Re: What firewall for small medical research lab

[Bob Radvanovsky <rsradvan () unixworks net>]

If *cost* is your factor, there are plenty of "ISO firewalls"; that is, these firewalls a "plug 'n chug", and represent 
complete solutions that utilize a bootable CD-ROM from an ISO image, and load EVERYTHING onto a target server.  If you 
want something that is cheap and fairly cost-effective, may I suggest IPCOP -- it's built on a hardened Linux platform, 
is fairly robust and generally easy to use.  All administrative functions are done via *secured* SSL-based web 
interface that can ONLY be accessed from the INTERNAL (or "GREEN") network (that is, the "safe" network that isn't 
exposed to the Internet).

Go to this web site for more information: http://www.ipcop.org.

I ahve installed/implemented IPCOP at several sites, and they keep it fairly up-to-date.  It's a variant of the 
SmoothWall firewall, which has gone commercial.  So, if *FREE* is OK with you, I would recommend considering this one.  
I'm sure that others would agree that IPCOP is a suitable firewall for use.

Their hardware requirements are a tad bit off, and I would recommend the following:

(1) TWO (2) 3COM or INTEL NICs.
(2) ONE (1) IDE (or SATA IDE) drive-based server that's MINIMUM 20 GB in size.
(3) A workstation or small server that's a P3-600 Pentium III processor (or better).
(4) MINIMUM 512 MB of available RAM memory; the moer users you have surfing your website, the more memory you'll need.

** Estimated cost for this is around $300-500 USD.

Of course, if the ONLY reason you need a firewall is for OUTGOING ONLY for web browsing, get something simple like a 
Cisco LINKSYS or Netgear Cable/DSL router/switch box combination

** Estimated cost for this is around $60-80 USD.

Hope this helps, if not, send me a private email and I'd more than happy to help...  ;))

Good luck!

Bob Radvanovsky, CIFI, CISM, REM, CIPS
rsradvan () unixworks net
----- Original Message -----
From: rmillisl () millis-it com
To: firewalls () securityfocus com, security-basics () securityfocus com
Subject: What firewall for small medical research lab


> I have been asked to research what good, low cost, firewall solutions
> might prove suitable for a medical research lab at a local University to
> protect confidential patient data from outsiders.
>
> In addition to other research I though I would ask here.
>
> I realize a firewall is just one component of an overall security policy /
> implementation.
>
> Basically what is needed is a simple NAT box that generally keeps
> outsiders out, and allows authorized lab servers and workstations to
> access certain services out on the main building network (DNS, IMAP, POP,
> SMTP, HTTP, HTTPS, FTP, SSH) and through that network to the Internet
> (through the main building campus/network).
>
> Cost is a very important factor so suggested solutions have been:
>
> - Pay someone to set up a PC based firewall running on surplus hardware
> using either Fedora Core 5 and Shorewall 3.0.6 (to allow easy
> configuration of iptables rules).  The hardware and software cost are low.
> The time could add up. I have considerable experience with this so this
> would be the lowest learning curve. Problem is Fedora with its frequent
> updates may make managing this more of a chore.
>
> - Pay someone to set up a a PC based firewall running on surplus hardware
> using either OpenBSD 3.7 or 3.8 and pf. The hardware and software cost are
> low. The time could add up. I have some OpenBSD experience and no pf
> background.
>
> - Pay someone to set up a a Linksys or D-Link broadband
> switch/firewall/router. The hardware cost is low. The time to set up may
> be minimal (Plug&Play + some common sense and provided firewall/filter
> capabilities). Are these a serious and secure enough solution?
>
> - Some other low cost hardware or software based alternative. What else
> might be out there that I don't know about that might be comparable in
> cost to the D-Link or Linksys options.
>
> The PC based solutions I personally have the most confidence in with
> respect to hand crafting a minimal OS build and hardening and patching the
> OS and doing rules mostly by hand. With pf there is some concern of errors
> introduced due to learning curve.
>
> Comments? Suggestions?
>
>
> -------------------------------------------------------------------------
> This List Sponsored by: Webroot
>
> Don't leave your confidential company and customer records un-protected. 
> Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no 
> obligation. See why so many companies trust Spy Sweeper Enterprise to 
> eradicate spyware from their networks.
> FREE 30-Day Trial of Spy Sweeper Enterprise
>
> http://www.webroot.com/forms/enterprise_lead.php
> --------------------------------------------------------------------------

-------------------------------------------------------------------------
This List Sponsored by: Webroot

Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise

http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------