Firewall opinions wanted please
Hi, I am looking for a good but reasonably priced firewall for a 40 or so server site. Some people swear by Pix, others swear at it a lot. Also I have heard good things about Netscreen. Or any others you would recommend for protecting servers on a busy network. Don't really need anything with VPN, just the standard http, ftp, ssh, https type traffic up to 100mb throughput. From what I have heard a proxy firewall would be best? Thanks in advance!!

Nicole

--
nmh@daemontech.com - Powered by FreeBSD
"Daemons" will now be known as "spiritual guides" -Politically Correct UNIX Page
As much as I hate to follow up my own post, I suppose I was a bit too vague for my own good =]

We do not run any Cisco gear and we are in a Class A data facility.

By proxy I did not mean to imply NAT. I cannot remember the proper term, but what I mean is full packet handling as opposed to packet inspection.

Security is important but the budget limit is only up to about 3K. I have been trying to get the client a firewall for some time and am just now getting the go-ahead.

Sorry for any vagueness, but I usually like to not say too much, so as not to sway opinions one way or another and to learn more, as any knowledge I have may be wrong or out of date.

Nicole

On 16-Mar-04 Unnamed Administration sources reported Nicole said :
Another important question is who is going to be managing the firewall once it gets purchased and installed? Buying a PIX is great, but not if you don't have anyone that knows how to use it. This applies to any vendor's solution, be it Checkpoint, IPTables, PIX, Netscreen, etc. Also, by proxy do you mean stateful packet inspection?

-Brent

At 03:07 PM 3/16/2004, Nicole wrote:
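The thread keeps circling three terms: "proxy", "stateful packet inspection" and Nicole's "full packet handling". The script below is an added illustration written for this page, not code from any poster or vendor. It runs one constructed packet trace through three toy filter models: a stateless port ACL that trusts the ACK flag (the old "established" rule), a stateful filter that remembers admitted flows, and an application-layer (proxy) filter that additionally checks that the bytes sent to port 80 parse as HTTP. Server and client addresses, ports, policy and packets are all constructed assumptions.

```python
"""Three firewall models applied to the same constructed packet trace.

Added example for this thread (not from any poster): stateless port
filter vs. stateful packet inspection vs. application-layer proxy.
Every address, port and packet here is constructed for illustration.
"""
from dataclasses import dataclass, field

SERVER = "10.0.0.5"                 # constructed server address
CLIENT = "198.51.100.7"             # constructed client address
PUBLIC_PORTS = {21, 22, 80, 443}    # ftp, ssh, http, https: the services in the question


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    payload: bytes = b""


def stateless_filter(pkt: Packet) -> bool:
    """Classic ACL: new connections to public ports, plus anything with ACK set.
    It has no memory of earlier packets, so it must trust the flag alone."""
    if pkt.dst == SERVER and pkt.dport in PUBLIC_PORTS:
        return True
    return pkt.ack


@dataclass
class StatefulFilter:
    """Stateful packet inspection: admits a flow on its SYN and remembers it,
    so replies and later segments pass only for flows it has actually seen."""
    table: set = field(default_factory=set)

    def allow(self, pkt: Packet) -> bool:
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if flow in self.table or reverse in self.table:
            return True
        if pkt.syn and not pkt.ack and pkt.dst == SERVER and pkt.dport in PUBLIC_PORTS:
            self.table.add(flow)
            return True
        return False


class ProxyFilter(StatefulFilter):
    """Application proxy on top of connection state: it only relays data it can
    parse as the protocol expected on that port (HTTP on port 80 here)."""
    METHODS = {b"GET", b"HEAD", b"POST"}

    def allow(self, pkt: Packet) -> bool:
        if not super().allow(pkt):
            return False
        if pkt.dst == SERVER and pkt.dport == 80 and pkt.payload:
            return self._looks_like_http(pkt.payload)
        return True

    @staticmethod
    def _looks_like_http(payload: bytes) -> bool:
        request_line = payload.split(b"\r\n", 1)[0]
        parts = request_line.split(b" ")
        return (len(parts) == 3 and parts[0] in ProxyFilter.METHODS
                and parts[2].startswith(b"HTTP/1."))


# Constructed trace: two HTTP handshakes (one carrying real HTTP, one carrying
# non-HTTP bytes on port 80) and one unsolicited ACK-flagged packet to a high port.
TRACE = [
    Packet(CLIENT, 40000, SERVER, 80, syn=True),
    Packet(SERVER, 80, CLIENT, 40000, syn=True, ack=True),
    Packet(CLIENT, 40000, SERVER, 80, ack=True, payload=b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
    Packet(CLIENT, 40001, SERVER, 80, syn=True),
    Packet(SERVER, 80, CLIENT, 40001, syn=True, ack=True),
    Packet(CLIENT, 40001, SERVER, 80, ack=True, payload=b"\x16\x03\x01\x00\x05hello"),
    Packet(CLIENT, 40002, SERVER, 31337, ack=True),
]


def evaluate(model: str) -> list:
    """Return the pass/drop decision for each packet in TRACE under one model."""
    if model == "stateless":
        decide = stateless_filter
    elif model == "stateful":
        decide = StatefulFilter().allow
    elif model == "proxy":
        decide = ProxyFilter().allow
    else:
        raise ValueError(f"unknown model: {model}")
    return [decide(p) for p in TRACE]


if __name__ == "__main__":
    for model in ("stateless", "stateful", "proxy"):
        verdicts = ["pass" if d else "DROP" for d in evaluate(model)]
        print(f"{model:10} {verdicts}")
```

The stateless model passes every packet, including the unsolicited one to port 31337, because its only evidence is the ACK bit; the stateful model drops that packet because no handshake created a table entry; the proxy model also drops the non-HTTP bytes on port 80, which is the extra protocol validation the "proxy" label in this thread refers to.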
Sonicwall makes a great product that can run in STANDARD (Proxy) mode. Their prices are pretty good as well, especially if you buy them through a reseller. We deploy many of these firewalls every year and they are great!

Thanks,
Brandon

On Tue, 16 Mar 2004 15:07:26 -0800 (PST) Nicole <nmh@daemontech.com> wrote:
You mean _PROTOCOL HANDLING_, I believe. I do not know why people are paying so much attention to it. Important questions are:
- which services are you providing for the public?
- who will handle all your SSL sessions, if any (maybe Load Balancers? Then you do not bother about FW proxy for them);
- who will handle all http requests (yes, proxy can help here, but it is not the only way);
- who will inspect mail content (not SMTP protocol, but attachments etc)?
- who will handle your ssh sessions, if you have inbound ssh?
- who will handle your inbound VPN or PPTP, if you use it?
- are DDOS attacks dangerous for you (you host SCO, for example) or not (you provide a specific service for 100 companies, not for the wide public);
- do you use host level IDS / change control?

PIX is an excellent firewall... for many purposes, but not for others (and not as a proxy, of course). It is impossible to select anything without knowing the answers to these questions...

AlexeiRoudnev
On Tue, 16 Mar 2004 17:18:38 -0700 "Brandon Shiers" <brandons@wyoming.com> wrote:
Sonicwall makes a great product that can run in STANDARD (Proxy) mode.
As with any product, it's only as good as the support channel behind it *in your locality* ... we have just removed Sonicwall from the list of approved suppliers here because of a series of failures that left two parts of our network unprotected for several weeks (and, if any other Firewall vendors with _good_ European support are reading this thread, you're welcome to contact us by mail if you feel you can do better than Sonicwall's local representatives did ;-) ) -- Richard Cox
On Tue, 16 Mar 2004 14:27:16 PST, Nicole <nmh@daemontech.com> said:
From what I have heard a proxy firewall would be best?
I'll go out on a limb here and say that the actual make and model of the firewall don't matter anywhere *near* as much as a proper understanding on the client's part of what a firewall can and can't do. It can let you know when somebody's poking at your site. But it can't do it on its own, somebody *will* have to read the logs (even if you use a good log-filtering package to trim out all the true noise). It can't automagically secure your site. All it takes is *one* laptop or VPN connection to the "inside" from a compromised machine and you're history. The most successful firewall installs I've encountered have invariably considered the firewall not as a "prevention device" but as an "IDS with a bad attitude". A firewall is *never* an acceptable substitute for proper end-host security procedures - the end host *must* be fully prepared to deal with a total breach of the firewall (remember - a firewall will never stop a disgruntled employee).
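As a concrete version of "somebody will have to read the logs" and "a good log-filtering package to trim out all the true noise", here is an added Python triage script, not from the thread or any vendor. It parses constructed deny lines in an iptables-style syslog format, drops routine broadcast noise (NetBIOS and SSDP chatter) so a human is not reading it, and reports per-source counts plus any source that was denied on many distinct ports. The log lines, addresses, the noise list and the threshold are all constructed assumptions.

```python
"""Firewall deny-log triage: trim noise, summarise the rest per source.

Added example for this thread (not from any poster). The log format,
sample lines, addresses and noise definitions are constructed.
"""
import re
from collections import defaultdict

# Matches the fields of an iptables-style deny line; SPT/DPT are absent for ICMP.
LOG_RE = re.compile(
    r"DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)

# Routine LAN chatter (NetBIOS name/datagram service, SSDP) that a deny rule
# will log all day; constructed noise list for the example.
NOISE = {("UDP", 137), ("UDP", 138), ("UDP", 1900)}

# Constructed sample log: one source probing several ports, one retrying ssh,
# some broadcast noise, and one ICMP deny.
SAMPLE_LOG = """\
Mar 16 23:07:01 fw kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=22
Mar 16 23:07:02 fw kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=23
Mar 16 23:07:02 fw kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=3306
Mar 16 23:07:03 fw kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=8080
Mar 16 23:07:03 fw kernel: DENY IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=5900
Mar 16 23:07:05 fw kernel: DENY IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=33000 DPT=22
Mar 16 23:07:06 fw kernel: DENY IN=eth0 SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=33001 DPT=22
Mar 16 23:07:10 fw kernel: DENY IN=eth0 SRC=10.0.0.99 DST=10.0.0.255 PROTO=UDP SPT=137 DPT=137
Mar 16 23:07:11 fw kernel: DENY IN=eth0 SRC=10.0.0.99 DST=10.0.0.255 PROTO=UDP SPT=138 DPT=138
Mar 16 23:07:12 fw kernel: DENY IN=eth0 SRC=10.0.0.12 DST=239.255.255.250 PROTO=UDP SPT=1900 DPT=1900
Mar 16 23:07:20 fw kernel: DENY IN=eth0 SRC=198.51.100.3 DST=10.0.0.5 PROTO=ICMP
"""


def parse_line(line: str):
    """Extract src, dst, proto and destination port (None for ICMP) from a deny line."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dpt": int(m["dpt"]) if m["dpt"] else None,
    }


def is_noise(rec: dict) -> bool:
    """True for denies that match the routine-chatter list."""
    return (rec["proto"], rec["dpt"]) in NOISE


def triage(log_text: str, scan_threshold: int = 4) -> dict:
    """Drop noise, then count denies and distinct ports per source.

    Sources denied on at least scan_threshold distinct ports are listed under
    'scan_like' so the reader looks at them first."""
    noise = 0
    sources = defaultdict(lambda: {"hits": 0, "ports": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_noise(rec):
            noise += 1
            continue
        entry = sources[rec["src"]]
        entry["hits"] += 1
        if rec["dpt"] is not None:
            entry["ports"].add(rec["dpt"])
    report = {src: {"hits": e["hits"], "ports": sorted(e["ports"])}
              for src, e in sources.items()}
    scan_like = sorted(s for s, e in report.items() if len(e["ports"]) >= scan_threshold)
    return {"noise_dropped": noise, "sources": report, "scan_like": scan_like}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"noise lines dropped: {result['noise_dropped']}")
    for src, e in sorted(result["sources"].items(), key=lambda kv: -kv[1]["hits"]):
        print(f"{src:16} {e['hits']:3} denies  ports={e['ports']}")
    print("scan-like sources:", result["scan_like"])
```

On the sample, three broadcast lines are dropped before anyone reads them, the two repeated ssh denies from one source stay visible but are not flagged, and the source that touched five distinct ports is the one line of output worth a human's attention first.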
In message <200403170238.i2H2caAA006011@turing-police.cc.vt.edu>, Valdis.Kletnieks@vt.edu writes:
On Tue, 16 Mar 2004 14:27:16 PST, Nicole <nmh@daemontech.com> said:
From what I have heard a proxy firewall would be best?
I'll go out on a limb here and say that the actual make and model of the firewall don't matter anywhere *near* as much as a proper understanding on the client's part of what a firewall can and can't do.
You're not going out on a limb; you're absolutely right, and I've been saying that for years. I'll quote myself: Although firewalls are a useful part of a network security program, they are not a panacea. When managed properly, they are useful, but they will not do everything. If firewalls are used improperly, the only thing they buy you is a false sense of security. Beyond that, different security policies have a much greater impact than different brands or types of firewalls. --Steve Bellovin, http://www.research.att.com/~smb
Netscreen rocks. They are record-breakingly sexy devices running the gamut as far as networks they can be configured to service, and the burlier beasties are easily worthy of deployment on a carrier class network. However, if you're looking to drop small change on a product that will not be required to withstand the rigors of VPN termination, HA, VRRP, blah blah blah, and you are trying to cover basic, fundamental firewalling (port filtering is a very base feature and should open the doors to many other vendors if that's truly the brunt of what you are trying to achieve), then take a gander at PIX. Or even Raptor or Checkpoint. All 3 are old standbys that have seen their days being equally celebrated as leaders and mourned as losers.

good luck,
--ra

--
k. rachael treu, CISSP rara@navigo.com
..quis custodiet ipsos custodes?..

On Tue, Mar 16, 2004 at 02:27:16PM -0800, Nicole said something to the effect of:
participants (8): Alexei Roudnev, Brandon Shiers, Brent Van Dussen, Nicole, Rachael Treu, Richard Cox, Steven M. Bellovin, Valdis.Kletnieks@vt.edu