundancy. Works flawlessly. Even at home I have a little Soekris 4801 running OpenBSD which has never let me down. Don't bother with the $$$ crap.

    5. Re:OpenBSD PF by johnnys · · Score: 1

      And fourthed. (sorry) I've deployed OpenBSD firewalls for VPNs, DMZs, network protection yadda yadda yadda. It just works.

      --
      Sometimes the "writing on the wall" is blood spatter...
    6. Re:OpenBSD PF by e9th · · Score: 1

      Me too. Just be sure you track the -stable branch.

    7. Re:OpenBSD PF by Anonymous Coward · · Score: 2, Insightful

      There have been two remote exploits in the default configuration of OpenBSD in the last *TEN* years, that should say a lot. I've been using OpenBSD for nearly 10 years, and while I may not like, or agree with, all of Theo's actions, I must say it is an excellent OS. Besides, it's been a few years since Theo ripped out the firewall software in a fit of rage and they released a version of OpenBSD for the DEC Alpha without any firewall software included. Yes, I'm still bitter, and any other product I would have dumped after getting burned like that, but OpenBSD is too good to dump.

      Warning, that is just one example of the problems that Theo has caused...

    8. Re:OpenBSD PF by Anonymous Coward · · Score: 0

      I totally agree with PP. We have been audited by major financial institutions as well as ISO for network security and they don't have any problems with our use of OpenBSD. In fact most of them applauded it and respected the open code.

    9. Re:OpenBSD PF by Blackknight · · Score: 1

      Add CARP and you'll never even lose a packet if one of the systems dies.

    10. Re:OpenBSD PF by RedBear · · Score: 1

      I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

      I highly recommend it over IPTables at least.


      Which brings up a question I've been wanting to get a solid answer to for a long time now: Why hasn't anyone developed a simple-to-use, runs-from-CD, pre-configured, dedicated firewall/router variant of OpenBSD for turning old computers into firewall/routers? After all it is arguably the most secure operating system available and everybody and his brother seems to think pf is infinitely better than iptables, yet the only things out there that fit this description are Linux-based distros and often one or two kernels behind the mainstream. I'm speaking of IPCop, Smoothwall and such. You stick the disc in an old computer, boot it up, administer it through a web interface, often by just clicking some checkboxes. Simple, even for non-technical people.

      Somebody here must know what the deal is. Even though everyone thinks OpenBSD is best for firewalls, nobody has taken the time to build one of these tools that can be used easily by non-network administrators. What the heck? Or has something changed in the last year or so?

    11. Re:OpenBSD PF by pnutjam · · Score: 2, Informative

      I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features.

    12. Re:OpenBSD PF by Sancho · · Score: 1

      Actually, both of those firewall solutions are based off of FreeBSD (which ported pf from OpenBSD some time ago). FreeBSD is, in my opinion, an easier to manage and slightly more robust OS, though it isn't audited for security quite as much as OpenBSD is.

    13. Re:OpenBSD PF by Sancho · · Score: 1

      I agree 100%. PF is an excellent firewall. Running on commodity PC hardware, however, may not be the way to go (BUS issues).

      Force10 is working on a firewall solution which implements PF. They claim line-rate for Gig and 10-Gig, and they also include Snort on the device. It sounds absolutely wonderful... the best of both worlds, basically, since most commercial firewall solutions that I've seen are (in my opinion) fairly unwieldy.

    14. Re:OpenBSD PF by paltemalte · · Score: 1

      OpenBSD and its PF.

      True redundancy? Check. Just add 1 or 2 extra machines and set up CARP.
      Load balancing? Check.
      Most secure OS ever made? Check.

      And OpenBSD 4.1 is just around the corner. It's going to have the new 'hoststated' daemon which will be able to monitor services on remote hosts, and automatically remove or add back their IPs into load-balancing pools.

      Just don't forget to show the OpenBSD folks your appreciation by purchasing a few copies of the OS, a few t-shirts or donations. They deserve it.

      --
      Sam has one liberty, which he sacrifices for one security. Can you tell me what Sam has now?
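
The CARP + pfsync setup that several posters above recommend, as an added worked example (not code from any poster, from the OpenBSD project or from a vendor): the pf.conf of the primary node of a two-node OpenBSD firewall pair, written in current OpenBSD (4.7 and later) match/nat-to syntax rather than the 4.1-era nat syntax. Interface names, addresses, the shared secret and the hostname.* lines shown in the comments are assumptions.

```pf
# Constructed example: primary node of a two-node OpenBSD firewall pair.
# Interface names, addresses and the CARP secret are assumptions.
#
# Assumed interface configuration (in /etc/hostname.*, shown here as comments):
#   hostname.carp0   -> inet 203.0.113.10 255.255.255.0 NONE vhid 1 carpdev em0 pass s3cret advskew 0
#   hostname.carp1   -> inet 192.168.1.1  255.255.255.0 NONE vhid 2 carpdev em1 pass s3cret advskew 0
#   hostname.pfsync0 -> up syncdev em2
# The backup node uses the same files with "advskew 100", so it only becomes
# master when the primary stops advertising. Both nodes set
# net.inet.carp.preempt=1 in /etc/sysctl.conf so that if one carp group
# fails, every group on that node fails over together.

ext_if  = "em0"              # physical WAN NIC (carp0 rides on it)
int_if  = "em1"              # physical LAN NIC (carp1 rides on it)
sync_if = "em2"              # dedicated crossover link used only by pfsync
lan_net = "192.168.1.0/24"

# Never filter loopback or the pfsync link (IP protocol 240 between the peers).
set skip on { lo $sync_if }

# Normalise inbound packets: reassemble fragments, clear the DF bit so
# fragmented packets with DF set can still be reassembled, randomise IP ids.
match in all scrub (no-df random-id)

# NAT outbound LAN traffic to the *shared* CARP address rather than the
# physical one: the peer owns the same address after a failover, so the
# states pfsync copied to it keep matching without clients noticing.
match out on $ext_if from $lan_net to any nat-to (carp0)

block log all

# CARP advertisements (IP protocol 112, multicast 224.0.0.18) must pass on
# every segment that carries a carp group; if they are blocked, both nodes
# stop hearing each other and both claim master.
pass on { $ext_if $int_if } proto carp

# LAN clients out to the world. pf keeps state by default, and pfsync
# pushes every state entry to the peer over $sync_if.
pass in  on $int_if from $lan_net to any
pass out on $ext_if from (carp0) to any

# Administration only from the LAN, to either the real or the virtual address.
pass in on $int_if proto tcp from $lan_net to { ($int_if) (carp1) } port ssh
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `ifconfig carp0` on both nodes show exactly one MASTER and one BACKUP before trusting the failover.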
    15. Re:OpenBSD PF by jd · · Score: 1

      OpenBSD is good, SonicWall is a *BSD derivative and therefore (assuming they didn't break anything) very likely good. NetBSD is supposed to have the fastest stack on the planet, which is important as a firewall is a significant bottleneck, but hasn't anything like the attention to external security. (Efforts to make a "Trusted" *BSD exist, but I know of none that have got much beyond the earliest stages. This is important even in a firewall - firewalls run proxies and a proxy is a potential point of attack. Firewalls also generally run VPN and Active NIDS packages. With Mandatory Access Controls, no big deal - the attacker can hose one thread of one application. It poses no wider risk. Without, you can assume that once any access is gained, TOTAL access will be gained a short time later.)

      There are ways around this. The simplest is to place as much software off the firewall as physically possible. So, for example, you'd have a second machine in parallel to the firewall that is running the Active NIDS. This gives you the same level of containment if an attack is detected, but the NIDS machine is now in the DMZ and so a break-in there would pose no risk. You also want to have the main proxy software off the firewall and on a different machine. The firewall would only allow traffic through for the proxy. This eliminates a whole chunk of vulnerable logic on the firewall. It also accelerates internal accesses, as the proxy server now has reduced network logic so can spend more time doing something useful.

      If you can find one, the best machine to use as a firewall would be an old DEC VAX. Why? Because nobody has (yet) broken the security of a correctly-configured VMS system, making it two exploits better than even OpenBSD. It makes no difference that porting to VMS is a nightmare, because you wouldn't want to do so. Nor does it matter that VMS kernel developers are about as common as honest lawyers - whatever holes exist are far beyond the capabilities of a sizable percentage of experts in the field. Unless you're keeping nuke missile codes, VMS or OpenVMS should be more than strong enough to keep anyone out.

      (Besides, if you look at a VMS terminal screen for too long, you go blind. No cracker would risk it.)

      Now that IRIX has been dropped by SGI, it might also be possible to find Trusted IRIX systems that are being replaced. Again, that's damn good security and SGI mostly made its name on making IRIX systems damn fast (for the time). They should easily have the power to handle being used in a firewall and certainly have the security.

      --
      It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
    16. Re:OpenBSD PF by Short Circuit · · Score: 1

      Someone else already thirded and fourthed it.

      Ironically, you're Taking the Fifth.

    17. Re:OpenBSD PF by wirelessbuzzers · · Score: 1

      There have been two remote exploits in the default configuration of OpenBSD in the last *TEN* years, that should say a lot.

      Yeah. It says the default configuration runs OpenSSH and that's it. Oh, and they only count root exploits.

      Of course, firewalls should be running a Spartan OS. So OpenBSD is absolutely terrific for the task.

      --
      I hereby place the above post in the public domain.
    18. Re:OpenBSD PF by kestasjk · · Score: 1

      I've written an article on configuring PF, so I'm not speaking out of ignorance, and I really like PF and use it for my home firewall, so I don't speak out of spite.

      But PF isn't really suitable for a firewall that will be moderately complex. Even in my home LAN I feel the strain of PF's simplicity. The syntax truly is elegant and readable, but it's also inflexible.
      • You can't queue outgoing packets. This means to do outbound traffic shaping you need to queue upload speed on the incoming interface, which is a messy hack that can't queue packets addressed to the gateway itself.
      • You can only tag packets with one label. If you're translating packets you can only tell what the translated packet is on the other interface using a single tag.
      • You can't change rules on the fly with switches; you have to load new rulesets. I have to use cron to invoke sed to create PF rulesets for different times of the day from a template ruleset.

      Don't let me turn you away from PF; it is perfect for simple cases, but as your needs get more complex you find yourself in the much feared situation of having to change to a different solution, but having to throw away a lot of time invested in good firewall rules to do so.

      If you think your needs will scale I'd recommend IPFW. Instead of having a stream of packets come in, and passing through rules until it reaches the end (or a pass/block quick), it uses an elegant system whereby you channel packets into different chains of rules.
      If you imagine a stream of packets coming in you can tell all TCP packets, say, to switch to a certain point in the rules, and UDP to go to another section. You might then break up the TCP stream into different ports heading to different services, and then into streams coming from different subnets. You can translate packets with NAT, and then the packet will continue in the ruleset at the point it left off.

      This way can be more daunting at first, but as the complexity of your ruleset increases it becomes far more logical, practical and readable.
      So I'd say choose between PF and IPFW depending on how complex you expect your ruleset to become.
      --
      // MD_Update(&m,buf,j);
    19. Re:OpenBSD PF by DrSkwid · · Score: 1

      You have to enable SSH at install time too.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    20. Re:OpenBSD PF by DrSkwid · · Score: 1

      I don't know why no-one's done a bootable CD version.

      If you seriously need a diskless firewall you could buy 128Mb CF card for $10 & a cf-ide adapter for $10.

      For a bit more cash and a SOHO setup something like the VIA EPIA MII 12000 is the ideal candidate, it's got a CF slot, a PCMCIA slot and a PCI slot for your extra nic. Why people bother with WRTG54s I really don't know.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    21. Re:OpenBSD PF by scottv67 · · Score: 1

      If you can find one, the best machine to use as a firewall would be an old DEC VAX. Why? Because nobody has (yet) broken the security of a correctly-configured VMS system, making it two exploits better than even OpenBSD. It makes no difference that porting to VMS is a nightmare, because you wouldn't want to do so. Nor does it matter that VMS kernel developers are about as common as honest lawyers - whatever holes exist are far beyond the capabilities of a sizable percentage of experts in the field. Unless you're keeping nuke missile codes, VMS or OpenVMS should be more than strong enough to keep anyone out.

      1. The name of the OS was officially changed to "OpenVMS" a while ago. There is no "VMS or OpenVMS" (unless you work in HR and you're putting a job posting on Monster.com).

      2. You're advocating that a company with twelve employees buy a VAX? The maintenance contract alone on the hardware would suck up all of their profits. Also, the VAX platforms were never known for their awesome number-crunching power. I've got a Core 2 Duo E6600 (home PC) that would eat any VAX (or reasonable cluster of VAXen) for lunch. The fastest VAX systems were built by buying the motherboard from a third-party company and replacing the standard motherboard (http://www.nemonixengineering.com/). If you actually did buy a larger VAX (6000 or 7000-class), you'd find that the licensing costs would burn a hole in your IT budget. VMScluster licenses were especially expensive.

      The same comments you made about OpenVMS on VAX being secure also apply to OpenVMS on Alpha. It's more realistic that you suggest a small company buy the smallest used Alpha they could find and run OpenVMS on there. But even then, you'd be hard-pressed to find a good firewall package to run on that OS. One other problem with the VAX line was that unless you are very fond of FDDI, you are going to have a hard time going above 10Mbit/sec on your LAN connections.

      Your comment about fewer and fewer people being left that actually write code for or know VMS is true. There are fewer than ten good VMS admins left in the world (I used to be one of them ;) ).

      I know that anyone with a seven-digit Slashdot ID is going to say "What's all this VAX and VMS stuff this dude is talking about?" The glory days for VMS have been gone for quite a while. Most of the old-timers (people my age) will say "I used a VAX to write Fortran programs when I was in college." and that's the last time they saw a VMS system. The OS was truly a work of art and you couldn't beat that platform when you needed serious uptime. I was managing VMSclusters when Microsoft was still trying to work the bugs out of two-node NT clusters that shared a few disks on a common SCSI bus. We had a cluster of systems all connected to the same shared storage bus (CI) to access disk storage that was available to all of the cluster members. This was ten years before the word "SAN" became popular.

      Those were the good old days. But, alas, it has been three years since I logged into a VMS system, ran Autogen or used Eve to edit SYSTARTUP_VMS.COM. I miss those days. :)

      Today, the fastest VAX systems are running in a VM on an Intel platform http://www.stanq.com/charon-vax.html.

    22. Re:OpenBSD PF by snowgirl · · Score: 1

      If you read the first response to my post, you find out why. Theo causes a lot of headaches for many people. Often times working with him can get very very bothersome. (So I've heard)

      Theo's autocratic rule over OpenBSD typically has led to very effective and quick decisions about what to do with OpenBSD, and his paranoia in the matter lends greatly to the security of OpenBSD.

      But just because Cuba has never lost a life to a hurricane since Castro got into power, and Cuba's healthcare is the best in the world, does not mean that people are lining up to become citizens.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    23. Re:OpenBSD PF by itwerx · · Score: 1

      I don't know why no-one's done a bootable CD version.

      Check out pfSense for exactly what you're describing.

    24. Re:OpenBSD PF by DrSkwid · · Score: 1

      And yet there in the first paragraph is "pfSense is an open source firewall derived from the m0n0wall operating system platform with radically different goals such as using OpenBSD's ported Packet Filter, FreeBSD 6.1 ALTQ (HFSC)".

      Either my reading comprehension sucks or that sentence says that it is running FreeBSD.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
    25. Re:OpenBSD PF by itwerx · · Score: 1

      says that it is running FreeBSD.

      Yep, sorry, I hadn't inferred that OpenBSD was a requirement as well. :/
      (Maybe somebody could back-port it to OpenBSD. :)

    26. Re:OpenBSD PF by DrSkwid · · Score: 1

      Someone on the GSoc is hoping to do an OpenBSD 9p kernel extension. If they get it going then I'll be giving it a go (read only OpenBSD that is).

      9p abstracts loads of things away for you so you could, for instance, use postgresql as your "file system" and boot from that, I have the code to do that bit already, although it's not listed here yet.

      --
      There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  5. pfSense by BKX · · Score: 1

    Been using it for quite some time now. Works great, never had any problems. I'm running it in front of two dedicated game servers (CS:Source, viewable on the public server browser), two other servers, a front desk comp, and twenty gaming machines. It has a 600MHz Celeron and handles all that traffic perfectly.

    1. Re:pfSense by rmm4pi8 · · Score: 1

      Second the pfsense vote. I am the IT Manager for nTAG Interactive and I ended up moving from our previous combinations of Firebox and Juniper Netscreen systems (depending on location) to pfsense. I'm handling 5 LAN networks and 3 WAN networks on a redundant pair of Dell PE1950's (about as low-end as you can get with a 1950, just one Core 2 Duo, but I chose the 1950 for the hot-swap HDDs and hot-swap power supplies for reliability's sake). Anyway, I'm also running squid transparently which works beautifully. I chose quad-port Intel gigabit PCI-X NICs and I can saturate a LAN-LAN connection (say office to QA network) with only about 20% CPU, which is spectacular when you consider how everyone says you really need hardware routing. Anyway, I am an EXTREMELY satisfied user, thrilled with the beautiful web-gui interface which makes everything drop-dead easy (I'm a Linux admin by background but routing tables are definitely easier to grasp in graphical form). And if I ever decide that I need more networks I can just set pfsense to do VLAN tagging and do the actual routing on my Dell managed switches. Really an amazing system, and if anyone wants to set up something similar do feel free to email me and I'll answer anything I can. Cost me $6k total ($2k per PE1950, $437/ea for the 4 NICs), so not the home-budget sorta thing, but we've now got enterprise-grade routing and firewall in one box which is much easier to manage than the Junipers (I think) and more capable at that.

      --
      U.S. War Crimes blog. Email for free Mandriva support.
  6. 3 things to look at by georgewilliamherbert · · Score: 3, Informative

    Cisco ASA 5505 (it's less than a thousand dollars), and the Nokia Checkpoint appliances (i350, etc).

    Also the Juniper/Netscreen models (SSG 5, SSG 20, Netscreen 5 models)

    1. Re:3 things to look at by Kohath · · Score: 1

      I wouldn't go with anything from Checkpoint. Maybe it's just our IT Dept, but we have never-ending problems. I think our total number of days in the last 2 years without firewall/VPN problems has been zero.

    2. Re:3 things to look at by georgewilliamherbert · · Score: 1

      The Nokia boxes are appliances (1/2U rackmount) running the Checkpoint firewall software on top of an embedded OS.

      Checkpoint is the single most popular, longest-lasting commercial firewall product; you don't have to like it, but it's sort of silly to say that it's not a suitable product. It's outlasted many generations of competitors and done just fine for a huge client base.

    3. Re:3 things to look at by the_cowgod · · Score: 1

      I haven't seen the latest Nokia boxes, but the ones we were running a few years back were just regular PC hardware running a BSD variant called IPSO. We had an awful lot of trouble with the Nokias and ended up dumping them in favor of PIX.

      I can't say whether the Checkpoint software on other platforms is any good, but we had a lot of bad luck with the Nokia gear.

    4. Re:3 things to look at by Kohath · · Score: 1

      I'm not complaining about the hardware.

      I don't care how popular it is. In my end-user experience the software is terrible. It may just be our IT Dept. It's been a long, long series of outages, failures, annoyances, usability issues, limitations, and general dread. It has never worked well.

      I've setup systems built out of stuff I knew was just complete junk, and it worked better than our Checkpoint system. But it may just be our IT Dept.

    5. Re:3 things to look at by drakaan · · Score: 1

      Watchguard's gear is decent for the price (and I think bsd or linux-based)...does arp proxy, vpn, nat, etc. It's been 5-6 years since I've used one, but it was a good fw for a small network to hide behind.

      --
      "Murphy was an optimist" - O'Toole's commentary on Murphy's Law
    6. Re:3 things to look at by asdfghjklqwertyuiop · · Score: 1

      and the Nokia Checkpoint appliances (i350, etc)


      checkpoint is ok, but don't flush your time and money down the toilet running it on nokia hardware. The nokia "appliances" are just standard X86 hardware in a different case for 10X the price. They may be in a fancy case, but inside they're just standard multi-year-old CPUs (Intel, AMD or Cyrix on the lowest end ones) with standard intel (or ServerWorks) chipsets and regular non-RAID western digital ATA hard disks. They are even less reliable than PCs from other vendors in my experience. Plus with Nokia you get to run it all on Nokia's IPSO operating system, which is a stripped down, barely updated fork of FreeBSD 2.2.6.

    7. Re:3 things to look at by Short Circuit · · Score: 1

      Checkpoint is the single most popular longest lasting commercial Firewall product; you don't have to like it, but it's sort of silly to say that it's not a suitable product.

      Being a Slashdot reader, you should know better than to use that kind of logic. A product line's age or popularity has nothing to do with whether it's suitable for the task in question. If the software world ran on reputation, Windows would have been dropped ten years ago.

    8. Re:3 things to look at by Dadoo · · Score: 1

      While I don't have any experience with the Checkpoint stuff, I certainly wouldn't recommend firewalls from Netscreen or Cisco (though I do like Cisco's switches and routers.) I inherited a few Netscreen boxes at my new job and, as far as I can tell, they're junk. I tried to replace a couple of them with a Cisco ASA box, but that didn't turn out well, either.

      I've worked with a bunch of different firewalls - Gauntlet, Sonicwall, Cisco PIX and ASA, and Netscreen - and the best one by far, in my opinion, is Astaro. My next firewall will definitely be another one of those.

      --
      Sit, Ubuntu, sit. Good dog.
    9. Re:3 things to look at by itwerx · · Score: 1

      Netscreens are okay, but Checkpoint? Eww... :/

    10. Re:3 things to look at by Bishop · · Score: 1

      It is not just your IT dept. Checkpoint has issues. It has always had issues. Earlier versions would even fail into a wide open state.

  7. The perfect firewall by ernest.cunningham · · Score: 5, Informative

    Well, fairly good anyway. Check out Smoothwall Linux Firewall. http://www.smoothwall.org/get/ SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.

    1. Re:The perfect firewall by skogs · · Score: 2, Informative

      I second this vote for smoothwall.

      The corporate friendly version with everything fully configured/implemented for you is a good decision. This requires some $$, and less time.

      Or, you can roll your own with the smoothwall express 2.0. I run it with the DansGuardian content filter - gets rid of ads and other pr()n and stuff. Also have several mods on it. Really, visit the homebrew forum and you can do anything with it. This of course, requires no $$, and more time.

      --
      Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
    2. Re:The perfect firewall by xiao_haozi · · Score: 1

      Yeah, I agree as well... could also try monowall. I have been using monowall for a network of about 15 or so machines and have had great success so far (over a year or so). As for the configuration, it can easily be had by way of the GUI just like smoothwall, and allows for access to a command line for more advanced configuration if need be. And lastly, I have found the mailing list to be extremely helpful and one of the most prompt in terms of responses to questions and comments. Definitely worth a shot as it will cost next to nothing.

    3. Re:The perfect firewall by DigiShaman · · Score: 1

      I've played around with Smoothwall a few times. It's got my vote.

      Now only if someone could create a "smooth file server" to share and set permissions with ease via HTML GUI. If anyone knows of such an animal, please do tell!

      --
      Life is not for the lazy.
    4. Re:The perfect firewall by lnx_daemon · · Score: 0

      I also put a vote in for Smoothwall. I never used the commercial version, but the "Express" version did really well and was really easy to maintain.

    5. Re:The perfect firewall by the_crowbar · · Score: 1

      I would also vote for SmoothWall. We have been testing their Advanced Firewall product at work. We were running an old PC with Debian and some custom IPTables rules I put together. Our company size has expanded and those that work for me lack the technical skills to understand how a firewall works. SmoothWall has an easy enough web gui that I can walk someone through what to change while I'm on the road.

      The product does cost money, but we also have several SonicWALL firewall appliances and the SmoothWall I feel is a better value.

      I just emailed the link on their website http://www.smoothwall.net/ and they had a reseller contact me. I was able to get a 30 day eval and then they even extended that for 15 days for me.

      One nice thing about their licensing is they encourage you to have another install with the same license ready as a hot swap spare in case of hardware failure.

      We run some unusual configurations (57 remote sites mesh vpn setup) and their support has been very helpful.

      Thanks,
      the_crowbar

      --
      Have you read the Moderator Guidelines
  8. Astaro by Anonymous Coward · · Score: 3, Informative

    1. Re:Astaro by pookemon · · Score: 2, Informative

      I'm curious as to why this was modded "Funny". One (maybe more) of our clients runs Astaro v6 and it seems to run fine. The only gripe I've had with it is that I couldn't do a port forward and translation at the same time (ie. If I want a client to connect on port 12345 and forward the traffic to machine x on port 1234 then it wouldn't do it) - mind you that was an older version and I haven't tried since. It's easy to configure and handles large amounts of traffic - but apparently it's funny...?

      DISCLAIMER: I'm not the admin - I have simply used it on occasion when I needed to change/setup port forwarding...

      --
      dnuof eruc rof aixelsid
    2. Re:Astaro by Atticka · · Score: 0

      I second this.

      I work for a large reseller and we recommend the Astaro firewalls to our clients. Their latest V7 is fantastic, I run their free (for personal use) at home.

      Astaro is one of the few firewalls available with a built-in hard drive; with this you can set up proxy services and file/email quarantine (with a user web portal). Additionally, Astaro is almost completely open source running Linux (source code available for all open source packages).

      For this number of users, probably looking at the Astaro 220 appliance.

      --
      No sig here...
    3. Re:Astaro by Atticka · · Score: 0

      Version 7 allows you to do more advanced port forwarding/translation, also adds a lot more functionality in general.

      --
      No sig here...
    4. Re:Astaro by itwerx · · Score: 1

      Watchguard is decent, though their low end boxes use a proprietary VPN protocol. And their LiveSecurity scanning isn't quite the cat's pajamas they present it to be, (but it doesn't hurt anything either).

    5. Re:Astaro by sheddd · · Score: 1

      Ditto; using Astaro here for ~100 machines. Works pretty well; isn't free. It needs some horsepower if you're using a lot of the antispam features. Ours needs ~2GB of RAM.

      On some other networks I'm pretty happy with ipcop (free).

  9. I, for one, endorse McAfee by Anonymous Coward · · Score: 1, Funny

    'Nuff Said.

  10. Windows Computers by Anonymous Coward · · Score: 5, Funny

    Computers with Microsoft Vista make the best firewalls. Let's say you have a large boiler room, and you really want to keep the heat contained. A good thick layer of 3-4 PCs with Vista Home Premium (or 2-3 PCs with Vista Ultimate) will keep just about anything contained. Please note that Vista Home Basic isn't really suitable for this job in any thickness, as it will tend to burn and contribute to the problem.

    Oh, and don't forget to apply a generous coat of anti-virus paint every morning!

    1. Re:Windows Computers by nacturation · · Score: 4, Funny

      Computers with Microsoft Vista make the best firewalls. The network interface received an incoming packet.

      [Cancel] or [Allow]
      --
      Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  11. We use one by realmolo · · Score: 4, Informative

    We have a Fortigate 400, and we love it. It's damn near perfect. I recommend them to EVERYONE who is in the market for a high-end firewall appliance.

    Truly, it's the best thing on the market right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.

    They really need better marketing, because few people even know they exist, which is too bad.

    So yeah, you should get one.

    1. Re:We use one by NetJunkie · · Score: 1

      What does it do that a PIX or NetScreen doesn't?

    2. Re:We use one by Anonymous Coward · · Score: 0

      The Fortigate units are faster, easier to use, support more functionality, and cost less than the equivalent PIX. In fact, the Cisco PIX series lags behind pretty much everything else in any metric I can think of.

      I can't speak for the Netscreen, as I've never used them, but I've been very pleased with Fortinet.

    3. Re:We use one by Anonymous Coward · · Score: 0

      ISS offers some great firewalls, and some of their routines block viruses and hacks that don't have sigs yet (that's read heuristics)... just my 2 cents :)

    4. Re:We use one by CFrankBernard · · Score: 3, Informative

      Fortinet was founded in 2000 by Ken Xie, founder of NetScreen, which was later sold to Juniper for $3.5B.
      Fortinet was accused of using the Linux kernel in FortiOS w/o credit:
      FORTINET VIOLATES GENERAL PUBLIC LICENSE IN SECURITY PRODUCTS

    5. Re:We use one by curiosity · · Score: 1

      It does A/V in a hardware chip at line speed, and they don't nickel and dime you for the services. Everything just comes with the box without per-seat license fees.

      They're also a great company to work with, compared to your Cisco or Juniper sales/SE teams, which in my experience tend to suck.

      We use Fortigates throughout our large managed services network.

    6. Re:We use one by AlphaSys · · Score: 1

      Yes, they were, and they re-wrote most of their stack to deal with it. They're still one of the best of breed. You just can't match their features for the money. I deploy about 50-60 of their units a year.

      --
      Can I bum a sig? I left mine at the office.
  12. Firewall by Anonymous Coward · · Score: 0
  13. It might be carcinogenic by andy314159pi · · Score: 3, Funny

    Even though it's carcinogenic, I recommend asbestos. It's one of the best thermal insulators known and if you don't rip your walls open you'll never breath it in.

  14. Quick and easy, or take your time? by Anonymous Coward · · Score: 0

    If you needed something set up rather quickly, I would go with something like m0n0wall (http://www.m0n0.ch/wall/). Or, if you wanted to take your time, build a custom firewall off of OpenBSD (you know, only two remote exploits found in 10 years ;-) ).

    ~Alan

  15. pfsense by linuxtelephony · · Score: 1

    A pair of computers with extra NICs and you can have a redundant firewall.

    --
    . 62,400 repetitions make one truth -- Brave New World, Aldous Huxley
  16. Air Gap by Carnildo · · Score: 0

    I've always favored an Air-Gap brand firewall.

    --
    "They redundantly repeated themselves over and over again incessantly without end ad infinitum" -- ibid.
    1. Re:Air Gap by Anonymous Coward · · Score: 0

      Security as a disabler. Nice.

  17. ug by Anonymous Coward · · Score: 1, Insightful

    we have Cisco PIX everywhere but would dump them for OpenBSD & PF in a heartbeat

  18. Firewall Recommendations by Whuffo · · Score: 2, Insightful

    More than one, with the firewalls all as different from each other as possible. Hackers do find and exploit bugs in commercial firewalls, so when they breach the one facing the internet there's another level of protection. Widely differing firewalls in series greatly reduce the chance of anyone breaking in. The number of series firewalls depends on your security needs. Note well: if you're depending on one commercial firewall to protect your business - you will be hacked. You probably have been already. Equally critical is proper firewall configuration. Deny all traffic by default - only allow needed traffic. Always keep in mind that any program can use any (or all) ports for communication. If you're not an expert in information security / firewall configuration, hire one to do it for you.

  19. IPCOP by brenddie · · Score: 2, Informative

    IPCop is a very secure and flexible firewall, plus it's open source. It runs on all kinds of hardware: normal PCs, boards with CF cards, servers. A vanilla installation is full of features like VPN, QoS, IDS and a web proxy, and by using addons you can add stuff like detailed proxy reports, content filtering, traffic monitoring and a lot more.
    You can find it at http://ipcop.org/
    Their mailing list is pretty active and full of helpful people.
    If you have a spare PC and some network cards give it a try.

    --
    The best test environment is production. - Me
    chrome://browser/content/browser.xul
    1. Re:IPCOP by Anonymous Coward · · Score: 0

      Their site runs PostNuke. I highly question their competence in regards to security.

  20. MCP. by Anonymous Coward · · Score: 0

    "Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

    I'd recommend the one in Tron 2.0

  21. We use Fortinet by Anonymous Coward · · Score: 1, Informative

    We use 2 Fortinet 400's in HA mode in our production environment and a 300 in our corporate office. I've been fairly satisfied with them. The firewall functionality itself is great. The GUI makes managing rules simple. No complaints with the AV or IPS functionality, although the IPS isn't as good as any of the dedicated IPS appliances I've tested. I am not a fan of the web content filtering. I have never been able to get it to work even after repeated troubleshooting sessions with the support team. Never used the antispam functionality, so no opinion on that one.

    The one thing I would say you definitely want to make sure you understand is the ongoing costs for the annual maintenance subscription. The web content filtering alone is $3k per year per device.

    I'm afraid I got stung by that and it was definitely a lesson I've learned. Even without web content filtering, it costs $16k a year to renew my maintenance (8x5 phone support, NBD advance exchange replacement, AV and IPS signature updates, firmware upgrades). If you aren't comfortable rolling your own solution or, for whatever reason, need to use a commercial product, I think they're fine. But know that you're going to pay for it, literally.

  22. OpenBSD + PF by grub · · Score: 4, Informative

    We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

    Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
    in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.

    We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPSEC although OpenVPN is a serious contender as we use that for the road warriors already.

    It pisses me off to no fucking end that firewalls capable of gigabit (we're a bunch of research labs on CANARIE) from Cisco will each take a big bite from my budget, just to have the "Cisco" brand on it.
    nb: I do love their routers and switches. Their firewalls are overpriced and underwhelming.

    --
    Trolling is a art,
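The %PIX-4-407001 line grub quotes is worth parsing rather than just scratching your head at: each line names one inside host that was refused because the licensed host count was exhausted, and the quoted line also shows the PIX's own clock (14:46:16) running 51 seconds ahead of the syslog server's (14:45:25), which matters the moment you try to correlate firewall logs with anything else. The following is an added example, not code from the post or from Cisco: it assumes the syslog layout exactly as quoted (receiver timestamp, device address, device timestamp, then the %PIX message) and runs over constructed sample lines using documentation and RFC 1918 addresses.

```python
import re
from collections import Counter
from datetime import datetime

# The line quoted in the post above (addresses anonymised by the poster).
QUOTED_LINE = ("Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: "
               "Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded")

# Constructed sample log (RFC 5737 / RFC 1918 addresses, made-up timestamps).
SAMPLE_LOG = """\
Mar 28 14:45:25 192.0.2.1 Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:10.0.0.51, license limit of 50 exceeded
Mar 28 14:45:26 192.0.2.1 Mar 28 2007 14:46:17: %PIX-4-407001: Deny traffic for local-host inside:10.0.0.52, license limit of 50 exceeded
Mar 28 14:45:26 192.0.2.1 Mar 28 2007 14:46:17: %PIX-4-407001: Deny traffic for local-host inside:10.0.0.51, license limit of 50 exceeded
Mar 28 14:45:30 192.0.2.1 Mar 28 2007 14:46:21: %PIX-6-302013: Built outbound TCP connection 4711 for outside:203.0.113.9/80 (203.0.113.9/80) to inside:10.0.0.7/51515 (198.51.100.2/51515)
"""

# <receiver timestamp> <device> <device timestamp>: %PIX-<severity>-<msgid>: <text>
SYSLOG_RE = re.compile(
    r"^(?P<recv>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<device>\S+) "
    r"(?P<dev_ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%(?P<platform>PIX|ASA|FWSM)-(?P<severity>[0-7])-(?P<msgid>\d{6}): (?P<text>.*)$"
)

# Body of 407001: the host that was refused and the licensed limit.
LICENSE_DENY_RE = re.compile(
    r"^Deny traffic for local-host (?P<iface>[^:]+):(?P<host>\S+), "
    r"license limit of (?P<limit>\d+) exceeded$"
)


def parse_line(line):
    """Return the fields of one PIX syslog line, or None if it does not match."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    try:
        dev_ts = datetime.strptime(re.sub(r" +", " ", rec["dev_ts"]), "%b %d %Y %H:%M:%S")
        # The receiver stamp carries no year; borrow it from the device stamp.
        recv = datetime.strptime(f"{dev_ts.year} " + re.sub(r" +", " ", rec["recv"]),
                                 "%Y %b %d %H:%M:%S")
    except ValueError:
        return None
    rec["dev_time"], rec["recv_time"] = dev_ts, recv
    return rec


def summarize_license_denies(log_text):
    """Count 407001 denies per inside host and report device/receiver clock skew."""
    denied = Counter()
    limit = None
    skews = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        skews.append(int((rec["dev_time"] - rec["recv_time"]).total_seconds()))
        if rec["msgid"] != "407001":
            continue
        d = LICENSE_DENY_RE.match(rec["text"])
        if d is None:
            continue
        denied[d["host"]] += 1
        limit = int(d["limit"])
    return {
        "limit": limit,
        "deny_count": sum(denied.values()),
        "denied_hosts": dict(denied),
        "clock_skew_seconds": max(skews, key=abs) if skews else None,
    }


if __name__ == "__main__":
    print(summarize_license_denies(SAMPLE_LOG))
```

The number of distinct hosts in `denied_hosts` tells you how far over the licensed count the segment actually is, which is the figure you need before deciding whether an unrestricted license or a different box is the cheaper fix; a non-zero `clock_skew_seconds` is the cue to put the firewall on NTP before its logs are needed for anything forensic.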
    1. Re:OpenBSD + PF by Anonymous Coward · · Score: 0

      I don't know about OBSD though. When you start talking gigabit (especially multiple gigabit networks) then OpenBSD doesn't seem that attractive. It's fairly slow considering what's available nowadays. I don't know if you will get maximum throughput on OpenBSD.

    2. Re:OpenBSD + PF by Sancho · · Score: 1

      You won't get those kinds of speeds on any PC platform without some sort of dedicated firewall on your NIC (so that you can avoid the PC's bus). In practice, you might get as much as 300Mbps.

      Basically, once you start getting into those speed ranges, you need an appliance.

    3. Re:OpenBSD + PF by Anonymous Coward · · Score: 0

      You won't get those kinds of speeds on any PC platform without some sort of dedicated firewall on your NIC (so that you can avoid the PC's bus). In practice, you might get as much as 300Mbps. Basically, once you start getting into those speed ranges, you need an appliance. I think you need to read the throughput capabilities of PCI-X and PCI-Express. They can easily sustain a few Gbps of network traffic if you use multiple NICs on dedicated/separate buses. The vast majority of security "appliances" are usually a modified PC platform (with the exception of Fortinet) and may have limited ASIC assistance (Cisco -- sucks, btw). You are generally better off using software firewalls on a fast PC server if you want unbeatable throughput.

    4. Re:OpenBSD + PF by tom1974 · · Score: 1

      We had a couple of PIXes which I upgraded from a maximum of 10 connections to unlimited, and it never cost me more than £200 to £300.

      Mostly 506e and 501 though.

    5. Re:OpenBSD + PF by slick · · Score: 1

      That is so much bull that I have to reply to it. We use a Linux distribution called Bifrost (http://bifrost.slu.se) and with our new server (a 2 GHz Xeon) with four gigabit Ethernet ports we easily push 800Mbps, and that's with a lot of iptables rules.

    6. Re:OpenBSD + PF by Sancho · · Score: 1

      Can you give me more details on your hardware, then? All my tests have indicated that the bus was our limitation, so if you've overcome that limitation, it would be useful for me to know more.

      Also, I assume that is bridging, not routing?

    7. Re:OpenBSD + PF by slick · · Score: 1

      It's nothing special.

      This is the motherboard specification:

      1. Xeon® 3000 Series, Core2 Extreme, Core2 Duo, Pentium® D, Pentium 4, Pentium Extreme Edition & Celeron D in LGA775 package (FSB 1066/800/533)
      2. Intel® 3000 (Mukilteo-2) chipset
      3. Up to 8GB unbuffered ECC / non-ECC DDR2 667/533 SDRAM
      4. 4x Intel® 82573V/L PCI-e Gigabit LAN ports
      5. Built-in SATA ICH7R controller, 4x SATA (3 Gbps) drives with RAID 0, 1, 5, 10 support
      6. 1x 64-bit 133MHz PCI-X, 1x 32-bit 33MHz PCI
      7. On board XGI Volari Z7 graphics
      8. IPMI 2.0 support (AOC-IPMI20

      It is routing and doing address translation.

    8. Re:OpenBSD + PF by scottv67 · · Score: 1

      We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

      Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded

      in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.


      I laughed when I read your message. You spent THOUSANDS of dollars and you wonder why you don't have unlimited users allowed through your firewall. I've never seen the PIX syslog message that you listed above (and I've worked with a lot of PIX firewalls). I've never deployed a firewall with a limited user count (unless you count the 10-user Netscreen 5GT and PIX 501 in my home network). Step up to the big leagues and pay for the unlimited platforms. When you say "THOUSANDS of dollars" in a firewall conversation, the first thing that comes to mind is that I think that's a pretty good deal for annual maintenance, not the total cost of purchasing the firewall hardware itself. You'd wet yourself if you saw our annual Secure Computing support cost (Sidewinder G2s).

    9. Re:OpenBSD + PF by Anonymous Coward · · Score: 0

      Prob something like this, perfect for firewalls:
      http://www.supermicro.com/products/motherboard/PD/E7230/PDSMi-LN4.cfm

    10. Re:OpenBSD + PF by grub · · Score: 1

      Straight goods: I inherited most of the hardware and licenses; the limited versions are ones at smaller labs which have grown. I was quite taken aback when I saw that in the syslogs. To get an unlimited user license isn't a lot more money but, come on, that's just an arbitrary limit to suck more money out of the end user. An unlimited 525 will set you back several $K.

      That all said, on our test bench we've had great luck with connecting OpenBSD's IPSEC to Cisco's IPSEC. There were a few warts but overall it's painless so a transition should be simple. (I won't go on a limb and say "nothing could possibly go wrong!" though ;))

      --
      Trolling is a art,
    11. Re:OpenBSD + PF by grub · · Score: 1

      Sorry, I may have written that in a confusing way. What I meant was it was nuts that a PIX 525, 535, blade module, whatever, that was thousands of dollars needed even more cash to handle unlimited users.

      My mistake.

      --
      Trolling is a art,
  23. Perhaps FreeSCO? by Xiph1980 · · Score: 1

    Well, it may be a bit ghetto, but you could take a look at FreeSCO and assorted add-ons.
    I used it as a firewall/router for a small network (6 users using p2p, ftp, ssh, web etc, the whole shebang) on a pentium 75 with 16MB memory for quite some time and never had any issues with it.

    FreeSCO: http://www.freesco.org/
    FreeSCO add-ons: http://www.freescosoft.org/

    --
    Manuals are your last resort only
    1. Re:Perhaps FreeSCO? by couchslug · · Score: 1

      Runs well off a CF card, as does m0n0wall, etc.

      You can also Ghost or dd an image of the CF card to load more systems or as backup.

      I partitioned my CF card so I could Ghost the OS partition easily.
      The CF card adapter is mounted in an old IDE swap rack. Pull rack, pull card, copy Ghost image using a card reader in another box.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  24. Sonicwall? by Southpaw018 · · Score: 1

    Anyone have experience with the Sonicwall PRO series?

    --
    ACs are modded -6. I don't read you, I don't mod you, I don't see you. Don't like it? Don't be a coward.
    1. Re:Sonicwall? by Anonymous Coward · · Score: 0

      Sonicwall is ok, but not great. Buy one a size bigger than you think you need and they work really well.

    2. Re:Sonicwall? by afidel · · Score: 1

      Love em, especially with the Advanced OS, without it I would take a PIX but the advanced OS gives me all the flexibility I need with a MUCH easier to manage interface. Managing a large number of them is easy with the Global Management System. For a small office the AV subscription service is nice because it enforces client updates without the need for an IT person to hound the users or checkup on them.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    3. Re:Sonicwall? by Custard · · Score: 1

      I have managed a couple Sonicwalls. I generally use them since I have been using them since the beginning. Support sucks beyond recognition but you generally don't need them.

      I played with Fortigate when they first came out. Back then the sales story was that they were using an ASIC to do malware scanning. They were aggressive getting into the market and were more than happy to loan me gear. Of course being local and having been referred by their investors probably helped.

      I set up some on my home cable modem and pumped bit torrent traffic through them. They crashed pretty regularly. I'm sure that has changed but they really didn't like heavy loads. I put in a SonicWall for comparison and it had no trouble with the traffic.

      The low end SonicWall (TZ170?) feels underpowered to me, the UI is slow, but seems to work well as a firewall.

      I always like to buy the antimalware package and I haven't had a spyware infection at a client where they have purchased it. The antivirus has as many false positives as it does hits but generally it doesn't block anything I care about. They claim to use the clam database but clam blocks things that they don't. Still, having *all* streams scanned, not just email, is reassuring. I also have them block java, ActiveX and packed executables. It blocks IRC by signature as well as port which should throw alerts if a client gets a typical bot.

      I have not used the standard OS in years. No experience, sorry.

      You are probably OK with any of them. PIX, Fortigate, WatchGuard, NetScreen (do they still exist?), SonicWall, or whatever. Each has quirks so once you choose a brand you should stick to it but they are all appliances. None are head and shoulders above the others.

      I love CheckPoint (I used to be certified but I let it lapse) but if you don't know why you need CheckPoint you don't need CheckPoint. Back in the day it was a lot more reliable, in my experience, running on Sun than on the Nokia appliance. I liked the idea of the appliance but the three I worked with were all a little flaky.

      Have fun and don't put too much trust in your firewall.

      Dan

    4. Re:Sonicwall? by Anonymous Coward · · Score: 0

      Pros:
      - simple!
      - wireless APs: simple!
      - all the features a SOHO needs, incl VPN and AD integration

      Cons:
      - expect about 2-3 years of life before upgrading or being forced to
      - not a packet shaper

      Recommendations:
      - avoid TZ series completely; even in a small office, spring for at least the PRO 2040
      - I second the advice: buy one model up from what you think you'd need
      - pay the money for the Enhanced firmware; Std is slower and not granular enough with NAT and firewall policies

    5. Re:Sonicwall? by Dadoo · · Score: 1

      I'd have to agree with the guy above, who said to get a bigger one than you think you need. The thing that really pissed us off is that you can only define a limited number of custom services (TCP ports). If you run out, you have to buy a new firewall.

      --
      Sit, Ubuntu, sit. Good dog.
  25. More info needed... by WK2 · · Score: 0

    You didn't really say anything about your networking needs. Is this firewall just to allow the 12 employees to search the internet and communicate with customers? Will you be running web and ftp and game servers behind this firewall? How do your 400 customers factor in? Will they be using your network? How many of them will be accessing it? Are they tech customers, or do you sell something non-computer related?

    When asking for a recommendation on a network product, it is important to specify your networking needs.

    --
    Write your own Choose Your Own Adventure. http://www.freegameengines.org/gamebook-engine/
  26. "Air" Gap by Anonymous Coward · · Score: 0

    Is that why you're wearing headphones?

  27. 3com Tippingpoint X505 or X506 by mdboyd · · Score: 1

    We have a Tipping Point X505 at work and so far it has been doing very well for us. Keep in mind, our traffic is less than or equal to our T3 (about 40Mb/s max). In addition to firewall features, this is also an Intrusion Prevention System. The only snags we've run into have been with the setup. We've had very few issues besides that. We even used its VPN capabilities to connect to the network from home.

  28. But what exactly? by kosmosik · · Score: 1

    A firewall, technically speaking, was always simply a filter for low-level network traffic. Like open this port for this IP and DROP everything else. Right now I see the term "firewall" has evolved to mean everything that does border security (firewall, proxy filtering, NIDS, monitoring etc.). So I guess you should be asking about a security appliance...

    According to their description here - http://www.fortinet.com/products/telesoho.html - it does lots more than a firewall:

    "These [...] systems deliver [...] security services - including *firewall*, VPN, intrusion prevention, antivirus, web filtering, and traffic shaping [...]"

    I've cut the marketing shit with square brackets. As for a pure firewall I think it would be better with a Linux box and iptables or BSD ipfw - more flexible. But as an entire appliance this is probably OK.

    Anyway, as always, the basis of security is that you understand what it does - not just flip a big switch labelled SECURITY ON and hope it does what you think it is doing.

  29. IPCop again by taustin · · Score: 1

    I would also recommend IPCop (http://www.ipcop.org/) It has been rock solid for me, with eleven locations, and it's actively supported. It runs on nearly anything (I believe you actually need a Pentium now, but 1.3 ran on 486s), and best of all, it's free. That means you can experiment with it on an old PC at no cost other than time (and maybe a cheap-ass network card or two). At the very least, it's a great way to evaluate the idea of a Linux based firewall, even if you end up going with something else.

  30. gentoo linux by stratjakt · · Score: 1

    seriously, i made my firewall out of that shit

    what kind of an asshole am i?

    you know, squid, openvpn, old emachine with an extra nic

    lool :) smiley face

    --
    I don't need no instructions to know how to rock!!!!
  31. Brazil Firewall and router by bobbonomo · · Score: 0

    Brazil Firewall and Router is Linux based with a front end similar to any commercial firewall/router box bought in stores. It is free and supported in many languages from a forum portal http://www.brazilfw.com.br/forum/portal.php

    It is similar to IPcop and can run from a floppy or HD. For a 12 employee shop it is perfect. There are numerous addons provided in the forum download area.

    Does this sound like a commercial?

  32. Some people can screw up anything by mungtor · · Score: 2, Interesting

    It's your IT department.

    Checkpoint is stable, secure and has an excellent track record. If you actually have to administer the firewall, the Checkpoint GUI is second to none. Simple, intuitive, everything you could want. SecuRemote isn't any more annoying than most other VPN clients. Of course, none of that comes cheap. Checkpoint (especially on Nokia hardware) is the most expensive choice by far.

    Juniper seems to make a pretty good device. I've been running a Netscreen 208 and a Netscreen 50 for a while now and they haven't given me any grief. It was like going back in time to get used to the GUI, but Checkpoint pretty much spoils you for anything else. Logging is pretty good on the Netscreen, and permanent VPN tunnels (IPsec) seemed to be a little easier to build than with the Checkpoint FW.

    Fortinet works well too, but it's a pain in the ass to set up. When my last company migrated from Checkpoint to a Fortinet (as an asinine budget-driven decision) it took 4 separate "policies" to accomplish what could be done in one rule in Checkpoint.

    If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.

    1. Re:Some people can screw up anything by Pedersen · · Score: 3, Informative

      It's your IT department.

      Checkpoint is stable, secure and has an excellent track record.

      We have problems with the Checkpoint/Nokia combo as well. I'll admit it: it's at least partially because my training with the system has amounted to "I wonder what this button does?". However, it is mostly stable, mostly functional. But, when there is a problem, I get to make the call I dread the most: I call Checkpoint customer support.

      Why do I dread this call? I have zero options. I'll get a call back. If I've got a severity 1 issue (my company is down, unable to access the internet, web site sales are shut down because of it, I need help fixing this now!), the best I can hope for is to get a call back within the hour. I've opened up lesser issues, and not even gotten a call back. Found the answer within a day of searching the net, and appended a note to my ticket that I appreciated their lack of response, but that the issue was now fixed, so they could close it. And the whole reply to that was a "heartfelt" apology.

      The software may well be great. The devices may well be solid. But the customer support? I've gotten more (and more useful!) answers from Microsoft's web site than I have from the Checkpoint people. Based on that alone, I would never recommend buying their software.

      Note: I have no problem with paying for software. I have no problem with paying for support. I have no problem with using software that is unsupported in any official manner (much FOSS stuff, for instance). I do have a problem with paying for software, then paying for support, and not being able to get it when I have to have it.

      --

      GPL made simple: What was my stuff is now our stuff. If you improve our stuff, please keep it our stuff.
    2. Re:Some people can screw up anything by Kohath · · Score: 2, Insightful

      Is there any way to get internal DNS to work for VPN users? Our IT Dept. can't do it.
      Is there any way to get it to authenticate VPN to Windows Active Directory in a company with multiple Active Directory domains? Our IT Dept. can't do it.
      Also, Secure Remote pops up and asks for a password about 20 times an hour unless Auto Login is enabled. Any ideas?
      Not to mention the "if you tell Secure Remote to connect to site A, then you can't access systems at site C" problem. That's too complicated.

      Is there any way I can find out these answers myself so I can tell our IT Dept. how to do their jobs? One problem I have with the system is that there doesn't seem to be any readily-available documentation I can download and read.

      If it's such a good system, then these types of questions shouldn't be impossible to answer like they apparently are for us. Maybe there's an extra "make it not completely suck" option we decided to save money on? Because it completely sucks for us.

    3. Re:Some people can screw up anything by Anarke_Incarnate · · Score: 1

      SecuRemote/SecureClient sucks hard big balls. My company still uses CP for our firewall, but we have replaced that horrid VPN client (constantly broke remote users' network settings) with a Juniper SSL VPN. However, the Cisco VPN clients we have used sucked harder, so perhaps you were right in saying that they were not worse than others.

    4. Re:Some people can screw up anything by Anarke_Incarnate · · Score: 1

      Split tunnels do that. My company uses a Juniper/Netscreen/Neoteris SSL VPN (they were progressively bought out, originating as Neoteris, then Netscreen, then the Juniper IVE SA series). They ROCK. You have a "clientless" VPN that can support multiple users without having to configure a client on the remote machine. They log into a web portal and then can launch (or your policy can auto-launch) Network Connect. It is unobtrusive and very friendly (except a minor bug that can cause problems if you lose your connection and the IVE box thinks the connection is active. Then you won't get another connection, but that is rare). It supports Mac OS X, Linux, Windows 2000/XP etc. All you need is a browser with either ActiveX (bleh) or Java. You could even send the user the small binaries that the IVE installs and they don't have to go to the webpage. It is very granular and plugs in with other directory services (Active Directory, etc) or RADIUS, local users, whatever.

    5. Re:Some people can screw up anything by lactose99 · · Score: 1

      If you actually have to administer the firewall, the Checkpoint GUI is second to none.

      I find that Firewall Builder, while having an interface similar to the CheckPoint GUI, is more robust. Plus it gives the added benefit of multiple firewall backends including pf, ipf, ipfw, iptables, and Cisco PIX. The new queuing and rule options available with the 2.1.x series alone are worth taking a look at. Plus the file format is an open XML-based format and the output rule files are actually quite readable.

      --
      Fully licensed blockchain psychiatrist
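Three points raised in this thread come together in one small piece of code: Whuffo's "deny all traffic by default, only allow needed traffic", pookemon's port-forward-with-port-translation case (connect on 12345, deliver to machine x on 1234), and lactose99's point that a backend-neutral policy can be compiled to several firewall languages. The example below is added here and is not Firewall Builder's code, nor anything from the posts: it keeps a tiny rule model and emits a classic pf.conf (the pre-OpenBSD 4.7 layout with separate `rdr` rules; 4.7 and later fold translation into the `pass` rule as `rdr-to`) and the equivalent iptables commands for a filtering router. Interface names (`ext0`), the addresses and the policy itself are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One backend-neutral policy entry.

    A rule with rdr_to/rdr_port is a port-forward: packets arriving on iface
    for dst:dport are rewritten to rdr_to:rdr_port and then allowed through.
    """
    iface: str
    proto: str                    # "tcp" or "udp"
    src: str                      # CIDR, or "any"
    dst: str                      # destination the client actually connects to
    dport: int
    rdr_to: Optional[str] = None
    rdr_port: Optional[int] = None


def validate(rules: List[Rule]) -> None:
    """Reject entries neither backend could express correctly."""
    for r in rules:
        if r.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported proto {r.proto!r} (only tcp/udp here)")
        if not 1 <= r.dport <= 65535:
            raise ValueError(f"bad port {r.dport}")
        if (r.rdr_to is None) != (r.rdr_port is None):
            raise ValueError("rdr_to and rdr_port must be given together")
        if r.rdr_port is not None and not 1 <= r.rdr_port <= 65535:
            raise ValueError(f"bad rdr port {r.rdr_port}")


def _target(r: Rule):
    """Address/port the filter rule must match: post-translation for forwards."""
    return (r.rdr_to, r.rdr_port) if r.rdr_to else (r.dst, r.dport)


def to_pf(rules: List[Rule]) -> List[str]:
    """Emit a classic (pre-OpenBSD 4.7) pf.conf: options, translation, filter."""
    validate(rules)
    out = ["set skip on lo0", "set block-policy drop"]
    # Translation is applied before filtering, so rdr rules come first and the
    # pass rule further down refers to the *translated* destination.
    for r in rules:
        if r.rdr_to:
            out.append(f"rdr on {r.iface} proto {r.proto} from {r.src} to {r.dst} "
                       f"port {r.dport} -> {r.rdr_to} port {r.rdr_port}")
    # Default deny. pf is last-match-wins, so the block comes first.
    out += ["block all", "pass out all"]
    for r in rules:
        host, port = _target(r)
        out.append(f"pass in on {r.iface} proto {r.proto} from {r.src} to {host} port {port}")
    return out


def to_iptables(rules: List[Rule]) -> List[str]:
    """Emit iptables commands for a filtering router with the same semantics."""
    validate(rules)
    out = [
        "iptables -P INPUT DROP",
        "iptables -P FORWARD DROP",
        "iptables -P OUTPUT ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        src = "" if r.src == "any" else f"-s {r.src} "
        if r.rdr_to:
            out.append(f"iptables -t nat -A PREROUTING -i {r.iface} -p {r.proto} {src}"
                       f"-d {r.dst} --dport {r.dport} -j DNAT "
                       f"--to-destination {r.rdr_to}:{r.rdr_port}")
        # DNAT runs in PREROUTING, before FORWARD, so FORWARD sees the new destination.
        host, port = _target(r)
        out.append(f"iptables -A FORWARD -i {r.iface} -p {r.proto} {src}"
                   f"-d {host} --dport {port} -j ACCEPT")
    return out


# Constructed sample policy (RFC 5737 / RFC 1918 addresses, hypothetical names).
POLICY = [
    Rule("ext0", "tcp", "any", "10.0.0.10", 25),                         # SMTP to the relay
    Rule("ext0", "tcp", "198.51.100.0/24", "10.0.0.20", 22),             # admin SSH, one partner net
    Rule("ext0", "tcp", "any", "192.0.2.10", 12345, "10.0.0.5", 1234),   # forward + port translation
]

if __name__ == "__main__":
    print("\n".join(to_pf(POLICY)))
    print()
    print("\n".join(to_iptables(POLICY)))
```

The point to take from the two outputs is that both backends filter on the post-translation address, so the "forward 12345 to x:1234" case is a single rule in the policy and becomes exactly one translation line plus one pass line per backend; everything not listed falls through to the default deny, which is the property a generated ruleset should be checked for before it is loaded.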
    6. Re:Some people can screw up anything by Cybersonic · · Score: 1

      I second this - Juniper's Secure Access SSL VPN is one kick ass device. The web GUI takes a bit of getting used to (not as intuitive as I would have liked it to be). As far as feature sets are concerned it really is a market leader. (I work for a VAR and I deal with about 80 vendor's products)

      The Java processes create VPN tunnels that work. ActiveX 'W-SAM' and Java 'J-SAM' for TCP-only applications and 'Network Connect' for true IPsec-like emulation (emulates a point-to-point tunnel and gives the client an internal IP address).

      It is not cheap, but worth the price.

      --
      Cybie! aka Ralph Bonnell
    7. Re:Some people can screw up anything by mvdwege · · Score: 1

      I have used Checkpoint on Nokia IPSO, under Provider-1.

      The good:

      • Central management for a lot of firewalls works great. P-1 makes it really easy to push out multiple updates, and using global objects makes it easy to manage large environments with multiple DMZs.
      • The interface for actual policy editing is pretty decent. The thorough support of drag&drop is nice.
      • VPN setup integrates nicely in the policy editor.
      • The log viewer is pretty good, and the next best thing to grepping the logs yourself.

      The bad:

      • Provider-1 is a resource hog. 64 Customer Management Agents will strain a Sun V880 to the limit, and if you're doing any kind of logging, be prepared to invest in some serious SAN architecture, because the logging will saturate your I/O bandwidth and fill your disks.
      • Capacity. As a pure software solution, Checkpoint will be sorely strained when doing a lot of VPN traffic. Fortigate really wins with its custom encryption/decryption hardware.
      • Cost. Not just the licensing of Checkpoint itself, you really need a decent infrastructure to run Provider-1, unless you want to manage each of your firewalls individually. But in the latter case, Checkpoint has no Unique Selling Points over Fortinet.
      • Support. If you want any access to documentation, you must splurge out to get at least your CCSA certificate.

      Overall, Checkpoint has its good points, and in a large enterprise setting where manageability is a selling point, it certainly has the edge over Fortinet. However, in SME settings, the management systems are overkill, and the performance/price ratio of the firewalls themselves does not justify the outlay, IMO.

      Netscreen is the interesting solution. In performance it blows away Checkpoint, while coming close to it in manageability. NSM is a real nice piece of software. If central management of multiple firewalls is a major issue for you, and you don't want to do the outlay for a Checkpoint infrastructure, I'd say go with Netscreen. If all you need is a single firewall, it's a toss-up between a Netscreen and a Fortigate. Depending on your capacity needs, you may want to go for the Fortigate for its hardware acceleration. I'd say, find a good consulting service and have them look at your needs and infrastructure, and based on their advice go with what is best for you.

      As for rule complexity, I've seen things in Checkpoint that were hard to set up that are easy in a Fortigate, mostly because network setup is not done from the Checkpoint policy editor, but must be done on the OS level on the box. Setting up a DMZ using VLANs is a pain in the arse on a Checkpoint/Nokia solution, but easy as pie on a Fortigate. It all depends on what you are used to.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
    8. Re:Some people can screw up anything by scottv67 · · Score: 1

      If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.

      The budget is a big factor. Checkpoint is known for their bend-you-over-the-rail annual maintenance costs. Comparable products from other vendors will not consume so much of your budget when it comes time to renew the support contract.

    9. Re:Some people can screw up anything by itwerx · · Score: 1

      Checkpoint is stable, secure and has an excellent track record.

      Er, no, sorry. I won't argue that Fortinet is great (it's about the same level as Checkpoint in my book) but if you've truly never had any problems with Checkpoint then you're the only installation of it I know of that can make that claim. (And I've been consulting for over 15 years for many hundreds of companies of all sizes including some Fortune-100 with really outstanding IT people).

  33. Know what you need by Anonymous Coward · · Score: 0

    Linux firewalls are great for some things, not so great for others. The big wall we hit was multiple external IP addresses. Take some time to figure out what you need & want; if you buy anything before you know this you will be disappointed.

    1. Re:Know what you need by HeelToe · · Score: 4, Informative

      How do multiple external IP addresses cause an issue? I've been able to successfully have plenty of external IP addresses, and more particularly, multiple internet connections each with its own WAN and/or CIDR block.

      The trick to the former (multiple IPs, one internet connection) is really managing via subinterfaces. Firewall rules to deal with the associated packets are pretty easy. This lets you DNAT things into the appropriate place via iptables. If you want to actually build a DMZ, you could use a proxy arp setup like this: http://www.sjdjweis.com/linux/proxyarp/

      As for multiple internet connections, look into multiple routing tables via the ip command. Example:
      ip route add default via <gateway> table 100

      Then use ip rule statements to choose when to use the particular route tables:
      ip rule add to <destination> table 100
      ip rule add from <source> table 100

      You can also pretty simply setup multiple SNAT rules to SNAT traffic over each link for different purposes. This lets you do things like SNAT to a specific host (read: internet connection) based on protocol, internal source address or destination. Handy for lots of things.

      One nice thing to do with multiple internet connections is to have verbs in your firewall script that will allow you to manually failover your internet connection if one goes down. This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection, but it can let you continue to work with outgoing traffic while the problem is resolved.

      If you're slick, you have your DNS hosted externally and you can then use this to update DNS for the DMZ to an alternate zone which specifies those public facing hosts as existing on the internet connection you just did a failover to. Make sure your A record TTL values are low.

      This leads to a reconfiguration of the DMZ unless you have done full SNAT/DNAT mappings for each DMZ host in the firewall. Doing so can be a lot more work, but you can build a set of symmetric (or controlled in a script by a variable) configurations that swap out the DMZ nat rules so that they exist for one specific internet connection or the other.
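
      The multiple-routing-tables approach with failover "verbs" that the post above describes, written out as an added example script. This is not the poster's own script; the interface names, addresses, table numbers and the choice to pin SMTP to the second uplink are all assumptions made up for the example. Setting DRYRUN=1 prints the ip/iptables commands instead of executing them, so the script can be inspected without root and is what the self-check below uses.

```shell
#!/bin/sh
# Added example: per-ISP routing tables, source-based rules, per-link SNAT
# and a manual failover verb. Topology below is invented for illustration.

WAN1_IF=eth1; WAN1_IP=203.0.113.10;  WAN1_GW=203.0.113.1;  WAN1_TABLE=100
WAN2_IF=eth2; WAN2_IP=198.51.100.10; WAN2_GW=198.51.100.1; WAN2_TABLE=200
LAN_NET=192.168.1.0/24
DRYRUN=${DRYRUN:-0}

# Execute a command, or just print it when DRYRUN=1.
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# One routing table per uplink. The "from <our address on that link>" rule
# makes replies to inbound traffic leave via the ISP they arrived on, and
# the SNAT rule masks LAN traffic with the address belonging to that link.
setup_link() {
    # $1=interface $2=our address $3=ISP gateway $4=routing table
    run ip route replace default via "$3" dev "$1" table "$4"
    run ip rule add from "$2" table "$4"
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$1" \
        -j SNAT --to-source "$2"
}

# Steer one protocol over a chosen uplink: mark it in mangle/PREROUTING and
# select the table by fwmark. The table's own default route does the rest.
pin_proto_to_link() {
    # $1=fwmark $2=proto $3=dport $4=routing table
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p "$2" --dport "$3" \
        -j MARK --set-mark "$1"
    run ip rule add fwmark "$1" table "$4"
}

# The failover verb: repoint the main table's default route. Only outbound
# traffic follows; inbound to DMZ hosts still needs a DNS/NAT change.
failover() {
    case "$1" in
        wan1) run ip route replace default via "$WAN1_GW" dev "$WAN1_IF" ;;
        wan2) run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" ;;
        *) echo "usage: $0 failover wan1|wan2" >&2; return 2 ;;
    esac
    run ip route flush cache
}

up() {
    setup_link "$WAN1_IF" "$WAN1_IP" "$WAN1_GW" "$WAN1_TABLE"
    setup_link "$WAN2_IF" "$WAN2_IP" "$WAN2_GW" "$WAN2_TABLE"
    pin_proto_to_link 2 tcp 25 "$WAN2_TABLE"   # assumption: SMTP always via ISP2
    failover wan1                              # ISP1 is the normal default
}

case "${1:-}" in
    up)       up ;;
    failover) failover "$2" ;;
    "")       ;;   # no verb: only define functions (useful when sourced)
    *)        echo "usage: $0 up | failover wan1|wan2" >&2; exit 2 ;;
esac
```

      Run `DRYRUN=1 sh fw.sh up` first and read the output; the ordering matters, since the ip rules must exist before you expect marked or source-addressed traffic to use the secondary table. A DMZ host only becomes reachable after failover if you also swap its DNAT and public DNS record, as the post notes.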

    2. Re:Know what you need by Anonymous Coward · · Score: 2, Informative

      The big wall we hit was multiple external IP addresses.

      Depending on what you mean by "multiple" (Linux should handle a fair-sized network just fine, though I'm sure someone will pipe up about how he has an entire /8 running through a single box running FooOS and how Linux would have crashed and taken their billion dollar account with it and driven their company into bankruptcy, etc. etc.) and what you intend to do with all those IPs once you have them (load balancing/redundant connections over multiple service providers? NAT?) I'd say that Linux could probably have done what you were looking for, but that there wasn't an easy tool to set it all up other than to issue all of the ebtables/iptables/iproute2/openswan/quagga/etc. commands to get the box the way you wanted.

      Not that much different from operating a Cisco, really, except that Cisco trains and certifies people to know their cryptic commands. I'd say that Linux's true weakness in the routing realm is the commodity hardware people would run it on... nobody's leftover x86 system would be able to handle routing multiple gigabit connections running at full speed with just a few PCI cards and a wish and a prayer.

    3. Re:Know what you need by karnal · · Score: 1

      This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection,

      Routing protocols (namely BGP) should provide assistance with this. In fact, BGP could also handle the outbound traffic unless you have a specific reason to route to a specific destination; even then, you could specify metrics to do that and let the routing protocol take care of fail-over....

      --
      Karnal
  34. Fortinet and Nokia/Checkpoint by jcortez13 · · Score: 1

    We use a Fortigate 200 for the general use internet access (400 users) as you can get AV, IPS and web content filtering. I must say it works well and it's fairly cheap. But for the real work we use the Nokia IP260's with Checkpoint to deploy all of our 3DES VPN tunnels to remote sites. The GUI interface in Checkpoint is just so easy to configure and use. But it is expensive.

    So if all you need is internet access protection then I say go with the Fortigate. If you plan on doing VPNs to remote sites and easier rule configuration then Checkpoint is the way to go.

    my .02

  35. Sidewinder by lcruzrlvr · · Score: 1

    Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&lang=en You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.

    1. Re:Sidewinder by scottv67 · · Score: 1

      Sidewinder from Secure Computing is the only commercially available sidewinder to never have a CERT. http://www.securecomputing.com/index.cfm?skey=20&lang=en You get anti-virus, anti-spam, and the strongest firewall in the world on a single appliance. Hook it into Secure Computing's TrustedSource solution and you will not only have an incredible firewall but you will also stop 99% of Spam (including image spam) from hitting your network.

      ACK! Secure Computing Sidewinders suck! I know first-hand. I have two G2s (in an active/passive cluster) at work. I have a long list of problems that I've encountered with those beasts over the last year. They are going to be replaced soon by a very fast, very capable product from Juniper.

      I am currently running Sidewinder G2 version 6. A few of my problems:

      1. Slow. The Sidewinders (specifically the "proxy" part) are a significant bottleneck in our network.
      2. Email. For a while, certain inbound email messages were being dropped due to a "feature" in Sendmail. The only way to fix the problem was for me to get into the guts of the Sendmail config files and edit things by hand.
      3. Traceroute. Is it too much to ask to be able to run a traceroute *through* a firewall? The Sidewinder G2s do not allow this to happen.
      4. HA: Failover is slow and clumsy. There is no "state table" shared between the Sidewinders so any active TCP connections will get terminated when the failover happens.
      5. Reboot: Certain operations require the firewalls to be rebooted. What???? My PIX or Juniper Netscreen firewalls never pop-up a message saying "That change will go into effect after the next reboot."
      6. The whole "proxy" thing is a pain in the neck. I can't tell you how many IPtables-style rules I have had to create to get around problems caused by the Secure Computing "tcp proxies".
      7. The admin GUI is really nothing to write home about.
      8. Logging. Logging is really, really sucky. Compared to the syslog messages that come from a PIX, the difference between the Sidewinders and a PIX is like night and day.
      9. "Application Defense". Yeah, had to disable that in most places because, believe it or not, every single website on the Internet is not RFC-compliant.
      10. I ran into a situation recently where I wanted to create a tcp proxy for ports 2000-2010. I couldn't do that because earlier I had created a proxy for the single tcp port 2001. What's up with that? I left the tcp proxy in place and then opened tcp 2000-2010 using an IPTables rule.
      That's enough for now. I do have more.

      The Sidewinder G2s will be removed from our network and replaced by high performance firewalls from Juniper. I'm very familiar with ScreenOS and I've seen the Juniper Netscreen HA feature in action. The failover time between two firewalls in an active/passive NSRP cluster is amazing.

      So, we are going to cease being a Secure Computing customer and the Sidewinders (which are really Dell servers running some flavor of BSD) will get turned into test servers (probably get Win2003 server loaded onto them). I will say this for Secure Computing, we have a LOT of RSA tokens and we are taking a very serious look at Secure Computing's Safeword tokens. S.C. has a very nice product in that market.

    2. Re:Sidewinder by lcruzrlvr · · Score: 1

      Scott, Ping me offline at troy.rech at gmail dot com. Would like to discuss these Sidewinder issues with you directly. Troy

    3. Re:Sidewinder by Dadoo · · Score: 1

      Wait... You're going to replace your Sidewinder with a Netscreen box? Are you crazy? I inherited a few Netscreen boxes at my new job and I'm trying to get rid of them as soon as I can. As far as I can tell, they're junk. Sadly, I already replaced a couple of them with a Cisco ASA box, which turned out to be a big mistake... Yuck.

      My next firewall will be an Astaro, like I had at my old job.

      --
      Sit, Ubuntu, sit. Good dog.
    4. Re:Sidewinder by kalmite · · Score: 1

      Rule number 1 about proxy firewalls, they are slow! With that said they are also the most secure option for the network. Of course a pure iptables firewall will be faster (or a Cisco Pix) because it doesn't have to tear down each packet layer by layer, inspect the packet contents, and then rebuild it on the other side. The only time I have had to reboot a Sidewinder is during software updates, and that is because of the trusted OS (role based OS, think LinuxSE on steroids) it is built on (security by design). If a config setting needed a reboot it is probably due to this same reason. If the log for a PIX is mentioned in another post here, then I far prefer the Sidewinder logs to the standard PIX logs. Sidewinders can send their logs out via syslog if you want them to. As far as state tables go, I don't run HA yet, but from the training I got, they are supposed to share the state table or else HA would be worthless... is the heartbeat link set up right? Traceroute should be able to be made to work, never tried though so I can't tell you for certain.

    5. Re:Sidewinder by Vacuum · · Score: 1

      I've got a couple of points to add.

      First is a comment about the stability, we go through periods where we're sending core files to them every other day. So maybe that's what makes them so secure, you can't get through the firewall if it's not up.

      Second point has to do with the level of support. In order to get adequate attention, it frequently requires starting an email thread (screaming bloody murder), with our account manager cc'd.

      I've extensive experience with Check Point Firewall-1 (over-priced and over-hyped) and rarely saw these types of issues.

      I also have moderate experience with Fortinet devices, and that's what I'd lean towards making the choice again...

      --
      -sometimes the majority only means that all the fools are on the same side
  36. Fortigates ROCK by Bretski · · Score: 1

    Ok, enough with the "set up a Pentium II and run Linux+IPChains" or whatever. That's fine for your home, but for a business, spend some money and buy a reliable firewall product with warranty, support and maintenance. Dedicated hardware firewalls will always be my choice for many reasons.

    Fortigates are simply awesome. I've set up and maintained Pix, Checkpoint, Juniper/Netscreen and others, but Fortigate wins hands down in almost any category you choose.

    1. Re:Fortigates ROCK by SanityInAnarchy · · Score: 1

      Dedicated hardware firewalls will always be my choice for many reasons.

      Care to enumerate them?

      I've seen plenty of small businesses (and 400-plus users is still relatively small) run off a similar setup to what you described. Maybe not a Pentium 2, but maybe some stock Dell (couple gigahertz) is still going to be cheaper than a Cisco box. It also doesn't stop you from buying a Cisco box later, if you really want it, but this would be more flexible, cheaper, potentially easier to admin.

      Regarding warranty, support and maintenance: That P2 will run for years and years, and when it finally does break, you can pay some kid $50 to build you a brand new one. Again, probably still cheaper.

      But, I'm not making a judgment -- not really -- I'm still waiting to hear what your reasons are.

      --
      Don't thank God, thank a doctor!
    2. Re:Fortigates ROCK by KingDaveRa · · Score: 1

      I have a few reasons:

      Appliances are always good because they are simple. Say for example, your network guy goes under a bus. Assuming he's at least documented the passwords for the system, somebody will be able to get in, and work on the system. Plus, in the case of Fortinets, they come with a full manual all about the firewall. A custom system (which I personally also have nothing against) based on OpenBSD or something would be much harder for anybody to administer. In that respect, M0n0wall helps though as it is quite similar to the Fortinet stuff.

      Support is a major thing too. If your Firewall appliance starts acting screwy, assuming you bought the support contracts, you can phone somebody and they'll send you a fix quickly. Support for many open solutions is much harder to find. You could mail a mailing list, but you'll get the following replies:

      * Three saying 'check the FAQ'
      * Four or five belittling you for not knowing in the first place
      * A handful of replies with no relevance to your problem.

      This has been my experience with all the *BSDs. There's a lot of pre-written support online, but you have to really go looking for it, and translate what is Unix stuff into networking stuff. I know a few people who know a lot about either one, but not both.

      Appliance solutions can be good for producing complex solutions. It's all point and click, and so you can have a pretty complex system up and running in no time. It's a lot harder to do that with a non-dedicated solution.

      Depending on whose kit you buy also, you get many performance increases from their custom ASIC solutions, which DO make a difference I've noticed. I've had other oddities, in that a linux box running as a L2 bridge inline with the internet connection (it was running ntop), would work perfectly, except it liked to block Amazon. I still don't know why.

      Many of these paid-for solutions also have 'additional' proprietary features I've yet to see elsewhere. Things like Layer-7 firewalling (URL filtering), mail scanning, AV, VPN, etc. It's all there, ready to go. You can do VPNs with OpenSwan and FreeSWAN and the like, but it's damn hard! Appliances have it all set up for you, and I refer you to my first point about it being supportable.

      Also, an appliance firewall is rack-mountable in standard Telco racks, so easier to integrate. Plus, many of them have failovers and redundancy built right in, which an old P2 PC certainly doesn't have!

      So there's some reasons!

      BUT, I still think there's a place for an old P2 running OpenBSD. If I wanted a simple firewall, I'd use one of those, but on my perimeter, world-facing connection, I'd still have a Fortinet.

      PS, just for the record, the low-end Sonicwalls ain't great. They don't support proper L2 firewalling.

    3. Re:Fortigates ROCK by Bretski · · Score: 1

      Reason #1 - Fortigates do AntiVirus, AntiSpam, Intrusion Prevention, VPN, high availability/failover, WAN load balancing/failover, plus basic firewalling out of the box. You can set up and configure them to do all this in about an hour. I'd like to see someone try to do all this on a Linux/*BSD PC, and see how long it would take to set up , and see what kind of throughput they could get with all the packet processing going on here. Good luck with that.

      Reason #2 - When you're running a business, you don't want to waste time looking for some high school kid to fix your firewall or rebuild you one every time something goes wrong. Support contracts mean that your issue will be solved by professionals within hours - guaranteed. You don't have to stop what you're doing and manage the "fix the firewall" project.

      Yes, it's certainly possible to build a basic firewall for a small company from PC hardware, but I'd only recommend this if the company was severely budget-constrained and had Linux expertise in-house.

    4. Re:Fortigates ROCK by SanityInAnarchy · · Score: 1

      Support: Plenty of commercial support options for Linux. That's assuming you ever need it. Like I said -- if it's set up properly, it should run itself. I'm actually thinking of starting a business managing things like this, where I ssh in to fix them if there's a problem...

      Pretty interface: You described it yourself (monowall and others).

      Mail: Postfix. AV: Clamav + Postfix. Easy to do. URL Filtering: Squid. Probably not as easy.

      VPNs can be done with OpenVPN -- you have to install it on the clients, but there are point-and-click ports to everywhere.

      If I wanted a simple firewall, I'd grab a Linksys box -- that way, I get wireless, too. But the Linux box is nice for doing more interesting things -- DMZs, VPNs between sites, etc -- without paying for more than the hardware.

      --
      Don't thank God, thank a doctor!
  37. Fortigates by NiTr|c · · Score: 1

    We have at least two dozen of the lower end (50, 60) Fortigates deployed to a majority of our clients. We love them! Support from Fortinet is top notch (if you're paying for the 8x5 or 24x7). We've had to replace a few units, but some of our clients are in, shall we say, less-than-ideal environments. Though, in those cases we get very prompt service, usually overnight of a new unit to put back into place.

    The configuration can be done via web, or command prompt which is nice, and of course fully remote admin capable. We also use them to create secure VPN tunnels between the units themselves to tie networks together that are in multiple states. They work very well for that.

    If you pay for the category filtering, they offer a very comprehensive database of categorized websites for you to allow/deny to the network. The products themselves are able to log almost any activity across the network, though they get you here because to retain and properly analyze the logs you need to purchase another piece of hardware. Still, the logging is quite nice.

    If you have a smaller business, like you say, perhaps going with the Fortigate 60 might be a good choice. $650 for the unit, and about $200 for the "Pro Protect" service, if I recall properly.

    I hope this helps. I don't work for Fortinet, and I'm not affiliated with them. We've been using their product almost since inception and they've come quite a ways. We've loved them from the get go.

    --
    Try actually thinking for yourself. It's quite refreshing.
    1. Re:Fortigates by lt_dysan · · Score: 1

      We have bought several fortigates from Fortinet. I have very mixed feelings about them. The AV file scanning was the only firewall at the time to proxy a file, scan it completely, and pass it on to the user. We wanted this over scanning a stream. Cisco's new ASA could not do this. They could not even get the ASA to work with AV. We at one point had the development engineer on the phone and 3 engineers in the office and could not get it to work. The firewalls supported a VPN partner network to our company's specs that the cisco pix could not do. Fortinet wrote custom code for us just to make this work. That was very nice of them.

      Support calls are difficult to deal with at times. Like any small company, YOU will find the bugs first. Or they will ask you to upgrade to the newest OS every time to see if that fixes the problem. This is not acceptable in my line of work. If the bug is not documented and fixed and added to the release notes, I'm not risking an upgrade to code that may have NEW bugs to plague me.

      For the recent DST updates, it took fortinet 3 weeks to tell me what code version supported the new DST changes. This meant we had to upgrade our OS. The upgrade crashed our 1000a's as they were built with not enough Flash disk to support the new OS. We asked for RMA replacements to find out that they had only 1 in stock. What if I had a disk or power supply failure? Only ONE in stock for RMA's??? We had to RMA 8 boxes to get the larger flash disks for the DST upgrade. It took over a month to accomplish this! In fact I just completed the upgrades this last monday!

      We had 40 of the 60's. They worked well, but if you left them running over 9 months without a reboot, the config would disappear from SAVED memory and on a reboot it only booted to default config mode. This was a problem with the memory, the 60 does not have enough. Though it took me 3 months to get an answer from fortinet on this problem. It happened 4 times on me in 1.5 years of using them.

      The fortimanager was so terrible we powered it down. It was not helpful, it made no sense, and it slowed down my management of 40+ firewalls. Not to mention, support would always suggest I upgrade the fortigate OS code, but fortimanager code was 3 months behind the firewall code, so it would not support the firewalls durin I helped sell 100 fortigates to the California DMV, and got a personal wifi60 from them. The wireless would constantly disconnect my laptop. My SE said this was a known problem. :(

      I run a few of the fortigates in transparent mode to proxy and monitor corporate traffic as well as content block web sites. This has caused 6 network loops in our network and taken us down 6 times. The support for spanning tree and other technologies to prevent this is terrible. Dang, why do I keep buying these?

    2. Re:Fortigates by scottv67 · · Score: 1

      The firewalls supported a VPN partner network to our companies specs that the cisco pix could not do. Fortinet wrote custom code for us just to make this work.

      That sentence caught my eye. Can you provide more details on what you were trying to do with VPN that the PIX could not handle? I do a lot of work with IPSec tunnels and it sounds like you were pushing the VPN feature pretty hard. I don't doubt what you said. I am simply asking for further technical detail into the issue you uncovered with the PIX and IPSec. Please share as many details as you can without posting something that would cause security issues for the sites that deployed your solution. Thanks.

    3. Re:Fortigates by lt_dysan · · Score: 1

      Mind you this was 2 1/2 years ago. I was just hired by the company and they had already been testing the VPN design. The problem had to do with source and destination NATing. All I can remember is we had our cisco reps setup two pix's in a row to get the NATing to work the way we wanted. Fortinet had to do the same thing, until they changed their code.

      The new ASA routers probably do not have this problem today, or pix version 7 code might work too. Although we no longer use this VPN design and in the future I would have designed it a bit different anyhow. :)

  38. shorewall or sonicwall by gonk · · Score: 1

    Nobody seems to have mentioned it, so I will... check out Shorewall: http://www.shorewall.net/

    If you want a hardware solution, SonicWall firewalls are pretty nice these days. And I would avoid the PIX, personally.

    robert

    1. Re:shorewall or sonicwall by grimmfarmer · · Score: 1
      I would second that: my company builds firewalls exclusively on CentOS using Shorewall. Shorewall...
      • ...is a great abstraction layer for iptables, so writing your firewall policies and rules is more like writing them in English* than straight iptables (although you'll still want to understand iptables enough to debug problems);
      • ...uses a modular config, including "macros" for commonly-used rulesets;
      • ...allows you to set arbitrary variables, like $WEBSERVER or $ALL_PRIVATE_NETWORKS, which make your rules all the more natural-language-like;
      • ...gives you an elegant "did I just compose a firewall that's going to lock me out of the box?" sanity check ('shorewall safe-start' or 'shorewall safe-restart');
      • ...offers excellent advanced features like multi-ISP use and integration of bandwidth shaping (using 'tc') in a satisfyingly-straightforward way;
      • ...and manages to put firewall admins "on rails" without sacrificing advanced capabilities (see above).

      * I have no experience with its internationalization.

      No, I'm not on the Shorewall devel team. ;-)

      It's just a set of scripts, so it should run on any system that offers iptables and an sh-compatible shell. There are prebuilt packages ("noarch" RPMs, for instance) maintained for most major distros.

      Coupled with Webmin (for which there is a Shorewall module available) and add-ons like OpenVPN, Squid, and DansGuardian, this makes for a pretty capable "edge box" that even "non-Unixy types" can manage, provided they understand the OS-independent aspects of firewall management...

      (No, I'm not on any of those devel teams, either.)
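
      A constructed Shorewall configuration that shows the points made above: zones and interfaces, a default-deny policy, a $WEBSERVER variable defined in params, and the Web/SSH/Ping macros used in rules. This is an added example, not the poster's or the Shorewall project's own configuration; the addresses, interface names and the DMZ layout are assumptions, and the file headers name the file each fragment belongs to under /etc/shorewall/.

```text
# /etc/shorewall/zones  (fw is the firewall itself; net, loc, dmz are networks)
#ZONE   TYPE
fw      firewall
net     ipv4
loc     ipv4
dmz     ipv4

# /etc/shorewall/interfaces  (assumed: eth0 = ISP, eth1 = LAN, eth2 = DMZ)
#ZONE   INTERFACE   OPTIONS
net     eth0        tcpflags,nosmurfs,routefilter,logmartians
loc     eth1        tcpflags
dmz     eth2        tcpflags

# /etc/shorewall/params  (shell variables usable in the other files)
WEBSERVER=192.0.2.10
ALL_PRIVATE_NETWORKS=10.0.0.0/8,172.16.0.0/12,192.168.0.0/16

# /etc/shorewall/policy  (evaluated after rules; default deny from the net)
#SOURCE DEST    POLICY  LOG LEVEL
loc     net     ACCEPT
loc     dmz     ACCEPT
dmz     net     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules  (macros expand to the protocol/port lists)
#ACTION         SOURCE  DEST            PROTO   DEST PORT(S)    SOURCE PORT(S)  ORIGINAL DEST
Web(ACCEPT)     net     dmz:$WEBSERVER
SSH(ACCEPT)     loc     $FW
Ping(ACCEPT)    loc     all
# Forward the ISP-facing address's 80/443 to the DMZ web server
DNAT            net     dmz:$WEBSERVER  tcp     80,443
# Block spoofed private source addresses arriving from the Internet
DROP            net:$ALL_PRIVATE_NETWORKS   all
```

      After editing, `shorewall check` compiles the configuration without loading it, and `shorewall safe-restart` loads it but reverts automatically unless you confirm within the timeout, which is the lock-out protection the post refers to.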

  39. Those aren't OpenBSD by RedBear · · Score: 2, Informative

    I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfsense because it allows you to install to a hard drive and has more features.


    M0n0wall uses iptables and is based on FreeBSD. PfSense at least uses PF from OpenBSD but is also FreeBSD based. Unless there are other options out there I guess really nothing has changed. Everyone talks up OpenBSD as the most secure OS and the best possible choice for a firewall, but nobody wants to take the time to make a usable dedicated firewall/router variant for regular people. Surely it wouldn't be that difficult to make an OpenBSD-based distro just as featureful and easy to configure as a FreeBSD-based version. But what do I know.

    1. Re:Those aren't OpenBSD by lactose99 · · Score: 1

      M0n0wall uses iptables and is based on FreeBSD.

      It is FreeBSD, but it uses ipf (similar to pf), not iptables. I believe the beta version, being based on FreeBSD 6, uses pf as Pfsense does.

      --
      Fully licensed blockchain psychiatrist
    2. Re:Those aren't OpenBSD by Reziac · · Score: 1

      Dunno about that, but here's one based on NetBSD:

      http://firewall.dubbele.com/

      I haven't tried it, but I did read the instructions, and it looks like it's relatively a no-brainer.

      --
      ~REZ~ #43301. Who'd fake being me anyway?
  40. Well.... by cbiltcliffe · · Score: 1

    Pretty much anything, as long as it's running on a Dell laptop......

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  41. Plenty to check out by Sycraft-fu · · Score: 1

    I'd probably most recommend the Cisco ASAs. Pricey, but worth it. They really are top notch. You can also look at Juniper's Netscreen boxes (Juniper bought Netscreen). We have one at work and it does quite a good job. Easier to set up for simple things than the Cisco, but its web-based config means that some of the complex stuff is tricky or impossible. No complaints in general though.

    When money is involved, I really recommend sticking with commercial solutions, however if you want something cheap, look at M0n0wall. It's built on FreeBSD's stuff. I use one at home. It works.... ok. Basically the problem is that not all of the features work like they should. Some things work great, some are flaky and you don't always know which is which. I'd shy away from it in corporate environments for that reason, but you can try it for very little. Just get a computer with a reasonable processor (highend P3 or low end P4 should be fine), two or more NICs, and load it up. Should handle a fair bit of traffic (the embedded 233mhz 486 box I use does like 30mbps or more).

    But really, give the ASAs a look. They do a whole lot. I'd say their feature set is as good or better than m0n0wall's, even at the low end, but they all work. Of course if you have nobody with any Cisco experience you might want to give preference to Netscreen since they are easier to configure for simple things at least.

  42. Here are some good ones you won't have to homegrow by Anarke_Incarnate · · Score: 1

    Netscreen (By Juniper Networks), Astaro Firewall, and a relative newcomer, ZyWall by ZyXel. They should all work REALLY well.

  43. Astaro by LordEd · · Score: 1

    We are considering upgrading to a firewall system with high-availability capabilities. Astaro is on the top of our list right now. It's Linux-based and is reasonably priced considering the features. I believe they have a "home" edition that you can install on your own machine and use for a limited network for demonstration purposes. Maybe somebody else has used it here and could provide better commenting.

    We currently have some old Watchguard fireboxes which have mostly worked well, minus a lockup incident which we believe was related to a dead fan.

  44. Mikrotik's RouterOS by zeenixus · · Score: 2, Informative

    RouterOS is linux based with a very nice console interface as well as a windows client.

    It does all the usual linux fw stuff, as well as traffic shaping, connection rate limiting, traffic identification, rip/ospf/bgp, vpns, lots more.

    Unique features include a scripting host and cron-jobs. Very cool, indeed.

    They also make their own hardware (expandable sbc's, wifi) with their routeros embedded in flash.

    http://www.mikrotik.com/

    --
    In Bob we trust.
    1. Re:Mikrotik's RouterOS by Anarke_Incarnate · · Score: 2, Informative

      Funny that you mention RouterOS. My company (actually, I am leaving them very soon) uses routerboard routers with RouterOS on them in place of Cisco stuff because it is cheaper and far more functional (easier to use too). The boxes are small, very cheap and work well. I think we had to reboot ours recently, after almost 350 days of uptime, only because we had to move it.

  45. Many choices by Pathway · · Score: 1

    There are a ton of firewalls out there. Depending on what you're looking for, you will have plenty of choices.

    Basically, you can split firewalls into two camps: those which are installed onto a computer with multiple network cards, and those which are a pre-built appliance.

    I don't use the pre-built appliances (too expensive) but I can recommend a few of the linux-based installed types:

    ClarkConnect.com - This is a very flexible and inexpensive firewall. Can do just about everything. There is a free community edition and a few pay-for editions. Very flexible, very reasonable.

    Astaro.com - Another very powerful firewall with plenty of features. Again, a free version is available... and the company offers hardware appliances with their firewall as well.

    Smoothwall.org - I used to use Smoothwall. I only moved from it to ClarkConnect when I found that CC did all the features of Smoothwall that I used... plus lots more. I would say that Smoothwall was easier to install and run, but harder to modify and expand.

    These are just a few, and they may not be what you're looking for. Good luck!

    --Pathway

    1. Re:Many choices by Anonymous Coward · · Score: 0

      I have to second ClarkConnect. We have gone through several "appliance" type firewalls (Netscreen, SonicWall, Cisco) and they work ok but are severely over-hyped and over-priced (both in purchase and in support/maintenance contracts). Since you're dealing with a smaller company, cost and cash flow is probably a factor and pretty much eliminates the "appliance" type firewall unless you get the SOHO types (Linksys, Netgear).

      ClarkConnect is a BYOH (bring your own hardware) firewall, so for the cost of a reasonable PC ($400-$600) and about 80 dollars a year (for software AND support) you have a full-fledged, powerful Linux-based firewall.
      You can buy two computers and have the other one sitting collecting dust in case the other one breaks and have nearly zero downtime, AND still come out saving money over the appliances.

      CC has (among other things):
      DMZ
      1 to 1 NAT
      IPSEC and PPTP VPN (works seamlessly with built in windows clients. No software for road warriors to buy or learn)
      Proxy (transparent and traditional). Transparent proxies are especially great in a mixed environment (laptops, Macs, PCs, vendor boxes like printers or POS systems) since they don't require any proxy configuration on the client users.
      Content filter (HR departments and business owners LOVE this)
      P2P manager
      Fancy bar charts and line graph reports.

  46. Why not Cisco? by Rudolf · · Score: 1

    Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

    OK, I'll bite: why not Cisco?

    1. Re:Why not Cisco? by Dadoo · · Score: 1

      Want a list? Okay, off the top of my head:

      Crappy user interface. (You may as well learn the command line interface, which is what I did.)
      Outrageously expensive.
      Stupid hardware configuration. (Separate interface for the IPS.)

      That's enough for me.

      --
      Sit, Ubuntu, sit. Good dog.
  47. A Phoenix Shield by Anonymous Coward · · Score: 0

    Even Chloe O'Brian won't be able to get through it. Poison pill firewalls rock.

    Too bad I don't know where you can buy it or download it :(

  48. You're right by RedBear · · Score: 1

    My mistake. I dyslexically misread "ipfilter" on the website as "iptables". It's nice that the next version will use pf, but I'm still wondering why everyone is basing these important security-focused products on FreeBSD instead of OpenBSD. It's just odd.

  49. Meh, firewalls. by Khyber · · Score: 1

    two years now, Windows XP + router + internet connection + firefox + java/flash/unnecessary services disabled. Haven't had a problem for a while now (minus MS Updates screwing my stuff up,) and most exploits require user intervention anyways. I'm not that stupid, but then again not everyone is me. That being said, good luck getting past my secondary BeOS box which manages my micro-network (three computers in my room, which then go thru that box to the router.) Enjoy trying to get anywhere NEAR my computer remotely.

    --
    Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    1. Re:Meh, firewalls. by Ash-Fox · · Score: 1

      ...Windows XP ... unnecessary services disabled...
      DCOM wasn't unnecessary, didn't help in the past.
      --
      Change is certain; progress is not obligatory.
    2. Re:Meh, firewalls. by Anonymous Coward · · Score: 0

      I just did. Haha!

  50. My recommendations by Cybersonic · · Score: 1

    I deploy, teach, and troubleshoot firewalls for a living. It seems most of the responses point to various open source technologies. If it were my company, I would use a custom built Linux box with a sick NetFilter rulebase. If you just need something that works with a slick interface, however, I would recommend a commercial solution.

    It seems all of the security vendors are moving to the appliance model. I like this model and recommend it. It gives the vendor the ability to properly support the device as the environment is controlled. Over the past 10 years, I cannot count how many times I have had to deal with various hardware / software issues with Check Point firewalls (they used to be a software only solution, as in you picked the OS and installed Check Point on top of it - fingers get pointed everywhere... sigh...) Here are the ones I would recommend:

    Secure Computing SG565 - This device is actually a Linux box with a slick web interface to iptables. Has tons of features and is in the under $1000 price range. Onboard snort and web filtering. Support is decent as well.

    Juniper NetScreen SSG-5 - This firewall is quite nice as well. Supports stateful inspection, advanced routing (with a license upgrade), all kinds of crazy NAT scenarios, etc... Price range is around $1000 with a bit more for yearly support. I have been teaching a LOT of Juniper classes lately, so I know a lot of these are in production now. OS is Juniper proprietary ScreenOS, with the firewall built into the OS.

    Check Point UTM appliance - This one is the more expensive of the options. The new Check Point appliance is OEM'ed from Crossbeam, and is rock solid hardware. It runs a Check Point sponsored Linux distribution, but if you do everything 'the Check Point way' you never need to play with the OS directly. Pretty management GUI. Will set ya back a few thousand with support...

    If you want more information feel free to email me at ralph@ralph.cx . I can reply between breaks all week. (going to the embedded systems conference in San Jose, and I can't wait! - gonna be fun)

    --
    Cybie! aka Ralph Bonnell
    1. Re:My recommendations by mvdwege · · Score: 1

      I cannot count how many times I have had to deal with various hardware / software issues with Check Point firewalls (they used to be a software only solution, as in you picked the OS and installed Check Point on top of it - fingers get pointed everywhere... sigh...)

      This has not changed. I quit my job supporting Checkpoint on Nokia just a few months ago, and the fingerpointing still happens.

      Mart
      --
      "I know I will be modded down for this": where's the option '-1, Asking for it'?
  51. "Me, too!" by NerveGas · · Score: 1

    I'll vote for a Linux firewall, like many of the other persons here - with one conditional. *If* your administrator is as comfortable administering a Linux firewall as he is the other products. If he's uncomfortable and unwilling to learn, it would be a poor choice.

    You haven't mentioned how much traffic you handle, but even a very low-end server-class machine with Linux can handle some very impressive firewalling loads. On my core router, I used a dual-CPU machine simply because it's hard to find single-CPU machines with ECC memory. With stateful packet inspection and some fairly extensive rulesets, it's still rare to see it spend more than about 2% in system, or to see the load go above about 0.03. That's just for a "measly" 40 megabit line, which sees 10-20 megabits of HTTP and email serving, so even with relatively small packet sizes and high connection rates, it does a terrific job.

    I don't know how much the other implementations might cost, but compared to what we were looking at, this was cheap enough that we bought another identical machine just to sit beneath it in case of catastrophic failure.

    steve

    --
    Oh, you're not stuck, you're just unable to let go of the onion rings.
  52. Overkill? by mvdwege · · Score: 1

    Unless you're doing a lot of VPN, a Fortigate 400/500 is overkill. Go talk to your local Fortinet reseller to see if you can do with a smaller one.

    I can recommend Fortigates for small businesses. Their hardware acceleration may be sold in marketeers' language, but it does work. For a price comparable to similar devices, you do get a lot more throughput.

    In general, mere firewalling doesn't require a lot of throughput, so you could settle for a smaller firewall, or a software-only solution, but if you start doing things like AV-scanning or VPN, you are going to need the capacity.

    Again, if you do want to settle for a Fortigate (and it's not a bad choice), go talk to a reseller, and if your budget allows, buy some consulting time to have your needs properly defined and the appliance installed for you.

    Mart
    --
    "I know I will be modded down for this": where's the option '-1, Asking for it'?
  53. Isn't Fortinet the firm behind China's firewall? by Anonymous Coward · · Score: 0

    I guess that could mean they're good at tech but poor at ethics. Doesn't sound like a good business partner to me.

    Don't get a good firewall but a guy who can handle good firewalls.

  54. Re:If you need this advice.... by Wudbaer · · Score: 2, Insightful

    Especially with firewalls it makes sense doing an Ask Slashdot. Google will give you myriads of possible solutions of all kind, and every vendor or consultant has some kind of firewall solution they are trying to push, often because they make shitloads of money selling broken or oversized commercial solutions.

    Getting an impression of what works for whom is priceless, even/especially if you are already working with some kind of security consultant (I cannot count the ridiculously insecure, oversized/-priced and/or insane security setups I have seen that "security consultants" have sold some poor company).

    I think there is almost no field of IT where that many totally incompetent people are trying to sell snakeoil than IT security.

  55. Re:Sidewinder - Most Definitely by kalmite · · Score: 1

    I will agree with this one. The Sidewinder runs on SecureOS (a BSD variant), and is the equivalent of Trusted Solaris in terms of hardening. My brain is drawing a blank as to the term that is used for the design of the OS, but each NIC has its own separate network stack, and each service is run in the equivalent of a chroot jail. I believe SANS even recommends the firewall. It is mentioned in their GSEC training as an application layer firewall/proxy.

    Plus configuring it is extremely easy.

  56. Lucent Brick by Paul+Carver · · Score: 1

    We've had good luck with Lucent Bricks. Very easy to use, a wide range of models with absolutely identical interface. Just choose a model based on how many ports you need or how much throughput. They run the Inferno operating system which is based on Bell Labs' uber-geek Plan 9 OS.

    In particular, active-standby is brilliant. Need high availability? Just buy a second Brick of the same model and plug it into all the same switches/vlans as the first. The entire configuration of the backup consists of exactly one checkbox, that's literally all. In the user interface it looks like you're configuring one device but if that checkbox is checked and you have a second Brick then every change you make automatically gets made to both the active and standby.

    Need more firewalls? They're all managed through the same management station. They can share host group definitions, service group definitions, and rulesets. Very powerful and very easy to use. Very flexible reporting is also integrated into the same interface.

  57. Checkpoint firewalls by Anonymous Coward · · Score: 0

    I have used the checkpoint vpn platform, which runs on a special hardened version of linux (the installation comes as RPM files) and can be installed on a dedicated server; it works quite well, although, it being quite expensive, I prefer open source solutions. At home I rely on linux 2.6 ipfilter using the shorewall scripts, which are very versatile.

  58. Easy, Cheap, Effective by Paracelcus · · Score: 1

    NetMax firewall suite on an old whitebox; a high-school kid can set up and administer it.

    No I have no interest in or friends at this company, but I have deployed it several times.

    --
    I killed da wabbit -Elmer Fudd
  59. Are you serious? by Dadoo · · Score: 1

    I'd probably most recommend the Cisco ASAs. Pricey, but worth it. They really are top notch. You can also look at Juniper's Netscreen boxes (Juniper bought Netscreen).

    Are you serious? I inherited a few Netscreen boxes at my new job, and as far as I can tell, they're junk. Unfortunately, I replaced a couple of them with a Cisco ASA... big mistake. I have yet to find a firewall better than the Astaro appliances I had at my old job.

    --
    Sit, Ubuntu, sit. Good dog.
    1. Re:Are you serious? by Sycraft-fu · · Score: 1

      Yes, I am serious. I'm going to guess that you either bought firewalls too small to do the job, don't know what you're doing particularly with the Ciscos since IOS is complicated, or both. I work for a university and our border firewalls are Cisco ASAs. They deal with all the traffic from about 70,000 computers to 5 different off campus links (3 to the Internet, 1 to I2, 1 to our sister university in state). In our department we use a Netscreen. Not nearly as big a job, only has about 1,000 computers to deal with. Also we don't use it for much that's complex; it is mainly "allow these ports, deny these ports" kind of stuff.

      I'm not going to speak to the circumstances of your environment, but where I work, which is a fairly large, complex and session intensive network, Cisco gets the job done, and so does Netscreen.

      I know it's kinda popular to hate on Cisco and Juniper (Netscreen is Juniper) on /. but when you get down to it, between the two of them they almost totally own the high end network market. There is a reason for this, and it isn't because they don't get the job done.

  60. Re:If you need this advice.... by Anonymous+MadCoe · · Score: 0, Flamebait

    "I think there is almost no field of IT where that many totally incompetent people are trying to sell snakeoil than IT security."

    Which is no less on /. if you're not able to filter that stuff out yourself, the /. crowd will present you with some good advice but mainly crap.

    The crap on /. is possibly worse than in the commercial world. The commercial world still has an incentive (most of the time) to make the customer happy. The /. crowd's advice is mainly driven by personal preference and zealotry...

    I think you assume that advice on /. in the area of security is of good quality. I tend to disagree.

  61. Re:If you need this advice.... by Wudbaer · · Score: 2, Insightful

    Sure. The same as on Usenet, any kind of Web forum etc. And you get all kinds of astroturfers, trolls, self-important idiots and fanbois, but also lots of people with real experience and know-how (ok, now who's who?).

    Perhaps I formulated it wrong in that you do not necessarily find out what works but rather what not. If enough people say "xyz does not work because blablabla" and not another hundred people come in screaming "wrong ! wrong!" or the other way round you get at least some idea about the merits of a product and its service and of possible problems (and their possible solutions, if there are any). In that /. is just one source of information among many, and one that you have to take with a biiiig spoon of salt, but nevertheless it can be quite useful as a starter. Even if a lot of Ask Slashdots really can be solved with a simple Google search and do not give anyone the slightest insight about anything I think that in that case there is some value.

    Certainly you are right in that if you use /. as your sole source of information on anything you deserve the beating you will get, but this is not different to most other sources of information today, I'm afraid. At least on /. no one expects that anything is unbiased, factually correct and up-to-date. ;-)

  62. Two Words: Check Point by Gothmolly · · Score: 1

    They, in fact, own the trademark on the phrase Stateful Inspection.

    or, if you're a small company, just buy a Linksys like the rest of them, colo or outsource your email and website, and be done with it.

    --
    I want to delete my account but Slashdot doesn't allow it.
  63. Did you try Google? by Joseph_Daniel_Zukige · · Score: 1

    http://www.google.com/search?q=openbsd+live+CD+firewall
    First result: http://www.alti.at/knowhow/obsdlivecd/fw.php

    I have memories of threads on the subject in @misc . But I don't see them in marc, even searching from google.

    Hmm. New format and url for marc -- marc.info.

  64. Astaro by pretoris · · Score: 1

    Astaro is an awesome firewall I use for about 80 users. Forget messing around with building your own on Linux like everyone here is suggesting - I don't have that much free time and I'm sure your IT guy doesn't either. It's an excellent Linux-based appliance OS w/ a cross-platform web-based interface. You can either buy it on Astaro hardware or you can put it on an old server you own. When I was evaluating it compared really well with CheckPoint. Check it out at www.astaro.com

  65. Re:Sonicwall? [Yes] by JayBat · · Score: 1

    Yes, at a small (50 employee) startup I was at for about 4 years.

    It was painless and reliable. We had zero DOS or intrusion events.

    Not super-flexible, but I could always find a way to get things done once I stopped trying to do things *my* way. :-)

    Jay

  66. ASA, Netscreen, or go home by Anonymous Coward · · Score: 0

    Fortinet sounds good, has lots of features, but hasn't been proven yet. It will probably work fine in a SOHO environment. Real manly men run ASA or Netscreen in the Enterprise or SP environment. ASA is a little faster and more robust and cheaper than the Netscreen, but Netscreen is easier to live with. Firewall appliances are faster, more secure and easier to manage than anything loaded onto a general purpose OS (Linux, BSD, etc.). If you run a Windows machine on your perimeter, you deserve to be hacked, and you will. Checkpoint is a bloated, overpriced, overrated, insecure, flaming bag of poo. Checkpoint zealots can reach me at blowit@outyourass.com

  67. Stonesoft by mainmain · · Score: 1

    ...if you really want a sophisticated firewall. Leading edge stuff. Appliance-based and very, very powerful.

    Not for kids with laptops. Scalable in a very significant way. I've worked with Checkpoint, Cisco, Juniper, and a few others. Stonesoft has passed these guys.

    Otherwise, openbsd with pf. But, it's a PITA to configure, and you have to be careful or you'll open up holes you didn't intend to.

    Or, any good gui-based ipfilter package like the ones mentioned here, if you just want something installed, up and running, and cheap, without needing a doctorate in networking.

    In the end, remember that a firewall is only as good as its ruleset, and design your network around the principle of defense in depth.

    Rules of thumb:

    proxy all connections in and out, no direct connections from outside to internal LAN, run multiple DMZs, and use multiple firewalls for different assets.

    Avoid using the same vendor for all of your security products, so if there's an exploit in the wild and a patch is forthcoming, your entire infrastructure isn't vulnerable, only a part.

    Run a commercial IDS. Snort sucks (sorry, snort fans, I'm just not that impressed, having been forced to use it for several years now). But at least it's free, except for the hundreds of manhours you'll spend debugging and tuning.

    Install access rules on your routers. Use port security. Avoid any Microsoft OS on your DMZ.

    You get the picture...
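    The stateful Linux ruleset NerveGas describes in comment 51 and mainmain's rules of thumb in comment 67 (default deny, no direct connections from outside to the internal LAN, a separate DMZ, access rules you can actually audit) fit together in one iptables-restore file. The script below is an added example written for this page; it is not code from any poster or product mentioned in the thread. The interface names eth0/eth1/eth2, the subnets 192.168.10.0/24 and 192.168.20.0/24 and the DMZ web host 192.168.20.10 are assumptions chosen for illustration. It emits the ruleset instead of applying it, and includes a small lint that fails if any rule would accept a new flow from the WAN side straight into the LAN, the kind of hole mainmain warns about when hand-editing rules.

```shell
#!/bin/sh
# Added example for this thread, not from any poster: a three-legged Linux
# firewall (WAN / LAN / DMZ) expressed as an iptables-restore file.
# Interfaces, subnets and the DMZ host below are assumed values; override via env.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
DMZ=${DMZ:-eth2}
LAN_NET=${LAN_NET:-192.168.10.0/24}
DMZ_NET=${DMZ_NET:-192.168.20.0/24}
DMZ_WEB=${DMZ_WEB:-192.168.20.10}

# Print the complete ruleset. Policies are DROP, so anything not listed is denied.
gen_ruleset() {
cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: replies to accepted flows pass, packets with no valid state are dropped
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# Anti-spoofing: internal addresses must never arrive on the WAN interface
-A FORWARD -i $WAN -s $LAN_NET -j DROP
-A FORWARD -i $WAN -s $DMZ_NET -j DROP
# The firewall itself: SSH from the LAN only, rate limited; ping with a ceiling
-A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -m limit --limit 6/min --limit-burst 6 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Inbound from the Internet terminates in the DMZ only (the DNAT is in the nat table)
-A FORWARD -i $WAN -o $DMZ -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# LAN may open connections to the DMZ service and to the Internet
# (a transparent proxy, as suggested elsewhere in the thread, would replace the WAN rule)
-A FORWARD -i $LAN -o $DMZ -d $DMZ_WEB -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# DMZ may fetch updates outbound but has no rule towards the LAN, so it cannot initiate inward
-A FORWARD -i $DMZ -o $WAN -s $DMZ_NET -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# Log what falls through to the policy so the ruleset is tuned from evidence, not guesses
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "FW-FORWARD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 -j DNAT --to-destination $DMZ_WEB
-A POSTROUTING -o $WAN -j MASQUERADE
COMMIT
EOF
}

# Lint a ruleset read on stdin: any FORWARD rule that ACCEPTs traffic entering on the
# WAN interface and leaving on the LAN interface or addressed to the LAN subnet, unless
# it is the ESTABLISHED reply rule, is a direct outside-to-LAN hole. Returns 0 if clean.
audit_ruleset() {
  bad=$(grep -E -- "^-A FORWARD .*-i $WAN .*-j ACCEPT" \
        | grep -E -- "-o $LAN|-d $LAN_NET" \
        | grep -v ESTABLISHED || true)
  [ -z "$bad" ]
}

# Stand-alone use:  ./fw.sh print | iptables-restore --test   (syntax dry run, no changes)
#                   ./fw.sh check                              (lint only)
case "${1:-}" in
  print) gen_ruleset ;;
  check) gen_ruleset | audit_ruleset && echo "ruleset clean: no WAN->LAN accept" ;;
esac
```

    Run `gen_ruleset` through `iptables-restore --test` for a syntax check before committing, and keep the lint in whatever deploys the file so a later "temporary" rule cannot quietly reopen a path from the Internet into the LAN.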