Firewall comparisons

Archived from groups: comp.security.firewalls

We are looking for a new firewall to deploy at employee homes. We are
looking to replace the Linksys systems that are already there, with
something a bit more robust.

I've been looking for a comparison of firewalls, but cannot find
anything up-to-date and useful. Any suggestions?

I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.

Anybody have experience with any of these?

bk
  1. Archived from groups: comp.security.firewalls

    In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
    > We are looking for a new firewall to deploy at employee homes. We are
    > looking to replace the Linksys systems that are already there, with
    > something a bit more robust.
    >
    > I've been looking for a comparison of firewalls, but cannot find
    > anything up-to-date and useful. Any suggestions?
    >
    > I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
    > GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
    >
    > Anybody have experience with any of these?

    All of them.

    It would help if we had a better understanding of what you are trying to
    provide - more robust than linksys doesn't give much to work with.

    Are you looking for IPSec tunnels between the device and the office or
    are you looking to use client software for the tunnel?

    How many IP do the home users have, more than one?

    What services do the home users have in/outbound?

    Are you going to let the home users manage the units so that they can
    also do their personal tasks?

    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  2. Archived from groups: comp.security.firewalls

    Leythos wrote:
    > In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
    >
    >>We are looking for a new firewall to deploy at employee homes. We are
    >>looking to replace the Linksys systems that are already there, with
    >>something a bit more robust.
    >>
    >>I've been looking for a comparison of firewalls, but cannot find
    >>anything up-to-date and useful. Any suggestions?
    >>
    >>I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
    >>GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
    >>
    >>Anybody have experience with any of these?
    >
    >
    > All of them.
    >
    > It would help if we had a better understanding of what you are trying to
    > provide - more robust than linksys doesn't give much to work with.

    Good point

    > Are you looking for IPSec tunnels between the device and the office or
    > are you looking to use client software for the tunnel?

    Right now we are using Cisco's vpnclient software to establish the VPNs
    and I am leaning toward keeping it that way, since it would mean only
    one box gets actual access to the corp net, as opposed to any box
    establishing the connection. I'm sure that it's configurable but I'd like to
    keep it simpler since the users are going to want to do their own thing too.

    > How many IP do the home users have, more than one?

    More than one. Some have a few systems.

    > What services do the home users have in/outbound?

    Inbound should be nothing by default. Some have configured web and mail
    servers inbound.

    > Are you going to let the home users manage the units so that they can
    > also do their personal tasks?

    Yep, I want a good web interface for this. And I'd probably want the
    ability to manage from the office as well, to debug, and audit and such.
  3. Archived from groups: comp.security.firewalls

    On Thu, 03 Jun 2004 10:03:00 -0400, Bob Kryger <NSbobkNS@panix.com>
    wrote:
    >
    >We are looking for a new firewall to deploy at employee homes. We are
    >looking to replace the Linksys systems that are already there, with
    >something a bit more robust.
    >

    I'd recommend a look at the ZyXEL ZyWALL 2X Internet Security Gateway,
    perfect for telecommuters. This device is ICSA-certified for both
    Firewall and IPsec and is very robust and affordable. Depending on the
    number of devices you are interested in, I could get you a really good
    deal.

    Have a look at http://shopping.nowthor.com/0760559110178.html for more
    info.

    I'd be happy to further discuss this with you over the phone. You may
    reach me at 703-668-9403 and leave a msg if I'm not available at the
    time.

    Thanks!

    Carlos Antunes
    Nowthor Corporation
  4. Archived from groups: comp.security.firewalls

    In article <40BF5C3D.9020904@panix.com>, NSbobkNS@panix.com says...
    > Leythos wrote:
    > > In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
    > >
    > >>We are looking for a new firewall to deploy at employee homes. We are
    > >>looking to replace the Linksys systems that are already there, with
    > >>something a bit more robust.
    > >>
    > >>I've been looking for a comparison of firewalls, but cannot find
    > >>anything up-to-date and useful. Any suggestions?
    > >>
    > >>I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
    > >>GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
    > >>
    > >>Anybody have experience with any of these?
    > >
    > >
    > > All of them.
    > >
    > > It would help if we had a better understanding of what you are trying to
    > > provide - more robust than linksys doesn't give much to work with.
    >
    > Good point
    >
    > > Are you looking for IPSec tunnels between the device and the office or
    > > are you looking to use client software for the tunnel?
    >
    > Right now we are using Cisco's vpnclient software to establish the VPNs
    > and I am leaning toward keeping it that way, since it would mean only
    > one box gets actual access to the corp net, as opposed to any box
    > establishing the connection. I'm sure that it's configurable but I'd like to
    > keep it simpler since the users are going to want to do their own thing too.
    >
    > > How many IP do the home users have, more than one?
    >
    > More than one. Some have a few systems.
    >
    > > What services do the home users have in/outbound?
    >
    > Inbound should be nothing by default. Some have configured web and mail
    > servers inbound.
    >
    > > Are you going to let the home users manage the units so that they can
    > > also do their personal tasks?
    >
    > Yep, I want a good web interface for this. And I'd probably want the
    > ability to manage from the office as well, to debug, and audit and such.

    For the cost, I can't see where a real firewall is going to do much for
    you. With home users being able to edit the rules, and the
    cost/restrictions of a real firewall, you are better off getting a
    Linksys BEFSX type unit and letting them sit behind it. The reasoning is
    that if the users can edit the rules, they will screw it up - the first
    port forward of 80/443, or some other for P2P, will let their systems be
    compromised - so it doesn't really matter if they have a real firewall
    appliance or a router/nat box.

    As for remote management - I would not enable it, but ask them to run
    VNC on their machines and then let you connect over the VPN to manage
    the routers/firewall.

    I'm thinking the typical home user, once they get into the rule sets,
    it's not going to matter much - you'll have about as much protection as
    a router will offer.


    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  5. Archived from groups: comp.security.firewalls

    Update

    I looked at the PIX 501, NetScreen 5, GnatBox, and one other, the name
    of which escapes me at the moment.

    I've decided to go with the NetScreen5GT. It has a number of attractive
    features, including support for multiple WAN 'dirty' connections, so
    that if the user's cable modem goes down, you can fail over to his DSL.
    Assuming he has both of course.

    Also the possibility of multiple 'zones'. I have to check this one out
    further, but the thinking is that we could have 3 zones on the FW, one
    for outside, one for the work system and one for the user's personal
    systems (i.e. his kids).

    And it all integrates with the central management tool, not that I'll be
    going there, but I will have SSH into the firewall for mgmt.

    More to come as I implement.

    bk


    Leythos wrote:
    In article <40BF5C3D.9020904@panix.com>, NSbobkNS@panix.com says...
    >
    >>Leythos wrote:
    >>
    >>>In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
    >>>
    >>>
    >>>>We are looking for a new firewall to deploy at employee homes. We are
    >>>>looking to replace the Linksys systems that are already there, with
    >>>>something a bit more robust.
    >>>>
    >>>>I've been looking for a comparison of firewalls, but cannot find
    >>>>anything up-to-date and useful. Any suggestions?
    >>>>
    >>>>I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
    >>>>GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
    >>>>
    >>>>Anybody have experience with any of these?
    >>>
    >>>
    >>>All of them.
    >>>
    >>>It would help if we had a better understanding of what you are trying to
    >>>provide - more robust than linksys doesn't give much to work with.
    >>
    >>Good point
    >>
    >>
    >>>Are you looking for IPSec tunnels between the device and the office or
    >>>are you looking to use client software for the tunnel?
    >>
    >>Right now we are using Cisco's vpnclient software to establish the VPNs
    >>and I am leaning toward keeping it that way, since it would mean only
    >>one box gets actual access to the corp net, as opposed to any box
    >>establishing the connection. I'm sure that it's configurable but I'd like to
    >>keep it simpler since the users are going to want to do their own thing too.
    >>
    >>
    >>>How many IP do the home users have, more than one?
    >>
    >>More than one. Some have a few systems.
    >>
    >>
    >>>What services do the home users have in/outbound?
    >>
    >>Inbound should be nothing by default. Some have configured web and mail
    >>servers inbound.
    >>
    >>
    >>>Are you going to let the home users manage the units so that they can
    >>>also do their personal tasks?
    >>
    >>Yep, I want a good web interface for this. And I'd probably want the
    >>ability to manage from the office as well, to debug, and audit and such.
    >
    >
    > For the cost, I can't see where a real firewall is going to do much for
    > you. With home users being able to edit the rules, and the
    > cost/restrictions of a real firewall, you are better off getting a
    > Linksys BEFSX type unit and letting them sit behind it. The reasoning is
    > that if the users can edit the rules, they will screw it up - the first
    > port forward of 80/443, or some other for P2P, will let their systems be
    > compromised - so it doesn't really matter if they have a real firewall
    > appliance or a router/nat box.
    >
    > As for remote management - I would not enable it, but ask them to run
    > VNC on their machines and then let you connect over the VPN to manage
    > the routers/firewall.
    >
    > I'm thinking the typical home user, once they get into the rule sets,
    > it's not going to matter much - you'll have about as much protection as
    > a router will offer.
    >
    >
    >
  6. Archived from groups: comp.security.firewalls

    "Bob Kryger" <NSbobkNS@panix.com> wrote in message
    news:ca6se7$mqi$1@reader2.panix.com...
    > Update
    >
    > I looked at the PIX 501, NetScreen 5, GnatBox, and one other, the name
    > of which escapes me at the moment.
    >
    > I've decided to go with the NetScreen5GT. It has a number of attractive
    > features, including support for multiple WAN 'dirty' connections, so
    > that if the user's cable modem goes down, you can fail over to his DSL.
    > Assuming he has both of course.
    >
    > Also the possibility of multiple 'zones'. I have to check this one out
    > further, but the thinking is that we could have 3 zones on the FW, one
    > for outside, one for the work system and one for the user's personal
    > systems (i.e. his kids).
    >
    > And it all integrates with the central management tool, not that I'll be
    > going there, but I will have SSH into the firewall for mgmt.
    >
    > More to come as I implement.
    >
    > bk

    The NetScreen 5GT is a solid product. Just to be clear, though, the 5GT
    product line does not have "full" support for multiple security zones like
    its bigger brethren. On the bigger units you can create security zones and
    bind the physical ethernet ports to security zones however you see fit. You
    can even bind VLAN tagged traffic to a specific security zone. The
    flexibility is really nice.

    On the 5GT, they limit you to a certain set of predefined "port modes"
    though. I believe that this is because they are trying to discourage people
    from trying to use a lowly 5GT in some complex enterprise setting where it
    probably doesn't really belong based on throughput and session count limits
    anyway. Here are the modes:

    Physical Ports:   Serial  Untrust  Eth4  Eth3  Eth2  Eth1
    ---------------------------------------------------------
    Trust-Untrust       M        U      T     T     T     T
    Home-Work           M        U      H     H     W     W
    Dual-Untrust        -        U      U     T     T     T
    Combined            -        U      U     H     H     W

    (M = modem backup, U = Untrust, T = Trust, H = Home, W = Work)

    Hopefully, the above chart doesn't get too garbled. The default
    Trust-Untrust mode provides 1 Untrust and 4 Trust ports with modem backup
    through a serial port. Home-Work splits the 4 trusted ports into a "Home"
    zone and a "Work" zone. Traffic can go from Work to Home, but not the other
    way around. It is mainly to somewhat alleviate security concerns for
    corporate work-at-home users that have a VPN from the Work zone into their
    corporate LAN. Some people try to configure the 5GT where the Home zone sort
    of acts like a DMZ, but this can be problematic and to get a real DMZ
    security zone you have to buy the 5GT Extended model which is significantly
    more expensive. The Dual-Untrust and the Combined modes allow for redundant
    untrusted WAN connections as you noted.

    Alec
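The port-mode chart and zone rules in Alec's post, and Bob's wish for outside/work/personal zones with WAN failover, as a small added model (illustration only, not ScreenOS or anything from the thread; the ALLOWED default-policy table is an assumption, and ports absent from a mode are treated as unusable):

```python
"""Toy model of the NetScreen 5GT port modes from the post and the zone rules
it states (Work -> Home passes, Home -> Work does not, nothing inbound from
Untrust by default). Added illustration, not ScreenOS code; ALLOWED is assumed."""

# Port-mode chart from the post: physical port -> zone letter
# (M = modem backup on serial, U = Untrust, T = Trust, H = Home, W = Work).
PORT_MODES = {
    "Trust-Untrust": {"Serial": "M", "Untrust": "U", "Eth4": "T",
                      "Eth3": "T", "Eth2": "T", "Eth1": "T"},
    "Home-Work":     {"Serial": "M", "Untrust": "U", "Eth4": "H",
                      "Eth3": "H", "Eth2": "W", "Eth1": "W"},
    "Dual-Untrust":  {"Untrust": "U", "Eth4": "U", "Eth3": "T",
                      "Eth2": "T", "Eth1": "T"},
    "Combined":      {"Untrust": "U", "Eth4": "U", "Eth3": "H",
                      "Eth2": "H", "Eth1": "W"},
}
ZONE_NAME = {"U": "Untrust", "M": "Untrust", "T": "Trust",
             "H": "Home", "W": "Work"}

# Assumed default inter-zone policy: (from_zone, to_zone) pairs that pass.
# Untrust is never a source, i.e. nothing inbound unless a rule is added.
ALLOWED = {("Trust", "Untrust"), ("Home", "Untrust"),
           ("Work", "Untrust"), ("Work", "Home")}

def zones_in_mode(mode):
    """Security zones a port mode actually provides."""
    return {ZONE_NAME[z] for z in PORT_MODES[mode].values()}

def modes_for(required_zones, need_dual_wan=False):
    """Port modes offering every required zone and, if asked, two Ethernet
    Untrust ports for redundant WAN links (the thread's failover wish)."""
    hits = []
    for mode, ports in PORT_MODES.items():
        if not set(required_zones) <= zones_in_mode(mode):
            continue
        if need_dual_wan and list(ports.values()).count("U") < 2:
            continue
        hits.append(mode)
    return hits

def flow_allowed(mode, in_port, out_port):
    """Does a session entering in_port and leaving out_port pass under the
    assumed default policy? Traffic within one zone is treated as permitted."""
    ports = PORT_MODES[mode]
    if in_port not in ports or out_port not in ports:
        raise ValueError(f"port not present in mode {mode}")
    src, dst = ZONE_NAME[ports[in_port]], ZONE_NAME[ports[out_port]]
    return src == dst or (src, dst) in ALLOWED
```

With Bob's three zones plus failover, `modes_for({"Untrust", "Work", "Home"}, need_dual_wan=True)` narrows the choice to the Combined mode, which is why the post's mode table matters more than the zone count alone.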