Firewall Fever

Forum: Linux
Total Replies: 11
NoDough

Apr 05, 2007
8:39 AM EDT
Hello All,

The firewall at my work is throwing hissy fits, and I'm looking to replace it. I don't have the time to commit to building one myself, so I am looking for something reasonably priced and well supported with the following features...

- SMTP Proxy
- Antivirus Email Scanning
- SPAM Filtering
- IPSec Static (Branch Office) VPNs
- Mobile VPNs (but not PPTP)
- and, most importantly, rock solid reliability.

Do you have experience with something you can recommend?
Sander_Marechal

Apr 05, 2007
9:55 AM EDT
I have had good experiences with Smoothwall (Linux distro), but I don't think it supports all that. And if it does, I don't know how well it supports the stuff I haven't used.
NoDough

Apr 05, 2007
10:48 AM EDT
Thanks, Sander.

I'll check it out.
tuxchick

Apr 05, 2007
11:52 AM EDT
Not sure this will help you- I don't bother with commercial guff because they cost too much and do too little. I like this kind of setup:

border firewall/router with minimal services: iptables firewall and OpenVPN for a genuine VPN. Lean and mean.

Malware/spam scanner thingy on a separate box, gotta go with the commercial crud here 'cause the FOSS alternatives aren't quite up to snuff.

Spamassassin is a superior spam filter, if you can find a home for it on your network.

VPNs are tricky, because most of the commercial offerings are not real VPNs, but overpriced under-featured SSL portals. SSL portals are not VPNs. This tells a bit more about it: http://www.enterprisenetworkingplanet.com/netsecur/article.p... under 'A Vital VPN Tangent.'

IPCop is a nice Linux-based firewall/router/DHCP/DNS/etc. with a good Web-based administration interface. It includes an IPSec-based VPN, but it's not a very good implementation. Anyway I think OpenVPN is the best of all VPNs, commercial and Free.
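As an added example of the "lean and mean" border box tuxchick describes (iptables plus OpenVPN as the only exposed service), here is a small POSIX shell script that generates a ruleset in iptables-restore format. This is not tuxchick's configuration or any project's code; the interface names (eth0/eth1/tun0), the subnets and the OpenVPN port are assumptions and can be overridden through environment variables.

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset for a minimal border
# firewall/router whose only Internet-facing service is OpenVPN.
# Interface names, subnets and port below are assumptions, not from the thread.

WAN_IF="${WAN_IF:-eth0}"                 # Internet-facing interface (assumed)
LAN_IF="${LAN_IF:-eth1}"                 # office LAN interface (assumed)
VPN_IF="${VPN_IF:-tun0}"                 # OpenVPN tunnel interface (assumed)
LAN_NET="${LAN_NET:-192.168.10.0/24}"    # office subnet (assumed)
VPN_NET="${VPN_NET:-10.8.0.0/24}"        # OpenVPN client subnet (assumed)
VPN_PORT="${VPN_PORT:-1194}"             # OpenVPN's default UDP port

gen_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Masquerade LAN and VPN-client traffic leaving on the WAN side
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j MASQUERADE
-A POSTROUTING -s $VPN_NET -o $WAN_IF -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback and already-established connections are always allowed
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Admin access (SSH) only from the LAN side, never from the WAN
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# The single service exposed to the Internet: OpenVPN over UDP
-A INPUT -i $WAN_IF -p udp --dport $VPN_PORT -j ACCEPT
# Rate-limited ping for troubleshooting
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
# Forwarding: LAN and VPN clients out to the WAN, VPN clients into the LAN.
# Source-subnet checks on each inbound interface give basic anti-spoofing.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $WAN_IF -s $VPN_NET -j ACCEPT
-A FORWARD -i $VPN_IF -o $LAN_IF -s $VPN_NET -d $LAN_NET -j ACCEPT
COMMIT
EOF
}

# Sanity check: count INPUT rules that accept new traffic arriving on the
# WAN interface. A lean border box should expose exactly one (the VPN port).
wan_exposed_count() {
    gen_rules | grep -c -- "-A INPUT -i $WAN_IF .* -j ACCEPT"
}

# Usage on the firewall host, as root:  gen_rules | iptables-restore
```

The default-DROP policies on INPUT and FORWARD mean anything not listed is refused, and `wan_exposed_count` is a quick regression check to run before loading a modified ruleset: if it ever reports more than 1, a new Internet-facing hole has crept in.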
NoDough

Apr 05, 2007
12:07 PM EDT
TC,

Actually, I would have a lot of fun setting up my own solution. However, the powers that be don't want me spending my time doing that. They would rather buy the commercially supported solution so they have someone to yell at when it breaks.

The irony of that is that they currently have a very expensive solution in place that isn't working well. All the yelling in the world isn't fixing it.

Regarding FOSS AV, let me relate a little story. When I worked a different position I had my own email server set up in Linux. I used quadruple redundant AV scanning. Every message was scanned first with McAfee, then with BitDefender, then with Trend, then with ClamAV. All four of the scanners checked for new signatures every hour. Upon the release of one particularly nasty Windows/Outlook virus the first three commercial scanners missed an infected message. ClamAV caught it. So, it seems pretty up-to-snuff to me.
dcparris

Apr 05, 2007
1:51 PM EDT
NoDough, Not sure about the price range, but you might look this over: http://calyptix.com/products.php

I just heard about these guys today, and they are here in Charlotte. I don't know much about them but that their stuff is Linux-based.
jdixon

Apr 05, 2007
1:57 PM EDT
> They would rather buy the commercially supported solution...

Well, there are Linux based commercial solutions. I can't speak to the quality of any of them. However, you might want to start by looking here: http://distrowatch.com/dwres.php?resource=firewalls

Added: Most of them appear to be free, and not commercial, but enough of them have commercial branches to make it worth checking out. AFAIK, the most respected name in the firewall business is still Checkpoint, but I haven't kept up for a few years.
tuxchick

Apr 05, 2007
2:10 PM EDT
Oh well then, NoDough, all the pieces you need are there. Too bad you can't use them, because this is exactly the sort of thing that tough do-it-yourselfers can whip up between lunch and tea-time, without getting gouged by silly license fees and getting victimized by inferior products. But then millions of bottles of tap water are sold every day, so what do I know.

tuxchick

Apr 05, 2007
2:14 PM EDT
I just remembered Snapgear, which used to be an awesome and reasonably-priced product. It looks like they were acquired by Secure Computing, so who knows what they've done to the poor things. But it might be worth a look: http://www.securecomputing.com/index.cfm?skey=1571
Sander_Marechal

Apr 05, 2007
2:51 PM EDT
NoDough: Have you thought about building the Linux version in your own time? It shouldn't take more than a few hours. And if your boss really wants commercial support you could offer it and relieve him of some extra cash otherwise spent on proprietary stuff. After all, you are the perfect guy to support it commercially since you know the network so well :-)
ggarron

Apr 05, 2007
6:00 PM EDT
Check this out

smoothwall screenshots: http://linux.go2linux.org/node/24

and rc.firewall script

http://linux.go2linux.org/node/3
NoDough

Apr 06, 2007
7:38 AM EDT
Good suggestions, all. Thank you everyone.

Sander, great minds think alike... and so do ours.

I'm looking for an old rack-mount system to set up as a backup firewall. Then, when the commercial solution breaks, I can switch the cables to the freed box for a quick fix. Of course, with everyone using it, finding a time to switch the cables back will be difficult. ;-)

Thanks again, all.
