Web Hosting Talk

Firewalls... Which is better?


Cybertoad
11-11-2002, 04:09 PM
I'm looking to get a good firewall in place. I'm running three Windows 2000 servers off a cable/T1 line. Obviously, I need the three servers' IPs to be public. Is there a firewall solution that is cost effective for my application? Should I be looking at hardware firewalls or software firewalls? Which is better?

Thanks!

jstout
11-11-2002, 05:46 PM
Originally posted by Cybertoad
I'm looking to get a good firewall in place. I'm running three Windows 2000 servers off a cable/T1 line. Obviously, I need the three servers' IPs to be public. Is there a firewall solution that is cost effective for my application?

Any *nix firewall would be cost effective, but I don't know if you're comfortable administering something like that.

Should I be looking at hardware firewalls or software firewalls? Which is better?

Thanks!
Depends. Essentially they're the same thing. A "hardware" firewall, as most people describe them, is _usually_ better, as it is designed for the system it's built atop. With that comes an expense. IMO, a "hardware" firewall is not justified in your case, as ANY firewall on the market will easily be able to handle a T1/cable line.

If you're not comfortable with *nix and you still want a cheap firewall, check out one of the web-based configuration firewalls like Smoothwall.

questing
11-11-2002, 07:10 PM
We have a SonicWall appliance, and it's been very easy to administer. Some of their models don't support public web servers, so be sure you get one with a DMZ.

Ann

RackMy.com
11-11-2002, 09:54 PM
You can get yourself a NetScreen 5 for a lot less than you can build a *nix box. They run about $350.00 and can handle more than a T1 (and are going to be more stable than a *nix box).

Hope that helps!

JonL
11-11-2002, 10:07 PM
You could get an old Pentium box with 64 MB of RAM, or possibly even less, install OpenBSD, and it would make a great firewall :)

RackMy.com
11-12-2002, 12:06 AM
You are still going to have better performance/reliability from a HW firewall :)

allan
11-12-2002, 12:34 AM
Originally posted by RackMy.com
You are still going to have better performance/reliability from a HW firewall :)

In addition, the NetScreen is easier to configure than a standard Unix firewall, especially for someone who is not a Unix administrator by trade. Plus, if you don't know Unix you may wind up running a firewall on an OS with multiple security holes.

bitserve
11-12-2002, 01:36 AM
The NetScreen should outperform a general purpose PC running the same processor speed as far as network traffic goes.

But the statement that a hardware firewall is faster than a software one is a very generalized statement. It all really depends on what you're comparing.

I prefer installing a free OS on some specialized hardware. I would rather spend time managing the box than line the pockets of a company with thousands of dollars to finance their overpriced per-user or per-VPN-tunnel fees. It's too Microsoft for me.

I'm sure that it's "right" for some, though.

clockwork
11-12-2002, 03:18 AM
You're talking about a very low bandwidth line here. You're also only talking about 3 servers. Why waste your money/time getting a standalone firewall? Just set up the Win2k boxes to only serve what is needed, or use the built-in filter.

Also.. you said cable/T1... a lot of routers/bridges that connect to cable have firewall features, such as the Cisco uBR series.. they pretty much use the same IOS as Cisco routers, so you can just create access lists.

It really, really doesn't sound like you need to go overboard, 'cause any type of bandwidth flood is most likely going to kill you anyway at only T1 speeds.
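As an added example that is not part of clockwork's post or anything else in this thread, this is what the "just create access lists" approach looks like on a Cisco IOS device. It assumes three public Windows 2000 servers at 203.0.113.10-.12 (RFC 5737 documentation addresses), a WAN interface named cable-modem0, and that only HTTP/HTTPS (plus SMTP on .12) is meant to be reachable from outside; all of those are assumptions, not details from the thread.

```cisco
! Added example, not from the thread. Assumed addresses (RFC 5737 documentation
! range) and services: HTTP/HTTPS on 203.0.113.10-.12, SMTP on .12 only.
! The interface name cable-modem0 is also an assumption; use the real WAN interface.
!
! The permissive starting point: everything from the Internet is let in.
! access-list 100 permit ip any any
!
! Allow-list instead: permit only the services that are meant to be public...
access-list 101 permit tcp any host 203.0.113.10 eq 80
access-list 101 permit tcp any host 203.0.113.10 eq 443
access-list 101 permit tcp any host 203.0.113.11 eq 80
access-list 101 permit tcp any host 203.0.113.11 eq 443
access-list 101 permit tcp any host 203.0.113.12 eq 80
access-list 101 permit tcp any host 203.0.113.12 eq 443
access-list 101 permit tcp any host 203.0.113.12 eq 25
! ...let replies to connections the servers themselves open (DNS lookups,
! Windows Update downloads) back in...
access-list 101 permit tcp any 203.0.113.0 0.0.0.255 established
access-list 101 permit udp any eq 53 203.0.113.0 0.0.0.255
! ...and drop everything else, logging it so probes against NetBIOS/SMB
! (TCP/UDP 135-139, 445) show up in the router log instead of on the servers.
access-list 101 deny ip any any log
!
! Apply it to traffic arriving from the cable side.
interface cable-modem0
 ip access-group 101 in
```

Because only the listed ports get through, the same deny line also stops the NetBIOS/Messenger traffic behind the "Win PopUp" windows asked about later in the thread, and the log entries give you the source addresses to look at before deciding whether a per-IP filter on the servers is needed.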

markcastle
11-12-2002, 08:36 AM
Why not put IPSec on it in the first instance?

Cheers

RackMy.com
11-12-2002, 09:25 AM
Originally posted by bitserve
I would rather spend time managing the box than line the pockets of a company with thousands of dollars to finance their overpriced per-user or per-VPN-tunnel fees.

Have you priced them out lately? They are going to be cheaper than managing a software box over the long run.

Originally posted by clockwork
Just set up the Win2k boxes to only serve what is needed, or use the built-in filter.

That is still not very secure, as the W2K boxes will still be hackable.

Here are the problems as I see it when using software/computer-based firewalls. You have to keep up with the security updates/patches/etc., or else you have a vulnerable firewall. A firewall, itself, should be as secure as possible. Hardware firewalls are built to be stable/secure, which gives you added protection.

Cybertoad
11-12-2002, 10:52 AM
WOW! That's a lot of information to digest. What about Checkpoint's software firewall? I've got a copy from a friend, but haven't installed it yet.

clockwork
11-12-2002, 11:12 AM
Originally posted by RackMy.com

Here are the problems as I see it when using software/computer-based firewalls. You have to keep up with the security updates/patches/etc., or else you have a vulnerable firewall. A firewall, itself, should be as secure as possible. Hardware firewalls are built to be stable/secure, which gives you added protection.

I was just telling the guy he doesn't need a firewall at all, unless he is protecting non-public machines (which it seems he isn't).

Just run what services you want public, turn everything else off. There's no need for a firewall.

If a certain IP/network is giving you problems, use the filtering feature in Win2k to drop them.... we're talking about 3 servers here, not 100 :)

My suggestion to him is to save your money until you truly need a firewall, and then use that saved money for a decent hardware firewall (Checkpoint on a Nokia box would be nice).

Cybertoad
11-12-2002, 11:30 AM
That's fine and I can do that, but what about those annoying popup windows that use the Win Popup feature of Windows? How can I block those?

RackMy.com
11-12-2002, 11:46 AM
Originally posted by clockwork
Just run what services you want public, turn everything else off. There's no need for a firewall.

I completely understand what you are saying, but these days you should not have a server up without a firewall (my opinion :)). Just turning off services/ports will not completely protect you. Remember that Nimda opened up back doors, so even if you turned off services/ports, attacks can open them up.

Originally posted by Cybertoad
but what about those annoying popup windows that use the Win Popup feature of Windows? How can I block those?

Turn off the Alerter service.

bitserve
11-12-2002, 10:46 PM
Originally posted by RackMy.com
Have you priced them out lately? They are going to be cheaper than managing a software box over the long run. That is still not very secure, as the W2K boxes will still be hackable.

I haven't checked the prices on NetScreens lately. I actually think you're getting ripped off when you have to call for prices.

ME: "How much?"
SALES: "Well, how much do you have?"

Anyway, I'd say that the cost might be even in the long run, but not cheaper. Easier, definitely. :)

zerphyte
11-13-2002, 02:30 AM
Originally posted by Cybertoad
WOW! That's a lot of information to digest. What about Checkpoint's software firewall? I've got a copy from a friend, but haven't installed it yet.

Checkpoint is pretty decent, EXTREMELY overpriced, but overall it's a great firewall. We have a grip of Nokia Checkpoints deployed and have been quite happy with them. I have attempted to install their software several times on a Win2k server and have not had much luck.
For a small setup such as you have, I would recommend going with a Fortinet (http://www.fortinet.com) FortiGate-200+. The Fortinet firewalls are great little boxes and have quite a bit packed into them.
Pretty much every company that makes hardware firewalls will send you a demo unit of whatever you want to toy with for a couple of weeks. I would highly recommend evaluating several units from different places before making your purchase.