Firewall Fever
|
Author | Content |
---|---|
NoDough Apr 05, 2007 8:39 AM EDT |
Hello All, The firewall at my work is throwing hissy fits, and I'm looking to replace it. I don't have the time to commit to building one myself, so I am looking for something reasonably priced and well supported with the following features: SMTP Proxy, Antivirus Email Scanning, SPAM Filtering, IPSec Static (Branch Office) VPNs, Mobile VPNs (but not PPTP) and, most importantly, rock solid reliability. Do you have experience with something you can recommend? |
Sander_Marechal Apr 05, 2007 9:55 AM EDT |
I have had good experiences with Smoothwall (Linux distro), but I don't think it supports all that. And if it does, I don't know how well it supports the stuff I haven't used. |
NoDough Apr 05, 2007 10:48 AM EDT |
Thanks, Sander. I'll check it out. |
tuxchick Apr 05, 2007 11:52 AM EDT |
Not sure this will help you - I don't bother with commercial guff because they cost too much and do too little. I like this kind of setup: border firewall/router with minimal services: iptables firewall and OpenVPN for a genuine VPN. Lean and mean. Malware/spam scanner thingy on a separate box, gotta go with the commercial crud here 'cause the FOSS alternatives aren't quite up to snuff. Spamassassin is a superior spam filter, if you can find a home for it on your network. VPNs are tricky, because most of the commercial offerings are not real VPNs, but overpriced under-featured SSL portals. SSL portals are not VPNs. This tells a bit more about it: http://www.enterprisenetworkingplanet.com/netsecur/article.p... under 'A Vital VPN Tangent.' IPCop is a nice Linux-based firewall/router/DHCP/DNS/router/etc. with a good Web-based administration interface. It includes an IPSec-based VPN, but it's not a very good implementation. Anyway I think OpenVPN is the best of all VPNs, commercial and Free. |
NoDough Apr 05, 2007 12:07 PM EDT |
TC, Actually, I would have a lot of fun setting up my own solution. However, the powers that be don't want me spending my time doing that. They would rather buy the commercially supported solution so they have someone to yell at when it breaks. The irony of that is that they currently have a very expensive solution in place that isn't working well. All the yelling in the world isn't fixing it. Regarding FOSS AV, let me relate a little story. When I worked a different position I had my own email server set up in Linux. I used quadruple redundant AV scanning. Every message was scanned first with McAfee, then with BitDefender, then with Trend, then with ClamAV. All four of the scanners checked for new signatures every hour. Upon the release of one particularly nasty Windows/Outlook virus the first three commercial scanners missed an infected message. ClamAV caught it. So, it seems pretty up-to-snuff to me. |
dcparris Apr 05, 2007 1:51 PM EDT |
NoDough, Not sure about the price range, but you might look this over: http://calyptix.com/products.php I just heard about these guys today, and they are here in Charlotte. I don't know much about them but that their stuff is Linux-based. |
jdixon Apr 05, 2007 1:57 PM EDT |
> They would rather buy the commercially supported solution... Well, there are Linux based commercial solutions. I can't speak to the quality of any of them. However, you might want to start by looking here: http://distrowatch.com/dwres.php?resource=firewalls Added: Most of them appear to be free, and not commercial, but enough of them have commercial branches to make it worth checking out. AFAIK, the most respected name in the firewall business is still Checkpoint, but I haven't kept up for a few years. |
tuxchick Apr 05, 2007 2:10 PM EDT |
oh well then, nodough, all the pieces you need are there. Too bad you can't use them, because this is exactly the sort of thing that tuff do-it-yourselfers can whip up between lunch and tea-time, without getting gouged by silly license fees and getting victimized by inferior products. But then millions of bottles of tap water are sold every day, so what do I know. |
tuxchick Apr 05, 2007 2:14 PM EDT |
I just remembered Snapgear, which used to be an awesome and reasonably-priced product. It looks like they were acquired by Secure Computing, so who knows what they've done to the poor things. But it might be worth a look: http://www.securecomputing.com/index.cfm?skey=1571 |
Sander_Marechal Apr 05, 2007 2:51 PM EDT |
NoDough: Have you thought about building the Linux version in your own time? It shouldn't take more than a few hours. And if your boss really wants commercial support you could offer it and relieve him of some extra cash otherwise spent on proprietary stuff. After all, you are the perfect guy to support it commercially since you know the network so well :-) |
ggarron Apr 05, 2007 6:00 PM EDT |
Check this out: Smoothwall screenshots: http://linux.go2linux.org/node/24 and rc.firewall script: http://linux.go2linux.org/node/3 |
NoDough Apr 06, 2007 7:38 AM EDT |
Good suggestions, all. Thank you everyone. Sander, great minds think alike... and so do ours. I'm looking for an old rack-mount system to set up as a backup firewall. Then, when the commercial solution breaks, I can switch the cables to the freed box for a quick fix. Of course, with everyone using it, finding a time to switch the cables back will be difficult. ;-) Thanks again, all. |