Perimeter Hardware Firewall Suggestions?

Discussion in 'other firewalls' started by hutchingsp, Aug 19, 2007.

Thread Status:
Not open for further replies.
  1. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    I appreciate the forum is geared towards software, but I'm struggling to find more suitable forums, tbh. Anyway...

    I'm looking for a device to put at the edge of our network.

    I would want it to do the following:

    Act as a basic source/dest/protocol/action firewall to allow packets in and out to/from our servers.
    Have a minimum of 2 DMZ ports.
    Allow the internal and DMZ interfaces to work in either NAT or Route mode (selectable per interface).
    Have some sort of URL filtering via an external database i.e. Surfcontrol CPA/ISS
    Have the means to add/exclude entire domains from this filtering.
    Some level of IDS.
    A/V would be nice but not essential.
    Hardware appliance.

    The basic scenario is that outbound access for our LAN users would be handled by a proxy server on the LAN, so for outbound traffic (i.e. concurrent users) all this device would ever see would be the external IP of the proxy, as well as any traffic coming from our DMZs.

    The internet connection will be 100 Mbps, though I anticipate average usage to be low and bursty, i.e. low average, but when someone wants to download a large file it'll burst to as fast as we can get it.

    Because of this, and the fact that it won't have to handle connections from hundreds of LAN machines, I'm hoping to be able to look at a fairly low-end box.

    So far I've been looking (on paper) at:

    Juniper SSG 140
    Sonicwall 2040 and 3060
    Checkpoint VPN-1 Edge
    ISS Proventia MX1004
    Secure Computing Sidewinder 110

    But of course there are many manufacturers out there.

    I'd appreciate comments and suggestions.
     
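The topology described in this post (LAN behind a proxy in NAT mode, two DMZ segments in route mode, source/destination/protocol/action rules with a default deny) expressed as an nftables policy of the kind the Linux-based distros mentioned later in the thread could carry; this is an added example, not hutchingsp's configuration or any vendor's. Interface names, the RFC 5737 documentation addresses standing in for the DMZ's public range, the proxy address and the published ports are all assumptions.

```nft
# Added example for the thread's scenario (assumed layout, not from the post):
# eth0 = WAN; eth1 = LAN 10.0.0.0/24, NAT mode, proxy at 10.0.0.10;
# eth2 = DMZ1 198.51.100.0/24 and eth3 = DMZ2 203.0.113.0/24, route mode (no NAT).
flush ruleset

define WAN   = eth0
define LAN   = eth1
define DMZ1  = eth2
define DMZ2  = eth3
define PROXY = 10.0.0.10
define WEB   = 198.51.100.20
define MAIL  = 203.0.113.25

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # firewall management reachable from the LAN only
        iifname $LAN tcp dport { 22, 443 } accept
        icmp type echo-request limit rate 5/second accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # outbound web only from the LAN proxy; other LAN hosts never reach the WAN directly
        iifname $LAN oifname $WAN ip saddr $PROXY tcp dport { 80, 443 } accept
        # published DMZ services, one rule per exposed service
        iifname $WAN oifname $DMZ1 ip daddr $WEB tcp dport { 80, 443 } accept
        iifname $WAN oifname $DMZ2 ip daddr $MAIL tcp dport 25 accept
        # DMZ hosts may resolve names, sync time and fetch updates, but nothing into the LAN
        iifname { $DMZ1, $DMZ2 } oifname $WAN udp dport { 53, 123 } accept
        iifname { $DMZ1, $DMZ2 } oifname $WAN tcp dport { 53, 80, 443 } accept
        # record what the default drop catches, rate-limited so logs cannot be flooded
        limit rate 10/minute log prefix "fw-forward-drop: "
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # only the LAN is NATed behind the WAN address; DMZ traffic is routed untouched
        oifname $WAN ip saddr 10.0.0.0/24 masquerade
    }
}
```

Load with `nft -f <file>` and review the live ruleset with `nft list ruleset`; any inbound service not listed in the forward chain is dropped and logged.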
  2. hutchingsp

    hutchingsp Registered Member

    Joined:
    Aug 2, 2007
    Posts:
    174
    Guess that's a no then!

    Any suggestions on suitable forums? I'm struggling to find anywhere vendor neutral specializing in this sort of stuff.
     
  3. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    Three Linux distros I've mentioned here a few times....

    First...IPCop with the Copfilter add-on...
    You start with the very popular IPCop distro....
    http://ipcop.org/
    Very popular, large support and add-on base. You then add Copfilter to it, which is an add-on
    http://www.copfilter.org
    You can add proxy features with other add-ons like Squid or DansGuardian.

    Another great distro which I've used at some clients...it's a pre-built all-in-one package, called Endian
    http://www.endian.it/
    It's built on top of IPCop WITH the Copfilter add-on...all wrapped up in one smooth tidy package.
    ISO is free to download and install on your own hardware.

    A recent entry to this growing field...is Untangle
    http://www.untangle.com/
    VERY robust...I built one a few weeks ago which I'm running at the office. They are aggressively going after the small business market, even stepping into enterprise territory. Integration with Active Directory, and they're fast building reporting to various management tools like Kaseya.
    I'm signing up to become a VAR with them, very impressed with the package.
    Free ISO to download and install on your own hardware, you only lose a couple of the "Pro" features. Spend some time looking at this one...very impressive package.
     
  4. Nubiatech

    Nubiatech Registered Member

    Joined:
    Aug 19, 2007
    Posts:
    50
    Location:
    IL, USA
    High-end solution:
    Cisco PIX 515 firewall or the newer ASA 5505, with a dedicated URL filtering server (e.g. Websense).
    I have experience with Cisco products, so I can't vouch for others, and I'm mentioning this because you already considered similar products from Juniper and Checkpoint.

    Low-end solution, open source:
    OpenWRT/X-WRT, with a decent Broadcom-based home router (e.g. Linksys WRT350N or WRTSL54GS)
    For URL filtering, a package like DansGuardian could do the trick. And Snort for IDS.

    -----
     