JoelC707
Premium Member
join:2002-07-09
Lanett, AL

Firewall choices

Well it's about time to replace the junk firewall we have at our office. I've been reading some threads and it seems there are a lot of choices, some I didn't even know about. So what I'm asking is which one would be the best choice for my needs.

- Very small business, 8 users total
- must be rack mounted
- must support two or more WAN connections
- must support two or more LAN connections
- IPSEC VPN capabilities with 3DES or AES
- SSL VPN in the future maybe
- UTM bundle would be nice (anti virus, spam and spyware) but not necessary

Ideally I'm trying to keep this as cheap as possible. Being such a small company, funds are quite limited.

Here is what I have considered so far:
- Watchguard x750e - Would work but is pushing $2000, too expensive
- Pix 515/515E - A bit cheaper but would need a router in front to handle the dual WAN connections taking the price back up some
- Watchguard x700 - heard the older Watchguards have problems
- Untangle - Has everything I need except the OpenVPN software seems to only support client VPN connections not hardware to hardware like I want to do
- Sonicwall - haven't looked into these in a couple of years but from what I understand they are just as expensive as Watchguard

So knowing all this, what would you suggest and why?

mfrosty
Premium Member
join:2003-11-05
Crofton, MD

Have you looked into Fortinet's line of products?

»www.fortiwall.com/defaul ··· odAS5HCg

Very intuitive interface, highly configurable and not too expensive. And supports all the key features you listed in this thread.

FortiGate 60B 24x7 Bundle

Price $1,131.00

The FortiGate 60B 24x7 bundle is ideally suited for small businesses, remote offices, retail stores, broadband telecommuter sites that require dual WAN interfaces for maximum uptime, continuous enhanced support, and complete protection.

Features Include:
Dual WAN Connections (1) Year of 24x7 Support
Supports Unlimited Users (1) Year of Virus Protection
Comprehensive Protection (1) Year of Intrusion Prevention
Advance Hardware Replacement (1) Year Hardware Warranty

»www.fortiwall.com/produc ··· gory=967

Weasel to JoelC707
Premium Member
join:2001-12-03
Minnesota

The Cisco PIX line is being EOL'ed and replaced with the ASA line, which gives you the SSL capabilities ('clientless' SSL VPN).

I would give serious thought to a Cisco ASA 5505. It should be able to handle all of your requirements.

hi to JoelC707
Anon
@rr.com

You mentioned Untangle; have you taken a look at IPCop? It supports hardware to hardware VPN connections.

choco50000 to JoelC707
Member
join:2001-09-27
Jackson, NJ

You can set up a Smoothwall box! www.smoothwall.org

I ordered a 1U Dell Powerapp off ebay for $40 (including shipping) and have been running it since. Great piece of software, rock solid, and has a thriving community for mods and homebrews!

boognish to JoelC707
Premium Member
join:2001-09-26
Baton Rouge, LA

I was going to suggest a Linux distro. You could set up what you want fairly easily. You pretty much only have to pay for the hardware then. It doesn't take much hardware for a firewall and whatever other things you want.

B04 to JoelC707
Premium Member
join:2000-10-28

Nothing says you only need a single device.

I think the Linksys RV series is a lot of bang for the buck -- dual WAN routers with basic security features including site to site IPSec.

We use SSL Explorer for occasional "SSL VPN" connections to a server. Keep in mind that what most call an "SSL VPN" isn't really a VPN at all -- it's a glorified web app gateway, and not as secure. OpenVPN uses SSL for security but is a real, full point to point VPN. In other words, use IPSec or OpenVPN, but use of "SSL VPNs" should be discouraged on security grounds.

As I've posted elsewhere, I think Watchguard is crappy.

Re: your concern for point to point and OpenVPN, you can get hardware support on many routers, for example:

»www.dd-wrt.com/wiki/inde ··· =OpenVPN

But again, no reason you can't combine things, particularly as you're apparently willing to devote a computer to it. Free certainly is "as cheap as possible". You could run something outside the stock Untangle suite to establish standard IPSec connections.

-- B

JoelC707
Premium Member
join:2002-07-09
Lanett, AL

Yeah, cooking up my own DIY firewall was my idea with Untangle. I really like the product but I've gotta be able to do IPSEC based hardware to hardware tunnels. From what I understand Untangle only supports a software client, not a hardware client. I assume it might be possible to do hardware on the client side, but I'd rather not get it all set up and have it not work.

B04
Premium Member
join:2000-10-28

Again, if you need IPSec to connect to existing remote IPSec equipment there are other ways to get it. You can use a cheapo router that supports it (many do; I've successfully used several -- usually they have "VPN" in the model name). You can run a different firewall distribution (IPCop, monowall, Astaro, etc.) in, for example, one separate virtual machine while Untangle runs in another. Or you can simply choose a different software router package than Untangle, one that does have IPSec support. IPCop fits the bill...

-- B

PToN to JoelC707
Premium Member
join:2001-10-04
Houston, TX

Vyatta is great... Some ex-Cisco engineers and others founded it...

FREE and it can compete head to head with more expensive Cisco routers... It can be installed on any hardware...

I run it as a Xen virtual machine and it works with no problems at all..

JoelC707
Premium Member
join:2002-07-09
Lanett, AL

Looks like I've now got five other choices for brewing up my own firewall.
Smoothwall
Monowall
IPCop
Astaro
Vyatta

How easy are these to use? I've heard of the first three but never used them. Oh yeah, one thing to keep in mind is that I'm, well, Linux stupid I guess would be a good way to put it. I've been playing with Linux recently and so far don't have any problems, but I would rather not use something that is going to take me forever to figure out and even then not be sure if I've got it right. The last thing I want is a firewall that doesn't do what it is supposed to because I don't know how to use it.

I've looked into the Linksys RV line for the home users but unless I missed one, all of them were desktop based. The same goes for the ASA 5505, I can't rack mount it and I dislike shelves for this kind of equipment. I did look into the ASA 5510 as I knew the PIX had been EOL'd (I'm not afraid of using old hardware which is why I looked at the PIX knowing they would be cheap from people replacing them with ASA's) but it is still $2000 or more. I could use a separate device for the tunnels, I hadn't thought of that before.

One thing I don't want to do is go so cheap that the device isn't capable of handling what we'll be pushing through it. I know the basic Linksys/Dlink/Netgear devices may work fine for home users but I think it would crumble with several tunnels being routed through it. I don't have a computer for it to run on yet but I do have a few rack mount ones I've got my eye on that are around $200 (P4 or Opteron based) and should handle firewall duties just fine.

PToN
Premium Member
join:2001-10-04
Houston, TX

»vyatta.com/products/demo.php

Vyatta is really easy. The console is similar to those found on Dlink and Cisco routers. It shows you the available commands by hitting "tab". The guide is very self explanatory...

No need to be a Linux expert or very knowledgeable even though it is Linux based; you would be issuing commands to the FUSE CLI, which takes your commands, runs them through Perl scripts and translates them into Linux and various of its applications... But it doesn't hurt to know some..

PC Doc 54 to JoelC707
aka fcapes
Premium Member
join:2000-10-28
Alamogordo, NM

I use Untangle and love it. I've heard Endian is also a good one though I haven't actually used it:
»www.endian.com/

Jahntassa
What, I can have feathers
Premium Member
join:2006-04-14
Conway, SC

Actually the Sonicwall 2040Pro is cheaper than the Watchguard. Here it is with one of their UTM solutions for $1500.

»www.provantage.com/sonic ··· I02P.htm

Also I personally think the Sonicwalls are much easier to deal with than the Watchguards. I've rarely had problems with my two 2040s that weren't self-inflicted.

Edit: It does handle plenty of IPSEC stuff, DES/3DES/AES with no problems. I think the 2040 will handle 50 tunnels (or more, can't remember the specifics)

The only thing on your list it doesn't do is SSL-VPN, but we have an SSL-VPN 2000 box (also from Sonicwall) that handles that stuff.

Kalford to JoelC707
Seems To Be An Rtfm Problem.
MVM
join:2001-03-20
Ontario

said by JoelC707:

I've looked into the Linksys RV line for the home users but unless I missed one, all of them were desktop based.
The RV082 comes with a rackmount kit and should cover off most of your requirements. I have had two of them for a few years now and have been pleased with their performance. (I haven't used both WANs at the same time, so I can't say how well that performs though.)

Here's a link to the web interface for the RV082 - it's pretty straightforward and easy to navigate and configure.

»ui.linksys.com/files/RV0 ··· mary.htm

Zyxel is another line that you might be interested in checking out. They have some pretty reasonably priced UTM's on the market.

I recently picked up a Zywall 2Plus (initially for testing - I'll probably use it in one of my remote offices - not robust enough [imo] for larger groups) and I just received [this past fri] a Zywall USG 300 with kaspersky av & bluecoat content filtering subscription.

»www.zyxel.com/web/produc ··· 79CE2C44

Jahntassa
What, I can have feathers
Premium Member
join:2006-04-14
Conway, SC

Honestly I would also say the RV082 is worth looking into. I used an RV042 for several years with minimal problems (until it, for some reason, started rebooting every time the UPS went on battery, even with a new AC adapter)

B04
Premium Member
join:2000-10-28

Wouldn't be an issue (impossible really) with an online (double conversion) UPS rather than a "line interactive" UPS...

-- B

sporkme to JoelC707
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

said by JoelC707:

Looks like I've now got five other choices for brewing up my own firewall.
Smoothwall
Monowall
IPCop
Astaro
Vyatta
Don't forget pfSense - it's a fork of m0n0wall. It has some features that I'm not sure the others include, like a pretty insane load-balancing and QoS combo that works across multiple unequal-speed WAN connections and the ability to tie two units together for redundancy (like HSRP on the Cisco side).

You can also buy support if that's something that's needed to get it in the door.

graysonf to JoelC707
MVM
join:1999-07-16
Fort Lauderdale, FL

said by JoelC707:

Looks like I've now got five other choices for brewing up my own firewall.
Smoothwall
Monowall
IPCop
Astaro
Vyatta
M0n0wall does not support two or more WAN connections. pfSense, a fork of M0n0wall, does.

nnaarrnn
Member
join:2004-09-30
Charleston, WV

bump for pfSense. I use it at 12+ of my clients' sites for site to site VPN. It rawks. We're getting ready to replace a Fortinet FortiGate 60 with a pfSense box here at the office (100M/100M fiber, resell to other tenants of the building)

bksmith5 to Jahntassa
Tagging along
Premium Member
join:2001-04-07
Charlotte, NC

Heads up on the SonicWALL Pro 2040 (and the other Pro-based series of firewalls): they're on their way out starting somewhere around the end of this year. The "new" SonicWALL firewall of choice would be either the TZ190 for such a small environment (it's not rack-mountable, but VERY nice for what it offers) or the SonicWALL NSA 2400. The NSA line of firewalls appear to be the successors to the Pro series.

I've set up a couple of the SonicWALL NSA 3500s (one of the 2400's bigger siblings) and the new SonicOS Enhanced 5.0 interface is very easy to use and quite powerful for the features it offers!

SonicWALL sales info on the NSA series is here:
»www.sonicwall.com/us/pro ··· ies.html

Similar information on the TZ series is here:
»www.sonicwall.com/us/pro ··· ies.html
(note: The TZ170 line of firewalls is definitely on "life support" as the TZ180 is the successor to the TZ170. The TZ150 may very well be on its way out as well, being at the low end of the product spectrum for SonicWALL.)

Note: the TZ190 can be purchased for roughly $500-$700 depending on the feature set that you want.

»computers.pricegrabber.c ··· st=query

The NSA 2400 is rack-mountable, features 4 zone-configurable Gigabit Ethernet ports and runs about $2,000 -- but is worth every penny for the functionality that it provides, IMO.

B04 to nnaarrnn
Premium Member
join:2000-10-28

Who cares about dual WAN -- pfSense did away with the most irritating feature of its source, leetspeak spelling. I never was willing to look up, memorize, and/or type "m0n0wall", any more than I will type whatever the right URL for "delicious" is.

Seriously, it's a blessing and curse to have all these great choices, eh, Joel?

Edit: As to SonicWall, I used to dismiss them as overpriced, but after seeing how a product (Watchguard) could be both overpriced and ineffective, I now relish my uneventful pleasant experiences with various Sonicwalls.

Has there been any formal run down / bake off / review of all the good open source router/gateway software offerings mentioned here?

-- B

JoelC707
Premium Member
join:2002-07-09
Lanett, AL

said by B04:

Seriously, it's a blessing and curse to have all these great choices, eh, Joel?
You got that right. I never expected so many responses or so many choices for a firewall. Thanks for all the suggestions everyone, please keep them coming.
said by B04:

Has there been any formal run down / bake off / review of all the good open source router/gateway software offerings mentioned here?
No I don't think there is, at least not to my knowledge. I did a search for "firewall" here before posting this and got a LOT of hits but I didn't see anything that looked like what I wanted (but I also didn't look through them all either). If there is I'd love to see it.

JoelC707 to Kalford
Premium Member

Wow, it sure does, so does the RV016. Between the two, I think I would rather do the RV016 because I can reconfigure some of the ports to be other WAN/DMZ ports which could be beneficial. Either of them is certainly within the price range too so that makes it better. I had looked into the RV042 or more recently the RVL200 for the home users. If they will do what I want, they will certainly be much cheaper than the X10e Watchguards I was considering. I would prefer to keep all points using the same or at least similar hardware just so if something doesn't work and I need to get help with it there can't be any finger pointing at the other hardware.

djrobx to JoelC707
Premium Member
join:2000-05-31
Reno, NV

Another big thumbs up for pfSense. Someone on this forum suggested it in response to someone looking to configure Linux for dual WAN support.

pfSense has been an absolute dream. It has a nice clean "router-like" interface, but I was able to configure multi-WAN, connect to several VPN subnets (other end is OpenSWAN), and allow PPTP "dial-in" access. It's SO straightforward, and lots of things "just work" compared to messing around with ipsec.conf and iptables scripts for hours on end.

Note that pfSense is its own "distribution" based on FreeBSD. It's possible to tack more onto it directly, but I found it's better to let it be its own "black box" and run additional Linux services on the host OS. pfSense behaves very well in a VMWare Server VM under Linux.

B04 to JoelC707
Premium Member
join:2000-10-28

Well there's also ClarkConnect and Endian. Keep in mind that neither Astaro nor ClarkConnect is available in a full featured free or open source version -- they're strictly commercial products and I think closed source.

»Linux Router Firewall

»[Poll] What Firewall Do You Use? '07

»www.fsckin.com/2007/09/0 ··· butions/

»www.hardforum.com/archiv ··· 731.html

»forum.softgil.com/news.php

-- B

JoelC707
Premium Member
join:2002-07-09
Lanett, AL

Well it looks like the RV016 won't do what I wanted after all. The 7 WAN ports cannot be shared as DMZ ports. But that's OK, I really only need one DMZ port because I can do 1-1 NAT to route the two /29 subnets I have to the internal IP of my choosing and I can still do the software DMZ it seems. Now to check and see what the RV042 or RVL200 will do. I'm still not completely swayed one way or the other but I'm currently leaning towards the Linksys routers.

Oh yeah, one feature that will be important for the home users' routers is split DNS (though I'm sure other routers call it different things). Basically with the tunnel, I end up setting the DNS on the computers to the DNS server here at the office so they can access resources. The downside is that means all DNS requests go through the tunnel (surfing doesn't, but it causes an annoying delay before it loads the page). With split DNS (or whatever it's called), I can point them to the router and the router forwards requests for my domains on to my servers and everything else on to the ISP. It seems very few consumer class routers for home use support this. At the office it won't matter but at the home sites it will.
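The split DNS forwarding described in the post above, written out as an added dnsmasq configuration for a home-site router; this is an illustration added here, not configuration from the thread or from any of the products named in it, and the domain name, addresses and interface name are constructed placeholders.

```conf
# Added example: split DNS on a home-site router running dnsmasq.
# Only queries for the office domain (and reverse lookups for the office
# subnet) are forwarded through the VPN tunnel to the office DNS server;
# everything else goes straight to the ISP resolver, so general web
# browsing no longer waits on a tunnel round trip for every lookup.
# All names and addresses below are constructed placeholders.

# Ignore /etc/resolv.conf; the upstreams are listed explicitly here.
no-resolv

# Office zone: forward to the office DNS server reachable over the tunnel.
server=/corp.example/192.168.10.5
# Reverse lookups for the office LAN also go to the office server.
rev-server=192.168.10.0/24,192.168.10.5

# Everything else: the ISP resolver, reached directly, not via the tunnel.
server=203.0.113.53

# Listen only on the LAN side and only for local clients; never expose
# the forwarder on the WAN interface.
interface=br-lan
bind-interfaces
local-service

# Hardening: do not forward bare hostnames upstream, and answer private
# reverse lookups that have no rev-server entry above with NXDOMAIN
# locally instead of leaking them to the ISP.
domain-needed
bogus-priv

# Reject upstream answers that resolve public names to private addresses
# (DNS rebinding), but allow them for the office zone, whose hosts
# legitimately have private addresses.
stop-dns-rebind
rebind-domain-ok=/corp.example/

# Cache answers so the tunnel round trip is paid once per name, not per lookup.
cache-size=1000
```

Clients at the home site point at the router as their only DNS server; the router, not the client, decides which queries cross the tunnel.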

sporkme to B04
drop the crantini and move it, sister
MVM
join:2000-07-01
Morristown, NJ

said by B04:

Who cares about dual WAN -- pfSense did away with the most irritating feature of its source, leetspeak spelling. I never was willing to look up, memorize, and/or type "m0n0wall" , any more than I will type whatever the right URL for "delicious" is.
I wouldn't judge it by its name, plus they are Swiss, so give 'em a break. "mono.ch" was probably already taken.

m0n0 is good, but they were slow to move to a newer FBSD release and they still focus more on embedded installs vs. full PC installs. For some folks, m0n0 is a better choice (ask the WISPs).

B04
Premium Member
join:2000-10-28

Yeah, I was mostly kidding (thus the "seriously" transition). For one thing, I care very much about dual (or more) WAN.

-- B

vito8 to JoelC707
Member
join:2001-11-28
Gilbertsville, PA

another vote for pfsense....