
Hardware Firewall

 
12 March 2002, 01:33 PM
#1
Modrapheniac
Scooby Regular
Thread Starter
Join Date: Feb 2001
Posts: 334

Hi Guys and Gals,
Looking to install a hardware firewall, which one do you recommend? This is going into an NT4 environment, which will be upgraded to W2K within 12 months.
Cheers,

Darrell

12 March 2002, 01:43 PM
#2
IanW
Scooby Regular
Join Date: Jul 2001
Posts: 21,865

I have used the Sonicwalls before at one of our sites, and they worked well.

ChrisB would be the man to answer your questions on them.

12 March 2002, 01:43 PM
#3
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

YHM

12 March 2002, 02:00 PM
#4
RichB
Scooby Regular
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666

Got and use Sonicwalls, good and easy to use/configure but for what we need, the limit of 100 rules is not good enough.

12 March 2002, 03:26 PM
#5
WillieF
Scooby Regular
Join Date: Oct 1999
Posts: 778

Really depends on what you want to do. We actively resell three products that hopefully cover the arena.

Smoothwall - a small but powerful Linux solution that runs on a stand alone box. Not truly a hardware solution but there is no hardware firewall as they all run software somewhere.
Advantages - cheap about £250 + a PC to run it on plus some configuration.

Sonicwall - A small hardware box nice and easy to configure and will do most applications.
Advantages - does what it says on the box and is just that a box
Disadvantages - each model has limits though if you are willing to look at things like the GX which competes more with the following.

Guardian Firewall 1

The mutts nuts but expensive. High throughput high availability high price.

As I say it's down to what you require. Email me and I will give you some more info.

12 March 2002, 05:19 PM
#6
David_Wallis
Scooby Regular
Join Date: Nov 2001
Location: Leeds - It was 562.4bhp@28psi on Optimax, How much closer to 600 with race fuel and a bigger turbo?
Posts: 15,239

think we have a velociraptor... (hardware based raptor..)
Amongst others..

David

12 March 2002, 05:54 PM
#7
krankyd
Scooby Regular
Join Date: May 2001
Posts: 672

Cisco PIX.

THE choice if you have the greenbacks.



12 March 2002, 07:50 PM
#8
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

I'm astonished that no one has mentioned the market leader....


Nokia IP series running Checkpoint Firewall-1.
Walk around any hosting center and these are the boxes you see.


Jeff

12 March 2002, 08:39 PM
#9
rayman
Scooby Regular
Join Date: Aug 2001
Posts: 401

Try Trustix Xsentry Firewall. All the features you would expect with the likes of Cisco. VPN access built in. With most of the other firewalls you have to buy additional modules to get features. This has all that is required to protect your LAN. Available in 2 zone to 4 zone.

Currently have implemented these in large public orgs to SMEs. Has Triple DES IPSEC.

12 March 2002, 08:57 PM
#10
ids
Scooby Regular
Join Date: May 1999
Posts: 424

Go Nokia/FW1 or PIX... you won't go wrong there...

Put loads of both in in combinations and both have pluses/minuses but as I say you won't have issues with either.

You may find the PIX is better from a cost advantage but your reseller may be able to do something as Checkpoint are very aggressive at the moment

Ids

13 March 2002, 01:08 AM
#11
HHxx
Scooby Regular
Join Date: Nov 2001
Posts: 2,576

First thing is how big is the company?

All the firewalls mentioned are good, but depending on the size of your company and what sort of equipment you want to firewall and the budget you have or the amount of money you want to spend gets you your piece of kit....

My company currently run Checkpoint's Firewall 1 NG. Very good product but may be very pricey or major overkill for your company. Checkpoint license their product based on the number of IP addresses behind the firewall. This includes PCs, servers, switches etc...

The other companies may price their solution the same based on ip addresses, but I honestly can't remember. I have to admit I have only worked on Cisco PIX and Firewall 1 as a software based solution for a server and the Nokia box based systems.


Hope this helps you work out the best solution for you.

H

13 March 2002, 09:42 AM
#12
ChrisB
Moderator
Join Date: Dec 1998
Location: Staffs
Posts: 23,573

I don't particularly disagree with anything said so far, but my first question would be how big is your budget and how many machines do you want to "protect"?

Cisco / Nokia + CP1 etc probably offer the best throughput and features but total overkill for anything outside the Enterprise or large hosting environment IMHO.

The 100 rules limit on a SonicWall might become an issue if you have racks of servers but for somebody using xDSL, it's ideal IMO.

Chris.

13 March 2002, 10:52 AM
#13
dsmith
Scooby Regular
Join Date: Mar 1999
Posts: 4,518

Don't get hung up on "Hardware" firewalls.

S/W on a properly secured OS can be just as good -and the hardware will be cheaper to replace should it go wrong.

A PIX is just an ATX Intel PIII PC in a rack case. - go on open one up - The M/B is set back so that extension cables can be run from the serial ports to the console port/failover port.

Deano

13 March 2002, 12:08 PM
#14
RichB
Scooby Regular
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666

So what sort of cost is a CheckPoint FW1 to cover 254 IP addresses, anyone know?

13 March 2002, 12:15 PM
#15
Modrapheniac
Scooby Regular
Thread Starter
Join Date: Feb 2001
Posts: 334

Thanks for all the input Guys!
More info:-
1000 users all accessing the Net, currently using Proxy 2.0 and Gauntlet Firewall 5.5. Upgrading to ISA very soon from Proxy 2.0. Various web and FTP servers in place approx. 20, plus another 80 servers.
Budget is of no concern!
Cheers,
Darrell

13 March 2002, 12:16 PM
#16
kryten
Scooby Regular
Join Date: May 2000
Posts: 869

Can you give any more info about how many machines you've got and what services in/out you want to allow? (eg ftp/www/smtp/pop3 etc etc).

Another option is http://www.firebrick.co.uk/ if you're looking for something offering decent protection for under a grand.

Installed a few of these and they work pretty well, with easy config changes. Let me know if you want exact pricing.

13 March 2002, 12:18 PM
#17
kryten
Scooby Regular
Join Date: May 2000
Posts: 869

Both posted together

Looks like you're after a bigger solution.

All I'd say is make sure you get one with training/consultancy for the setup/install - no use having it sat there if you screw up the config and let everything in anyway!

13 March 2002, 12:54 PM
#18
shunty
Scooby Regular
Join Date: Aug 2001
Location: wakefield
Posts: 2,082

Modrapheniac - if you haven't already got it:

http://isaserver.org/

one_stop_shop for ISA

shunty

14 March 2002, 06:57 AM
#19
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Rich

Checkpoint FW-1 for 250 node is around £8000.

Jeff

14 March 2002, 07:10 AM
#20
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Money no object......

OK then

Foundry Iron Layer 3-7 switch
into
Two Nokia IP 720 with Checkpoint FW-1 V4.1
into
Foundry Iron Layer 3-7 switch
(this will give you Load Balancing & HA)

First Foundry has a connection to another Nokia IP 650 running ISS Realsecure Network Sensor
2nd Foundry has another IP650 running RealSecure (Internal & External IDS). Requires a NT server for management console.
All Public Servers have a RealSecure OS or System Sensor.

NT Server needed to manage the Firewall-1

Internal Foundry is fronted by a NetApp NetCache proxy using ICap for Content Filtering and Anti-Virus

3 Weeks Consultancy

Cost........£120000ish

Jeff

[Edited by Jeff Wiltshire - 3/14/2002 7:11:25 AM]

14 March 2002, 10:22 AM
#21
RichB
Scooby Regular
Join Date: Apr 1999
Location: Bore Knee Muff
Posts: 3,666

I'll stick with the Sonicwall(s) cheers Jeff

14 March 2002, 12:09 PM
#22
P1Fanatic
Scooby Regular
Join Date: Dec 2001
Location: Arborfield, Berkshire
Posts: 12,387

Isn't it true that Nokia are looking to replace FW1 with their own FW software in the near future? I don't work with firewalls but heard this rumour at work and our FW team are already looking at alternatives (non Nokia by the sound of it).

14 March 2002, 12:14 PM
#23
akshay67
Scooby Regular
Join Date: Nov 2001
Posts: 2,342

Depends on how much traffic you are expecting and whether it's a front end (internet facing) or backend (between DMZ and backend) beast.

Up to 250,000 connections, the Nokia IP330 with FW-1 should suffice. A Cisco PIX 515 should also do the trick.

14 March 2002, 03:05 PM
#24
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Rich

Is that comment at the £8000 or £120000?

The Nokia/Checkpoint thing has been rumbling on for some time. I think that Nokia resent the fact that Checkpoint charge so much for what is at the end of the day old software (from the perspective that it goes in Checkpoint's pocket and not Nokia's). Checkpoint are effectively the 'Microsoft' of Firewalls and for anyone to take them on in a serious manner would need significant funds and a corporate reputation. Maybe Nokia have this....maybe they don't. If you look at Raptor/Pix/Guardian they are all being squeezed from the top by Checkpoint and from the bottom by SonicWall, Watchguard, Netscreen etc. Checkpoint are trying to move into the 'appliance' market using NG on various platforms (as are Symantec) and conversely the appliance manufacturers are going upmarket (especially Netscreen).

Interesting times !


jeff

14 March 2002, 11:12 PM
#25
Chris L
Scooby Regular
Join Date: May 2000
Location: MY00,MY01,RX-8, Alfa 147 & Focus ST :-)
Posts: 10,371

I'll add in my comments..

Sonicwall - very good - clever box - shows you how a web based interface should be done. I used to work for a company that was one of the first resellers of these in the UK and I've installed many of them.

Firewall-1 - market leader for good reason. Combined with the Nokia hardware and it becomes a very good product. Performance is excellent. Because Nokia do a range of platforms, they may not necessarily be the overkill solution that you might think (the IP110 works well for small offices). If you are serious then the 330 or 440 models are where you should be looking.

If you want the ultimate performance then stick FW-1 on a multi processor Sun Ultra or equivalent platform. Contrary to popular belief this WILL outperform the Nokia h/w version. It all comes down to how much money you want to spend.

Don't fall into the trap of considering yourself to be 100% secure with a firewall installed - no such thing exists. Your shopping list should ideally include a packet sniffer and some form of intrusion detection software and make sure you get your firewall tested at regular intervals by a 3rd party company (preferably not the company that sold you the firewall - call me a cynic....) who will launch attacks etc.

There are many other good hardware based firewalls on the market, I can only comment on those that I have practical experience of though. Ultimately the effectiveness of the unit will come down to the security policy used and how this is enforced.

Chris

15 March 2002, 07:00 AM
#26
Jeff Wiltshire
Scooby Regular
Join Date: Nov 2000
Location: 412 Wheel HP Audi RS4
Posts: 2,021

Chris

I agree with what you say.

A security device is useless without a security policy and you should have security in depth not just at the perimeter.

If you want really high throughput then the Netscreen 1000 is the daddy (1Gb wire speed stateful inspection!) The GX range from SonicWall will outperform any of the Nokia platforms running FW-1 as well.


Jeff

15 March 2002, 03:25 PM
#27
SiCotty
Scooby Regular
Join Date: Jan 2001
Posts: 442

Go for the PIX

If you have a 2Mbps leased line then look at the new PIX 506E which can run up to 10Mbps of throughput. Or go for the 515E if you want something bigger.

Si

PS. The real daddy is the 535 which has 1.7Gbps throughput.
Old 15 March 2002, 04:04 PM
  #28  
RVeiga
Scooby Regular
 
RVeiga's Avatar
 
Join Date: Mar 2000
Posts: 225
Likes: 0
Received 0 Likes on 0 Posts
Cool

FW-1 on a Sparc outperforms a Nokia, well perhaps if you put it on an E10k. But close to a mill on a FW may be a bit of an overspend!

The fastest performing FWs out there are the Nokia IP740, the NetScreen 1000 or the PIX 535. That is, we assume you are looking for performance on encryption. (Apologies to all other manufacturers, who have delusions of grandeur, but the proof is in the pudding and some of us are fat *******s!)

If you want real performance in hosting areas, load balancing comes into effect - both across multiple hosting centres and within each hosting centre itself. But I will still stick to one of the above mentioned FW platforms! (The FW costs would be approx 10% of the entire thing)

From a security point of view all this is totally pointless if vulnerabilities exist on the systems which need to be opened to the web.

Anyway from a small/SME business if self management is important I would go for a SonicWall or NetScreen. If management outsourcing is an option I would go for a Nokia/FW-1 (but only to a Check Point Managed Service Partner) or Pix (to a Cisco Security Partner).

Alternately, I will negotiate a config of a tables/Snort/PortSentry config. For cash of Course

