Need help deciding on a firewall

dailo

Member
Jun 27, 2003
Need a good recommendation for a firewall for a small company. Lately we were hacked, and now the router firewall on the DSL modem is going crazy.

I keep on getting this error on the firewall logs:
IP Subnet Broadcast Amplification


So I'm thinking about just investing in a firewall, but our budget is fairly small. Something under 500 would be preferable.
I was thinking about this one:
http://www.hotbrick.com/lb-2.html

any good? Thanks for the input!
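An added example, not part of the post above: the "IP Subnet Broadcast Amplification" entry a DSL router logs normally denotes the smurf pattern, packets arriving from the WAN addressed to the LAN's subnet-directed broadcast address (192.168.1.255 for 192.168.1.0/24) so that every host on the LAN replies. The source address in such packets is usually forged to be the real victim, so the log's SRC field names who is being attacked, not who is attacking; the correct firewall response is simply to drop inbound directed broadcasts. The script below classifies constructed log lines (the format is an assumption; real routers use their own) and tallies the forged sources.

```python
"""Flag inbound directed-broadcast packets (the 'smurf' amplification pattern)
in router firewall logs.

Added example, not from the thread.  The log format below is constructed for
this example; real DSL routers log in their own format, so adapt parse_line().
"""
import ipaddress
from collections import Counter

# Constructed sample: three ICMP echo requests from the WAN aimed at the LAN
# broadcast address, plus three lines that should NOT be flagged.
SAMPLE_LOG = """\
2003-06-27 09:14:02 IN=wan SRC=10.20.30.40 DST=192.168.1.255 PROTO=ICMP TYPE=8
2003-06-27 09:14:02 IN=wan SRC=10.20.30.40 DST=192.168.1.255 PROTO=ICMP TYPE=8
2003-06-27 09:14:03 IN=wan SRC=10.20.30.40 DST=192.168.1.255 PROTO=ICMP TYPE=8
2003-06-27 09:14:05 IN=wan SRC=203.0.113.7 DST=192.168.1.10 PROTO=TCP DPT=5631
2003-06-27 09:14:06 IN=wan SRC=198.51.100.9 DST=255.255.255.255 PROTO=UDP DPT=67
2003-06-27 09:14:07 IN=lan SRC=192.168.1.10 DST=192.168.1.255 PROTO=UDP DPT=137
"""


def parse_line(line):
    """Split 'DATE TIME KEY=VALUE ...' into a dict; the timestamp goes under 'ts'."""
    parts = line.split()
    fields = {"ts": " ".join(parts[:2])}
    for token in parts[2:]:
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def is_directed_broadcast(dst, lan_cidr):
    """True if dst is the subnet-directed broadcast address of lan_cidr.

    The limited broadcast 255.255.255.255 is deliberately not matched: it is
    never routed across the WAN and is not what the amplification attack uses.
    """
    net = ipaddress.ip_network(lan_cidr, strict=False)
    return ipaddress.ip_address(dst) == net.broadcast_address


def find_amplification(log_text, lan_cidr, wan_if="wan"):
    """Return the parsed entries that arrived on the WAN side addressed to the
    LAN directed-broadcast address.  Each one is a would-be amplifier packet."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if (fields.get("IN") == wan_if and "DST" in fields
                and is_directed_broadcast(fields["DST"], lan_cidr)):
            hits.append(fields)
    return hits


def spoofed_sources(hits):
    """Tally the claimed source addresses.  In a smurf attack the source is
    forged to be the real victim, so these are the hosts being attacked, not
    the attacker."""
    return Counter(h["SRC"] for h in hits)


if __name__ == "__main__":
    hits = find_amplification(SAMPLE_LOG, "192.168.1.0/24")
    print(f"{len(hits)} inbound directed-broadcast packet(s)")
    for src, n in spoofed_sources(hits).items():
        print(f"  spoofed source {src}: {n} packet(s)")
```

The LAN-side NetBIOS broadcast and the WAN-side DHCP limited broadcast in the sample are left alone on purpose: only WAN-originated packets aimed at the subnet broadcast address are the amplification case.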
 

JackMDS

Elite Member
Super Moderator
Oct 25, 1999
If the network is configured around a central server you can install a software firewall on the server, or get a firewall appliance.

If it is a peer-to-peer network, get a firewall appliance (example): SonicWALL Internet security appliances.

The hardware that you mentioned in your post is mainly a load-balancing router. I am not sure that it provides a really good firewall.

 

dailo

Member
Jun 27, 2003
Any more links regarding making a firewall with Linux? Not really sure what to do with that website. Thanks in advance.
 

Rainsford

Lifer
Apr 25, 2001
Smoothwall is great for small businesses, and if you need more features than the free version includes (and it includes quite a few), they have a commercial version as well.
 

Citadel535

Senior member
Jan 16, 2001
Unless you're running services that employees need access to from home, a simple NAT-style firewall would do just fine. A Linux box is fine for doing that plus port filtering. If you want application-level filtering etc., then you need to invest time and money in setting that solution up. I personally use a Cisco PIX and it runs well. Sometimes it reboots on its own though, and we're trying to narrow down why that happens.
 

Boscoh

Senior member
Jan 23, 2002
Originally posted by: Citadel535
Unless you're running services that employees need access to from home, a simple NAT-style firewall would do just fine. A Linux box is fine for doing that plus port filtering. If you want application-level filtering etc., then you need to invest time and money in setting that solution up. I personally use a Cisco PIX and it runs well. Sometimes it reboots on its own though, and we're trying to narrow down why that happens.

Wiggle the power connector on the back and see if that's the cause. If it is, call TAC and tell them you've got one of the defective power supplies on your 501 and they should RMA it for you.

If not, type 'show crash' from enable mode to view the crash file, open a case with TAC and send the crash file to them.
 

dailo

Member
Jun 27, 2003
Getting one tomorrow :) Any suggestions on how to set it up? I'm just going to hook up my DSL router to it and then hook it up to our switch. I presume that is the correct setup, as I would like to keep my network gigabit. Also, I read it only allows 32 DHCP leases; any way to get more?

Also, how does the software work? Is it required? Thanks a lot!
 

dailo

Member
Jun 27, 2003
We use more than 32 leases, but I was thinking some of them are because of the computers we use for testing purposes, so I was just going to hook up a router to those computers and just have that give out IPs to the testing computers. Is that just as safe?
 

Goosemaster

Lifer
Apr 10, 2001
Look into Astaro Security Linux. It is fantastic.

I don't know how it stacks up to the PIX though, which is pretty much a benchmark.
 

Cheetah8799

Diamond Member
Apr 12, 2001
Dailo, check out Smoothwall and IPCop. Both are free for a basic firewall setup. All you'd need is a basic desktop 300 MHz-type system with extra network cards. Very easy to set up!

smoothwall.org

ipcop.org
 

dailo

Member
Jun 27, 2003
Just got the PIX in, a lot smaller than I thought it would be, haha. Thanks for all the help guys, will post again if I need any help :)
 

dailo

Member
Jun 27, 2003
Any idea how I open an incoming port, so that someone can connect to our pcAnywhere host? There is so much stuff, I'm completely lost haha
 

cmetz

Platinum Member
Nov 13, 2001
Assuming you're using PAT:

! Inbound ACL on the outside interface: allow only the two pcAnywhere ports
! (TCP 5631 = pcanywhere-data, UDP 5632 = pcanywhere-status) to the PAT address.
access-list 100 permit tcp any interface outside eq pcanywhere-data
access-list 100 permit udp any interface outside eq pcanywhere-status
! Explicit deny (the PIX also denies by default at the end of an ACL).
access-list 100 deny ip any any
access-group 100 in interface outside
! Port statics: map the outside interface's own address:port to the inside host.
! The mapped side is written as just "interface"; a single host takes a /32 mask.
static (inside,outside) tcp interface pcanywhere-data 192.168.0.42 pcanywhere-data netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 192.168.0.42 pcanywhere-status netmask 255.255.255.255

If that doesn't work, replace "interface outside" with your outside interface's IP address and/or the syntax "host <address>". The PIX has the ability to write some rules in terms of pointing to the interface, which makes renumbering or using DHCP outside much easier.

The CLI syntax is a pain to figure out, but once you know what to do you can do a lot.
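An added example, not part of cmetz's post and not a Cisco tool: a small Python linter for the kind of PIX 6.x port-forward configuration shown above. It cross-checks the inbound access-list against the port statics (a static with no matching permit is silently dropped at the ACL; a permit with no static translates nothing), and warns when a remote-control port is permitted from `any` rather than from the specific remote host, which is the restriction a practitioner would want before exposing pcAnywhere to the Internet. The sample config is constructed: it repeats the post's two pcAnywhere rules and adds an ssh permit with no static and an smtp static with no permit as deliberate mistakes. The regexes cover only the line shapes used in the post.

```python
"""Cross-check PIX-style port-forward rules: every 'static' needs a matching
inbound 'permit', every 'permit' needs a 'static', and a permit from 'any'
on an inbound service port gets a warning.

Added example, not the poster's code and not a Cisco tool.  It understands
only the line shapes used in the post (PIX 6.x syntax); real configs have
many more forms.
"""
import re

# Constructed config: the post's two pcAnywhere rules plus two deliberate
# mistakes (an ssh permit with no static, an smtp static with no permit).
SAMPLE_CONFIG = """\
access-list 100 permit tcp any interface outside eq pcanywhere-data
access-list 100 permit udp any interface outside eq pcanywhere-status
access-list 100 permit tcp host 203.0.113.7 interface outside eq ssh
access-list 100 deny ip any any
access-group 100 in interface outside
static (inside,outside) tcp interface pcanywhere-data 192.168.0.42 pcanywhere-data netmask 255.255.255.255
static (inside,outside) udp interface pcanywhere-status 192.168.0.42 pcanywhere-status netmask 255.255.255.255
static (inside,outside) tcp interface smtp 192.168.0.25 smtp netmask 255.255.255.255
"""

ACL_RE = re.compile(
    r"^access-list (?P<name>\S+) (?P<action>permit|deny) (?P<proto>tcp|udp|ip) "
    r"(?P<src>any|host \S+|\S+ \S+) (?P<dst>any|host \S+|interface \S+|\S+ \S+)"
    r"(?: eq (?P<port>\S+))?$"
)
GROUP_RE = re.compile(r"^access-group (?P<name>\S+) in interface (?P<iface>\S+)$")
STATIC_RE = re.compile(
    r"^static \((?P<real_if>\S+),(?P<mapped_if>\S+)\) (?P<proto>tcp|udp) "
    r"(?P<mapped_ip>\S+) (?P<mapped_port>\S+) (?P<real_ip>\S+) (?P<real_port>\S+)"
)


def parse_config(text):
    """Return (acls, groups, statics): ACL name -> rule dicts, interface -> ACL
    name bound inbound on it, and a list of port-static dicts."""
    acls, groups, statics = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        m = ACL_RE.match(line)
        if m:
            acls.setdefault(m["name"], []).append(m.groupdict())
            continue
        m = GROUP_RE.match(line)
        if m:
            groups[m["iface"]] = m["name"]
            continue
        m = STATIC_RE.match(line)
        if m:
            statics.append(m.groupdict())
    return acls, groups, statics


def audit(text):
    """Return findings as (code, proto, port) tuples:
    no-permit   a static exists but the inbound ACL never permits that port
    no-static   the inbound ACL permits a port that nothing translates
    open-to-any an inbound service port is permitted from any source"""
    acls, groups, statics = parse_config(text)
    findings = []
    for st in statics:
        acl = acls.get(groups.get(st["mapped_if"]), [])
        permitted = any(r["action"] == "permit" and r["proto"] == st["proto"]
                        and r["port"] == st["mapped_port"] for r in acl)
        if not permitted:
            findings.append(("no-permit", st["proto"], st["mapped_port"]))
    for iface, name in groups.items():
        for r in acls.get(name, []):
            if r["action"] != "permit" or r["port"] is None:
                continue
            translated = any(s["mapped_if"] == iface and s["proto"] == r["proto"]
                             and s["mapped_port"] == r["port"] for s in statics)
            if not translated:
                findings.append(("no-static", r["proto"], r["port"]))
            if r["src"] == "any":
                findings.append(("open-to-any", r["proto"], r["port"]))
    return findings


if __name__ == "__main__":
    for code, proto, port in audit(SAMPLE_CONFIG):
        print(f"{code:12} {proto}/{port}")
```

For the pcAnywhere case the actionable finding is `open-to-any`: once the remote user's address is known, replace `any` with `host <their address>` in the two permit lines so the remote-control port is not reachable from the whole Internet.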
 

dailo

Member
Jun 27, 2003
Thanks, I was able to figure out how to open that port just for one computer thanks to Cisco tech support. This thing is so powerful, got a lot to learn!
 

AdamRader

Member
Jul 8, 2004
Originally posted by: Goosemaster
Look into Astaro Security Linux. It is fantastic.

I don't know how it stacks up to the PIX though, which is pretty much a benchmark.

I definitely second the Astaro vote. Been using it myself for about six months now after leaving Smoothwall behind. It's *extremely* configurable, and isn't terribly difficult to set up or maintain. You would need to look at the commercial version since the private version (aside from being a legal license only for home users) doesn't support more than ten machines behind it.

Overall though, it's a good system. Works well if you want a separate NIC for each of your net connections, and separate LANs (DMZ, private, etc.).

Edit: Whoops, a little late. Enjoy the PIX! =)
 

imported_LobbDogg

Junior Member
May 3, 2004
I second Smoothwall. I've been using it on my LAN for over 2 years now; not only is it free but highly customizable too. It is rock solid and provides lots of different logs, and it is easy to set up, as you don't have to know Linux to set it up.