Re: [fw-wiz] Recommendation needed for a firewall appliance

From: Mark Tinberg (mtinberg_at_securepipe.com)
Date: 10/21/03

  • Next message: Michael C. Toren: "Re: [fw-wiz] Traceroute"
    To: "Christopher L. Everett" <ceverett@ceverett.com>
    Date: Mon, 20 Oct 2003 21:37:27 -0500 (CDT)
    
    

    On Fri, 17 Oct 2003, Christopher L. Everett wrote:

    > I'm a web programmer/system admin for a small company in the
    > medical advertising space. We operate on a pretty low budget,
    > but I can get anything I can demonstrate a need for, within
    > reason. In this case, within reason is $500 or less.

    I don't know that there's a lot of hardware in this range, except for SOHO
    stuff.
     
    > I'd set up a Linux based Firewall/VPN server, but I just don't
    > have the time to mess with setting up such a box from scratch;
    > the last time I played with FreeSWAN a little over a year ago
    > I was unsuccessful in getting an IPSec VPN going with a Win2K
    > box despite following detailed instructions verbatim.

    There are several firewall specific linux distros, Astaro, Coyote
    Linux and Devil Linux appear to be a few examples. More can assuredly be
    found in the Freshmeat listing at

      http://freshmeat.net/browse/151/?topic_id=151

    > After looking around and seeing what's happening in the firewall
    > appliance market, and thinking about what I'd like to be able to
    > do, I've come up with these requirements:

    There are some small firewall units, and there are small Managed Security
    companies as well.

    > 1) > 50 Mbps LAN-to-WAN throughput (needs a 10/100 WAN port)

    ?? Do you have a 50Mbps connection to the internet ??

    > 2) a 10/100 DMZ port

    So you need three interfaces, inside, outside, dmz.

    > 3) enough VPN speed for 3 to 5 broadband users, 10Mbps or more

    ?? You're going to have 30-50Mbps of VPN (IPSec) traffic ??
    ?? do your clients have 10Mbps links to the internet ??

    > 4) client to VPN connectivity without needing special software,
    > for Windows, OSX and Linux.

    I believe Windows comes with an IPSec stack, although I don't know if it's
    functional (it wasn't on W2K last I looked, and clients ended up buying
    SafeNet SoftPK). Linux has FreeSWAN (and USAGI) and I believe OSX ships
    with KAME from *BSD.

    There is OpenVPN as well, which has generally decent crypto (links against
    libssl) and also runs on all of the above-mentioned platforms.

      http://openvpn.sourceforge.net/

    > 5) maker has a good record on security & releasing patches

    Always important, and a too often overlooked requirement. The other thing
    to look for is how often they _haven't_ had to release patches, but this
    is a lot harder to determine.

    > 6) The firewall/VPN runs in hardware as much as possible.

    All software runs on hardware, I doubt this is a sensible requirement for
    your network setup. A few of your other requirements don't seem to really
    make sense either.

    > As far as new, currently manufactured equipment that looks
    > good to my inexperienced eye are:
    >
    > 1) Netgear FVL328
    > 2) Hotbrick 600/2
    >
    > The Symantec 200R and Sonicwall stuff seems to need special VPN
    > software so that's out.
    >

    I'm pretty sure that both support IPSec, in fact I think that the Symantec
    is using Linux and FreeSWAN as their IPSec implementation underneath
    anyway. At least judging from all the Symantec hits I received when
    searching for FreeSWAN error messages.

    > But I've also been checking out used equipment on Ebay hoping
    > to get lucky and stretch our budget into something a little more
    > deluxe such as an older Nokia (IP440?) or Watchguard box.
    >
    > One thing that I don't understand are the licensing issues
    > with used Nokia boxes: do the Checkpoint licenses travel with
    > the box or will I have to buy new licenses?

    I think this question was answered on the list about Cisco hardware, and
    in that case the licenses are not transferable. You buy the hardware on
    eBay, and you've still got to buy a maintenance contract to get access to
    legit firmware and any firmware updates. If you really want to know,
    there's no substitute for calling the vendor and asking, I'm sure they'd
    be happy to talk to you.

    > Another thing I'd like to know about are the risks involved
    > in running an older, possibly unsupported firewall/VPN box:
    > is it riskier than just running straight NAT access? Are
    > there some of these older boxes I should stay away from?

    Well, in that case you're on your own, flapping in the wind with no
    parachute. IMHO you want to have either A) a maintenance contract with a
    very responsive and active vendor or B) the source and at least the will
    to pay someone to help you when you need help.

    --
    Mark Tinberg
    Network Security Engineer
    SecurePipe, Inc.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    
