Re: Firewall Hardware and a bit of a Rant
- From: Leythos <void@xxxxxxxxxxx>
- Date: Tue, 17 Jul 2007 18:37:13 -0400
In article <5567507F-78D6-40DC-8AEA-50D4C90AFDF9@xxxxxxxxxxxxx>,
Colin@xxxxxxxxxxxxxxxxxxxxxxxxx says...
> Hi all,
> I need advice on which hardware firewall to purchase for a client with 20
> users. I'm fairly new to SBS and have installed 3 servers. So far, no major
> problems. I have installed Premium to use ISA but my line of thinking is now
> moving to single NIC with hardware FW appliance and not relying just on a
> password to secure a network. I've read (and appreciated) Leythos's advice on
> Watchguard Firewalls but looking at the users' forums fills me with dread -
> Watchguard seem to think they are Cisco and don't have to provide support to
> smaller IT guys because they are so powerful etc..
That's not true, you get 90 days support with every new firewall you
purchase, and then, like all the others, you purchase support for 1 year
increments as needed.
> I need an appliance that
> can provide Firewall, Content Filtering and be a VPN server/End Point and be
> configurable by a mere mortal like me without having to enrol in a £1000 per
> day class. I've looked at the major vendors' offerings and so far I'm stumped
> which way to go.
As a consultant you need to learn this stuff, and no firewall vendor
with a product worth owning provides the detailed training for free.
> Cisco in this case is out of the question because of the
> cost. Likewise with Watchguard (my reseller can sell me a X550e for £1100 but
> need another £1000 to train me (in 6 hours) how to configure it). Sonicwall
> seem approachable but I've no experience with them. Anyone used Juniper ? If
> so what do you think ? Easily configurable ? What about D Link (business
> line) ? Or Checkpoint Safe@Office line ? If my client didn't need web
> filtering, I'd bang a PIX in and use the Cisco VPN Client for remote access
> with local database XAuth to provide double authentication.
> Unfortunately, they do so can anyone recommend an appliance that will cover
> my needs and be (fairly) straightforward to configure ? Many thanks.
With the X550e you can install it on your own and have it working in
about 20 minutes, but, to properly filter and protect your network not
only do you need to know how to set the firewall rules (on any
appliance, not just a WG unit), but you need to understand security
concepts also.
Many people will allow an ANY outbound rule, it makes life simple, allow
all users to get out using any port/service, and means that they (IT
staff) don't have to deal with users complaining about blocked access. I
never allow any ANY rules, never, nada, nope. All services are limited
to those that actually need them, so, as an example, SMTP outbound is
limited to the IP of the server, since there is no reason for people to
be sending email (SMTP) from their desks....
The rules are simple, but understanding what is good and what impact
each has on the network is the brain part and where most people mess up. I
would guess that for 2 hours consulting time you could have your local
reseller set it up for you and then 1 hour to explain how to monitor it.
You can also email me if you need limited help, I do that for free
sometimes, but let's not get to the point where I build your entire x550e
config for free :)
You are going to find the same issues with any quality firewall solution
- and like many network things, sometimes you have to just pay someone
to do it for you.
--
Leythos
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@xxxxxxxxxx (remove 999 for proper email address)
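
The egress policy described in the reply above (no ANY outbound rule, SMTP outbound limited to the mail server's IP) can be checked mechanically against an exported rule list. This is an added example, not part of the original post and not WatchGuard tooling; the rule format, rule names and 192.168.16.x addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One outbound firewall rule in a hypothetical, vendor-neutral form."""
    name: str
    src: str       # CIDR, single IP, or "any"
    service: str   # "tcp/25", "tcp/443", ... or "any"
    action: str = "allow"


def _net(spec):
    # Treat the keyword "any" as the whole IPv4 address space.
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec)


def audit_outbound(rules, mail_server):
    """Return (rule name, finding) pairs for outbound allow rules that
    break the two policies: no ANY service, SMTP only from the server."""
    server = ipaddress.ip_network(mail_server)
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        if rule.service == "any":
            findings.append((rule.name, "ANY service allowed outbound"))
        elif rule.service == "tcp/25" and not _net(rule.src).subnet_of(server):
            findings.append((rule.name, "SMTP not limited to mail server"))
    return findings


MAIL_SERVER = "192.168.16.2"  # constructed address for the SBS box

# Constructed sample rule sets: the permissive default and a tightened one.
LOOSE = [
    Rule("Outgoing", "any", "any"),
    Rule("SMTP-desks", "192.168.16.0/24", "tcp/25"),
]
TIGHT = [
    Rule("SMTP-server-only", "192.168.16.2/32", "tcp/25"),
    Rule("HTTP-out", "192.168.16.0/24", "tcp/80"),
    Rule("HTTPS-out", "192.168.16.0/24", "tcp/443"),
]

if __name__ == "__main__":
    for label, ruleset in (("loose", LOOSE), ("tight", TIGHT)):
        print(label, audit_outbound(ruleset, MAIL_SERVER))
```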