JoelC707 (West Point, GA) | Firewall choices

Well it's about time to replace the junk firewall we have at our office. I've been reading some threads and it seems there are a lot of choices, some I didn't even know about. So what I'm asking is which one would be the best choice for my needs.
- Very small business, 8 users total
- must be rack mounted
- must support two or more WAN connections
- must support two or more LAN connections
- IPSEC VPN capabilities with 3DES or AES
- SSL VPN in the future maybe
- UTM bundle would be nice (anti virus, spam and spyware) but not necessary
Ideally I'm trying to keep this as cheap as possible. Being such a small company, funds are quite limited.
Here is what I have considered so far:
- Watchguard x750e - Would work but is pushing $2000, too expensive
- Pix 515/515E - A bit cheaper but would need a router in front to handle the dual WAN connections taking the price back up some
- Watchguard x700 - heard the older Watchguards have problems
- Untangle - Has everything I need except the OpenVPN software seems to only support client VPN connections not hardware to hardware like I want to do
- Sonicwall - haven't looked into these in a couple of years but from what I understand they are just as expensive as Watchguard
So knowing all this, what would you suggest and why?
mfrosty (Crofton, MD) | Have you looked into Fortinet's line of products?
»www.fortiwall.com/default.asp?so···odAS5HCg
Very intuitive interface, highly configurable and not too expensive. And supports all the key features you listed in this thread.
FortiGate 60B 24x7 Bundle
Price $1,131.00
The FortiGate 60B 24x7 bundle is ideally suited for small businesses, remote offices, retail stores, broadband telecommuter sites that require dual WAN interfaces for maximum uptime, continuous enhanced support, and complete protection.
Features Include:
- Dual WAN Connections
- (1) Year of 24x7 Support
- Supports Unlimited Users
- (1) Year of Virus Protection
- Comprehensive Protection
- (1) Year of Intrusion Prevention
- Advance Hardware Replacement
- (1) Year Hardware Warranty
»www.fortiwall.com/productcart/pc···gory=967
(no username shown) | reply to JoelC707 The Cisco PIX line is being EOL'ed and replaced with the ASA line, which gives you the SSL capabilities ('clientless' SSL VPN).
I would give serious thought to a Cisco ASA 5505. It should be able to handle all of your requirements.
-- How lucky am I to have known someone who is so hard to say good-bye to.
(no username shown) | reply to JoelC707 You mentioned Untangle, have you taken a look at IPCop? It supports hardware to hardware VPN connections.
nagetech (Keyport, NJ) | reply to JoelC707 You can setup a smoothwall box! www.smoothwall.org
I ordered a 1U Dell Powerapp off ebay for $40 (including shipping) and have been running it since. Great piece of software, rock solid, and has a thriving community for mods and homebrews!
boognish (Baton Rouge, LA) | reply to JoelC707 I was going to suggest a linux distro. You could set up what you want fairly easily. You pretty much only have to pay for the hardware then. It doesn't take much hardware for a firewall and what other things you want.
-- don't get 2 close 2 my fantasy
B | reply to JoelC707 Nothing says you only need a single device.
I think the Linksys RV series is a lot of bang for the buck -- dual WAN routers with basic security features including site to site IPSec.
We use SSL Explorer for occasional "SSL VPN" connections to a server. Keep in mind that what most call an "SSL VPN" isn't really a VPN at all -- it's a glorified web app gateway, and not as secure. OpenVPN uses SSL for security but is a real, full point to point VPN. In other words, use IPSec or OpenVPN, but use of "SSL VPNs" should be discouraged on security grounds.
As I've posted elsewhere, I think Watchguard is crappy.
Re: your concern for point to point and OpenVPN, you can get hardware support on many routers, for example:
»www.dd-wrt.com/wiki/index.php?title=OpenVPN
But again, no reason you can't combine things, particularly as you're apparently willing to devote a computer to it. Free certainly is "as cheap as possible". You could run something outside the stock Untangle suite to establish standard IPSec connections.
-- B -- In a realm outside causality and function
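Added example, not posted by anyone in this thread: the "hardware to hardware" (site-to-site) OpenVPN setup B is describing, as the two config files a pair of OpenVPN 2.x routers would use. The point it shows is the part the client-only OpenVPN described for Untangle lacks: on the server, a `route` plus a `client-config-dir` entry with `iroute` tells OpenVPN which connected peer owns the remote LAN, and `push "route ..."` hands the office LAN to the far side, so whole subnets are routed through the tunnel rather than a single host. Hostnames (vpn.example.com), the 192.168.1.0/24 and 192.168.2.0/24 LANs, the 10.8.0.0/24 tunnel pool, the certificate CN `branch-router` and the file paths are all assumptions; the certificates and `ta.key` are assumed to already exist.

```shell
#!/bin/sh
# Added example (not from the thread): generate a site-to-site OpenVPN config
# pair and sanity-check it. All addresses, names and paths are assumptions.
set -eu

# write_site_to_site_configs DIR  -- writes office.conf, branch.conf and the
# ccd/ entry into DIR. Office side is the TLS server, branch side the client.
write_site_to_site_configs() {
    dir="$1"
    mkdir -p "$dir/ccd"

    # Office router. Assumed office LAN 192.168.1.0/24, tunnel pool 10.8.0.0/24.
    cat > "$dir/office.conf" <<'EOF'
dev tun
proto udp
port 1194
tls-server
ca /etc/openvpn/ca.crt
cert /etc/openvpn/office.crt
key /etc/openvpn/office.key
dh /etc/openvpn/dh2048.pem
tls-auth /etc/openvpn/ta.key 0
cipher AES-256-CBC
auth SHA256
server 10.8.0.0 255.255.255.0
# kernel route for the branch LAN, pointing at the tun interface
route 192.168.2.0 255.255.255.0
# per-peer directory: the iroute in ccd/<CN> maps that LAN to the peer
client-config-dir ccd
# give the branch a route back to the office LAN
push "route 192.168.1.0 255.255.255.0"
keepalive 10 60
persist-key
persist-tun
EOF

    # ccd entry; the file name must equal the branch router's certificate CN
    cat > "$dir/ccd/branch-router" <<'EOF'
iroute 192.168.2.0 255.255.255.0
EOF

    # Branch router. Assumed branch LAN 192.168.2.0/24 behind it.
    cat > "$dir/branch.conf" <<'EOF'
client
dev tun
proto udp
remote vpn.example.com 1194
ca /etc/openvpn/ca.crt
cert /etc/openvpn/branch-router.crt
key /etc/openvpn/branch-router.key
tls-auth /etc/openvpn/ta.key 1
cipher AES-256-CBC
auth SHA256
# only accept a peer whose certificate was issued for server use
remote-cert-tls server
keepalive 10 60
persist-key
persist-tun
EOF
}

# check_site_to_site DIR  -- every LAN the server routes must have a matching
# iroute in some ccd file (otherwise return traffic never enters the tunnel),
# and both ends must agree on cipher and HMAC.
check_site_to_site() {
    dir="$1"
    for entry in $(awk '$1=="route"{print $2"/"$3}' "$dir/office.conf"); do
        net=${entry%/*}; mask=${entry#*/}
        grep -q "^iroute $net $mask" "$dir"/ccd/* \
            || { echo "no iroute for $net $mask" >&2; return 1; }
    done
    for opt in cipher auth; do
        a=$(awk -v o="$opt" '$1==o{print $2}' "$dir/office.conf")
        b=$(awk -v o="$opt" '$1==o{print $2}' "$dir/branch.conf")
        [ "$a" = "$b" ] || { echo "$opt mismatch: $a vs $b" >&2; return 1; }
    done
    echo "site-to-site config consistent"
}
```

Run `write_site_to_site_configs /tmp/ovpn && check_site_to_site /tmp/ovpn` to see the files; the check is the one thing that commonly bites on a DIY box, a `route` without the matching `iroute`, which leaves the office able to send to 192.168.2.0/24 but OpenVPN unable to decide which peer should receive it.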
JoelC707 (West Point, GA) | reply to JoelC707 Yeah, cooking up my own DIY firewall was my idea with Untangle. I really like the product but I've gotta be able to do IPSEC based hardware to hardware tunnels. From what I understand Untangle only supports a software client not a hardware client. Although I assume it might be possible to do hardware on the client side but I'd rather not get it all setup and it not work.
B | Again, if you need IPSec to connect to existing remote IPSec equipment there are other ways to get it. You can use a cheapo router that supports it (many do; I've successfully used several -- usually they have "VPN" in the model name). You can run a different firewall distribution (IPCop, monowall, Astaro, etc.) in, for example, one separate virtual machine while Untangle runs in another. Or you can simply choose a different software router package than Untangle, one that does have IPSec support. IPCop fits the bill...
-- B -- In a realm outside causality and function
PToN (Houston, TX) | reply to JoelC707 Vyatta is great... Some ex Cisco engineers and others founded it...
FREE and it can compete head to head with more expensive Cisco routers... It can be installed on any hardware...
I run it as a Xen virtual machine and it works with no problems at all..
JoelC707 (West Point, GA) | reply to JoelC707 Looks like I've now got five other choices for brewing up my own firewall: Smoothwall, Monowall, IPCop, Astaro, Vyatta.
How easy are these to use? I've heard of the first three but never used them. Oh yeah, one thing to keep in mind is that I'm, well, Linux stupid I guess would be a good way to put it. I've been playing with Linux recently and so far don't have any problems but I would rather not use something that is going to take me forever to figure out and even then not be sure if I've got it right. The last thing I want is a firewall that doesn't do what it is supposed to because I don't know how to use it.
I've looked into the Linksys RV line for the home users but unless I missed one, all of them were desktop based. The same goes for the ASA 5505, I can't rack mount it and I dislike shelves for this kind of equipment. I did look into the ASA 5510 as I knew the PIX had been EOL'd (I'm not afraid of using old hardware which is why I looked at the PIX knowing they would be cheap from people replacing them with ASA's) but it is still $2000 or more. I could use a separate device for the tunnels, I hadn't thought of that before.
One thing I don't want to do is go so cheap that the device isn't capable of handling what we'll be pushing through it. I know the basic Linksys/Dlink/Netgear devices may work fine for home users but I think it would crumble with several tunnels being routed through it. I don't have a computer for it to run on yet but I do have a few rack mount ones I've got my eye on that are around $200 (P4 or Opteron based) and should handle firewall duties just fine.
PToN (Houston, TX) | »vyatta.com/products/demo.php
Vyatta is really easy. The console is similar to those found on Dlink and Cisco routers. It shows you the available commands by hitting "tab". The guide is very self explanatory...
No need to be a Linux expert nor very knowledgeable even when it is Linux based; you would be issuing commands to the FUSE CLI which takes your commands, runs them through Perl scripts and translates them into Linux and various of its applications... But it doesn't hurt to know some..
PC Doc 54 aka fcapes (Middle Island, NY) | reply to JoelC707 I use Untangle and love it. I've heard Endian is also a good one though I haven't actually used it: »www.endian.com/
Jahntassa (Conway, SC) | Actually the Sonicwall 2040Pro is cheaper than the Watchguard. Here it is with one of their UTM solutions for $1500.
»www.provantage.com/sonicwall-01-···I02P.htm
Also I personally think the Sonicwalls are much easier to deal with than the Watchguards. I've rarely had problems with my two 2040s that weren't self-inflicted.
Edit: It does handle plenty of IPSEC stuff, DES/3DES/AES with no problems. I think the 2040 will handle 50 tunnels (or more, can't remember the specifics)
The only thing on your list it doesn't do is SSL-VPN, but we have an SSL-VPN 2000 box (also from Sonicwall) that handles that stuff.
Kalford (Ontario) | reply to JoelC707
said by JoelC707: I've looked into the Linksys RV line for the home users but unless I missed one, all of them were desktop based.
The RV082 comes with a rackmount kit and should cover off most of your requirements. I have had two of them for a few years now and have been pleased with their performance. (I haven't used both WANs at the same time, so I can't say how well that performs though) Here's a link to the web interface for the RV082 - it's pretty straight forward and easy to navigate and configure.
» ui.linksys.com/files/RV082/1.1.6···mary.htm
Zyxel is another line that you might be interested in checking out. They have some pretty reasonably priced UTMs on the market. I recently picked up a Zywall 2Plus (initially for testing - I'll probably use it in one of my remote offices - not robust enough [imo] for larger groups) and I just received [this past Fri] a Zywall USG 300 with Kaspersky AV & Bluecoat content filtering subscription.
» www.zyxel.com/web/product_family···79CE2C44
-- Through My Eyes
Jahntassa (Conway, SC) | Honestly I would also say the RV082 is worth looking into. I used an RV042 for several years with minimal problems (until it, for some reason, started rebooting every time the UPS went on battery, even with a new AC adapter)
B | Wouldn't be an issue (impossible really) with an online (double conversion) UPS rather than a "line interactive" UPS...
-- B -- In a realm outside causality and function
sporkme (Morristown, NJ) | reply to JoelC707
said by JoelC707: Looks like I've now got five other choices for brewing up my own firewall. Smoothwall Monowall IPCop Astaro Vyatta
Don't forget pfSense - it's a fork of m0n0wall. It has some features that I'm not sure the others include like a pretty insane load-balancing and QoS combo that works across multiple unequal-speed WAN connections and the ability to tie two units together for redundancy (like HSRP on the Cisco side).
You can also buy support if that's something that's needed to get it in the door.
graysonf (Fort Lauderdale, FL) | reply to JoelC707
said by JoelC707: Looks like I've now got five other choices for brewing up my own firewall. Smoothwall Monowall IPCop Astaro Vyatta
M0n0wall does not support two or more WAN connections. pfSense, a fork of M0n0wall, does.
(no username shown) | bump for pfSense. I use it at 12+ of my clients' sites for site to site VPN. It rawks. We're getting ready to replace a Fortinet FortiGate 60 with a pfSense box here at the office (100M/100M fiber, resell to other tenants of the building)