Firewall Recommendations?
anomalous cohort asks: "The company that I work for is looking at upgrading to a proper firewall (sadly, we use only the MS-ISA server now). Our I.T. guy is ready to recommend Fortigate [45]00a. Ours is a small company with about a dozen employees and about 400 customers. Does anybody have any experiences, good or bad, with these two products or with the Fortinet company? Are there any recommended firewalls (outside of Cisco's) that we should seriously look at?"
Then run Debian, Firehol, and Squid (transparent).
I just set one up and it was easy. And best of all, the PF syntax is very straightforward.
Cisco ASA 5505 (it's less than a thousand dollars), and the Nokia Checkpoint appliances (i350, etc).
Also the Juniper/Netscreen models (SSG 5, SSG 20, Netscreen 5 models)
Well, fairly good anyway. Check out the Smoothwall Linux firewall: http://www.smoothwall.org/get/ SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. SmoothWall includes a hardened subset of the GNU/Linux operating system, so there is no separate OS to install. Designed for ease of use, SmoothWall is configured via a web-based GUI, and requires absolutely no knowledge of Linux to install or use. We use this in our business. VERY good.
http://www.astaro.com/ 'nuff said.
Computers with Microsoft Vista make the best firewalls. Let's say you have a large boiler room, and you really want to keep the heat contained. A good thick layer of 3-4 PCs with Vista Home Premium (or 2-3 PCs with Vista Ultimate) will keep just about anything contained. Please note that Vista Home Basic isn't really suitable for this job in any thickness, as it will tend to burn and contribute to the problem.
Oh, and don't forget to apply a generous coat of anti-virus paint every morning!
We have a Fortigate 400, and we love it. It's damn near perfect. I recommend them to EVERYONE who is in the market for a high-end firewall appliance.
Truly, it's the best thing on the market right now. Much better than a PIX, or Netscreen, or anything else. And cheaper. And it does more.
They really need better marketing, because few people even know they exist, which is too bad.
So yeah, you should get one.
Even though it's carcinogenic, I recommend asbestos. It's one of the best thermal insulators known, and if you don't rip your walls open you'll never breathe it in.
More than one, with the firewalls all as different from each other as possible. Hackers do find and exploit bugs in commercial firewalls, so when they breach the one facing the internet there's another level of protection. Widely differing firewalls in series greatly reduce the chance of anyone breaking in. The number of series firewalls depends on your security needs. Note well: if you're depending on one commercial firewall to protect your business, you will be hacked. You probably have been already. Equally critical is proper firewall configuration. Deny all traffic by default; only allow needed traffic. Always keep in mind that any program can use any (or all) ports for communication. If you're not an expert in information security / firewall configuration, hire one to do it for you.
IPCop is a very secure and flexible firewall, plus it's open source. It runs on all kinds of hardware: normal PCs, boards with CF cards, servers. A vanilla installation is full of features like VPN, QoS, IDS and a web proxy, and by using addons you can add stuff like detailed proxy reports, content filtering, traffic monitoring and a lot more.
You can find it at http://ipcop.org/
Their mailing list is pretty active and full of helpful people.
If you have a spare PC and some network cards give it a try.
We run several PIXes (Cisco) at work and at branches across the country. They handle the VPNs well enough and are simple enough to work with but when you see shit like this (IPs removed): in your logs from units which cost thousands of dollars, you have to scratch your head. Yeah, they charge for how many machines you'll run through it. We have a few "unrestricted" ones but they're thousands of dollars. Thousands of dollars I can better spend on other stuff.
We let our contracts lapse and are working hard at moving everything to OpenBSD, PF and the native IPsec, although OpenVPN is a serious contender as we use that for the road warriors already.
It pisses me off to no fucking end that getting a firewall capable of gigabit (we're a bunch of research labs on CANARIE) from Cisco will each take a big bite from my budget, just to have the "Cisco" brand on it.
NB: I do love their routers and switches. Their firewalls are overpriced and underwhelming.
It's your IT department.
Checkpoint is stable, secure and has an excellent track record. If you actually have to administer the firewall, the Checkpoint GUI is second to none. Simple, intuitive, everything you could want. SecuRemote isn't any more annoying than most other VPN clients. Of course, none of that comes cheap. Checkpoint (especially on Nokia hardware) is the most expensive choice by far.
Juniper seems to make a pretty good device. I've been running a Netscreen 208 and a Netscreen 50 for a while now and they haven't given me any grief. It was like going back in time to get used to the GUI, but Checkpoint pretty much spoils you for anything else. Logging is pretty good on the Netscreen, and permanent VPN tunnels (IPsec) seemed to be a little easier to build than with the Checkpoint FW.
Fortinet works well too, but it's a pain in the ass to set up. When my last company migrated from Checkpoint to a Fortinet (as an asinine budget-driven decision) it took 4 separate "policies" to accomplish what could be done in one rule in Checkpoint.
If you have the budget, go with Checkpoint. Otherwise, Juniper is a solid choice.
How do multiple external IP addresses cause an issue? I've been able to successfully have plenty of external IP addresses, and more particularly, multiple internet connections each with its own WAN and/or CIDR block.
The trick to the former (multiple IPs, one internet connection) is really managing via subinterfaces. Firewall rules to deal with the associated packets are pretty easy. This lets you DNAT things into the appropriate place via iptables. If you want to actually build a DMZ, you could use a proxy ARP setup like this: http://www.sjdjweis.com/linux/proxyarp/
As for multiple internet connections, look into multiple routing tables via the ip command. Example:
ip route add default via table 100
Then use ip rule statements to choose when to use the particular route tables:
ip rule add to table 100
ip rule add from table 100
You can also pretty simply set up multiple SNAT rules to SNAT traffic over each link for different purposes. This lets you do things like SNAT to a specific host (read: internet connection) based on protocol, internal source address or destination. Handy for lots of things.
One nice thing to do with multiple internet connections is to have verbs in your firewall script that will allow you to manually failover your internet connection if one goes down. This obviously doesn't help external entities trying to reach hosts that sit in your DMZ on a failed connection, but it can let you continue to work with outgoing traffic while the problem is resolved.
If you're slick, you have your DNS hosted externally and you can then use this to update DNS for the DMZ to an alternate zone which specifies those public facing hosts as existing on the internet connection you just did a failover to. Make sure your A record TTL values are low.
This leads to a reconfiguration of the DMZ unless you have done full SNAT/DNAT mappings for each DMZ host in the firewall. Doing so can be a lot more work, but you can build a set of symmetric (or controlled in a script by a variable) configurations that swap out the DMZ nat rules so that they exist for one specific internet connection or the other.
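The multi-link setup described in this post (one routing table per link, ip rules to select them, per-link SNAT, and a manual failover verb), written out as a runnable script. This is an added example, not the poster's own firewall script: the interface names, addresses, gateways, table numbers and fwmarks are assumed placeholders using RFC 5737 documentation ranges, and the "steer SMTP out link 2" rule is an illustration of the protocol-based link selection mentioned above. By default the script only prints the commands it would run; set DRY_RUN=0 (as root) to apply them.

```shell
#!/bin/sh
# Added example: dual-WAN policy routing on a Linux firewall with iproute2 and
# iptables. Interface names, addresses, gateways, table numbers and fwmarks are
# ASSUMED placeholders (RFC 5737 documentation ranges), not taken from the thread.
# DRY_RUN=1 (the default) only prints the commands; DRY_RUN=0 runs them (as root).

DRY_RUN=${DRY_RUN:-1}
LAN_NET=192.168.1.0/24
WAN1_IF=eth1 WAN1_IP=203.0.113.10 WAN1_GW=203.0.113.1 WAN1_TABLE=100 WAN1_MARK=1
WAN2_IF=eth2 WAN2_IP=198.51.100.10 WAN2_GW=198.51.100.1 WAN2_TABLE=200 WAN2_MARK=2

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One routing table per link. The "from" rule makes replies leave via the link
# the packet arrived on; the "fwmark" rule lets iptables steer traffic to a link.
setup_link() {  # setup_link IFACE ADDR GW TABLE MARK
  ifc=$1 addr=$2 gw=$3 tbl=$4 mark=$5
  run ip route replace default via "$gw" dev "$ifc" table "$tbl"
  run ip rule add from "$addr" lookup "$tbl"
  run ip rule add fwmark "$mark" lookup "$tbl"
  # SNAT LAN traffic to the address of whichever link it actually leaves on
  run iptables -t nat -A POSTROUTING -s "$LAN_NET" -o "$ifc" -j SNAT --to-source "$addr"
}

# Pick a link per protocol/port: mark the packet and the fwmark rule does the rest.
steer() {  # steer MARK PROTO DPORT
  run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p "$2" --dport "$3" -j MARK --set-mark "$1"
}

setup() {
  setup_link "$WAN1_IF" "$WAN1_IP" "$WAN1_GW" "$WAN1_TABLE" "$WAN1_MARK"
  setup_link "$WAN2_IF" "$WAN2_IP" "$WAN2_GW" "$WAN2_TABLE" "$WAN2_MARK"
  steer "$WAN2_MARK" tcp 25                                   # outbound SMTP via link 2
  run ip route replace default via "$WAN1_GW" dev "$WAN1_IF"  # everything else via link 1
}

# Manual failover verb: swap the main-table default route. Established NAT
# sessions stay pinned to the old link by conntrack, so flush them as well.
failover() {  # failover wan1|wan2
  case "$1" in
    wan1) gw=$WAN1_GW ifc=$WAN1_IF ;;
    wan2) gw=$WAN2_GW ifc=$WAN2_IF ;;
    *) echo "usage: failover wan1|wan2" >&2; return 1 ;;
  esac
  run ip route replace default via "$gw" dev "$ifc"
  run conntrack -F
}

if [ $# -gt 0 ]; then
  case "$1" in
    setup)    setup ;;
    failover) failover "$2" ;;
    *) echo "usage: $0 setup | failover wan1|wan2" >&2; exit 1 ;;
  esac
fi
```

Run `sh dualwan.sh setup` to see the full command list and `sh dualwan.sh failover wan2` for the failover verb. Two caveats when applying it for real: strict reverse-path filtering (`net.ipv4.conf.*.rp_filter=1`) will drop replies arriving on the link the "from" rule expects unless you relax it to loose mode (2), and, as the post says, the failover only helps outbound traffic; inbound DMZ reachability still needs the DNS and DNAT swap described above.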
The big wall we hit was multiple external IP addresses.
Depending on what you mean by "multiple" (Linux should handle a fair-sized network just fine, though I'm sure someone will pipe up about how he has an entire /8 running through a single box running FooOS and how Linux would have crashed and taken their billion dollar account with it and driven their company into bankruptcy, etc. etc.) and what you intend to do with all those IPs once you have them (load balancing/redundant connections over multiple service providers? NAT?) I'd say that Linux could probably have done what you were looking for, but that there wasn't an easy tool to set it all up other than to issue all of the ebtables/iptables/iproute2/openswan/quagga/etc. commands to get the box the way you wanted.
Not that much different from operating a Cisco, really, except that Cisco trains and certifies people to know their cryptic commands. I'd say that Linux's true weakness in the routing realm is the commodity hardware people would run it on... nobody's leftover x86 system would be able to handle routing multiple gigabit connections running at full speed with just a few PCI cards and a wish and a prayer.
m0n0wall uses iptables and is based on FreeBSD. pfSense at least uses PF from OpenBSD but is also FreeBSD based. Unless there are other options out there, I guess really nothing has changed. Everyone talks up OpenBSD as the most secure OS and the best possible choice for a firewall, but nobody wants to take the time to make a usable dedicated firewall/router variant for regular people. Surely it wouldn't be that difficult to make an OpenBSD-based distro just as featureful and easy to configure as a FreeBSD-based version. But what do I know.
RouterOS is Linux based with a very nice console interface as well as a Windows client.
It does all the usual Linux firewall stuff, as well as traffic shaping, connection rate limiting, traffic identification, RIP/OSPF/BGP, VPNs, and lots more.
Unique features include a scripting host and cron jobs. Very cool, indeed.
They also make their own hardware (expandable SBCs, wifi) with RouterOS embedded in flash.
http://www.mikrotik.com/
Especially with firewalls it makes sense to do an Ask Slashdot. Google will give you myriad possible solutions of all kinds, and every vendor or consultant has some kind of firewall solution they are trying to push, often because they make shitloads of money selling broken or oversized commercial solutions.
Getting an impression of what works for whom is priceless, even/especially if you are already working with some kind of security consultant (I cannot count the ridiculously insecure, oversized/overpriced and/or insane security setups I have seen that "security consultants" have sold to some poor company).
I think there is almost no field of IT where so many totally incompetent people are trying to sell snake oil as in IT security.
Sure. The same as on Usenet, any kind of Web forum, etc. And you get all kinds of astroturfers, trolls, self-important idiots and fanbois, but also lots of people with real experience and know-how (ok, now who's who?).
/. is just one source of information among many, and one that you have to take with a biiiig spoon of salt, but nevertheless it can be quite useful as a starter. Even if a lot of Ask Slashdots really can be solved with a simple Google search and do not give anyone the slightest insight about anything, I think that in that case there is some value.
Certainly you are right in that if you use /. as your sole source of information on anything you deserve the beating you will get, but this is no different from most other sources of information today, I'm afraid. At least on /. no one expects that anything is unbiased, factually correct and up-to-date. ;-)
Perhaps I formulated it wrong in that you do not necessarily find out what works but rather what not. If enough people say "xyz does not work because blablabla" and not another hundred people come in screaming "wrong! wrong!" or the other way round, you get at least some idea about the merits of a product and its service and of possible problems (and their possible solutions, if there are any). In that