Slashdot Mirror


Firewall Recommendations?

anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"

21 of 181 comments

  1. OpenBSD PF by akpoff · · Score: 5, Informative
    OpenBSD makes for an awesome Firewall. Get whatever size machine you need, install OpenBSD, enable PF, follow the *very* well written configuration docs online and you'll have one or more firewalls up in no time.

    I just set one up and it was easy. And best of all the PF syntax is very straightforward.

    1. Re:OpenBSD PF by Anonymous Coward · · Score: 3, Informative

      And thirded! (?) OpenBSD is a superb firewall solution. CARP and pfsync give you a high availability firewall solution that you would otherwise pay thousands for with commercial vendors. The O/S is clean, stable and the pf syntax is intuitive. Rule tables can be updated on the fly, which means that blocking naughty IM clients becomes a snap with some signatures in IDS->pf updating.

      I've been using OpenBSD since early 2001 (at home and in corporate environments) - the quality is there, just make sure you read all of the excellent documentation and mailing lists for handy, practical pf examples!

    2. Re:OpenBSD PF by snowgirl · · Score: 4, Informative

      I have to lend my support towards OpenBSD's PF. It is by far the clearest yet most powerful firewalling configuration setup I've seen.

      I highly recommend it over IPTables at least.

      --
      WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
    3. Re:OpenBSD PF by Anonymous Coward · · Score: 3, Informative

      I third this. I've been deploying OpenBSD firewalls for a few years now and I have zero complaints. I can't even recall the last software problem I had. Hardware has died, but as the parent poster pointed out, there's pfsync and carp for redundancy. Works flawlessly. Even at home I have a little Soekris 4801 running OpenBSD which has never let me down. Don't bother with the $$$ crap.

    4. Re:OpenBSD PF by pnutjam · · Score: 2, Informative

      I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfSense because it allows you to install to a hard drive and has more features.

  2. 3 things to look at by georgewilliamherbert · · Score: 3, Informative

    Cisco ASA 5505 (it's less than a thousand dollars), and the Nokia Checkpoint appliances (i350, etc).

    Also the Juniper/Netscreen models (SSG 5, SSG 20, Netscreen 5 models)

  3. The perfect firewall by ernest.cunningham · · Score: 5, Informative

    Well, fairly good anyway. Check out Smoothwall Linux Firewall: http://www.smoothwall.org/get/ SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.

    1. Re:The perfect firewall by skogs · · Score: 2, Informative

      I second this vote for smoothwall.

      The corporate friendly version with everything fully configured/implemented for you is a good decision. This requires some $$, and less time.

      Or, you can roll your own with SmoothWall Express 2.0. I run it with the DansGuardian content filter - gets rid of ads and other pr()n and stuff. Also have several mods on it. Really, visit the homebrew forum and you can do anything with it. This, of course, requires no $$, and more time.

      --
      Who is this that even the wind and the waves obey Him? Surely this computer must submit also!
  4. Astaro by Anonymous Coward · · Score: 3, Informative
    1. Re:Astaro by pookemon · · Score: 2, Informative

      I'm curious as to why this was modded "Funny". One (maybe more) of our clients runs Astaro v6 and it seems to run fine. The only gripe I've had with it is that I couldn't do a port forward and translation at the same time (ie. If I want a client to connect on port 12345 and forward the traffic to machine x on port 1234 then it wouldn't do it) - mind you that was an older version and I haven't tried since. It's easy to configure and handles large amounts of traffic - but apparently it's funny...?

      DISCLAIMER: I'm not the admin - I have simply used it on occasion when I needed to change/setup port forwarding...

      --
      dnuof eruc rof aixelsid
  5. We use one by realmolo · · Score: 4, Informative

    We have a Fortigate 400, and we love it. It's damn near perfect. I recommend them to EVERYONE who is in the market for a high-end firewall appliance.

    Truly, it the best thing on the market, right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.

    They really need better marketing, because few people even know they exist, which is too bad.

    So yeah, you should get one.

    1. Re:We use one by CFrankBernard · · Score: 3, Informative

      Fortinet was founded in 2000 by Ken Xie, founder of NetScreen, which later sold to Juniper for $3.5B.
      Fortinet was accused of using Linux kernel in FortiOS w/o credit:
      FORTINET VIOLATES GENERAL PUBLIC LICENSE IN SECURITY PRODUCTS

  6. IPCOP by brenddie · · Score: 2, Informative

    IPCOP is a very secure and flexible firewall, plus it's open source. It runs on all kinds of hardware like normal PCs, boards with CF cards, servers. A vanilla installation is full of features like VPN, QoS, IDS, web proxy, and by using addons you can add stuff like detailed proxy reports, content filtering, traffic monitoring and a lot more.
    You can find it at http://ipcop.org/
    Their mailing list is pretty active and full of helpful people.
    If you have a spare PC and some network cards give it a try.

    --
    The best test environment is production. - Me
  7. We use Fortinet by Anonymous Coward · · Score: 1, Informative

    We use 2 Fortinet 400's in HA mode in our production environment and a 300 in our corporate office. I've been fairly satisfied with them. The firewall functionality itself is great. The GUI makes managing rules simple. No complaints with the AV or IPS functionality, although the IPS isn't as good as any of the dedicated IPS appliances I've tested. I am not a fan of the web content filtering. I have never been able to get it to work even after repeated troubleshooting sessions with the support team. Never used the antispam functionality, so no opinion on that one.

    The one thing I would say you definitely want to make sure you understand is the ongoing costs for the annual maintenance subscription. The web content filtering alone is $3k per year per device.

    I'm afraid I got stung by that and it was definitely a lesson I've learned. Even without web content filtering, it costs $16k a year to renew my maintenance (8x5 phone support, NBD advance exchange replacement, AV and IPS signature updates, firmware upgrades). If you aren't comfortable rolling your own solution or, for whatever reason, need to use a commercial product, I think they're fine. But know that you're going to pay for it, literally.

  8. OpenBSD + PF by grub · · Score: 4, Informative

    We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed):

    Mar 28 14:45:25 x.x.x.x Mar 28 2007 14:46:16: %PIX-4-407001: Deny traffic for local-host inside:y.y.y.y, license limit of 50 exceeded
    in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.

    We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPSEC although OpenVPN is a serious contender as we use that for the road warriors already.

    It pisses me off to no fucking end that to get a firewall capable of gigabit (we're a bunch of research labs on CANARIE) from Cisco will each take a big bite from my budget, just to have the "Cisco" brand on it.
    nb: I do love their routers and switches. Their firewalls are overpriced and underwhelming.

    --
    Trolling is a art,
  9. Re:Some people can screw up anything by Pedersen · · Score: 3, Informative

    It's your IT department.

    Checkpoint is stable, secure and has an excellent track record.

    We have problems with the Checkpoint/Nokia combo as well. I'll admit it: It's at least partially because my training with the system has amounted to "I wonder what this button does?". However, it is mostly stable, mostly functional. But, when there is a problem, I get to make the call I dread the most: I call Checkpoint customer support.

    Why do I dread this call? I have zero options. I'll get a call back. If I've got a severity 1 issue (my company is down, unable to access the internet, web site sales are shut down because of it, I need help fixing this now!), the best I can hope for is to get a call back within the hour. I've opened up lesser issues, and not even gotten a call back. Found the answer within a day of searching the net, and appended a note to my ticket that I appreciated their lack of response, but that the issue was now fixed, so they could close it. And the whole reply to that was a "heartfelt" apology.

    The software may well be great. The devices may well be solid. But the customer support? I've gotten more (and more useful!) answers from Microsoft's web site than I have from the Checkpoint people. Based on that alone, I would never recommend buying their software.

    Note: I have no problem with paying for software. I have no problem with paying for support. I have no problem with using software that is unsupported in any official manner (much FOSS stuff, for instance). I do have a problem with paying for software, then paying for support, and not being able to get it when I have to have it.

    --
    GPL made simple: What was my stuff is now our stuff. If you improve our stuff, please keep it our stuff.
  10. Re:Know what you need by HeelToe · · Score: 4, Informative

    How do multiple external ip addresses cause an issue? I've been able to successfully have plenty of external ip addresses, and more particularly, multiple internet connections each with its own WAN and or CIDR block.

    The trick to the former (multiple ips, one internet connection) is really managing via subinterfaces. Firewall rules to deal with the packets associated are pretty easy. This lets you DNAT things into the appropriate place via iptables. If you want to actually build a DMZ, you could use a proxy arp setup like this: http://www.sjdjweis.com/linux/proxyarp/

    As for multiple internet connections, look into multiple routing tables via the ip command. Example:
    ip route add default via table 100

    Then use ip rule statements to choose when to use the particular route tables:
    ip rule add to table 100
    ip rule add from table 100

    You can also pretty simply set up multiple SNAT rules to SNAT traffic over each link for different purposes. This lets you do things like SNAT to a specific host (read: internet connection) based on protocol, internal source address or destination. Handy for lots of things.

    One nice thing to do with multiple internet connections is to have verbs in your firewall script that will allow you to manually failover your internet connection if one goes down. This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection, but it can let you continue to work with outgoing traffic while the problem is resolved.

    If you're slick, you have your DNS hosted externally and you can then use this to update DNS for the DMZ to an alternate zone which specifies those public facing hosts as existing on the internet connection you just did a failover to. Make sure your A record TTL values are low.

    This leads to a reconfiguration of the DMZ unless you have done full SNAT/DNAT mappings for each DMZ host in the firewall. Doing so can be a lot more work, but you can build a set of symmetric (or controlled in a script by a variable) configurations that swap out the DMZ nat rules so that they exist for one specific internet connection or the other.
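    The multi-uplink setup described in this post (one routing table per link, ip rules to choose a table, per-link SNAT, and a manual failover verb in a firewall script), written out as an added example; this is not HeelToe's script or anything from the thread. Interface names, public addresses, gateways, table numbers and fwmarks are assumed placeholders, and the internal network is constructed. With DRY_RUN=1 it prints the commands it would run instead of executing them.

```shell
#!/bin/sh
# Added example, not from the thread: two-uplink policy routing on a Linux
# firewall in the style HeelToe describes (one routing table per link,
# ip rules to pick a table, per-link SNAT, and a manual "failover" verb).
# Interface names, addresses, table numbers and marks are assumed placeholders.
set -eu

DRY_RUN="${DRY_RUN:-0}"       # DRY_RUN=1 prints commands instead of running them
LAN_NET="192.168.1.0/24"      # constructed internal network behind the firewall

# Per-link settings: "<iface> <local address> <gateway> <routing table> <fwmark>"
link_spec() {
    case "$1" in
        isp1) echo "eth1 203.0.113.10 203.0.113.1 100 1" ;;
        isp2) echo "eth2 198.51.100.10 198.51.100.1 200 2" ;;
        *)    echo "unknown link: $1" >&2; return 1 ;;
    esac
}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi
}

# Give a link its own table and default route, and send traffic that was
# sourced from, or marked for, this link through that table.
setup_link() {
    spec=$(link_spec "$1") || return 1
    set -- $spec
    iface=$1; addr=$2; gw=$3; table=$4; mark=$5
    run ip route replace default via "$gw" dev "$iface" table "$table"
    run ip rule add from "$addr" table "$table"     # replies leave the way they came in
    run ip rule add fwmark "$mark" table "$table"   # policy-selected traffic
    # SNAT internal clients to this link's public address when they leave via it.
    run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$iface" -j SNAT --to-source "$addr"
}

# Steer one kind of traffic over a chosen link: mark it in mangle/PREROUTING so
# the fwmark rule above selects that link's table (e.g. outbound SMTP via isp2).
route_via() {  # route_via <link> <proto> <dport>
    spec=$(link_spec "$1") || return 1
    set -- $spec "$2" "$3"
    mark=$5; proto=$6; dport=$7
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p "$proto" --dport "$dport" -j MARK --set-mark "$mark"
}

# Manual failover: repoint the main table's default route at the surviving link.
# DMZ DNAT/SNAT mappings still reference the failed link's address, so inbound
# services need a DNS change (keep TTLs low) or swapped NAT rules, as the post notes.
failover() {
    spec=$(link_spec "$1") || return 1
    set -- $spec
    run ip route replace default via "$3" dev "$1"
}

# Dispatcher for interactive use: uplinks.sh setup | failover <link> | route-via <link> <proto> <port>
case "${1:-}" in
    setup)     setup_link isp1; setup_link isp2; failover isp1 ;;
    failover)  failover "${2:-}" ;;
    route-via) route_via "${2:-}" "${3:-}" "${4:-}" ;;
    "")        ;;   # no verb given: only define the functions
    *)         echo "usage: $0 setup | failover <link> | route-via <link> <proto> <port>" >&2; exit 2 ;;
esac
```

    Run it as `DRY_RUN=1 sh uplinks.sh setup` first to review the generated ip and iptables commands. The `ip rule add` lines are not idempotent, so a real deployment should flush its own rules (or check with `ip rule show`) before re-running setup; SNAT is applied in POSTROUTING after the routing decision, which is why matching on the outgoing interface is enough to pick the right public address per link.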

  11. Re:Know what you need by Anonymous Coward · · Score: 2, Informative

    The big wall we hit was multiple external IP addresses.

    Depending on what you mean by "multiple" (Linux should handle a fair-sized network just fine, though I'm sure someone will pipe up about how he has an entire /8 running through a single box running FooOS and how Linux would have crashed and taken their billion dollar account with it and driven their company into bankruptcy, etc. etc.) and what you intend to do with all those IPs once you have them (load balancing/redundant connections over multiple service providers? NAT?) I'd say that Linux could probably have done what you were looking for, but that there wasn't an easy tool to set it all up other than to issue all of the ebtables/iptables/iproute2/openswan/quagga/etc. commands to get the box the way you wanted.

    Not that much different from operating a Cisco, really, except that Cisco trains and certifies people to know their cryptic commands. I'd say that Linux's true weakness in the routing realm is the commodity hardware people would run it on... nobody's leftover x86 system would be able to handle routing multiple gigabit connections running at full speed with just a few PCI cards and a wish and a prayer.

  12. Those aren't OpenBSD by RedBear · · Score: 2, Informative

      I recommend you look at Monowall for a boots-from-CD OpenBSD firewall router, or I prefer pfSense because it allows you to install to a hard drive and has more features.


    M0n0wall uses iptables and is based on FreeBSD. PfSense at least uses PF from OpenBSD but is also FreeBSD based. Unless there are other options out there I guess really nothing has changed. Everyone talks up OpenBSD as the most secure OS and the best possible choice for a firewall, but nobody wants to take the time to make a usable dedicated firewall/router variant for regular people. Surely it wouldn't be that difficult to make an OpenBSD-based distro just as featureful and easy to configure as a FreeBSD-based version. But what do I know.

  13. Mikrotik's RouterOS by zeenixus · · Score: 2, Informative

    RouterOS is Linux based with a very nice console interface as well as a Windows client.

    It does all the usual Linux firewall stuff, as well as traffic shaping, connection rate limiting, traffic identification, RIP/OSPF/BGP, VPNs, lots more.

    Unique features include a scripting host and cron-jobs. Very cool, indeed.

    They also make their own hardware (expandable SBCs, wifi) with their RouterOS embedded in flash.

    http://www.mikrotik.com/

    --
    In Bob we trust.
    1. Re:Mikrotik's RouterOS by Anarke_Incarnate · · Score: 2, Informative

      Funny that you mention RouterOS. My company (actually, I am leaving them very soon) uses routerboard routers with RouterOS on them in place of Cisco stuff because it is cheaper and far more functional (easier to use too). The boxes are small, very cheap and work well. I think we had to reboot ours recently, after almost 350 days of uptime, only because we had to move it.