Re: Firewall Info/Recommendations?
From: Paul Hutchings (paul.hutchings@gmx.netNOSPAM)Date: 06/15/02
- Next message: : "Re: Do I really need NETBEUI for file and print sharing?"
- Previous message: : "Re: Free Firewalls: ZoneAlarm vs Tiny Personal Firewall"
- In reply to: x y: "Re: Firewall Info/Recommendations?"
- Next in thread: x y: "Re: Firewall Info/Recommendations?"
- Reply: x y: "Re: Firewall Info/Recommendations?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Paul Hutchings <paul.hutchings@gmx.netNOSPAM> Date: Sat, 15 Jun 2002 10:03:32 -0000
"x y" <jamescagney90210@excite.com> wrote in
news:u1MMiSAFCHA.1812@cpimsnntpa03:
Thanks for the detailed reply,
> Having a third interface for DMZ capability is going to cost you a
> heap of money no matter what product you go with [unless you go with a
> free OpenBSD, FreeBSD or a Linux product with free firewall on an old
> 486 or 586 PC. Steep learning curve but fairly easy installation,
> extra nic cards are free, hot or cold spare backup or redundant
> firewalls in case of system failure are free, and there are tons of
> freeware add-ons like reporting, vpn, etc.]
Hmm... I'd be prepared to have a play with that sort of thing, my current
*nix knowledge is nil, however whilst I'm the "hands-on" admin my boss and a
colleague would need to be able to operate it if I'm not about, we're not a
*nix shop so I doubt they'd go for it, plus I don't think I'd feel
comfortable having something at our perimeter that I don't know that much
about.
> If you're keeping your ISA server, you don't really 100% need a
> firewall with 3 interfaces or "DMZ capability" listed. It is an
> acceptable DMZ architecture for a small network to have two firewalls
> in front of your private network with the DMZ in between the two
> firewalls. You'll save a lot of money if you settle for a device with
> only 2 interfaces and keep your ISA server. One issue with doing this
> is that if someone was able to hack into one of your servers in the
> DMZ, they could set up a sniffer and sniff all the traffic from your
> internal network to the internet... although on the other hand,
> internet-bound traffic like your internet email and web browsing
> should be considered somewhat of a public conversation anyways.
Well, the ISA is staying, that's definite as it's the best way we've found
to easily control outbound access, plus I like the idea of the second line
of defence just in case someone gets through the perimeter firewall.
Our primary website and FTP server is currently run off a DMZ off the FW-1,
in a couple months the website will move to a hosting/design company who
are being tasked with a proper "corporate" website.
We will be left needing inbound SMTP/POP3/IMAP connectivity to our internal
mailservers, http/https to some servers on the internal LAN that are
published through ISA, so the only thing that would stay on the current DMZ
is the FTP site, so I guess as you say it could go on the DMZ leg between
ISA and FW-1.
My suspicion nowadays is that firewalls aren't so much the weak link as the
various holes in the services that you need to make publicly available.
>
> I would recommend looking into the Netscreen 5XP. It has a lot of
> features, all the features of their high end firewalls, including VPN
> and traffic shaping and reporting that you don't even fully get with
> the Checkpoint product at that price, and it's probably easy enough
> for you to learn to configure it. Starts at $500, check ebay for
> prices on new and used models. And for VPN connections at the remote
> offices, you could consider getting two more Netscreen 5XPs. Some
> people here like Watchguard, but I have read negative things about
> their tech support.
I'm not familiar with Netscreen, but will def take a look. Am I right in
thinking that for the levels of Internet bandwidth we're talking about,
throughput and simultaneous connections isn't an issue, other than on low
end devices that have deliberately low limits to appeal to small offices?
> Cisco Pix 501 or 506 is another option also for a few hundred dollars,
> but the gui is reportedly not the best and there is a learning curve
> if you want to manage it yourself using IOS. On the other hand, Cisco
> has tons of free support documentation on their web site, unlike other
> vendors. Nortel Contivity is another firewall appliance starting
> around $1000 that reportedly has good VPN.
I've been looking for somewhere that has a demo/example of the PIX web
interface, as with the *nix options I'm not against learning, but I have
other people to consider. At present the ruleset we have isn't exactly
complex, so when you say the GUI isn't the best, what area do you mean?
> If you like Checkpoint, there are appliances listed on the
> checkpoint.com web page such as intrusion.com and nokia, some as low
> as $600 dollars.
I don't particularly like or dislike them, it's been there the last four
years and has worked soundly, which is good, but it is out of date.
Having seen the costs of the software upgrade (we don't currently have a
support contract) and maintenance costs, plus a basic server to run it,
plus the time to install and configure it I suspect we can replace it with
a small brick that we unbox, plug in, switch on, set up some rules and it
will do exactly what we currently want for maybe less than the cost of a
year's Checkpoint maintenance - that way if it lasts a year and we outgrow
its capabilities it's not the end of the world.
What I haven't found much on is the Cisco support options, like what
happens if it breaks, and what happens when a new firmware/software is
released?
TIA
Paul
-- Paul Hutchings ****Remove NOSPAM when replying****
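The layout the quoted reply describes (a 2-interface perimeter device, the DMZ behind it, ISA as the inner firewall in front of the LAN) can be modelled as a pair of ordered rule tables, which makes the two consequences discussed above concrete: a host in the DMZ cannot initiate anything toward the LAN, yet all LAN-to-internet traffic crosses the DMZ segment where a compromised host could observe it. The script below is an added example written for this page, not code from either poster or from any firewall vendor; the zone names, port list and rule sets are assumptions standing in for the real FW-1 and ISA policies.

```python
"""Model of a two-firewall DMZ: internet <-> FW-1 <-> DMZ <-> ISA <-> internal LAN.
Constructed example; zone names, ports and rules are assumptions, not a real policy."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
# Wire order of the zones: a flow between two zones crosses every zone
# (and every firewall) that sits between them.
TOPOLOGY: List[str] = [INTERNET, DMZ, INTERNAL]


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # zone name or "any"
    dst: str               # zone name or "any"
    port: Optional[int]    # destination TCP port, None = any port


@dataclass
class Firewall:
    name: str
    joins: Tuple[str, str]     # the two zones this 2-interface device separates
    rules: List[Rule] = field(default_factory=list)
    default: str = "deny"      # first match wins; unmatched traffic is dropped

    def decide(self, src: str, dst: str, port: int) -> str:
        for r in self.rules:
            if r.src in ("any", src) and r.dst in ("any", dst) and r.port in (None, port):
                return r.action
        return self.default


PUBLISHED = [25, 110, 143, 80, 443]   # assumed: SMTP/POP3/IMAP and web published via ISA

# Perimeter device (assumed rules): inbound FTP to the DMZ host, the published
# internal services, and outbound access for everything behind it.
OUTER = Firewall("FW-1", (INTERNET, DMZ),
                 [Rule("allow", INTERNET, DMZ, 21)]
                 + [Rule("allow", INTERNET, INTERNAL, p) for p in PUBLISHED]
                 + [Rule("allow", DMZ, INTERNET, None),
                    Rule("allow", INTERNAL, INTERNET, None)])

# Inner device (ISA, assumed rules): only the published services may reach the LAN
# from the internet side, LAN clients may go out, and the DMZ may initiate nothing inward.
INNER = Firewall("ISA", (DMZ, INTERNAL),
                 [Rule("allow", INTERNET, INTERNAL, p) for p in PUBLISHED]
                 + [Rule("allow", INTERNAL, INTERNET, None)])

FIREWALLS = [OUTER, INNER]


def crossed_zones(src: str, dst: str) -> List[str]:
    """Zones strictly between src and dst on the wire (where transit traffic can be seen)."""
    a, b = sorted((TOPOLOGY.index(src), TOPOLOGY.index(dst)))
    return TOPOLOGY[a + 1:b]


def firewalls_on_path(src: str, dst: str) -> List[Firewall]:
    """Every firewall whose pair of zones lies on the segment src..dst."""
    a, b = sorted((TOPOLOGY.index(src), TOPOLOGY.index(dst)))
    segment = TOPOLOGY[a:b + 1]
    return [fw for fw in FIREWALLS if all(z in segment for z in fw.joins)]


def allowed(src: str, dst: str, port: int) -> bool:
    """A flow succeeds only if every firewall on its path allows it."""
    return all(fw.decide(src, dst, port) == "allow" for fw in firewalls_on_path(src, dst))


def exposure(src: str, dst: str, port: int) -> List[str]:
    """Zones that can observe an allowed flow in transit; empty if the flow is blocked."""
    return crossed_zones(src, dst) if allowed(src, dst, port) else []


if __name__ == "__main__":
    for s, d, p in [(INTERNET, DMZ, 21), (INTERNET, INTERNAL, 25),
                    (INTERNET, INTERNAL, 445), (DMZ, INTERNAL, 445),
                    (INTERNAL, INTERNET, 80)]:
        print(f"{s:>8} -> {d:<8} tcp/{p:<3} allowed={allowed(s, d, p)!s:<5} "
              f"seen_by={exposure(s, d, p)}")
```

Running it shows inbound FTP stopping at the DMZ, published mail and web ports passing both devices, anything the DMZ host tries against the LAN being dropped by the inner device's default, and every LAN-to-internet flow reporting `seen_by=['dmz']`, which is exactly the sniffing caveat from the reply; if that exposure matters, encrypting the published services (or placing a dedicated DMZ switch port per host) is the mitigation, not a third interface.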