View Full Version : Firewall suggestion

05-09-2010, 11:01 PM

I need to place a firewall on the edge of my network. I have a very limited budget to work with, so the cheaper the better. :D

My default choice is the ASA5510. All our networking equipment is Cisco, and all of my guys are conversant in the Cisco way of doing things. I'm not married to the idea, so I'm looking for alternatives. I intend to use a different box for IDS purposes, but I'm not opposed to having the firewall handle the task as well.

What would you guys use for a small-scale ISP?

05-16-2010, 1:00 AM

05-16-2010, 2:32 AM
Cisco ASA, Juniper/Netscreen or Sonicwall are all fine. Depends on your goals & bandwidth.

Defense in depth is the key. Multiple layers, solid logging, NetFlow analyzer. IDS helps but event correlation is more important.

Bug Splat
05-16-2010, 2:10 PM
I have about 7 ASAs on my company network and to be honest I don't really like them. While they are solid devices they are not as simple to set up. It's not intuitive at all and a lot of setup is required just to do basic things. The plus side is it never assumes a task should be allowed, such as passing port 80 traffic from the inside network to the outside, but on the down side you have to tell it to do EVERYTHING. A lot of times things don't work because you forgot one little setting.

I've run a small ISP before and the best firewall I ever used, hands down, was a M0n0wall. It's free. All you need is the hardware. It could be just an old computer, or you can do what most do and get a Soekris board and case. I ran this box for 7 years and only had to reboot it once, and that was because I screwed a setting up. Not the router's fault. Easy to use and tons of settings and tools. The QoS and P2P filtering are great and are a lifesaver for smaller ISPs, trust me. You can limit all P2P traffic down to 1k if you wanted without completely blocking the service.

Check them. http://m0n0.ch/wall

05-16-2010, 4:42 PM

Thanks for the input. The ASA is going to be the cheapest for me, since I've already got the box. I've heard great things about Mono...that's definitely an idea.

Sonicwall I've had a terrible experience with. I basically ended up DoSing the damn box for a good forty-five minutes one evening as I ran a scan of my network. As the box was the gateway device, there was no external network access during that time. So yeah. Ever since, I've been using Sonicwall on small networks, if at all.

Juniper's a thought. I'll have to look into it some and see what kinda cost I'm looking at.

05-16-2010, 4:44 PM
What are the requirements? Desired throughput (clear text/encrypted), number of interfaces, required features, etc.? Without that info, any advice here is pretty much meaningless.

So, my meaningless advice would be to avoid Sonicwall. They reliably produce a discovered vulnerability or two per month and have serious performance issues. At least, that was my experience when I had to deal with them.

05-16-2010, 5:25 PM
If you're looking for high performance on the cheap, it would be hard to beat monowall. Just be sure to use good NICs, and don't be senselessly cheap with the rest of the hardware. I've used it for years in several applications and always been impressed with its performance and features, even in comparison to Cisco and Juniper gear.

05-16-2010, 5:44 PM
Up until you said ISP, I was going to say the IOS Firewall Feature Set. I used to default to PIX/ASA, but for SMB/SOHO a dedicated firewall isn't fully justified. You can do everything you need with IP INSPECT; however, performance isn't IOS/FW's strong suit. I've used 2811s successfully up to 10MB and 2911s feel like they'll go about twice that. I have the 1811w at home and it's the perfect little box with WiFi and PoE.

Untangle makes a nice interface for the open-source tools crowd. Again, tailored to the SMB.

For an ISP type application, I'd lean back to an ASA w/ Snort so you could actively shun where/when needed.
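The IP INSPECT pattern the post above refers to, written out as an added illustration of the classic IOS Firewall (CBAC) setup. This is not configuration from the thread or from any poster; the interface name, ACL name, inspection rule name and the WAN address are assumed for the example.

```cisco
! Added example (not from the thread): classic IOS Firewall / CBAC on one WAN interface.
! Names (OUTBOUND, WAN-IN, FastEthernet0/0) and the 192.0.2.2 address are assumptions.
!
! Stateful inspection rule: sessions initiated from the inside open their own
! return path through the inbound ACL for the life of the session.
ip inspect name OUTBOUND tcp
ip inspect name OUTBOUND udp
!
! Inbound on the WAN side, nothing is permitted by default; CBAC inserts temporary
! entries ahead of this ACL only for the return traffic of inspected sessions.
ip access-list extended WAN-IN
 deny ip any any log
!
interface FastEthernet0/0
 description WAN (address is a documentation-range placeholder)
 ip address 192.0.2.2 255.255.255.252
 ip access-group WAN-IN in
 ip inspect OUTBOUND out
!
! Verification after applying the above:
!   show ip inspect sessions     (live state table)
!   show ip inspect statistics   (inspection counters, useful for sizing on a 2811/2911)
```

The point of the layout is that the deny-all ACL faces inward on the WAN interface while the inspection rule faces outward on the same interface, so only replies to sessions the inside started get through; anything the router must accept unsolicited (a VPN peer, a published service) needs an explicit permit added to WAN-IN above the deny line.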

05-16-2010, 5:55 PM
What are the requirements? Desired throughput (clear text/encrypted), number of interfaces, required features, etc.? Without that info, any advice here is pretty much meaningless.
You said ISP, so that changes the question a bit too. Importantly, how many and what kind of native interfaces do you want? What are the required and forecast bandwidth? What exact feature capabilities do you want? Redundancy? Active-Active?