best router/firewall $1k.

JediFonger

my company needs one, they got dsl 2 months ago...but still w/o firewall (dumbarses). so what's the best one? budget=$1k. IDS, etc.

they have dsl cause they have a branch that VPNs into our server. all that is between Internet and our sensitive company info is the win2k3's "basic firewall" thingy checked.

once i get this router/firewall thing can i block ALL incoming traffic save one IP address? is this possible? how? can it be done with l2tp?
 
How many users? What VPN?

Cisco has a little PIX that is an excellent firewall, vpn, access-list box. I use them all over the world, literally and they are top notch.

Configuration is a bit complex if you do more than just plug it in and run the GUI but it is not too difficult if you care to work with it. They are capable of so much more than just a Linksys or DLink type thing. I can help if you post here.

A PIX 501, unlimited users, 3DES, VPN-capable is probably less than $600 after any kind of discount.
 
two win2k3 server, one with sql 2k one with exchange 2k3. roughly 20 users right now. most of them don't need internet access. only about 4 or 5 do. the rest will use a custom ERP clientside to access sql+exchange stuff on server side locally. the only reason why we have internet is cause there is a branch that needs to access our dbase. hence.. i have VPN setup. right now it's pptp but with all the sec. problems i've been reading about i'm really cautious and i really need a GOOD hardware fw+router. i'm connected to internet via verizon's DSL w/static IP.
 
I think I could do that with a Cisco PIX in about 30 minutes, give or take minor things.

That might be simple enough a config you could use something else but I'd still go Cisco PIX.
 
I have a 1U phoenix adaptive firewall with unlimited user license and unlimited VPN that I am trying to sell for $400.

Nothing pleases bosses more than being underbudget!!
 
Depends on the company but NOT spending money is bad. There's nobody to blame/sue, only people to fire/scapegoat.

I've tried Linux solutions for several things and, frankly, until Oracle came in and pitched a 6-figure project and said they develop for Linux first and use Linux to "eat their own dogfood" it never really carried any weight.

We'll never be Linux desktop but I keep hoping for some progress.
 
i keep hearing about *nix setup... but i'm afraid i don't have much experience in *nix anything.
 
I've been playing with Mikrotik of late, www.mikrotik.com DEFINITELY has Cisco on the ropes imho. it IS linux based but don't let that put you off 'cause you never see the shell. It works a lot like cisco, has a VERY VERY nice windows based GUI, and very comprehensive documentation.
 
Good firewalls for under $1,000:

Sonicwall TZ170

Watchguard Soho6 or Soho6tc

Symantec VPN Appliances (several models)

Netgear FVS328 or FVL328 VPN Firewall routers

Fortigate firewalls with real-time antivirus screening

A lot depends on what you want to do. If you want to have a remote branch office connected via site-to-site VPN, put two compatible VPN-capable firewalls at each end. If you also want remote-user VPN connections, remember to check if there is additional software required (Sonicwall, Watchguard, and Netgear for example) and figure the license costs into your budget.

If this is for a business, I really suggest you pay someone who knows what they're doing to set it up for you. Or else download the manuals and read up on how to configure it yourself before you buy.
 
I know if you are a company, not spending money is instantly a bad thing :/
and I also know that if you are a good sized company, you have to have someone who is very knowledgeable about your unix systems if you are going to implement them.

I don't think that this company is super huge, so I was thinking hey, something that's simple to setup and free might be good.

didn't mean to sound like I was putting down any of the pix/watchguard stuff. I like those products a lot, but I don't like to see money go to waste on features that may possibly never get used. feh. it's late.
 
prob is i dunno *nix that well and we are UNPROTECTED completely at this moment. i don't feel v. safe about it. i need somn that i buy plug in no extra software, just the FW itself. is it possible?
 
I'd go with a Cisco PIX unit. Even a PIX 501 with a 10 or 50 user licence would do what you need to do, and they run about $500-600 ish new I believe. I use a PIX 501 at home using its routing capabilities, VPN, etc and it's an awesome unit, feature packed and worth every penny.
 
I've seen sonicwalls be implemented exactly as you describe. Get two - one for each office and then set them up to do the VPN. The web interface is easy to use and the cost for both boxes will be pretty close to $1000.
 
PS i'm a bit confused on the licenses re FW. i want to use win2k3's VPN. couldn't i just let the FW do its own job as a dedicated FW and then let win2k3 handle the VPN part? do i STILL need to pay license?
 
you should be able to simply forward traffic to the windows vpn server. i think you'll need a spare IP address just to dedicate to the VPN box and use a second one for NAT. VPN doesn't work very well through NAT. i'm pretty sure you can make it work, but i don't think it's easy.
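The single-address, port-specific filter asked about earlier in the thread, combined with the "spare IP forwarded to the Windows VPN server" setup this reply describes, written out as an added PIX 6.x configuration fragment. It is not from the thread or from Cisco's documentation, and the addresses are constructed placeholders: 203.0.113.10 is the branch office, 198.51.100.5 the spare public address on the DSL line, 192.168.1.5 the Windows 2003 RRAS server.

```text
: Constructed example in PIX 6.x syntax. Placeholder addresses:
:   203.0.113.10  - branch office public address (the only host allowed in)
:   198.51.100.5  - spare public address on the DSL line, mapped to the VPN server
:   192.168.1.5   - Windows 2003 RRAS (PPTP) server on the inside network
:
: One-to-one static mapping for the VPN server. GRE (IP protocol 47) has no
: port numbers, so it cannot be shared through PAT; a dedicated public
: address is what lets the tunnel survive NAT at all.
static (inside,outside) 198.51.100.5 192.168.1.5 netmask 255.255.255.255
:
: PPTP as deployed today: control channel on TCP 1723 plus GRE, and only
: from the branch address. The final deny is what the PIX would do anyway,
: but stating it keeps the intent visible and gives a hit counter in
: 'show access-list' for anything else that knocks on the door.
access-list outside_in remark branch-office PPTP to RRAS only
access-list outside_in permit tcp host 203.0.113.10 host 198.51.100.5 eq 1723
access-list outside_in permit gre host 203.0.113.10 host 198.51.100.5
access-list outside_in deny ip any any
access-group outside_in in interface outside
:
: If the tunnel is later moved to L2TP/IPsec (the l2tp question above),
: the two permits become IKE (UDP 500), NAT-T (UDP 4500) and ESP
: (IP protocol 50); L2TP's own UDP 1701 travels inside the ESP tunnel
: and is not opened separately:
: access-list outside_in permit udp host 203.0.113.10 host 198.51.100.5 eq 500
: access-list outside_in permit udp host 203.0.113.10 host 198.51.100.5 eq 4500
: access-list outside_in permit esp host 203.0.113.10 host 198.51.100.5
:
: The handful of inside hosts that browse share the primary address via PAT;
: the static above takes precedence for the VPN server.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface
```

With this in place nothing from the Internet reaches the inside network except the branch's VPN traffic, and the Windows 2003 box is no longer the first line of defence.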
 
Use the firewall itself as a VPN endpoint. Hardware based VPN is always better than software based, at least from a reliability standpoint. If your server goes down, you are out one VPN. If you are using the firewall appliance as a VPN endpoint, and your server goes down, people can still have access to the rest of the network resources.

I vote PIX, they make me very happy, I've been deploying them for years, and I haven't had an unsatisfied customer yet.
 
I think it's interesting that no one mentioned Netscreen.

At this point in the game, the Netscreen offers more bang for the buck than the PIX 501 does. That will change at the end of this year with the PIX OS 7.0, but as of the moment, the PIX hasn't really seen any new major features since about this time last year. Netscreen is kicking butt in the firewall features department when compared to Cisco.

Believe me, I'm all about Cisco, that's just about all I support - that and Dell. But I got my hands on a demo unit of the Netscreen 5GT and crap was I impressed. I wanted a couple features of the Netscreen devices on MY network so bad that I talked to Cisco and told 'em a little lie that I would consider switching to Netscreen as my primary firewall vendor if they weren't going to include some of these features, so I ended up getting some inside info on some of the features that are going to be included in the new 7.0 OS coming out at the end of this year. Of course, at this point I wouldn't redeploy Netscreens and get rid of all my PIX firewalls, that would be stupid. But if a situation demanded these extra features, Netscreen would be the one to go in instead of Cisco.

Take a look at Netscreen, if they don't fit your bill, then Cisco is a kickass product too. You can't lose with either one.
 
CLOCKWORKS, the branch is accessing data only from the server. so if the server goes down... the branch computer doesn't need to VPN into our co. network...
 
folx i just thought of another thing... if i get the sonicwall, crisco, popular stuff... wouldn't i be MORE susceptible to MORE attacks? since these are supposedly "the standard" and very popular amongst you fine folx or from exterior influences wouldn't it make sense that MOST hax are targeted at these types of machines since a lot of people have it? yet when you get a machine that ha><ors dunno about you can protect yourself more since they don't know what you're using?
 
PIX is pretty solid. Cisco literally bets on it. The worst hack I've ever seen for a PIX is to crash it. No intrusion that I'm aware of has been found.
 
I would say check out Netscreen. I am in charge of 3 of them and love them. I have used Pix and Checkpoint before but find the Netscreen a much better product for the price.

The ScreenOS is so easy to use and configure. Much easier than Pix and Checkpoint. So if you are looking for an All-in-One box I say go Netscreen.

One more thing about them is their throughput is second to none in the All-in-One area. Last time I looked it was kicking the Pix's ass at the same price point.

Check out the 5GT if you're looking for something little or check out the 505 if you want something a little bigger with more interfaces.
 
Originally posted by computadorka
so what's the diff between the pix and a router?

hmmmm

First of all, a PIX is not a router. TAC tells me that every time I try to do something "interesting" that would work on a router.

A PIX is a filter, a firewall, an access control device. It can also direct packets from one network to another but that is just because it happens when you filter.

A router is a packet forwarder. It can filter, firewall and control access, but those are secondary to the packet forwarding business.
 
The PIX is a firewall with limited routing capabilities.

Example:
A particular Cisco router with IOS can do EIGRP, IGRP, BGP, OSPF, RIP, IS-IS, etc
Even the PIX 535 is limited to doing OSPF and RIP.

PIX cannot do "router on a stick".

PIX cannot terminate a WAN link such as T1 over Frame-Relay (unless the 535 can).

I could go on and on.

Computadorka: If you're asking is the PIX layer 7 aware? Yes it is, it can recognize specific applications and perform specific tasks tailored to those applications (these are the fixup commands). The PIX cannot do layer 7 access-control if that's what you're talking about. At least not yet. That *might* happen to be one of the things in PIX 7.0.
 
There was a good article in this month's Information Security in regards to the age old argument between application layer proxies and Stateful inspection firewalls.

Either way, i think for most folks, the pix/netscreen, stateful inspection fw should be fine (including most enterprises). Fw's like the sidewinder, raptor/sef/sgs, and etc are still needed if you want granular control for certain protocols (SIP, http, ftp, smtp, pop3, cifs)
 
Originally posted by Darthkim
There was a good article in this month's Information Security in regards to the age old argument between application layer proxies and Stateful inspection firewalls.

Either way, i think for most folks, the pix/netscreen, stateful inspection fw should be fine (including most enterprises). Fw's like the sidewinder, raptor/sef/sgs, and etc are still needed if you want granular control for certain protocols (SIP, http, ftp, smtp, pop3, cifs)

that's what I'm talking about.
Thx for the education, Boscoh and knucklebusted. I am 'beginner' level familiar with pix.

I guess I'm just a sidewinder fan
 