Firewall recommendations for sync 10Mbps connection

Discussion in 'Networking & Security' started by sandmanx, Feb 8, 2006.

  1. sandmanx

    sandmanx [H]ardForum Junkie

    Messages:
    9,909
    Joined:
    Mar 22, 2001
    As the title says, I need a firewall for our new 10Mbps (up/down) connection for work. I'd like to get something that could cover us in the $1K area, but if we need to spend more, I can most likely get what I need. What I'm wondering is if something basic like a Pix 506E will work. Judging by the specs, I should be ok, but I wanted to check here and see what everyone's opinion is.

    We will primarily be using the bandwidth to serve video, and I don't see it being used for VPN traffic. We might at some point increase data bandwidth, but it's not a concern to me now, because we will be getting all new equipment at that point.

    Any other suggestions for firewalls to look at? I'm only familiar with Cisco Pix, so I haven't looked into other options.
     
  2. MorfiusX

    MorfiusX 2[H]4U

    Messages:
    3,007
    Joined:
    Feb 13, 2004
    ISA Server 2004. I wouldn't buy anything that won't do application layer filtering.
     
  3. Boscoh

    Boscoh [H]ard|Gawd

    Messages:
    1,161
    Joined:
    Nov 25, 2003
    506e will work fine.
     
  4. Asgorath

    Asgorath [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 12, 2004
    A WRAP-based monowall. Should cost <$300.

    Might not be a bad idea to run a little snort box next to it to watch for intrusion, but that's another story altogether.
     
  5. ZoT

    ZoT [H]Lite

    Messages:
    110
    Joined:
    Jan 27, 2006
    Not really in your price range, around 3k or so, but GTA GB-2000 is a great box.

    www.gta.com if you want to check them out.
     
  6. Boscoh

    Boscoh [H]ard|Gawd

    Messages:
    1,161
    Joined:
    Nov 25, 2003
    You could always just put FreeBSD on a box and stick it in there. I'd do that before monowall.

    If you don't need the bells and whistles and the support that comes with a PIX, then why pay all the money for just a basic firewall?
     
  7. Asgorath

    Asgorath [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 12, 2004
    why?
     
  8. Boscoh

    Boscoh [H]ard|Gawd

    Messages:
    1,161
    Joined:
    Nov 25, 2003
    Because if it is just a bare bones firewall, I wouldn't want all the other stuff on my FreeBSD installation. Keep it simple.
     
  9. Asgorath

    Asgorath [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 12, 2004
    True, but monowall has its security pretty locked down, is easy to administer, and can run from a CF card for superior reliability. Unless you do a lot of tweaking, you're gonna need a hard drive to install BSD on, and the hard drive is one of the first points of failure.
     
  10. big daddy fatsacks

    big daddy fatsacks 2[H]4U

    Messages:
    2,312
    Joined:
    Aug 10, 2001
    Personally, I'd use OpenBSD with pf. m0n0wall seems good too, but if you were going with just a barebones *BSD install I'd definitely use Open, not Free. Those guys are always a step ahead with the TCP/IP security enhancements.
     
  11. Asgorath

    Asgorath [H]ard|Gawd

    Messages:
    1,253
    Joined:
    Jul 12, 2004
    Then use pfSense, unless you have the know-how to properly lock down and configure an OpenBSD installation.

    But monowall is considered stable; pfSense is still in early dev (although most people consider it stable).

    Monowall is just rock solid and you can depend on it.
     
  12. big daddy fatsacks

    big daddy fatsacks 2[H]4U

    Messages:
    2,312
    Joined:
    Aug 10, 2001
    If I didn't, I wouldn't prefer using it ;) m0n0wall is fine, I'm not poo-pooing it at all. But this thread is a matter of personal preference. Mine happens to be OpenBSD and pf. I have seen pfSense and it looks good, but at this point in my use of firewalls I'm a little turned off by any product that is managed through something other than vi over PuTTY. I just like things to be simple.
     
  13. versello

    versello 2[H]4U

    Messages:
    2,062
    Joined:
    Nov 19, 2003
    I second that.
     
  14. sandmanx

    sandmanx [H]ardForum Junkie

    Messages:
    9,909
    Joined:
    Mar 22, 2001
    Thanks for the suggestions. I'm thinking of going with a 506e or 515e and a snort box behind it to see what is happening after it.

    ISA Server looks pretty good, but from what I've read, it's not a good first line of defense, it runs on Windows (and all its security issues), and there is a hard drive in it (longer boot time, possible failure). The budget isn't going to cover both, and from what I've read, the Pix 515e, which runs IOS 7.x, does do application layer filtering. The 506e still runs an older version of IOS, which does some level of filtering on the app. layer, but I'm not sure which.

    m0n0wall looks like a decent solution, but I'd rather have a purpose-built appliance box over off-the-shelf PC parts. It wouldn't really save me much to get proper hardware and backups on hand. I know from past experience that you can get a new Pix in your hands in short order when there is a problem. As they say, you don't get fired for using Cisco. :p

    ZoT: the GTA is a bit out of the price range. I might be able to swing $2500, but $3000 is really pushing it. I'm not familiar with them, but I'll check up and see what I can find on them.
     
  15. DaturaX

    DaturaX [H]Lite

    Messages:
    80
    Joined:
    Jul 21, 2004
    I will go with Cisco PIX 515E.

    But you might want to take a look at Fortinet. Their offerings are getting impressive. SSL VPN out of the box, IPS, antivirus, content filtering.
     
  16. Boscoh

    Boscoh [H]ard|Gawd

    Messages:
    1,161
    Joined:
    Nov 25, 2003
    Get the ASA 5510 or 5510 Security Plus instead of the 515E. Go on Cisco's site and compare the specs between the units. Unless the 515E meets a requirement that the ASA does not, get the ASA. The specs are similar, but there are some differences (they're all license-imposed...not hardware limitations).

    The ASA is basically a PIX with ASICs inside it and the ability to add in IPS or e-mail scanning via a module. The price point of the ASA 5510 is identical (or it was 3 months ago) to the 515E. Plus the ASA can do some stuff that the PIX can't. They both run the same 7.x code. Performance-wise, the ASA 5510 kicks dirt into the face of the 515E. It's a really sweet box.