Firewall: General Discussion

  • 31-01-2011 11:10am
    #1
    Registered Users, Registered Users 2 Posts: 16,288 ✭✭✭✭


    I suppose this could probably go into the security fora but I thought it might get a bit more exposure here.

    I was looking to get folks' opinions/thoughts on firewalls and just have a bit of a discussion on current offerings etc.

    It seems more and more firewall companies are trying to flog all-in-one wonder boxes: application filtering, content filtering, anti-virus, anti-spam etc. It's almost like the firewall is tacked on as an afterthought. I requested a trial from one of these from a company who will remain nameless for now and was amazed with the amount of "crap" that was in the base OS, so much I wouldn't trust it as a desktop never mind an external facing firewall.

    It was based on RH, there was a very old version of sendmail, BIND, xorg libs etc. It was like someone tacked on a Java front end on to a base RH install. This is a fairly big player in the security market and the firewall itself is far from cheap.

    Where possible I generally use a minimal OpenBSD with PF/CARP implementation where the boxes pretty much do nothing but filter.

    What are your thoughts on these multi-purpose firewalls? Would you use them? Where and why? Would you risk putting one on the external facing segment of your network?


Comments

  • Registered Users, Registered Users 2 Posts: 3,088 ✭✭✭Static M.e.


    I'm no firewall expert but I tend to do it old school with one box per job.

    So I use multiple firewalls for general blocking, then I use separate boxes for application filtering, content filtering, anti-virus, anti-spam etc. Most of which have firewalls built into them.

    I don't see a problem with tacking a firewall on to everything, it's a good thing for me. However, I don't like it the other way around though with stuff being tacked on to my firewall. Anything you don't need 100% shouldn't be allowed/open, including services.


    I can see the multi-function boxes being used by any small company who wants/needs the lot but doesn't have the Cash\Skills\Tech Person to implement and manage it.

    It wouldn't be interesting to hear from someone who does security for a living or has a serious interest in it, what they thought.


  • Registered Users, Registered Users 2 Posts: 10,271 ✭✭✭✭Standard Toaster


    I use the Astaro Security Gateway Virtual Appliance and find it works quite well. This is at home.
    I hear what you're saying mind, generally tend to avoid those all-in-one boxes.
    What was the name of the one you were trying there?

    Use Cisco ASAs here. Doubt anything else would be considered.


  • Closed Accounts Posts: 3,362 ✭✭✭rolion


    I'm using Sonicwall with Comprehensive Security Suite for small business as a cost effective solution. Cisco PIX or ASA is way too much €€€€ for this market...

    What I found is that the requirements have been increasing coming from inside the network and not from outside...
    I reckon that from outside a basic NAT with IPS/IDS does the job.
    Most senior staff asked me to block certain sites, or applications or traffic in a combination with time of day/week.
    So the application level filtering of the router/firewall is becoming critical, no more open/close ports doing the job these days...


  • Registered Users, Registered Users 2 Posts: 1,726 ✭✭✭gerryk




  • Registered Users, Registered Users 2 Posts: 11,205 ✭✭✭✭hmmm


    It depends on the size of the company and what they can afford. Most firewall problems I've seen have been because of misconfiguration, not the box itself. It's all very well you being able to run your own excellent firewall, but most small companies don't have that ability so they choose to buy an all-in box that will "just work". A larger corporate will typically have multiple dedicated boxes, but that again is changing - e.g. Cisco have multiple modules for their ASA firewalls which cost a pretty penny.

    A crap firewall is a crap firewall, whether it hosts multiple services or not isn't really the problem. The alternative might be a really strong firewall and crap boxes behind it which is the same problem.

    If I was buying for a small company with minimal technical resources I'd buy an all-in box with foolproof configuration.


  • Registered Users, Registered Users 2 Posts: 1,629 ✭✭✭NullZer0


    Another vote for pfSense.
    Of course if you had some Cisco routers already you can do a fairly reasonable Zone based firewall and CBAC - you can get pretty granular with it.


    If you want a commercial solution, I would look at an ASA or something from Juniper (budget permitting).

    Edit: I too am no firewall expert!

