  1. #1
    Join Date
    Aug 2002
    Location
    Texas
    Posts
    34

    Firewalls... Which is better?

    I'm looking to get a good firewall in place. I'm running three WINDOWS 2K servers off a cable/T1 line. Obviously, I need the three servers IP's to be public. Is there a firewall solution that is cost effective for my application? Should I be looking at hardware firewalls or software firewalls? Which is better?

    Thanks!
    ~~~ TECHSUPPORT ~~~
    Hosting -- Design -- Consulting

  2. #2
    Join Date
    Jan 2002
    Location
    SoCal
    Posts
    71

    Re: Firewalls... Which is better?

    Originally posted by Cybertoad
    I'm looking to get a good firewall in place. I'm running three WINDOWS 2K servers off a cable/T1 line. Obviously, I need the three servers IP's to be public. Is there a firewall solution that is cost effective for my application?
    Any *nix firewall would be cost effective but I don't know if you're comfortable administering something like that.

    Should I be looking at hardware firewalls or software firewalls? Which is better?

    Thanks!
    Depends. Essentially they're the same thing. A "hardware" firewall as most people describe them are _usually_ better as they are designed for the system they're built atop. With that comes an expense. IMO, a "hardware" firewall is not justified in your case as ANY firewall on the market will easily be able to handle a T1/cable line.

    If you're not comfortable with *nix and you still want a cheap firewall, check out one of the web based configuration firewalls like smoothwall.

  3. #3
    We have a SonicWall appliance, and it's been very easy to administer. Some of their models don't support public web servers, so be sure you get one with a DMZ.

    Ann

  4. #4
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    You can get yourself a Netscreen 5 for a lot less than you can build a *nix box. They run about $350.00 and can handle more than a T1 (and are going to be more stable than a *nix box).

    Hope that helps!
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  5. #5
    Join Date
    Sep 2002
    Posts
    900
    You could get an old Pentium box with 64 MB of RAM or possibly even less, install OpenBSD and it would make a great firewall

  6. #6
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    You are still going to have better performance/reliability from a HW firewall
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  7. #7
    Join Date
    Dec 2000
    Location
    Leesburg, VA
    Posts
    3,205
    Originally posted by RackMy.com
    You are still going to have better performance/reliability from a HW firewall
    In addition the NetScreen is easier to configure than a standard Unix firewall...especially for someone who is not a Unix administrator by trade. Plus, if you don't know Unix you may wind up running a firewall on an OS with multiple security holes.

  8. #8
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    The NetScreen should outperform a general purpose PC running the same processor speed as far as network traffic goes.

    But the statement that a hardware firewall is faster than a software one is a very generalized statement. It all really depends on what you're comparing.

    I prefer installing a free OS on some specialized hardware. I would rather spend time managing the box than line the pockets of a company with thousands of dollars to finance their overpriced per user or per VPN tunnel fees. It's too Microsoft for me.

    I'm sure that it's "right" for some, though.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  9. #9
    Join Date
    Jan 2002
    Posts
    574
    You're talking a very low bandwidth line here. You're also only talking about 3 servers. Why waste your money/time getting a standalone firewall? Just set up the win2k boxes to only serve what is needed, or use the built-in filter.

    Also.. you said cable/t1... a lot of routers/bridges that connect to cable have firewall features, such as the cisco ubr series.. they pretty much use the same IOS as cisco routers, so you can just create access lists.

    It really really doesn't sound like you need to go overboard, cause any type of bandwidth flood is most likely going to kill you anyways at only t1 speeds.

  10. #10
    Join Date
    Mar 2001
    Location
    London, England
    Posts
    334
    Why not put IPSec on it in the first instance?

    Cheers
    Mark Castle
    Secura Hosting Ltd
    www.capitalethernet.co.uk
    My views are my own and not those of my company.

  11. #11
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    I would rather spend time managing the box than line the pockets of a company with thousands of dollars to finance their overpriced per user or per VPN tunnel fees.
    Have you priced them out lately? They are going to be cheaper than managing a software box over the long run.
    Just set up the win2k boxes to only serve what is needed, or use the built-in filter.
    That is still not very secure as the W2K boxes will still be hackable.

    Here is the problem as I see it when using software/computer based firewalls. You have to keep up with the security updates/patches/etc or else you have a vulnerable firewall. A firewall, itself, should be as secure as possible. Hardware firewalls are built to be stable/secure which gives you added protection.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  12. #12
    Join Date
    Aug 2002
    Location
    Texas
    Posts
    34
    WOW! That's a lot of information to digest. What about Checkpoint's software firewall? I've got a copy from a friend, but haven't installed it yet.
    ~~~ TECHSUPPORT ~~~
    Hosting -- Design -- Consulting

  13. #13
    Join Date
    Jan 2002
    Posts
    574
    Originally posted by RackMy.com

    Here is the problem as I see it when using software/computer based firewalls. You have to keep up with the security updates/patches/etc or else you have a vulnerable firewall. A firewall, itself, should be as secure as possible. Hardware firewalls are built to be stable/secure which gives you added protection.
    I was just telling the guy he doesn't need a firewall at all, unless he is protecting non-public machines (which it seems he isn't).

    Just run what services you want public, turn everything else off. There's no need for a firewall.

    If a certain ip/network is giving you problems, use the filtering feature in win2k to drop them.... we're talking about 3 servers here, not 100

    My suggestion to him is to save your money until you truly need a firewall, and then use that saved money for a decent hardware firewall (checkpoint on a nokia box would be nice).
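    The advice in posts #9 and #13 ("run only what you want public, turn everything else off") is only as good as your ability to check it. The script below is an added example, not code from anyone in this thread: it parses the output format of `netstat -an` on a Windows host (the sample is constructed, not captured from a real server), compares the listening sockets against a per-server allowlist of the services you intend to expose, and reports anything else. The host names, the allowlist policy and the `ALLOWED` table are assumptions for illustration.

```python
"""Audit a Windows server's listening sockets against an allowlist.

Added example (not from the thread). Parses `netstat -an` style output
and reports every network-reachable TCP/UDP listener that is not on the
list of services intended to be public for that host.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed example policy: which (proto, port) pairs each of the three
# public servers is supposed to expose. Host names are assumptions.
ALLOWED: Dict[str, Set[Tuple[str, int]]] = {
    "web1": {("tcp", 80), ("tcp", 443)},
    "mail1": {("tcp", 25), ("tcp", 110)},
    "dns1": {("tcp", 53), ("udp", 53)},
}

# Constructed sample of `netstat -an` output from a Windows 2000 host
# (not captured from a real machine). 192.0.2.x / 198.51.100.x are
# documentation addresses.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:40213     ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    127.0.0.1:1026         *:*
"""

# Proto, local address, local port, foreign address, optional state.
# UDP lines carry no state column, hence the optional final group.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_listeners(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_ip, port) for every network-reachable listener.

    TCP sockets count only in LISTENING state (established connections are
    not services). UDP sockets are always bound listeners. Sockets bound to
    the loopback address are skipped: nothing on the wire can reach them.
    """
    listeners: List[Tuple[str, str, int]] = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line or anything we do not understand
        proto, ip, port, _foreign, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue
        if ip.startswith("127.") or ip == "::1":
            continue
        listeners.append((proto, ip, int(port)))
    return listeners


def unexpected_listeners(host: str, netstat_output: str) -> List[Tuple[str, str, int]]:
    """Listeners on `host` that are not in its allowlist.

    A host with no policy entry is treated as "nothing is supposed to be
    public", so every listener is reported rather than silently accepted.
    """
    allowed = ALLOWED.get(host, set())
    return [
        entry for entry in parse_listeners(netstat_output)
        if (entry[0], entry[2]) not in allowed
    ]


if __name__ == "__main__":
    for proto, ip, port in unexpected_listeners("web1", SAMPLE_NETSTAT):
        print(f"web1: unexpected {proto} listener on {ip}:{port}")
```

    On the constructed sample this flags TCP 135 and 445 and UDP 137 and 138 on `web1`, the RPC/NetBIOS/SMB listeners a public web server has no reason to expose. Running the audit after every patch cycle, not just once, is what addresses the concern raised later in the thread that a compromised host can open listeners you never configured.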

  14. #14
    Join Date
    Aug 2002
    Location
    Texas
    Posts
    34
    That's fine and I can do that, but what about those annoying popup windows that use the Win PopUp feature of Windows. How can I block those?
    ~~~ TECHSUPPORT ~~~
    Hosting -- Design -- Consulting

  15. #15
    Join Date
    Apr 2001
    Location
    St. Louis, MO
    Posts
    2,508
    Just run what services you want public, turn everything else off. There's no need for a firewall.
    I completely understand what you are saying, but these days you should not have a server up without a firewall (my opinion). Just turning off services/ports will not completely protect you. Remember that Nimda opened up back doors so even if you turned off services/ports, attacks can open them up.

    but what about those annoying popup windows that use the Win PopUp feature of Windows. How can I block those?
    Turn off the Alerter service.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  16. #16
    Join Date
    Nov 2001
    Location
    Ann Arbor, MI
    Posts
    2,978
    Originally posted by RackMy.com
    Have you priced them out lately? They are going to be cheaper than managing a software box over the long run.
    That is still not very secure as the W2K boxes will still be hackable.
    I haven't checked the prices on NetScreens lately. I actually think you're getting ripped off when you have to call for prices.

    ME: "How much?"
    SALES: "Well, how much do you have?"

    Anyway, I'd say that the cost might be even in the long run, but not cheaper. Easier, definitely.
    -Mark Adams
    www.bitserve.com - Secure Michigan web hosting for your business.
    Only host still offering a full money back uptime guarantee and prorated refunds.
    Offering advanced server management and security incident response!

  17. #17
    Join Date
    Jun 2002
    Location
    New York City
    Posts
    330
    Originally posted by Cybertoad
    WOW! That's a lot of information to digest. What about Checkpoint's software firewall? I've got a copy from a friend, but haven't installed it yet.
    Checkpoint is pretty decent, EXTREMELY overpriced but overall it's a great firewall. We have a grip of Nokia Checkpoints deployed and have been quite happy with them. I have attempted to install their software several times on a Win2k server and have not had much luck.
    For a small setup such as you have I would recommend going with Fortinet (http://www.fortinet.com) FortiGate-200+. The Fortinet firewalls are great little boxes and have quite a bit packed into them.
    Pretty much every company that makes hardware firewalls will send you a demo unit of whatever you want to toy with for a couple weeks. I would highly recommend evaluating several units from different places before making your purchase.
