OSX Server Firewall Suggestions

dashpuppy (Supreme [H]ardness, joined May 5, 2010, 6,163 messages)
We all know I LOVE Untangle and rave about it 100000000x a day.

However, my thoughts are, before I unleash my powers of Untangle on my customer, I would like to know what other companies use for firewalls. I see that Junipers are used a lot for Mac stuff; is that what is suggested?

Right now the client is behind a brand new Apple AirPort Extreme; however, that's not really a secure setup with all the ports that are forwarded.

So I need a firewall that can work with Mac FLAWLESSLY without a huge pain in the ass, and allow VPN connections from a few in-the-field laptops. This will allow them to VPN into the network and use AFP for small file sharing such as PDFs and such, nothing HUGE.

I could order an Untangle unit, but I would like to get others' thoughts first.

The server is OS X 10.6 running:

iCal
Address Book
AFP
WWW
(internal FTP for the MPF unit)

Thanks
 


OS X (Darwin) is a BSD derivative, which happens to be the same lineage as JUNOS (also a BSD derivative).

That being said, there is no reason to use a Juniper device over Cisco or anything else if the clients are using a particular OS. TCP/UDP/ICMP all work the same regardless of OS, and there is no OS integration with a firewall.

The only caveat to that would be if your firewall is handling remote client VPN duties. I've had good luck with Juniper's SSL VPN and Cisco AnyConnect on my Macs (I use an iMac and a MacBook Pro at home; a previous employer had about 50 Mac Pro workstations sitting behind a pair of ASA540's with no problems).
 

I'd rather have the firewall do all the VPN. I think we are going to order an Untangle box from Jim at untangleappliances.com :)

J'
 
Just a heads up: forwarding the ports on any device doing NAT will be as secure as on another, be it the current AirPort Extreme, an Untangle appliance, or a Cisco or Juniper firewall.

The differentiating factors will be IPS/IDS, flow monitoring and logging abilities.
 

Yes, I know; one of the main features of the Untangle unit is its compatibility with VPN and the Macs.
 
> OS X (Darwin) is a BSD derivative, which happens to be the same lineage as JUNOS (also a BSD derivative).
>
> That being said, there is no reason to use a Juniper device over Cisco or anything else if the clients are using a particular OS. TCP/UDP/ICMP all work the same regardless of OS, and there is no OS integration with a firewall.
>
> The only caveat to that would be if your firewall is handling remote client VPN duties. I've had good luck with Juniper's SSL VPN and Cisco AnyConnect on my Macs (I use an iMac and a MacBook Pro at home; a previous employer had about 50 Mac Pro workstations sitting behind a pair of ASA540's with no problems).

I think that the concern would be any default rulesets/quirks of the operating system causing weird issues with a protocol like AFP (for instance, something like 'inspect sunrpc' being operational on an ASA).

According to the Wikipedia page, iCal is just an XML-based protocol that gets pushed out over HTTP. Not a lot of potential for quirkiness there, even if 'inspect http' was turned

I would expect 'Address Book' is probably Unicode XML over HTTP.

AFP might cause issues, depending on what the TCP MSS was set to (I know Microsoft is using some ridiculously huge values in Vista and newer). I don't see anything on the Wikipedia page on whether this is an RPC-style protocol, or perhaps something like NFS, that could potentially get messed up over a VPN/through a firewall (whether that is because of fragmentation of a giant TCP datagram, or perhaps some UTM functionality choking on a complex protocol, or something like NFS potentially getting screwed up if a few datagrams are lost).
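The MSS/fragmentation concern raised above can be checked with arithmetic before the VPN goes in. The following is an added example, not code from any poster or from Untangle; it assumes IPv4, ESP tunnel mode with AES-128-CBC and HMAC-SHA1-96, and NAT-T (UDP encapsulation), which are assumptions and not facts from the thread.

```python
# Constructed worked example: how much TCP payload survives an IPsec ESP
# tunnel without fragmenting the outer packet. Header sizes below assume
# IPv4, ESP tunnel mode, AES-128-CBC (16-byte block and IV) and
# HMAC-SHA1-96 (12-byte ICV); adjust them for a different VPN stack.

IPV4_HDR = 20
UDP_HDR = 8        # only present with NAT-T (UDP encapsulation)
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad length + next header
ESP_ICV = 12       # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16  # encrypted part must be a whole number of blocks


def _outer_overhead(nat_t: bool) -> int:
    """Bytes that precede the encrypted payload on the wire."""
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + ESP_IV


def max_tcp_payload(path_mtu: int, nat_t: bool = True) -> int:
    """Largest TCP payload (i.e. the MSS to clamp to) whose encapsulated
    packet still fits in path_mtu without IP fragmentation."""
    enc_room = path_mtu - _outer_overhead(nat_t) - ESP_ICV
    enc_len = enc_room - (enc_room % CIPHER_BLOCK)   # round down to blocks
    inner_ip_len = enc_len - ESP_TRAILER
    payload = inner_ip_len - IPV4_HDR - TCP_HDR
    if payload <= 0:
        raise ValueError("path MTU too small for an ESP tunnel")
    return payload


def encapsulated_size(tcp_payload: int, nat_t: bool = True) -> int:
    """Outer packet size on the wire for one inner TCP segment."""
    unpadded = IPV4_HDR + TCP_HDR + tcp_payload + ESP_TRAILER
    pad = (-unpadded) % CIPHER_BLOCK                 # pad up to a block
    return _outer_overhead(nat_t) + unpadded + pad + ESP_ICV


def would_fragment(mss: int, path_mtu: int, nat_t: bool = True) -> bool:
    """True if a full-size segment at this MSS exceeds the path MTU,
    which is the case the post above worries about for AFP over a VPN."""
    return encapsulated_size(mss, nat_t) > path_mtu
```

With a 1500-byte path MTU, the default Ethernet MSS of 1460 fragments, while clamping to 1382 (NAT-T) or 1398 (plain ESP) does not.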
 