hardware or software firewall for office?

dsd17

Senior member
Sep 13, 2002
Our small office currently has a router/firewall setup on our network blocking any unwanted traffic. We are having issues now when we attempt to connect from outside our network through TB2. We have the external IP addresses mapped to our internal computer IPs and the ports are being forwarded correctly, but it still does not seem to connect properly.

My question is, is it safer to have a hardware firewall or have a personal firewall on each computer? There are a total of 7 OS X machines and 5 XP or 2000 machines.
 

SaintTigurius

Senior member
Apr 3, 2003
'Cause it's an office and of course you have valuable stuff, I would use both a software firewall and a hardware firewall.
 

Boscoh

Senior member
Jan 23, 2002
Mapping your internal computers to external addresses and then forwarding ports to them probably circumvents most/all protection the firewall would provide you.

Personally, I'd look at setting up a VPN and VNC or some form of remote control. Then only allow the port your remote control software uses over the VPN. Then you have nothing open to the outside. You could use Windows Remote Desktop for the Windows PCs and only allow TCP 3389 over the VPN. I don't know what you'd use on the OS X machines besides a Mac version of VNC. You could always just use TB2 over the VPN as well.

However, if you must do it the way you're doing now, use a hardware and software firewall. But make sure your passwords are strong.
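
An added illustration of the point in the post above, not part of the thread: a small first-match rule evaluator that compares what an arbitrary Internet host can reach under the mapped-IP/port-forward setup with what it can reach under the VPN-only design. All addresses, the VPN port (UDP 1194) and the Timbuktu port (TCP 407) are assumptions; the thread itself names only TCP 3389.

```python
import ipaddress

# Constructed addressing (not from the thread): RFC 5737 documentation
# ranges for public IPs, RFC 1918 ranges for the LAN and VPN client pool.
LAN, VPN_POOL, ANY = "192.168.1.0/24", "10.8.0.0/24", "0.0.0.0/0"

# Rule format: (action, source net, destination net, protocol, port).
# Current design: public IPs mapped 1:1 to workstations, ports forwarded.
CURRENT = [
    ("allow", ANY, "203.0.113.11/32", "tcp", 407),   # assumed Timbuktu port
    ("allow", ANY, "203.0.113.12/32", "tcp", 407),
    ("allow", ANY, "203.0.113.12/32", "tcp", 3389),  # Remote Desktop
    ("deny", ANY, ANY, "any", None),
]
# Proposed design: only the VPN listener faces the Internet; remote
# control ports are allowed from VPN clients only.
PROPOSED = [
    ("allow", ANY, "203.0.113.1/32", "udp", 1194),   # assumed VPN port
    ("allow", VPN_POOL, LAN, "tcp", 3389),
    ("allow", VPN_POOL, LAN, "tcp", 407),
    ("deny", ANY, ANY, "any", None),
]
# Constructed probes: (destination, protocol, port) an outsider might try.
PROBES = [
    ("203.0.113.11", "tcp", 407),
    ("203.0.113.12", "tcp", 407),
    ("203.0.113.12", "tcp", 3389),
    ("203.0.113.1", "udp", 1194),
]

def decide(rules, src, dst, proto, port):
    """First matching rule wins; no match means deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rsrc, rdst, rproto, rport in rules:
        if (s in ipaddress.ip_network(rsrc) and d in ipaddress.ip_network(rdst)
                and rproto in ("any", proto) and rport in (None, port)):
            return action
    return "deny"

def internet_exposure(rules, probes, src="198.51.100.7"):
    """Probes that an unauthenticated Internet source is allowed to reach."""
    return sorted(p for p in probes if decide(rules, src, *p) == "allow")

if __name__ == "__main__":
    print("current :", internet_exposure(CURRENT, PROBES))
    print("proposed:", internet_exposure(PROPOSED, PROBES))
```

Under the proposed rules the remote control services are still reachable, but only from a source inside the VPN client pool.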
 

dsd17

Senior member
Sep 13, 2002
That is what Timbuktu Pro is (TB2). We do use that and only have one or two ports available, but in order for our developers to get into the specific machines we need the external IPs mapped to those computers.
 

InlineFive

Diamond Member
Sep 20, 2003
Originally posted by: SaintTigurius
'Cause it's an office and of course you have valuable stuff, I would use both a software firewall and a hardware firewall.

If you have a good centralized firewall protecting all of your WAN connections you shouldn't actually need a software firewall on each PC. But I have the SP2 firewall enabled because of possible virus outbreaks inside the network which might be blocked.
 

dsd17

Senior member
Sep 13, 2002
We initially had a Linksys router/firewall set up between our T1 router and our network, but it seemed to slow it down a lot and also caused tons of collisions (probably the reason for the slowing). After I took this off and configured the firewalls on each computer, it's been much faster and so far we have not been hit with any viruses.
 

Woodie

Platinum Member
Mar 27, 2001
Originally posted by: dsd17
so far we have not been hit with any viruses.

Famous last words? ;)

In my professional opinion, you should install a hardware firewall between your LAN and the internet. If the one you were using was causing performance degradation, then you should switch vendors or model until you are satisfied with the performance.

The software firewall is less useful within the LAN, because it ends up looking like Swiss cheese, because of all the "permitted" ports/applications which are necessary to support LAN-based activities like domain authentication, file sharing, client-server applications, etc... Not to say it has no value!

 

funkyacidmonkey

Junior Member
Sep 16, 2004
I'm currently looking into a Cisco PIX Gateway Router/Firewall/VPN. We currently use a Hotbrick VPN 800/2 and hate everything about it except its ability to load balance two DSL connections...but even that needs improvement (auto throttling/QoS).

Can anybody send me to a good review of the Cisco PIX and/or comparos of these types of devices? Thanks.