Firewall choices?

KB_JBJS,

This post will be more of a background explanation than an answer, but at least it's a starting point.

Unlike other professions (medicine, law, etc.), the IT world doesn't have the luxury of a specific, stable vocabulary.  Almost everything in IT  can be addressed with any of three different terms, and almost every IT term has at least three different meanings, all subject to change over time.

The term "firewall" can denote hardware or software, internal or external, from about $40 to over $20,000. It might be completely contained in one product or it might require additional, companion products in order to provide its full suite of benefits.

At a minimum, a firewall acts as a controlled connection between two networks.   Higher priced firewalls will have better security and greater depth and flexibility of control.  Higher priced units will also have better reporting capabilities to allow the administrator to see what sort of traffic is present and what is being passed or blocked.

For a recommendation or comparison to be meaningful, it is necessary to learn and understand the product's feature set and decide what is appropriate for your purpose.

As an overly simplistic example:  A small network with just a few trusted users and no sensitive information might need little more than basic (NAT) protection. Larger networks or those with very sensitive data will need greater security against hackers, more specific control of traffic (times, ports, sources, destinations, users, bandwidth, etc.) and better monitoring to identify malfunctioning components or rogue activity.  (If you have 35 users, there's a strong possibility that you have some rogue activity.)

That said, maybe someone here has experience with those specific models and can help you with your selection.

-ENO

For that many users, the vendors I'd be looking at are Astaro and Sonicwall.  I prefer Astaro security gateways, but many people find them pricey.

However, you mentioned that your IT Vendor is recommending something in particular.  Do they just sell equipment or do they support it as well?  If they are supporting you, you may want to consider using the products they know in order to get the best support.  If you do not like the feature set or the price, tell them so and ask for alternatives.

Has anyone used Smoothwall or pfSense/m0n0wall in their office?

I've used all 3 on my home network at various times over the past 10 years or so. They worked great, but I'm wondering if they are really worth considering for a small - medium size nonprofit.

They run on Linux/FreeBSD, but all the management is done via web pages so they end up being very similar to other commercial solutions. I recently read a positive review about Smoothwall's latest interface, and I've never had any complaints about the UIs.

I'm looking at Smoothwall's feature list, and I'd tempted to say we could replace our PIX with it.

The biggest drawback I see is having to find hardware to run it on. Old PCs work great, but I worry about the power consumption ($$). That's actually why I stopped using m0n0wall a couple years ago (it was prob overkill for my home LAN, anyway).

So, the burning question...
Would it be better to just setup a commercial appliance (like the Netgear FVX538 or even Cisco PIX) in a <100 user office?

or

Is it just as good (or better) to run the free/open source firewalls since they are pretty much the same as the commercial solutions? (maybe as a Virtual Machine?)

I'm using m0n0wall in four office locations.  I've been using them for a couple of years now and they have worked well for my application.  They provide basic protection for Internet access, a hole for our software house to have access to our server, a site to site VPN and VPN access for myself and a couple of other users.  I am running on some old PC iron with 3com nic cards.

If you consider the m0n0wall route I would suggest getting some Compact Flash to IDE (or SATA) adapters so you have no moving disks on your router.  Set up a cold spare as well, so if you have a failure you can swap a complete unit in easily.  (I've never had to use mine)   I'm using a PII 266 pc one that is just providing Internet access (on a 8mb cable connection) up to a 733mhz PIII for the ones with the VPN tunnel.

You can get the embedded appliance version to run m0n0wall, which would have reduced power consumption.  Another option is to look at Untangle and see if you can replace other functions (spam filtering, perimeter virus protection, web filtering) with a single box that would save you some power.

Dave

One of my clients uses Smoothwall with Dan's Guardian plugged in for his firewall.  He's been using it now for over 3 years and has had great success with it.  He installed it on old hardware, but has been considering moving it to a virtual machine.  He has about 50 users at one location and another 50 using various VPNs back to his office.  Based on this and Dave's experiences, I'd say m0n0wall or Smoothwall could manage your firewall/router needs.

djanke

The biggest drawback I see is having to find hardware to run it on. Old PCs work great, but I worry about the power consumption ($$). That's actually why I stopped using m0n0wall a couple years ago (it was prob overkill for my home LAN, anyway).

I haven't brought in a current probe to see exactly how much power the fire wall PC is drawing, but with no hard drive, no monitor, no keyboard, you are looking at a very low power draw for a 7x24 on device.  When you work out the math of the cost of an appliance, vendor support contract, and the current draw of the dedicated appliance, will the difference be that much?  Also if you Virtualize as Chris you can get more economy.  (However I would still have at minimum a m0n0wall box between the Internet and my virtual host machine.)

Being green is good, but if we eliminate the locks on the doors to the building because we need to save maintenance dollars, and if we turn off the lights on the parking lot at night we can save money, but when the place is robbed or people are mugged getting to their cars at night....  There are some things that are a hard cost of doing business.

Dave

I have a related question.  Our network has about 50 workstations, with typically 35 - 40 users active at any one time.  We're running DSL with a Linsys router, and have a VPN set up for off-site access for myself and three other users.  for security reasons I now have to segment the network into at least two and possibly three separate networks, with a few users, including myself having access to each of the networks.

I'm looking at using some sort of Linux box to set up the separate networks.  The only one I have any experience with was IPCop on a smaller network a few years ago.  Can anyone give any insight into how IPCop might stack up against some of the others mentioned here (m0n0wall, sonicwall, etc.) for a network of our size?  As usual, cost is a major consideration.

I think you'd do very well with m0n0wall or Smoothwall Express.  Both have no license cost, you you're just going to need a PC with 3 NICs.  I recommend Smoothwall Express for ease of use.  There is a software appliance download - this is not a virtual appliance.  Its an ISO that will install all you need to make Smoothwall Express work.  So you don't have to configure the Linux isntallation with the appropriate dependent packages in order to make it work.  I think you'd be able to set it up so that a limited number of PCs (based on IP address, so theyd' be static assignments either through a DHCP assignment or manual assignment) could have access across zones to both networks.

I have used Smoothwall and I am currently using www.ipcop.org/.  I found both to be more reliable than the cheap home use routers.  They do cost more in electricity.

The electricity cost is changing.  You could purchase hardware for one of those for less than $300 that runs on a 90W (or less) power supply.  You can even load them on compact flash memory instead of a magnetic hard drive if you wanted to cut more power.  Take a look at miniITX barebones systems with Atom processors (Atom is the low power x86 32-bit processor line).  These would take some tech knowlege with hardware, though.

A couple of belated thoughts:

Your IT vendor might be reco'ing Juniper because 1) they sell it, 2) they support it, 3) they use it.  Ask them.

If you go with a do-it-yourself system like IPcop, Smoothwall or pfSense, you definitely want to use 1GB network cards and not 100MB cards.  That may be one of the 318's bottlenecks.

Check out upp'ing your bandwidth with your current ISP.  In fact, call them, tell them you have bandwidth issues, get a ticket number or reference number, then call back until you get to "Level 2".  I've gotten excellent support from ISP's before but it takes persistence.  Typically, the Level 2 (or 3) techs are network pros and might give you some good advice if you're patient.

Ask around.  There's help out there from a number of sources.