firewall recommendation

Synkro

hi,

could someone please explain the difference between the cheapish €100-200 netgear/dlink firewall routers and the more expensive, say sonicwall range ~€600.

Im looking for a reliable firewall to protect a small office (4pcs&dsl) from all the nasty things out there. Web and email traffic is the only necessity.

thanks!

liamo

Features and support, I would imagine. I believe the SonicWall support is excellent.

If you're price sensitive you might want to take a look at Smoothwall or IPCop or one of the other Firewall Linux distros. An old PC that's good for nothing else could be turned into the office firewall. I've been using Smoothwall and, more recently, IPCop for years and I have the greatest of respect for them.

Regards,

Liam

Kali

Any of the Netgear DGxxx set of adsl routers will do the job for a small office such as yours, where the main aim is to set-it up and leave it alone... I'd reccomend them in any office less than 10-15 people, its above that or in high-bandwidth usage scenarios where better performing firewalls come into their own, as well as supporting dedicated VPN and isolating DMZ from LAN traffic, proper stateful packet detection to avoid spoofing etc. etc.

Gosh

Synkro wrote:

Im looking for a reliable firewall to protect a small office (4pcs&dsl) from all the nasty things out there. Web and email traffic is the only necessity.

With the NetGear routers you will still need a software based firewall AND anti-virus on each PC - the NetGear routers only provide DoS attacks from hackers ... emails with viruses will not be stopped by these routers ...

gibo_ie

if there are only 4 pcs i would go with Zonealarms, its a free software and really good, you can also get AVG antivirus software for free!

Worth a go if you are money concious

liamo

Gosh wrote:

With the NetGear routers you will still need a software based firewall AND anti-virus on each PC - the NetGear routers only provide DoS attacks from hackers ... emails with viruses will not be stopped by these routers ...

Yes, Anti-Virus will be required.

No, additional firewalls won't be needed.

The router is a firewall and prevents inbound connections unless specifically instructed to allow inbound connections on specific ports.

It doesn't protect against DoS attacks which are something else entirely.

gibo_ie wrote:

if there are only 4 pcs i would go with Zonealarms, its a free software and really good, you can also get AVG antivirus software for free!

ZoneAlarm and AVG are free for personal use. For business use, you need to purchase the licenced versions.

Gosh

liamo wrote:

It doesn't protect against DoS attacks which are something else entirely.

From NetGear's own documentation available at
http://www.netgear.co.uk/pdfs/dg834gt.pdf

True Firewall using Stateful Packet Inspection (SPI) and Intrusion Control features Denial of Service protection from hacker attacks

liamo wrote:

No, additional firewalls won't be needed

It wouldn't harm to have additional protection

liamo wrote:

ZoneAlarm and AVG are free for personal use. For business use, you need to purchase the licenced versions.

You can buy a 5-user license for ZoneAlarm + Anti-Virus for less than €90

Gosh

Back to the original request from Synkro

Go for the NetGear router - this will give you a hardware based firewall

Read the following article and decide if you want to supplement with a software firewall

http://www.smallbusinesscomputing.com/webmaster/article.php/3103431

Firewall + Anti-Virus - go for ZoneAlarm 5-user licence $99.90 - about €77

liamo

From NetGear's own documentation available at
http://www.netgear.co.uk/pdfs/dg834gt.pdf

Thank you for correcting me.
I'll take your (and your quote's) word that it does provide some protection against certain DoS attacks.

It wouldn't harm to have additional protection

That's true. It does, however, add to costs and maintenance to have 2 systems in place when one would do.

You can buy a 5-user license for ZoneAlarm + Anti-Virus for less than €90

I agree that it's hard to go too far wrong with that price.


At the end of the day, as long as the product works, it's a matter of preference. My preference is for IPCop, but that's just me, why spend a few Euro on a nice, neat, quiet unit when you can have a noisy, costly, power guzzling P100 (complete with dodgy fan bearings that would wake the dead sometimes) in the corner protecting your network. .

Regards,

Liam

Paul.K

Hi Synkro,

Sorry for hijacking the tread but im selling a sonicwall on the for sale section of boards. Its a hardware firewall which supports up to 5 nodes. If your interested have a peep...

Paul.k

Gavin

Slightly off topic, but to address the DoS issue. No firewall on the end of a personal internet connection, for want of a better term, is going to provide any defence against a DoS attack. Simple fact is that if the attacker has a larger pipe than you, then unless the traffic is stopped further upstream from you, your connection will be swamped.

I'm guessing that their documentation is actually claiming to defend against PCs being used in a DoS attack as zombies.

Gav

RicardoSmith

I'm using a Wireless Netgear router and AVG/ZoneAlarm/Adware/Spybot/SpywareBlaster, with no problems so far.

Though if I was managing a small network, I'd probably have a server in place to manage everything and go for an AV that allowed me to manage it and distribute it from the server. Same with email, web acccess, firewall, etc.

Otherwise you have to do everything on every client. depends on the costs involved and how techies the person doing admin was though.

Synkro

Thanks, that information was really helpfull. I read that article ( http://www.smallbusinesscomputing.com/webmaster/article.php/3103431 ) and can see how perhaps even the best hardware firewall in the world might not stop a rogue email prog connecting to a legitimate smtp server outside the LAN. I think ill need to look for a firewall which has STI on both incoming AND outgoing packets.

This might be a silly question, but if i block ALL ports except port 80 and 25. Will this allow ONLY web/email traffic or, can trojans etc use these ports aswell, if so, is there a way to further examine the packets and maybe identify a trojan signature?

My understanding so far is that, a hardware firewall/router will block almost all hacker attempts from OUTSIDE the LAN, but to protect against Trojans on a pc, it is necessary to locally install a software firewall which defines whch aplications can use which ports rather than which pcs. (also is it true that most antivirus packages wont find the trojans?)

or... Could this be a possible alternative, and how reliable would it be over 1024/512 dsl lines....

To have all the pcs, some remote, some on site. Establish a vpn into one centrally located server. On this server would be a web proxy, email server and some sort of antivirus definitions server. Then, would i be right in thinking that only the server will need firewalling (software & hardware)? I say this because some of the pcs i currently have are old and installing a software firewalls package will be awkward.

In that case, could anyone recommend a fairly priced vpn/router/firewall that would make this sort of hardware vpn connection?


Thanks!

Adrian

Jaden

IpCop

is what you need. Get an old PC and install it. You will be suprised at how easy it is. IpCop is a Firewall/Router/VPN/Proxy/DHCP server. Remote controlled and fully configurable. A 12 year old could use it.

gline

Jaden wrote:

IpCop

is what you need. Get an old PC and install it. You will be suprised at how easy it is. IpCop is a Firewall/Router/VPN/Proxy/DHCP server. Remote controlled and fully configurable. A 12 year old could use it.

LOL, yeh i would recommend using an old pc as a firewall etc, i know i only do it as a homeuser but its great and you can just leave it in a cupboard working away, like i do, lol. I dont know how hard or easy it would be to set up in an office setup though

liamo

I dont know how hard or easy it would be to set up in an office setup though

No difference - a network is a network. We use it in our office and never have a problem.