Re: Recommendation needed for a firewall appliance

[Mark Tinberg <mtinberg () securepipe com>]

On Fri, 17 Oct 2003, Christopher L. Everett wrote:

> I'm a web programm/system admin  for a small company in the
> medical advertising space.  We operate on a pretty low budget,
> but I can get anything I can demonstrate a need for, within
> reason.  In this case, within reason is $500 or less.

I don't know that there's a lot of hardware in this range, except for SOHO 
stuff.
 
> Id set up a Linux based Firewall/VPN server, but I just don't
> have the time to mess with setting up such a box from scratch;
> the last time I played with FreeSWAN a little over a year ago
> I was unsuccessful in getting an IPSec VPN going with a Win2K
> box despite following detailed instructions verbatim.

There are several firewall specific linux distros, Astaro, Coyote 
Linux and Devil Linx appear to be a few examples.  More can assuredly be 
found in the Freshmeat listing at 

  http://freshmeat.net/browse/151/?topic_id=151

> After looking around and seeing what's happening in the firewall
> appliance market, and thinking about what I'd like to be able to
> do, I've come up with these requirements:

There are some small firewall units, and there are small Managed Security 
companies as well.

> 1) > 50 Mbps LAN-to-WAN throughput (needs a 10/100 WAN port)

?? Do you have a 50Mbps connection to the internet ??

> 2) a 10/100 DMZ port

So you need three interfaces, inside, outside, dmz.

> 3) enough VPN speed for 3 to 5 broadband users, 10Mbps or more

?? You're going to have 30-50Mbps of VPN (IPSec) traffic ??
?? do your clients have 10Mbps links to the internet     ??

> 4) client to VPN connectivity without needing special software,
>    for Windows, OSX and Linux.

I believe Windows comes with an IPSec stack, although I don't know if its
functional (it wasn't on W2K last I looked, and clients ended up buying
SafeNet SoftPK) Linux has FreeSWAN (and USAGI) ahd I believe OSX ships
with KAME from *BSD.

There is OpenVPN as well, which has generally decent crypto (links against 
libssl) and also runs on all of the abovementioned platforms.

  http://openvpn.sourceforge.net/

> 5) maker has a good record on security & releasing patches

Always important, and a too often overlooked requirement.  The other thing 
to look for is how often they _haven't_ had to release patches, but this 
is a lot harder to determine.

> 6) The firewall/VPN runs in hardware as much as possible.

All software runs on hardware, I doubt this is a sensible requirement for 
your network setup.  A few of your other requirements don't seem to really 
make sense either.

> As far as new, currently manufactured equipment that looks
> good to my inexperienced eye are:
>
> 1) Netgear FVL328
> 2) Hotbrick 600/2
>
> The Symantec 200R and Sonicwall stuff seems to need special VPN
> software so that's out.

I'm pretty sure that both support IPSec, in face I think that the Symantec 
is using Linux and FreeSWAN as their IPSec implementation underneath 
anyway.  At least judging from all the Symantic hits I received when 
searching for FreeSWAN error messages.

> But I've also been checking out used equipment on Ebay hoping
> toget lucky and stretch our budget into something a little more
> deluxe such as an older Nokia (IP440?) or Watchguard box.
>
> One thing that I don't understand are the licensing issues
> with used Nokia boxes: do the Checkpoint licenses travel with
> the box or will I have to buy new licenses?

I think this question was answered on the list about Cisco hardware, and 
in that case the licenses are not transferrable.  You buy the hardware on 
eBay, and you've still got to buy a maintenance contract to get access to 
legit firmware and any firmware updates.  If you really want to know, 
there's no substitute for calling the vendor and asking, I'm sure they'd 
be happy to talk to you.

> Another thing I'd like to know about are the risks involved
> in running an older, possibly unsupported firewall/VPN box:
> is it riskier than just running straight NAT access?  Are
> there some of these older boxes I should stay away from?

Well, in that case you're on your own, flapping in the wind with no 
parachute.  IMHO you want to have either A) a maintenance contract with a 
very responsive and active vendor or B) the source and at least the will 
to pay someone to help you when you need helping.

--
Mark Tinberg
Network Security Engineer
SecurePipe, Inc.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards