Re: What firewall for small medical research lab

[Smith <smith () confuciun com>]

I agree with Jordan Dallas 110%, go with OpenBSD.  Ignore the Gentoo 
suggestion, not because there is anything bad about gentoo but because 
of the amount of time and maintence involved to go that route.  When I 
wanted to learn firewalls and vpns, I researched Linux solutions and got 
so fed up reading how firewall and vpn features must be compiled into 
the kernel.  I knew nothing about firewalls so I had a hard time 
learning firewalls/vpn's because of iptables and ipchains horrible 
syntax.  Then I found OpenBSD and stayed with it since.  OpenBSD has 
firewall and vpn compiled in and the syntax really is easy to learn.  
Plus OpenBSD and Checkpoint (the best commercial firewall) were the 
first to have stateful inspection when all the other guys like linux, 
sonicwall, and cisco pix had it a few years later if they even have it 
at all.  If you don't know what stateful inspection means, lets just say 
its a very important firewall feature.  You know what else, once you 
learn how to install OpenBSD by reading their FAQ, it takes literally 5 
to 10 minutes to install a full blown system (which also means full 
blown fiirewall/vpn).  Compare that to spending days/weeks just to get 
gentoo up and running and CONFIGURED!  As far as cost, $45 for OpenBSD 
if you want to support their cause by buying their CD or get it for free 
via ftp and take any old computer system preferably a Pentium II or 
better with two or three nic cards.  Compare that to the other suggestions.

And before anybody flames me about some of the things I said, please 
note everything I said above (except about OpenBSD) is based off the 
situation as it stood back around 2002.  I know a lot has changed now 
that it's 2006.  So in 2002 I chose OpenBSD and never regretted it.

rmillisl () millis-it com wrote:
> I have been asked to research what good, low cost, firewall solutions
> might prove suitable for a medical research lab at a local University to
> protect confidential patient data from outsiders.
>
> In addition to other research I though I would ask here.
>
> I realize a firewall is just one component of an overall security policy /
> implementation.
>
> Basically what is needed is a simple NAT box that generally keeps
> outsiders out, and allows authorized lab servers and workstations to
> access certain services out on the main building network (DNS, IMAP, POP,
> SMTP, HTTP, HTTPS, FTP, SSH) and through that network to the Internet
> (through the main building campus/network).
>
> Cost is a very important factor so suggested solutions have been:
>
> - Pay someone to set up a PC based firewall running on surplus hardware
> using either Fedora Core 5 and Shorewall 3.0.6 (to allow easy
> configuration of iptables rules).  The hardware and software cost are low.
> The time could add up. I have considerable experience with this so this
> would be the lowest learning curve. Problem is Fedora with its frequent
> updates may make managing this more of a chore.
>
> - Pay someone to set up a a PC based firewall running on surplus hardware
> using either OpenBSD 3.7 or 3.8 and pf. The hardware and software cost are
> low. The time could add up. I have some OpenBSD experience and no pf
> background.
>
> - Pay someone to set up a a Linksys or D-Link broadband
> switch/firewall/router. The hardware cost is low. The time to set up may
> be minimal (Plug&Play + some common sense and provided firewall/filter
> capabilities). Are these a serious and secure enough solution?
>
> - Some other low cost hardware or software based alternative. What else
> might be out there that I don't know about that might be comparable in
> cost to the D-Link or Linksys options.
>
> The PC based solutions I personally have the most confidence in with
> respect to hand crafting a minimal OS build and hardening and patching the
> OS and doing rules mostly by hand. With pf there is some concern of errors
> introduced due to learning curve.
>
> Comments? Suggestions?
>
>
>   



-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected. 
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
obligation. See why so many companies trust Spy Sweeper Enterprise to 
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------