Orbit

[pacnog] Help:Firewalls Selection

by Alex Abraham

8 Mar 2006 10:46 p.m.

Hi Pacnog,

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

The firewalls I am looking at are:

* Fortinet 300A * Sonicwall 4060 * Sonicwall Pro 4100

Already looked at Cisco Pix, Watchguard X1000 Pro and Checkpoint NGX.

Looking forward to your comments.

Alex Abraham

Network Operations Manager

SamoaTel Limited

Maluafou HQ

Private Bag

Apia

Samoa

Tel: +685 67853

Fax: +685 24000

Email: alex.abraham@samoatel.ws

website: www.samoatel.ws

7 9

Replies

Jon Leeman

8 Mar 11:34 p.m.

Alex,

I've been using Checkpoint (current version is 4.1 SP3) for over 5 years now without any issues. In fact it runs on a dedicated server with a 2 Gb SCSI HDD, 200 Mhz pentium and 96 Mb of RAM and NT 4.0 SP6a. It is also running on an IBM Netfinnity server nextdoor - which I also maintain - on a 256 Kbps link.

The only downside is it's expensive.

Contact me off the list if you wish.

Rgds.,

Jon

Alex Abraham wrote:

...

Hi Pacnog,

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

The firewalls I am looking at are:

Fortinet 300A

Sonicwall 4060

Sonicwall Pro 4100

Already looked at Cisco Pix, Watchguard X1000 Pro and Checkpoint NGX.

Looking forward to your comments.

Alex Abraham

Network Operations Manager

SamoaTel Limited

Maluafou HQ

Private Bag

Apia

Samoa

Tel: +685 67853

Fax: +685 24000

Email: alex.abraham@samoatel.ws

website: www.samoatel.ws

pacnog mailing list pacnog@pacnog.org http://mailman.apnic.net/mailman/listinfo/pacnog

Brenda D. Tarimel

9 Mar 12:45 a.m.

Alex,

We've been using SonicWall since 1999 and based on our experience, is a very reliable appliance. This is what I got currrently.

Brenda

Sonic Wall PRO

Firewall Serial Number: 4010 Model: PRO (CPU: StrongARM / 233 Mhz) Firmware version: 6.5.0.4 ROM version: 5.0.1.0 RAM: 8 M Flash: 4 M Ethernet Speeds: WAN 10 Mbps Half Duplex, DMZ, LAN 100 Mbps Full Duplex Number of IP addresses allowed with this license: Unlimited Current connections: 331

At 07:46 AM 3/9/2006, Alex Abraham wrote:

...

Hi Pacnog,

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

The firewalls I am looking at are:

Fortinet 300A

Sonicwall 4060

Sonicwall Pro 4100

Already looked at Cisco Pix, Watchguard X1000 Pro and Checkpoint NGX.

Looking forward to your comments.

Alex Abraham Network Operations Manager SamoaTel Limited Maluafou HQ Private Bag Apia Samoa

Tel: +685 67853 Fax: +685 24000 Email: alex.abraham@samoatel.ws website: www.samoatel.ws

pacnog mailing list pacnog@pacnog.org http://mailman.apnic.net/mailman/listinfo/pacnog

Joe Abley

9 Mar 12:49 a.m.

On 8-Mar-2006, at 17:46, Alex Abraham wrote:

...

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

Personally, I like pf.

It's free software, and has a very rich feature set that exceeds what most commercial firewall appliances can offer (statefull failover between redundant firewalls, passive operating system fingerprinting, bandwidth control, traffic redirection, packet normalisation, etc). There are also good web-based admin tools available for it.

Like most free software, what you save on software costs you will likely spend in operational expense keeping the server upgraded, etc. However, if you already have systems people in staff, perhaps this expense isn't that great.

Another advantage to running something like pf on a dedicated, but general-purpose server rather than an appliance is that you retain the ability to install other related software (e.g. ntop, snort) on the same machines.

http://www.openbsd.org/faq/pf/

Most at home on OpenBSD, but is also included in recent distributions of FreeBSD, NetBSD, DragonflyBSD (and maybe others).

This seems to be a web interface for pf/OpenBSD (although I haven't tried it, and hence don't vouch for it):

http://www.mcortex.com/

Joe

Alex Abraham

9 Mar 1:31 a.m.

Hi All,

This is now getting quite interesting of what people are using. Maybe I should have explained a couple of features/Things that I like to do:

1. Multiple Physical Interfaces + ability to sub interface them or use VLAN 2. VPN - IPSec, etc 3. Intrusion Detection and Prevention 4. Virus Wall

With the firewalls, discussion, do they do the above? Very interesting is Joe, FreedBSD option. Only things how easy is it to configure the above (if the software is available).

Thanks for the comments so far...

Alex

Steve Phillips

9 Mar 6:47 a.m.

Alex Abraham wrote:

...

Hi All,

This is now getting quite interesting of what people are using. Maybe I should have explained a couple of features/Things that I like to do:

Multiple Physical Interfaces + ability to sub interface them or use VLAN

FreeBSD does this, you may want to use a recent version however, it supports .1q vlan tagging

...

VPN - IPSec, etc

FreeBSD does support ipsec, you will probably require some configuration on the BSD side, in this google becomes your friend.

...

Intrusion Detection and Prevention

IDS can be done with snort and interfaces with weblogs or the like (there were a couple of packages that looked quite nice a few years back but I can't recall their names) but IDP may be more of a difficult one to implement.

...

Virus Wall

This would largely depend on the above and what you are wanting with respect to AV scanning, if it is a simple "proxy and scan" system then take a look at the following which seems to indicate that it depends on the way you set things up (proxy package, e-mail package etc)

http://www.bsdforums.org/forums/archive/index.php/t-32613.html

...

With the firewalls, discussion, do they do the above? Very interesting is Joe, FreedBSD option. Only things how easy is it to configure the above (if the software is available).

ipf is not that hard to setup but natively does not have any pretty GUI's which a lot of commercial firewalls will give you, however, there are some quite good addons (also free) that can give you some excellent GUI interfaces to ipf. A quick search brings up fwbuilder which supports Linux, Free and OpenBSD and MacOS X

http://www.fwbuilder.org

The trick will be putting it all together and making it work, this probably only requires time and patience :-)

-- Steve.

Joe Abley

9 Mar 3:32 p.m.

On 9-Mar-2006, at 01:47, Steve Phillips wrote:

...

ipf is not that hard to setup but

Note that "ipf" is a different firewall system, for which (in OpenBSD) pf is a replacement. I think it's generally accepted that pf is more feature-rich than ipf today, but ipf is certainly another option if you want to do a full comparison.

(You might also investigate iptables on Linux, and ipfw on FreeBSD).

Joe

Joe Abley

9 Mar 3:30 p.m.

On 8-Mar-2006, at 20:31, Alex Abraham wrote:

...

This is now getting quite interesting of what people are using. Maybe I should have explained a couple of features/Things that I like to do:

Multiple Physical Interfaces + ability to sub interface them or

use VLAN 2. VPN - IPSec, etc 3. Intrusion Detection and Prevention 4. Virus Wall

With the firewalls, discussion, do they do the above? Very interesting is Joe, FreedBSD option. Only things how easy is it to configure the above (if the software is available).

OpenBSD (with a couple of add-on packages, like snort and clamav) can do what you want. IPSec support is strong and has been built-in for a long time.

The following might be a useful read:

http://www.amazon.com/gp/product/8391665119/sr=8-1/qid=1141917995/ ref=sr_1_1/002-3266974-1782460?%5Fencoding=UTF8

(If that URL doesn't survive this message's trip through the list server, search for "Building Firewalls with OpenBSD and PF, Second Edition").

OpenBSD has developed a reputation for use as a firewall platform, and there are several vendors who are shipping pre-built appliances based on it. If you google for "OpenBSD firewall appliance" you will probably find some links, in case it seems useful to buy a pre-built system rather than rolling your own.

Joe

Amante Alvaran

9 Mar 1:27 a.m.

Hi Alex,

I have used Cisco Pix, Netscreen and Checkpoint (Firewall 1) before and I think Netscreen is great! (expensive though). In my case the main consideration are in the areas of capability (features), stability and manageability not so much of the price. Also to avoid the to much time in comparing each firewall features it's also good to consider which systems and services you are thinking of protecting and how you want to do it. Then you can easily decide to go ahead with software application or the hardware based firewall.

Regards, Mants

Alex Abraham wrote:

...

Hi Pacnog,

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

The firewalls I am looking at are:
* Fortinet 300A
* Sonicwall 4060
* Sonicwall Pro 4100
Already looked at Cisco Pix, Watchguard X1000 Pro and Checkpoint NGX.

Looking forward to your comments.

**Alex Abraham**

Network Operations Manager

SamoaTel Limited

Maluafou HQ

Private Bag

Apia

Samoa

Tel: +685 67853

Fax: +685 24000

Email: alex.abraham@samoatel.ws

website: www.samoatel.ws

pacnog mailing list pacnog@pacnog.org http://mailman.apnic.net/mailman/listinfo/pacnog

Isaac Philip Purakali

9 Mar 1:46 a.m.

I have been using Borderware firewall system for my organisation for the last 9 years now. Apart from its NAT functions, Borderware has a lot of other modules like vpn, anti spam and antivirus (mxtreme), web content filter, voip features, as well as point and click proxy features that you can set to compliment your security policies. I started with version 4 and now its up to version 7.1. Patches and upgrades are easily downloadable from their site as and when they become available. I don't know what the cost price is now but for the main firewall, the annual maintenance fee is around US$2500.00. It runs on a dedicated server, the server can be an ordinary Pentium 4 PC with 1Gig RAM and 80G HD. Admin functions can be done at the console or through a GUI borderware client.

You can visit their website in the US at www.borderware.com or the reseller in Australia at www.opensystems.com.au and request for a trial version.

Isaac Purakali Manager Network Systems Information Technology Department Telikom PNG Limited

----- Original Message ----- From: Alex Abraham To: pacnog@pacnog.org Sent: Thursday, March 09, 2006 8:46 AM Subject: [pacnog] Help:Firewalls Selection

Hi Pacnog,

I am seeking anyone expertises in selection of firewalls. Presently I am review three (two) firewall. I like to know what everyone else in the pacific and beyond is using.

The firewalls I am looking at are:

a.. Fortinet 300A b.. Sonicwall 4060 c.. Sonicwall Pro 4100

Already looked at Cisco Pix, Watchguard X1000 Pro and Checkpoint NGX.

Looking forward to your comments.

Alex Abraham

Network Operations Manager

SamoaTel Limited

Maluafou HQ

Private Bag

Apia

Samoa

Tel: +685 67853

Fax: +685 24000

Email: alex.abraham@samoatel.ws

website: www.samoatel.ws

------------------------------------------------------------------------------

_______________________________________________ pacnog mailing list pacnog@pacnog.org http://mailman.apnic.net/mailman/listinfo/pacnog

Download
Add to favorites Remove from favorites

Activity Summary

6227 days inactive
6227 days old
pacnog@pacnog.org
7 participants
9 comments

Orbit

[pacnog] Help:Firewalls Selection

Activity Summary

Participants (7)