Firewall Recommendations?
anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"
we have Cisco PIX everywhere but would dump them for OpenBSD & PF in a heartbeat
More than one, with the firewalls all as different from each other as possible. Hackers do find and exploit bugs in commercial firewalls, so when they breach the one facing the internet there's another level of protection. Widely differing firewalls in series greatly reduce the chance of anyone breaking in. The number of series firewalls depends on your security needs. Note well: if you're depending on one commercial firewall to protect your business - you will be hacked. You probably have been already. Equally critical is proper firewall configuration. Deny all traffic by default - only allow needed traffic. Always keep in mind that any program can use any (or all) ports for communication. If you're not an expert in information security / firewall configuration, hire one to do it for you.
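The default-deny configuration this comment describes, as an added example in OpenBSD pf.conf syntax (this is not code from the thread or from any poster): the interface names, the LAN network, the mail server address and the allowed service ports are assumptions for a small office gateway.

```pf
# Added example: default-deny pf.conf for a small office gateway.
# Assumptions: em0 faces the internet, em1 faces the LAN,
# 192.168.10.0/24 is the LAN and 192.168.10.25 is the only published host.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.10.0/24"
mail_srv = "192.168.10.25"
# Outbound services the staff actually need; everything else stays blocked.
out_tcp = "{ 25 80 443 993 }"
out_udp = "{ 53 123 }"

set skip on lo0

# Normalise traffic before filtering.
match in all scrub (no-df)

# Hide the LAN behind the external address.
match out on $ext_if inet from $lan_net to any nat-to ($ext_if)

# Default deny: anything not matched by a later pass rule is dropped and logged.
block log all

# Drop packets claiming a LAN source that arrive on the wrong interface.
antispoof quick for { lo0 $int_if }

# LAN -> internet, stateful, limited to the listed ports. A port number only
# says which service the packet claims to be for; the filter cannot tell which
# program on the client actually opened the connection.
pass in on $int_if inet proto tcp from $lan_net to any port $out_tcp
pass in on $int_if inet proto udp from $lan_net to any port $out_udp
pass out on $ext_if inet proto tcp from ($ext_if) to any port $out_tcp
pass out on $ext_if inet proto udp from ($ext_if) to any port $out_udp

# Internet -> mail server only, on port 25, redirected to the internal host.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 25 rdr-to $mail_srv
pass out on $int_if inet proto tcp from any to $mail_srv port 25
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and list the active rules with `pfctl -sr`. Because the `block` rule logs, `tcpdump -n -e -ttt -i pflog0` shows exactly which traffic the default deny is dropping, which is how you find out what the "needed traffic" really is before opening anything further.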
There have been two remote exploits in the default configuration of OpenBSD in the last *TEN* years, that should say a lot. I've been using OpenBSD for nearly 10 years, and while I may not like, or agree with all of Theo's actions, I must say it is an excellent OS. Besides, it's been a few years since Theo ripped out the firewall software in a fit of rage and they released a version of OpenBSD for the DEC Alpha without any firewall software included. Yes, I'm still bitter, and any other product I would have dumped after getting burned like that, but OpenBSD is too good to dump.
Warning, that is just one example of the problems that Theo has caused...
Is there any way to get internal DNS to work for VPN users? Our IT Dept. can't do it.
Is there any way to get it to authenticate VPN to Windows Active Directory in a company with multiple Active Directory domains? Our IT Dept. can't do it.
Also, Secure Remote pops up and asks for a password about 20 times an hour unless Auto Login is enabled. Any ideas?
Not to mention the "if you tell Secure Remote to connect to site A, then you can't access systems at site C" problem. That's too complicated.
Is there any way I can find out these answers myself so I can tell our IT Dept. how to do their jobs? One problem I have with the system is that there doesn't seem to be any readily-available documentation I can download and read.
If it's such a good system, then these types of questions shouldn't be impossible to answer like they apparently are for us. Maybe there's an extra "make it not completely suck" option we decided to save money on? Because it completely sucks for us.
Especially with firewalls it makes sense to do an Ask Slashdot. Google will give you myriad possible solutions of all kinds, and every vendor or consultant has some kind of firewall solution they are trying to push, often because they make shitloads of money selling broken or oversized commercial solutions.
Getting an impression of what works for whom is priceless, even/especially if you are already working with some kind of security consultant (I cannot count the ridiculously insecure, oversized/overpriced and/or insane security setups I have seen that "security consultants" have sold some poor company).
I think there is almost no field of IT where so many totally incompetent people are trying to sell snake oil as in IT security.
Sure. The same as on Usenet, any kind of Web forum etc. pp. And you get all kinds of astroturfers, trolls, self-important idiots and fanbois, but also lots of people with real experience and know-how (OK, now who's who?).
/. is just one source of information among many, and one that you have to take with a biiiig spoon of salt, but nevertheless it can be quite useful as a starter. Even if a lot of Ask Slashdots really can be solved with a simple Google search and do not give anyone the slightest insight about anything, I think that in that case there is some value.
/. as your sole source of information on anything you deserve the beating you will get, but this is no different from most other sources of information today, I'm afraid. At least on /. no one expects that anything is unbiased, factually correct and up-to-date. ;-)
Perhaps I formulated it wrong in that you do not necessarily find out what works but rather what does not. If enough people say "xyz does not work because blablabla" and not another hundred people come in screaming "wrong! wrong!" or the other way round, you get at least some idea about the merits of a product and its service and of possible problems (and their possible solutions, if there are any). In that
Certainly you are right in that if you use