Firewalls

Xisdibik

Weaksauce
Joined
Jun 14, 2008
Messages
95
My boss has asked me to hunt around for a router that is inexpensive yet good for a professional environment (Financial Company), It must have a WAN, DMZ, and LAN port. She was wondering if there is any professional router out there that is supported by DD-WRT as she very much likes that firmware. I have been searching around with not much success so thought I might ask you experts here.

Thanks in advance.
 
I've not seen anything more powerful than the home grade routers that DD-WRT runs on. For a business network..you'd want something more powerful.

Consider the next step up, the Linksys/Cisco RV0 series such as the RV082. Quite inexpensive, and in my quite widespread experience with them...very stable....I've used a lot of them for clients.
 
I don't know if it's in the budget, but a Cisco 800 Series SoHo Router with or without built in wireless might do the trick. I had one at home for a while and it had the built in firewall, vpn access.. the works
 
Thanks for the input, I will check out those ones listed to see if they are within our price range. Anymore input would help greatly as it is still a bit off when we will actualy do the purchasing we are just looking up possibilities early on.
 
How many PCs?
Any server services hosted behind the firewall? If so, what?
What sized internet pipe?
VPN involved?
 
There are maybe 20-30 computers.
There are mail servers, and other servers whose names I can't think of right now this morning.
There are 3 T1 lines coming into the office. Two are paired for internet services. The third is for bloomberg

Yes a VPN would be involved.
 
My boss has asked me to hunt around for a router that is inexpensive yet good for a professional environment (Financial Company), It must have a WAN, DMZ, and LAN port. She was wondering if there is any professional router out there that is supported by DD-WRT as she very much likes that firmware. I have been searching around with not much success so thought I might ask you experts here.

Thanks in advance.

Juniper SSG5 + Support contract from Juniper. DD-WRT does NOT belong in a "professional" company.

I can't comment on the Cisco/Linksys RV0 as I have no experience with them. YeOldeStonecat knows what he's doing though so I'd definitely think it was worth checking out his recommendation.
 
wow, a financial company is looking for DD-WRT? Damn. That is scary.


You should look at least to something like a Juniper SSG-5
 
Juniper SSG5 + Support contract from Juniper.

I'd definitely second that....I love Junipers...love 'em...love 'em!

I just didn't go right to recommending something that nice..'n pricey...since I figured anything over 300 bucks would scare 'em away based on hoping to use DD.
 
I was telling my boss that I didn't think DD-WRT was a work thing. I think what my boss was really trying to say is they want a more open-sourceish firewall instead of the expensive Cisco ones. I will take a look at the examples you have given me when im in work tomorrow.
 
you could also get a nice Cisco ASA5505 for around $500 that would cover all those computers. Nice VPN and other features...
 
I was telling my boss that I didn't think DD-WRT was a work thing. I think what my boss was really trying to say is they want a more open-sourceish firewall instead of the expensive Cisco ones. I will take a look at the examples you have given me when im in work tomorrow.

If you want to look at some open source firewalls...I encourage you to look at some UTM distros. Unified Threat Management....which adds features such as content filtering, antivirus scanning of traffic, and some have anti-spyware modules also.

2 good choices I'd recommend...
http://www.endian.com/en/community/download/ (I used to use this on a few clients a couple of years ago
http://www.untangle.com (my favorite..I have quite a few clients using this)
 
another shout for the ssg range. feature rich and cost effective. i work with juniper kit day in day out and i dont really have a bad thing to say about them! (apart from nsm can be a bit of a pita from time to time!)
 
you could also get a nice Cisco ASA5505 for around $500 that would cover all those computers. Nice VPN and other features...

Sorry, but for the SMB, a SonicWALL Total Secure package pwns an ASA5505. Both in ease of use, support, and practical features that an SMB would be looking for.

I actually had Cisco from Jax come down for me to show them why we are choosing SonicWALL over Cisco for the SMB. I spent an hour going over it. They simply left at the end going "yup, we need to start doing some of that".

And I honestly can't understand all the peeps recommending untangle for an SMB over a real SonicWALL. How about reliability? Support? Power Savings? Having to use a damn server with spinning disks? You add the entire cost of the product over it's lifecycle and I just don't see Untangle beating SonicWALL on the lowend (<50 Users).
 
And I honestly can't understand all the peeps recommending untangle for an SMB over a real SonicWALL. How about reliability? Support? Power Savings? Having to use a damn server with spinning disks? You add the entire cost of the product over it's lifecycle and I just don't see Untangle beating SonicWALL on the lowend (<50 Users).

Because I have quite a bit of personal experience in managing clients with both? Soooo....I get to see both sides of the fence?

Every_single_time I call Sonicwall support...it's a absolute excruciatingly painful, long...often several days...experience. It's at the point where I absolutely dread...DREAD...having to call them, when I have to. Untangle support? Within 15 seconds you have a live body...IN AMERICA...that has quickly gotten my issue fixed, very painless.

The arguement about power consumption cracks me up. Most businesses leave their computers on, have huge fat old laserjet printers and massive multi-function machines they leave on, tons of stuff in the office. 1x more small form factor computer running 24x7 that will add .05% to their electrical bill is like a grain of sand on the beach.

Cost-wise...even the free opensource version of Untangle is great, for clients that I've installed that at...I see a much noticed drop in malware infections..specifically the Vundu rogue antivirus buggers that are the rage these days. Savings to them? Less bills from their IT guy from having to go clean 'em up. Right there...they come out ahead...if it steps 4-5 rogue infections per year..it pays for itself if you compare to the "Pro" package, if they have the open source package..they're waaaaaay ahead of the curve.

You don't need a server for many SMBs...matter of fact quite a few clients I have it running on are slim form factors, don't need some dual quad core Xeon, just a P4 with 2 gigs of RAM and you're good.

Reliability? Use quality hardware and they run rock solid 24x7, the only..ONLY..time I've had to reboot them...was when performing program version upgrades to Untangle. Else...24x7x365...they run smooth as buttah. As long as you use quality hardware, not el cheapo motherboard of the month crap.
 
Because I have quite a bit of personal experience in managing clients with both? Soooo....I get to see both sides of the fence?

Every_single_time I call Sonicwall support...it's a absolute excruciatingly painful, long...often several days...experience. It's at the point where I absolutely dread...DREAD...having to call them, when I have to. Untangle support? Within 15 seconds you have a live body...IN AMERICA...that has quickly gotten my issue fixed, very painless.

The arguement about power consumption cracks me up. Most businesses leave their computers on, have huge fat old laserjet printers and massive multi-function machines they leave on, tons of stuff in the office. 1x more small form factor computer running 24x7 that will add .05% to their electrical bill is like a grain of sand on the beach.

Cost-wise...even the free opensource version of Untangle is great, for clients that I've installed that at...I see a much noticed drop in malware infections..specifically the Vundu rogue antivirus buggers that are the rage these days. Savings to them? Less bills from their IT guy from having to go clean 'em up. Right there...they come out ahead...if it steps 4-5 rogue infections per year..it pays for itself if you compare to the "Pro" package, if they have the open source package..they're waaaaaay ahead of the curve.

You don't need a server for many SMBs...matter of fact quite a few clients I have it running on are slim form factors, don't need some dual quad core Xeon, just a P4 with 2 gigs of RAM and you're good.

Reliability? Use quality hardware and they run rock solid 24x7, the only..ONLY..time I've had to reboot them...was when performing program version upgrades to Untangle. Else...24x7x365...they run smooth as buttah. As long as you use quality hardware, not el cheapo motherboard of the month crap.

word. I can't stand SonicWall support.
 
My boss was telling me the Firewall should have at least 3 ports


LAN
WAN
and DMZ, on the juniper ones i see

Console, Aux, and then the LAN ports

what do the console and aux correspond to

and do the junipers support SSL? if so which ones.
 
on the ssg... the con port is the console port for direct access to the device for configuration purposes. i think the aux port allows you to connect a modem up for dial-in access to the unit, again for configuration purposes. the ethernet ports can be used however you wish - you could have each interface in its own security zone, multiple ports within several security zones, or you can even put ports in bridge-groups to give you virtual switches - really handy if you only have a small number of pc's since you dont then need an external switch. in short - they are extremely flexible units. unfourtunately, however, they do not provide ssl vpn capability, you would need to look to junipers sa product line for that sort of functionality. hope this helps.
 
My boss was telling me the Firewall should have at least 3 ports

Just out of curiosity, what is your role in this? Is your boss the head IT guy or are you the IT guy? If you report to someone who's not technical they shouldn't be telling you what a firewall should/shouldn't have. If they are technical and you're learning, great- I'm sure we would all be happy to share our knowledge. A word of caution however, if you're boss isn't a true IT pro and you don't have much experience with this seriously think about engaging someone to come help you implement this... doing it wrong can leave you wide open to the world as well as cause instability, etc. That translates in to less security which is certainly not the objective.
 
Because I have quite a bit of personal experience in managing clients with both? Soooo....I get to see both sides of the fence?

Every_single_time I call Sonicwall support...it's a absolute excruciatingly painful, long...often several days...experience. It's at the point where I absolutely dread...DREAD...having to call them, when I have to. Untangle support? Within 15 seconds you have a live body...IN AMERICA...that has quickly gotten my issue fixed, very painless.

The arguement about power consumption cracks me up. Most businesses leave their computers on, have huge fat old laserjet printers and massive multi-function machines they leave on, tons of stuff in the office. 1x more small form factor computer running 24x7 that will add .05% to their electrical bill is like a grain of sand on the beach.

Cost-wise...even the free opensource version of Untangle is great, for clients that I've installed that at...I see a much noticed drop in malware infections..specifically the Vundu rogue antivirus buggers that are the rage these days. Savings to them? Less bills from their IT guy from having to go clean 'em up. Right there...they come out ahead...if it steps 4-5 rogue infections per year..it pays for itself if you compare to the "Pro" package, if they have the open source package..they're waaaaaay ahead of the curve.

You don't need a server for many SMBs...matter of fact quite a few clients I have it running on are slim form factors, don't need some dual quad core Xeon, just a P4 with 2 gigs of RAM and you're good.

Reliability? Use quality hardware and they run rock solid 24x7, the only..ONLY..time I've had to reboot them...was when performing program version upgrades to Untangle. Else...24x7x365...they run smooth as buttah. As long as you use quality hardware, not el cheapo motherboard of the month crap.

I don't know. We literally never have to call support with SonicWALL. It just works. We called them once or twice when we first became a partner, but I honestly can't think of a time where any of my guys has had to call them since.

I'm well aware of what most businesses do with power. That doesn't negate the fact that it does use twice as much power if not more. Laugh all you want, it's true.

Almost all of our clients are on our Managed Services plans. With CounterSpy and Spybot scanning daily (all automated) and Symantec Endpoint Protection in place and deep scanning weekly, along with a SonicWALL with UTM in front, we don't have spyware problems. Across ~450 managed desktops and ~100 managed servers I think we've cleaned up a small amount of spyware on a PC once in the past 6 months.

SonicWALL is cheap. I can get a TZ180 25 user with full UTM services and 1 year of support for under $500 (just a quick google). Looking at the support options for untangle, the middle of the road Pro Package for 1-10 users is $270 a year, plus you have to buy the hardware. I still have no idea how you think Untangle is cheaper when properly deployed at a business.

In order to keep costs down you are most likely going to deploy Untangle on a SATA drive with no RAID. There's your reliability problem. Even if you throw in RAID, your costs go up, and now you've got another node to manage and monitor spinning disks.

I'm not saying Untangle doesn't seem cool, or have it's place. But at the border of an SMB with no inhouse IT support as their only firewall, I just don't think that's it.
 
I've had to call them I think 3 times in the past 8-10 years or so I've been working with their stuff...yes they work when in place, rarely need reboots. But to deal with Habu @ 7-11 support for those 3 times...bah, pure hell.

For SMB that I have them at, ranging from about 5x PCs to almost 100x PCs...with the majority of the Untangle protects networks above 50x PCs...1x more little small form factor PC isn't going to send them crying. Nursing homes, small schools, large nursing facility with a stack of servers....1 more little box...bah.

Many users use the Opensource package....esp when they have a consultant that takes care of their setup. "Free". All you need is a small PC to run it on. What I've been using is a spare PC that they often have a few extras of, so there are spare parts. I pick up a new enterprise grade (5 year 1.2million hours MTBF rating hard drive)...so the reliability is pretty darned good. If for some reason it tanks....slap in a new drive, install UT, restore settings...BAM, back up in under 30 minutes. Cost? About 85 bucks for a new hard drive. Excellent free spam filtering for their Exchange, it works and it works well. I've had to replace a Sonicwall for a client once, had it warrantied, that took...well..lets just say...a LOT longer..there was another day involved.

Spinning disks? What is one of the best..top of the line SSL VPN appliances out there? Many would say Juniper. Guess what their SA boxes have in there? PATA drives.

Other clients I've sold it to....all but 1 are non profits...which the Pro package has attractive pricing for.

I have 1x client left on Sonicwalls...looking forward to the day I replace those and piss in the garbage can that I throw them in. And replace 'em with Junipers!

I'm never saying UT is better than manybig name mid-range to enterprise level UTM solutions...but for entry level or less as far as cost, for SMB, it is a viable alternative, I've been using it for a while with clients, it does its job very well.


I don't know. We literally never have to call support with SonicWALL. It just works. We called them once or twice when we first became a partner, but I honestly can't think of a time where any of my guys has had to call them since.

I'm well aware of what most businesses do with power. That doesn't negate the fact that it does use twice as much power if not more. Laugh all you want, it's true.

Almost all of our clients are on our Managed Services plans. With CounterSpy and Spybot scanning daily (all automated) and Symantec Endpoint Protection in place and deep scanning weekly, along with a SonicWALL with UTM in front, we don't have spyware problems. Across ~450 managed desktops and ~100 managed servers I think we've cleaned up a small amount of spyware on a PC once in the past 6 months.

SonicWALL is cheap. I can get a TZ180 25 user with full UTM services and 1 year of support for under $500 (just a quick google). Looking at the support options for untangle, the middle of the road Pro Package for 1-10 users is $270 a year, plus you have to buy the hardware. I still have no idea how you think Untangle is cheaper when properly deployed at a business.

In order to keep costs down you are most likely going to deploy Untangle on a SATA drive with no RAID. There's your reliability problem. Even if you throw in RAID, your costs go up, and now you've got another node to manage and monitor spinning disks.

I'm not saying Untangle doesn't seem cool, or have it's place. But at the border of an SMB with no inhouse IT support as their only firewall, I just don't think that's it.
 
Last edited:
I haven't messed with Juniper stuff in a long time so I can't comment on that.

YeOlds recommendation on the linksys router is well placed. The business series is a better good product. Going with a cisco 870, csci asa5000, sonicwall tz-190, etc would be a better choice if you can go with the added price.

I've had to call sonicwall a few times and haven't had that many issues with their support. It is better then the support I've gotten from cisco although that isn't saying much. Licensing was less of a hassle as well.

Untangle is another good solution. Personally I would put it on a new machine with a good warranty.
 
Another suggestion for you could be a Fortigate appliance. For your size org a Fortigate 50B or 60B would suffice. Just for reference, here is a link to newegg.com to give you an idea of the devices. http://www.newegg.com/Product/Product.aspx?Item=N82E16833269001

They support SSL VPN, have multiple ports, UNLIMITED USER LICENSES, Linux based, good support and are really nice devices. We use them at several locations since 06 with great results.

http://www.fortinet.com
 
A very big second recommendation for FortiGate. FortGate 60B w/ all subscription services and off you go. But do yourself a favor and call a Fortinet Partner.

Although, I do love Palo Alto, they are not made/priced for the small business network, yet.......
 
Another suggestion for you could be a Fortigate appliance. For your size org a Fortigate 50B or 60B would suffice. Just for reference, here is a link to newegg.com to give you an idea of the devices. http://www.newegg.com/Product/Product.aspx?Item=N82E16833269001

They support SSL VPN, have multiple ports, UNLIMITED USER LICENSES, Linux based, good support and are really nice devices. We use them at several locations since 06 with great results.

http://www.fortinet.com

For that price you are landing in Juniper/Cisco territory.
 
Just out of curiosity, what is your role in this? Is your boss the head IT guy or are you the IT guy? If you report to someone who's not technical they shouldn't be telling you what a firewall should/shouldn't have. If they are technical and you're learning, great- I'm sure we would all be happy to share our knowledge. A word of caution however, if you're boss isn't a true IT pro and you don't have much experience with this seriously think about engaging someone to come help you implement this... doing it wrong can leave you wide open to the world as well as cause instability, etc. That translates in to less security which is certainly not the objective.

My boss is the IT Woman ;), and im the Assistant leanring the ropes. Ive never actualy done any IT classes, but ive known my boss for 9 years or more. Ive build computers, taken computers apart, and done alot of hardware based things (which is mainly what has me around for). I free her up from having to setup computers, build computers, upgrade them, but she is slowly teaching me more advanced stuff so she can take a vacation in the future.
 
Someone above mentioned a UTM device, I'm a fan of Untangle.

For something that just works and has all the features you need I'd recommend monowall - it's open source(y) as you put it. My monowall box has been running for 2 years and only rebooted for firmware updates.

VPN, Wireless support, Traffic management, etc.
 
Someone above mentioned a UTM device, I'm a fan of Untangle.

For something that just works and has all the features you need I'd recommend monowall - it's open source(y) as you put it. My monowall box has been running for 2 years and only rebooted for firmware updates.

VPN, Wireless support, Traffic management, etc.

and SSL support?
 
negative, supports IPSec or PPTP VPN (out of the box)

THere might be some hack to get it working outside the default image
 
Actually none of the above, it has OpenVPN.

The community has been strong to push the addition of IPSec VPN...but it's not included yet. Hopefully coming soon.
 
I was refering to monowall's VPN capabilities, which I don't think have changed.
 
Thanks for all the useful information, ill check all this stuff out and talk to my boss about it.
 
If your boss insists on open-source and free, I'd suggest SmoothWall.
As for solid hardware based with full customer support, I'd suggest Watchguard. I don't know Juniper or Cisco's products. SonicWall I've heard good reviews, but never used them.

But from a professional standpoint, You should always go name brand and well recognized in the industry. Also its a good idea to make sure they are Homeland Security certified.
 
Last edited:
Ill take a look at smoothwall. My boss seemed interested by Untangle, She hates SonicWall, has dealt with Juniper and likes them, and hasnt gone with Cisco before due to price.
 
this was almost a cock fight!

why doesn't untangle have IPSEC? licensing or something? How many more updates before it?

honestly im not a fan of sonicwall, very expensive to run/mantain. you spend 300-500 on the machine, each year have to pay to renew, even better is ive had a few calls from clients that brought laptops in and went over hte user limit and it locked down the whole network, dunno why it wouldn't just allow another machine on.

stupid stupid. i use the RV series but don't use much of the UTM. i want to start doing more of Untangle but hard to bring into some clients. i would like to get one on a Opti 330 or similar from outlet for 300 bucks and ad dthe nic and use free adition with AD connector.

I may be using one soon for webfiltering, that or barracuda.
 
this was almost a cock fight!

why doesn't untangle have IPSEC? licensing or something? How many more updates before it?

honestly im not a fan of sonicwall, very expensive to run/mantain. you spend 300-500 on the machine, each year have to pay to renew, even better is ive had a few calls from clients that brought laptops in and went over hte user limit and it locked down the whole network, dunno why it wouldn't just allow another machine on.

stupid stupid. i use the RV series but don't use much of the UTM. i want to start doing more of Untangle but hard to bring into some clients. i would like to get one on a Opti 330 or similar from outlet for 300 bucks and ad dthe nic and use free adition with AD connector.

I may be using one soon for webfiltering, that or barracuda.

Yea I ran into the user limit with a client who had a sonicwall when we took them over. We always quote the unlimited node ones ourselves.

I have a few linux/unix boxes doing routing but we have been loading more sonicwalls. A lot of clients like the idea of them over a home built solution.
 
Back
Top