#172171 - 2006-12-29 02:47 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Ja, everyone loves to bash M$, but lack of security is NOT a valid reason to pass on ISA. A lack of features like dual-WAN support, bandwidth shaping, 1:1 NAT, etc., is what drives most people to linux based products.

OTOH, ISA is feature rich in its stateful inspection, integration with AD, Outlook integration, etc. which can deliver a more secure product. Personally, I probably would not put it out on the edge, but rather put it behind another product that helps make up for ISA's shortcomings.

There has been very little said about what is really needed in a firewall, and making decisions in a vacuum based on what platform it runs on is just plain stupid. In my organization, we have all kinds of firewalls in different places for different reasons.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#172175 - 2006-12-29 04:38 PM Re: Need suggestions for (Linux) firewall [Re: Les]
Glenn Barnas Administrator Offline
KiX Supporter
*****

Registered: 2003-01-28
Posts: 4400
Loc: New Jersey
Originally Posted By: Les
I haven't seen anyone mention ISA server.

I use ISA 2K6 in my office and at the branch site, and we use an ISA 2K cluster at work. I am very pleased with the performance and capabilities, but - as the original request was for "low budget" - I didn't think it was a fit. It does really lock down the machine it runs on, and has some really good features, like integration into AD, allowing/denying access on a per-user basis, and stateful packet inspection of all (including encrypted) traffic. Another huge benefit is the real-time monitoring/logging, which is invaluable for troubleshooting.

Glenn
_________________________
Actually I am a Rocket Scientist! :D

#172178 - 2006-12-29 04:51 PM Re: Need suggestions for (Linux) firewall [Re: Glenn Barnas]
Mart Moderator Offline
KiX Supporter
*****

Registered: 2002-03-27
Posts: 4673
Loc: The Netherlands
Originally Posted By: Glenn Barnas

....
as the original request was for "low budget" - I didn't think it was a fit.
....
like integration into AD, allowing/denying access on a per-user basis, and stateful packet inspection of all (including encrypted) traffic
.....


Low budget would be nice but if the low budget stuff does not completely fit our needs we need to look at the others. Low budget is not an absolute must but would be nice.

Integration into AD and per user allowing/denying access would be great. My CEO asked this numerous times in the past and it is at the top of his wish list.

I just dl-ed the 180 day evaluation copy of ISA2K6. Next week I'll take a spare system and set up a test lab.
_________________________
Mart

- Chuck Norris once sold ebay to ebay on ebay.

#172186 - 2006-12-29 06:38 PM Re: Need suggestions for (Linux) firewall [Re: Mart]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
It is not always about purchase price. There is the hidden cost of supporting whatever solution you choose. I'm not saying that ISA is brain-dead simple but the learning curve on some products could be worse.

If you think ISA is expensive, try pricing out CheckPoint or some of the Cisco solutions. Then look at some of the free linux products and factor the learning curve and support cost. As I mentioned, we use all of the above but for different reasons. The cheapest (monowall) and the most expensive (CheckPoint) both run on Linux. So does our Symantec but it has been in the toilet lately. I can't speak to what our Cisco stuff is and costs because that is upstream to me, so it could very well bump CheckPoint to second place in cost.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.

#172195 - 2006-12-29 09:02 PM Re: Need suggestions for (Linux) firewall [Re: Les]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
now we are talking.

imho, if you wanna get a firewall simply up and running,
maybe even with the simple basic rules:
- allow this
- allow that
- deny everything else

that's easy to do with linux.
and it's still cheap.
ditch the suse though, you'll be a lot better off with other distros, like fedora.

when it comes to symantec, for some reason I have very little trust in that company and its abilities. probably would choose watchguard instead.
_________________________
!

download KiXnet

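The "allow this, allow that, deny everything else" policy Lonkero describes, as an added example that is not part of the original thread: a POSIX shell script that emits a minimal stateful iptables ruleset with DROP as the default. The WAN/LAN interface names, the LAN subnet and the published TCP ports are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example: default-deny iptables policy for a small Linux edge firewall.
# Assumptions (not from the thread): WAN on eth0, LAN on eth1,
# LAN subnet 192.168.1.0/24, SSH (22) and HTTPS (443) published to the WAN.
# The script prints the iptables commands; review them, then run as root.
WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
ALLOWED_TCP="${ALLOWED_TCP:-22 443}"

gen_rules() {
  # Start clean and make DROP the default: anything not listed below is denied.
  echo "iptables -F"
  echo "iptables -X"
  echo "iptables -P INPUT DROP"
  echo "iptables -P FORWARD DROP"
  echo "iptables -P OUTPUT ACCEPT"
  # Loopback, plus stateful acceptance of replies to connections we allowed.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Anti-spoofing: LAN source addresses must never arrive on the WAN side.
  echo "iptables -A INPUT -i $WAN_IF -s $LAN_NET -j DROP"
  echo "iptables -A FORWARD -i $WAN_IF -s $LAN_NET -j DROP"
  # "allow this / allow that": only new connections to published ports.
  for port in $ALLOWED_TCP; do
    echo "iptables -A INPUT -i $WAN_IF -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
  done
  # LAN clients may talk to the firewall and go out to the WAN behind NAT.
  echo "iptables -A INPUT -i $LAN_IF -s $LAN_NET -j ACCEPT"
  echo "iptables -A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT"
  echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE"
  # Rate-limited logging of what is about to hit the DROP policy, for troubleshooting.
  echo "iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
  echo "iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix 'FW-DROP: '"
}

# Number of generated commands; handy for a quick sanity check of the policy.
rule_count() { gen_rules | wc -l | tr -d ' '; }

gen_rules
```

Apply with `sh firewall.sh | sudo sh` once the output looks right; the LOG lines are what you grep for in the kernel log when something unexpected is blocked.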
#172211 - 2006-12-30 12:04 AM Re: Need suggestions for (Linux) firewall [Re: Lonkero]
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
We had a WatchGuard FireBox II. What I remember is that it was rather easy to reconfigure. But the rules were not really what you call "numbered". There is just a pool of rules. Due to that, making complicated rulebases, where the order mattered, was just impossible.
Oh yes, I believe it could also be configured in "bridge mode".

Top
#172212 - 2006-12-30 12:32 AM Re: Need suggestions for (Linux) firewall [Re: Witto]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
well, you can enable auto-ordering or do manual ordering of the rules.
but you won't see the numbers if you keep the cute view on.
just like you don't see details in windows folders if you have the large icons view on.

I bet I didn't mention that I've been testing a lot of firewalls lately and spent a lot of time with WG firewalls.
_________________________
!

download KiXnet

#172226 - 2006-12-30 12:49 AM Re: Need suggestions for (Linux) firewall [Re: Lonkero]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
And none of these software solutions are probably going to be able to handle a DDoS attack. That requires a heavy duty dedicated piece of hardware.
#172236 - 2006-12-30 10:11 AM Re: Need suggestions for (Linux) firewall [Re: Lonkero]
Witto Offline
MM club member
*****

Registered: 2004-09-29
Posts: 1828
Loc: Belgium
I think I will dig up that WG FBII somewhere. I cannot remember that we could sort or number the rules. As the FBII is discontinued, are there more recent models?
#172239 - 2006-12-30 01:20 PM Re: Need suggestions for (Linux) firewall [Re: Witto]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
witto, sure.
edge, edge e, core 500, core 700 and core 550e

depending on the size of your network and usage amounts you would need to decide between edge and core lines.
in your case money would most likely be a huge player in the decision.
_________________________
!

download KiXnet

#172386 - 2007-01-04 03:17 PM Re: Need suggestions for (Linux) firewall [Re: Lonkero]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
how about something that's proven and of course costs some money first, then something 'free', or isa after? thought my layout was quite nice :)
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172467 - 2007-01-06 07:06 PM Re: Need suggestions for (Linux) firewall [Re: Björn]
Co Offline
MM club member
***

Registered: 2000-11-20
Posts: 1342
Loc: NL
I agree... At front Cisco Pix and an ISA Server as a backend firewall.

There is support for both products. There are many people who have knowledge about both products. When Mart walks against a car ;) someone else can take his place easily.
Most managers only look at the price of a product but they don't look at the time it takes to configure and support it... A cheaper or free product can eventually become more expensive.
_________________________
Co


#172471 - 2007-01-06 08:21 PM Re: Need suggestions for (Linux) firewall [Re: Co]
Lonkero Administrator Offline
KiX Master Guru
*****

Registered: 2001-06-05
Posts: 22346
Loc: OK
and that's why it shouldn't be a cisco product. ;)

linux firewall will be cheaper to get running and maintain.

if you are however wanting something bigger... say antivirus at the wall and webproxy and maybe proper IPS, some commercial products are way easier in that sense.
still wouldn't buy a cisco product though.
_________________________
!

download KiXnet

#172476 - 2007-01-06 09:58 PM Re: Need suggestions for (Linux) firewall [Re: Lonkero]
NTDOC Administrator Offline
Administrator
*****

Registered: 2000-07-28
Posts: 11625
Loc: CA
Plenty of things on the market. The #1 thing Cisco has going for it is excellent support which many of the others DO NOT.
#172516 - 2007-01-08 01:41 PM Re: Need suggestions for (Linux) firewall [Re: NTDOC]
Richard H. Administrator Offline
Administrator
*****

Registered: 2000-01-24
Posts: 4946
Loc: Leatherhead, Surrey, UK
Originally Posted By: NTDOC
Plenty of things on the market. The #1 thing Cisco has going for it is excellent support which many of the others DO NOT.


Good point. When you are looking at solutions you will also need to ensure that you are not limiting the rest of your environment. For example, if you need to deploy something like Websense for rule based URL blocking it will only integrate with a limited number of firewall solutions.

BTW, I'm not advocating that anyone should deploy Websense - there are other solutions on the market.

#172517 - 2007-01-08 02:58 PM Re: Need suggestions for (Linux) firewall [Re: Richard H.]
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
If you've got an AD behind the firewall, I'd most definitely recommend the newest ISA. It's a really good and very safe product that will bring you more integration and features than most if not all other firewalls (given the tight integration with AD).
_________________________
The tart is out there

#172524 - 2007-01-08 03:39 PM Re: Need suggestions for (Linux) firewall [Re: masken]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Masken, I'm sorry, but since I have no experience with ISA (yet), I cannot really see the benefits with integrating it with the AD. In my current opinion a firewall should stay a bit back from other structural things in the lan, since it can be proven to be a security-issue later on (somehow, perhaps I am totally wrong).
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172531 - 2007-01-08 03:57 PM Re: Need suggestions for (Linux) firewall [Re: Björn]
masken Offline
MM club member
*****

Registered: 2000-11-27
Posts: 1222
Loc: Gothenburg, Sweden
The ISA is of course a stand-alone, but you set it up to communicate with a DC through an encrypted pipe, thereby taking advantage of integration :)

Integration has several advantages; quotas, priority, externally available Intranets, secure application publishing, branch office gateway, single sign on, and last but not least very good per-user or group reporting etc :)

http://www.microsoft.com/isaserver/prodinfo/features.mspx


Edited by masken (2007-01-08 03:57 PM)
_________________________
The tart is out there

#172533 - 2007-01-08 04:01 PM Re: Need suggestions for (Linux) firewall [Re: masken]
Björn Offline
Korg Regular
*****

Registered: 2005-12-07
Posts: 953
Loc: Stockholm, Sweden.
Mkay. I change my statement - I now see the benefits with it, and kinda like it. But putting an ISA at front is still for me committing suicide. Nothing is secure enough, and with those features - no. But, behind something else - Yes indeed in a corporate environment.
_________________________
as long as it works - why fix it?
If it doesn't work - kix-it!

#172536 - 2007-01-08 04:06 PM Re: Need suggestions for (Linux) firewall [Re: masken]
Les Offline
KiX Master
*****

Registered: 2001-06-11
Posts: 12734
Loc: fortfrances.on.ca
Don't fall for the hype that says ISA should be stand-alone. There are additional security features when integrating it with your AD. If you were to set up two of them in series, you might consider making the one on the edge stand-alone.

I suggest however that you not put ISA on the edge. Not because of security but rather because it lacks some features like 1:1 NAT. By using a packet filtering hardware firewall like a PIX, it can take the bashing at the edge and do your 1:1 NATting, leaving the ISA on the inside doing what it does best. You can then treat the network between the two as a DMZ.
_________________________
Give a man a fish and he will be back for more. Slap him with a fish and he will go away forever.
