Hardware Firewalls

[Cupis]

Hi guys,

I have been looking into hardware firewalls for my company, and wanted your opinions. I do not really want to get a Firewall router, but rather supply my own Machine, and install a Firewall OS on it.

I have been using IPCop until now, and lets just face it guys, the Cop is getting old. Until they bring out a new version im looking at something newer, and that does not require me to install all these fiddly add-ons. The function this firewall should be, like the IPCop provided, is to act as the Internet router with Proxy and URL Filtering. Preferably i want Load Balancing too.

I have found the following Firewalls worth looking into

Endian Firewall Community and,
Astaro Esential (however, the free version has so many features disabled)

What other Firewall OS's do you guys know and recommend.

If push comes to shove i may buy something, but i want to see what other solutions are available first.

Rgds,
Cupis

[rustypup]

arrived expecting discussion about cisco routers...

left disappointed...

these aren't h/ware firewalls you're discussing... they're s/ware solutions.... that's false advertising

<edit> i retract the disappointment and leave mollified... i see endian has finally gotten their UTM off the ground... nice...

[hamin_aus]

We use CheckPoint here and I hate it, so maybe don't go that route...

[Cupis]

Ok fair enough not true hardware firewalls

but still none of this personal stuff. Proper Network Firewall solution

[Nuke]

My feeling on the matter is a lot like Rusty's. If you want a firewall bigger than for a home office, get a Cisco. A 2801 will do almost all you need, the only thing it lacks in caching. But for that you can either get a dedicated Squid box, or a Cisco cache engine. Btw some of the older IOS versions lacks the URL filters and layer 7 filters, that why I suggest a 2801. They go for around R10K, and like I always tell people, a business have no reason not to use proper equipment, if I can pay for it and use it at home.

[hamin_aus]

You have a R10K firewall at home?

[Prime]

Nuke, where do you live?

j/k

[Nuke]

@Prime - In Ford Knox, you want to visit?

Its part of my Cisco Lab, I still need some DSPs to make it run one of my voice cards though.

[Cupis]

Hey Guys,

I may be considering, for rusty, true hardware Firewalls. I am busy reading up on the Cisco router now. The only concern for me is that i will be the one installing and implementing any of the firewalls. I have heard that you need a Cisco technician to do that.

I have had no experience with Cisco Routers (well other than those Linksys routers, which i am sure we should not consider?). I actually would love to work through and learn a piece of equipment like that.

So any other thoughts or suggestions for Cisco products, or working with them? Or even other Firewall/Routers?

Shot,
Cupis

[Cupis]

Have any of your guys dealt with Mikrotik or Astaro Firewalls?

They also offer a software (OS) solution to their products too.

[Nuke]

You don't really need a Cisco technician, there is alot help available online. I can answer most questions if you have any trouble, I started with the CCNP coursework, but I'm not ready for the exams yet(its about 2x more work than CCNA).

I know Mikrotik pretty well, while it is cheaper, it not the same quality. It also have a lot of strange glitches when you have a complicated config(random hangs, lost routes, ethernet that stops responding to name a few). Had to remotely reboot one this morning that stopped passing traffic on its Ethernet.

[rustypup]

ethernet that stops responding

second time i've heard this now...

[Nuke]

ethernet that stops responding

second time I've heard this now...

Ah, where did you hear it before?

I guess the problem is that they use the cheapest ethernet controller they can find(Realtek), an Intel based chip would go a long way.

[rustypup]

had a lecturer attempt to show us something last week and his internal network was ignoring him... when he got in, the MT switch was showing full green, (no blinking). had to reset to bring it up... i wrote it off as random chance... perhaps not...

[Nuke]

No it is definitely not random chance, it a common sickness. There is some that never have any problems, others you have to swap out because it gets so bad.

[DeathStrike]

We got this really cool device at work. it is so scary. its a firewall antivirus anti spam etc. it even has HDD that makes a cache server and tracks what everyone is doing on the network. its even remembers your google searches. forgot the name. will have to post on monday.

[Monty]

making a hardware firewall is easy.
1. get enough timber to make a wall
2. build a wall with the timber
3. drill holes through the wall and run the cables through the holds.
4. pour petrol over the wall

If your network is ever breached, light the wall. It will stop the network breach

[DeathStrike]

yes but that would be a very expensive solution. as your network would probably get attacked every few minutes. (without a real firewall)

[Cupis]

Lol, i think just pulling your wan link is easier than setting the place on fire but good solution to a "firewall".

my research continues this morning interested to see deathstrikes Gizmo

[DeathStrike]

Cyberoam 35ia is the products name. can't google it for you. (it will record. probably recording this now )

Have fun

EDIT: added model number.

[Cupis]

Hi Guys,

Well after some research I have the following thoughts.

I was very impressed by the idea of a UTM solution. I like the fact that they basically did everything, from firewall to complete web management (Proxy etc). After requesting some quotes here and there i received some horrendous quotes. Starting at 20 - 30 k, and ending at 50 -70 k. I seriously backtracked from that Idea fast.

I am now looking into Load Balancing routers, mostly Draytek routers at the moment. The idea being; DSL lines lead into a single point, then have a proxy controlling Web Access. So now, i ask you guys, what other routers have you worked with that is similar to the fore mentioned type? I am looking for 2-4k solutions.

Secondly, what Proxy Servers do you recommend. My knowledge of Proxy is Squid, and that is limited at best.

Regards,
Cupis

[DeathStrike]

well we used to use a D-Link brand Load balance router. but it failed because if the one account got capped then the whole network slowed to a crawl instead of falling back onto the other account only(which is uncapped.) So we went for the Cyberoam. and so far so good. I am not aware how much it costs. you say starting at R 20 - 30 k?? that is a huge amount. haha. glad i am not paying for it.

[Cupis]

Yes i was shocked. I was happily going along thinking, maybe it will cost 8 -11 k did not think has detailed as Cisco, boy i was wrong

[Nuke]

Squid as proxy works very well, if you are willing to take some time setting it up. Properly set up I normally save around 20% of traffic, going as high as 35% some days.

If you want a cheap solution buy yourself a Mikrotik 450G, with its indoor case and a 24v 38W PSU. It must be the High power PSU though, you want all the stability you can have(and it has a kettle cord, most importantly, not a 2 pin adapter). You can get it at Miro, Poynting or Scoop.