Easy Corporate Firewall Suggestions

chuck2002 (Senior member, Feb 18, 2002)
Does anyone have suggestions for where to begin researching an easily managed firewall application for a 200 worker office?
I would like to run IPCop, but the boss wants something with a brand name attached.

I'd like something along the lines of IPCop in its ease of management however. I don't really need SPAM + Antivirus or the other stuff that some corporate firewalls seem to be bundled with now. I mean, I'd take it if it was there, but it isn't a need.
Thanks.
 

Aarondeep (Golden Member, Jan 26, 2000)
What are the requirements? You want to do web filtering? VPN? How many remote clients/sessions?
Is this the only VPN endpoint? etc
I have experience with NetScreen products from Juniper. I like them a lot, but it seems people nowadays are using SonicWalls. The only advantages are support contracts from the manufacturer, and these hardware based solutions can be easily reconfigured in case of data loss.
Your idea of IPCop seems to be pretty good and a lot cheaper.

Tell us more detail about which specific features you are looking for and I'm sure someone here would be able to recommend you a specific solution from a popular vendor.
 

chuck2002 (Senior member, Feb 18, 2002)
VPN would be nice. I like how the firewall vendors seem to be packaging everything and the kitchen sink into their units, but mainly we'd just need a solid, easy to manage firewall that can manage our organization's size. Any features on top of that are gravy.

One thing we need to be able to do is have multiple web servers performing different functions while sitting behind the firewall but still be able to serve traffic on port 80. I know forwarding ports on consumer products, but what if there are multiple servers that have to operate on the same port? I'm sure this is easy with a corporate designed unit, but I haven't wrapped my mind around it yet.
 

InlineFive (Diamond Member, Sep 20, 2003)
Originally posted by: Tarrant64
SonicWall.

Absolutely not. Their platform isn't as fully-featured, their technical support sucks and once you enable the security services (IPS + WebFiltering, etc.) the performance tanks.
 

compman25 (Diamond Member, Jan 12, 2006)
Originally posted by: InlineFive
Originally posted by: Tarrant64
SonicWall.

Absolutely not. Their platform isn't as fully-featured, their technical support sucks and once you enable the security services (IPS + WebFiltering, etc.) the performance tanks.

A SonicWall would be fine, but you have to ignore the published specs. Those are done with no load on the firewall, nothing turned on. With a SonicWall you buy the one that is double what you think you need or what the reseller says would work. The hardware is cheap but SonicWall gets you with all their subscription based stuff. We use Pro2040's in 2 offices with less than 50 users and I don't dare turn on any extra stuff or the users start bitching about how slow the internet is. They are really easy to set up though.
 

acaeti (Member, Mar 7, 2006)
Originally posted by: chuck2002
One thing we need to be able to do is have multiple web servers performing different functions while sitting behind the firewall but still be able to serve traffic on port 80. I know forwarding ports on consumer products, but what if there are multiple servers that have to operate on the same port? I'm sure this is easy with a corporate designed unit, but I haven't wrapped my mind around it yet.

This is pretty easy with most firewalls. You set up a demilitarized zone, or DMZ.

-Get multiple IPs from your ISP (a /26 is 64 (62 usable) or a /28 is 16 (14 usable)).
-With IPCop it seems you can have your firewall set up all these IPs as aliases on the red interface and then port-forward traffic (e.g. port 80 for http, port 443 for https, port 22 for ssh, port 25 for smtp, port 993 for imaps) to your DMZ servers on your Orange interface.
-With other platforms, setups may vary. E.g., the firewall may route this block of addresses, or do the alias thing, or something else.

I personally use Linux boxen as combo firewall and router, so I do the routing thing. But then again that is all CLI, no gui and I have the time and inclination to learn how to do that, whereas you may be looking for a gui driven solution. And there is absolutely nothing wrong with that.

 
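An added example, not from the thread: one way to script the "alias the public IPs on the red interface and port-forward to the DMZ" approach described above on a Linux firewall with iptables (the Linux box approach acaeti mentions). Interface names, the /28, the public and DMZ addresses and the port mapping are all constructed; the function only prints the commands so the rules can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread). Generates iptables/ip commands that map
# several public IPs to DMZ hosts so more than one server can answer on port 80.
# All names and addresses below are constructed placeholders.

RED="eth0"       # internet-facing interface (IPCop "red")
ORANGE="eth2"    # DMZ interface (IPCop "orange")
LAN="eth1"       # internal LAN (IPCop "green")

# public_ip     dmz_ip      allowed_tcp_ports   (constructed sample mapping)
MAP='
203.0.113.18 192.0.2.10 80,443
203.0.113.19 192.0.2.11 80,443
203.0.113.20 192.0.2.12 25,993
'

dmz_rules() {
    echo "iptables -P FORWARD DROP"   # default deny; only the explicit forwards below
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # DMZ hosts may not initiate connections into the LAN
    echo "iptables -A FORWARD -i $ORANGE -o $LAN -j DROP"
    echo "$MAP" | while read -r pub dmz ports; do
        [ -z "$pub" ] && continue
        # 1) put the public address on the red interface as an alias
        echo "ip addr add $pub/28 dev $RED"
        # 2) DNAT inbound traffic for that public IP, one rule per published port,
        #    and allow only those ports to be forwarded into the DMZ
        for p in $(echo "$ports" | tr ',' ' '); do
            echo "iptables -t nat -A PREROUTING -i $RED -d $pub -p tcp --dport $p -j DNAT --to-destination $dmz:$p"
            echo "iptables -A FORWARD -i $RED -o $ORANGE -d $dmz -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
        done
        # 3) outbound traffic from that DMZ host leaves with its own public IP
        echo "iptables -t nat -A POSTROUTING -o $RED -s $dmz -j SNAT --to-source $pub"
    done
}

# Number of DNAT rules the mapping produces (one per host/port pair)
dnat_count() { dmz_rules | grep -c -- '-j DNAT'; }

dmz_rules
```

Piping the output to `sh` as root applies the rules; each DMZ host only receives the ports listed for it, and nothing from the DMZ can open connections toward the LAN.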

Nothinman (Elite Member, Sep 14, 2001)
I'd probably go with a Cisco ASA, I don't know if they have a web management interface because I hate those things anyway.
 

Tarrant64 (Diamond Member, Sep 20, 2004)
Originally posted by: compman25
Originally posted by: InlineFive
Originally posted by: Tarrant64
SonicWall.

Absolutely not. Their platform isn't as fully-featured, their technical support sucks and once you enable the security services (IPS + WebFiltering, etc.) the performance tanks.

A SonicWall would be fine, but you have to ignore the published specs. Those are done with no load on the firewall, nothing turned on. With a SonicWall you buy the one that is double what you think you need or what the reseller says would work. The hardware is cheap but SonicWall gets you with all their subscription based stuff. We use Pro2040's in 2 offices with less than 50 users and I don't dare turn on any extra stuff or the users start bitching about how slow the internet is. They are really easy to set up though.

SonicWall works for my company just fine. 600+ users across 14-15 sites. When properly configured with the proper hardware, it does its job quite well. We are also using Pro 2040s.
 

compman25 (Diamond Member, Jan 12, 2006)
Originally posted by: Tarrant64
Originally posted by: compman25
Originally posted by: InlineFive
Originally posted by: Tarrant64
SonicWall.

Absolutely not. Their platform isn't as fully-featured, their technical support sucks and once you enable the security services (IPS + WebFiltering, etc.) the performance tanks.

A SonicWall would be fine, but you have to ignore the published specs. Those are done with no load on the firewall, nothing turned on. With a SonicWall you buy the one that is double what you think you need or what the reseller says would work. The hardware is cheap but SonicWall gets you with all their subscription based stuff. We use Pro2040's in 2 offices with less than 50 users and I don't dare turn on any extra stuff or the users start bitching about how slow the internet is. They are really easy to set up though.

SonicWall works for my company just fine. 600+ users across 14-15 sites. When properly configured with the proper hardware, it does its job quite well. We are also using Pro 2040s.

I didn't say it wouldn't work, I was stating that you can't look at their stated throughput and assume it's honest. Read the SonicWall forums and there's always people on there bitching about how their SonicWall slows down their network even though the stated bandwidth of the device is 10x what their connection is. SonicWall publishes those specs with nothing turned on on the firewall. Lots of people look at the TZ170 and see it's stated to deliver 90 Mbps of stateful packet inspection, but when they buy it, install it, turn on all its security features and run a bandwidth test, they get 100 kbps and wonder what the hell happened. Before I started working for the company I work for now they got conned into getting TZ170's for their 2 largest offices. It's an insurance company and everything is done with remote desktop. Having a T1 and only getting 100 kbps bandwidth doesn't sit too well with 30 plus employees who all use remote desktop. When I started, the first thing I did was explain that Sonic even advertises the TZ170 for home/small office use and you can't expect a device that is advertised for home use to be up to the challenge of an actual business environment. We now have the PRO2040's in the offices and the bandwidth is up where it should be. We use 170's in offices with fewer than 10 employees. I'm not ragging on Sonic other than for the misleading bandwidth numbers. I find them to be very easy to set up and use and will continue using them.
 

chuck2002 (Senior member, Feb 18, 2002)
This is an old post, but I just thought I would update it with what we decided to do about this:
We went with a Fortinet 310b unit. We got lots more complex from the last time I posted to now, and this thing has been an excellent addition.