Firewall comparisons

Tags:
  • Firewalls
  • Security
  • Networking
Anonymous
June 3, 2004 2:03:00 PM

Archived from groups: comp.security.firewalls

We are looking for a new firewall to deploy at employee homes. We are
looking to replace the Linksys systems that are already there, with
something a bit more robust.

I've been looking for a comparison of firewalls, but cannot find
anything up-to-date and useful. Any suggestions?

I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.

Anybody have experience with any of these?

bk

Anonymous
June 3, 2004 6:52:22 PM

In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
> We are looking for a new firewall to deploy at employee homes. We are
> looking to replace the Linksys systems that are already there, with
> something a bit more robust.
>
> I've been looking for a comparison of firewalls, but cannot find
> anything up-to-date and useful. Any suggestions?
>
> I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
> GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
>
> Anybody have experience with any of these?

All of them.

It would help if we had a better understanding of what you are trying to
provide - more robust than Linksys doesn't give much to work with.

Are you looking for IPSec tunnels between the device and the office or
are you looking to use client software for the tunnel?

How many IP do the home users have, more than one?

What services do the home users have in/outbound?

Are you going to let the home users manage the units so that they can
also do their personal tasks?

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 3, 2004 6:52:23 PM

Leythos wrote:
> In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
>
>>We are looking for a new firewall to deploy at employee homes. We are
>>looking to replace the Linksys systems that are already there, with
>>something a bit more robust.
>>
>>I've been looking for a comparison of firewalls, but cannot find
>>anything up-to-date and useful. Any suggestions?
>>
>>I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
>>GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
>>
>>Anybody have experience with any of these?
>
>
> All of them.
>
> It would help if we had a better understanding of what you are trying to
> provide - more robust than Linksys doesn't give much to work with.

Good point

> Are you looking for IPSec tunnels between the device and the office or
> are you looking to use client software for the tunnel?

Right now we are using Cisco's vpnclient software to establish the VPNs
and I am leaning toward keeping it that way, since it would mean only
one box gets actual access to the corp net, as opposed to any box
establishing the connect. I'm sure that it's configurable but I'd like to
keep it simpler since the users are going to want to do their own thing too.

> How many IP do the home users have, more than one?

More than one. Some have a few systems.

> What services do the home users have in/outbound?

Inbound should be nothing by default. Some have configured web and mail
servers inbound.

> Are you going to let the home users manage the units so that they can
> also do their personal tasks?

Yep, I want a good web interface for this. And I'd probably want the
ability to manage from the office as well, to debug, and audit and such.
Anonymous
June 3, 2004 9:13:03 PM

On Thu, 03 Jun 2004 10:03:00 -0400, Bob Kryger <NSbobkNS@panix.com>
wrote:
>
>We are looking for a new firewall to deploy at employee homes. We are
>looking to replace the Linksys systems that are already there, with
>something a bit more robust.
>

I'd recommend a look at the ZyXEL ZyWALL 2X Internet Security Gateway,
perfect for telecommuters. This device is ICSA-certified for both
Firewall and IPsec and is very robust and affordable. Depending on the
number of devices you are interested in, I could get you a really good
deal.

Have a look at http://shopping.nowthor.com/0760559110178.html for more
info.

I'd be happy to further discuss this with you over the phone. You may
reach me at 703-668-9403 and leave a msg if I'm not available at the
time.

Thanks!

Carlos Antunes
Nowthor Corporation
Anonymous
June 4, 2004 12:51:44 AM

In article <40BF5C3D.9020904@panix.com>, NSbobkNS@panix.com says...
> Leythos wrote:
> > In article <c9nb2p$i7h$1@reader2.panix.com>, NSbobkNS@panix.com says...
> >
> >>We are looking for a new firewall to deploy at employee homes. We are
> >>looking to replace the Linksys systems that are already there, with
> >>something a bit more robust.
> >>
> >>I've been looking for a comparison of firewalls, but cannot find
> >>anything up-to-date and useful. Any suggestions?
> >>
> >>I am looking at the PIX501, NetScreen 5, WatchGuard Firebox SoHo 6 and
> >>GTA Gnatbox GB-200 at the moment. I'll do a quick matrix of them.
> >>
> >>Anybody have experience with any of these?
> >
> >
> > All of them.
> >
> > It would help if we had a better understanding of what you are trying to
> > provide - more robust than Linksys doesn't give much to work with.
>
> Good point
>
> > Are you looking for IPSec tunnels between the device and the office or
> > are you looking to use client software for the tunnel?
>
> Right now we are using Cisco's vpnclient software to establish the VPNs
> and I am leaning toward keeping it that way, since it would mean only
> one box gets actual access to the corp net, as opposed to any box
> establishing the connect. I'm sure that it's configurable but I'd like to
> keep it simpler since the users are going to want to do their own thing too.
>
> > How many IP do the home users have, more than one?
>
> More than one. Some have a few systems.
>
> > What services do the home users have in/outbound?
>
> Inbound should be nothing by default. Some have configured web and mail
> servers inbound.
>
> > Are you going to let the home users manage the units so that they can
> > also do their personal tasks?
>
> Yep, I want a good web interface for this. And I'd probably want the
> ability to manage from the office as well, to debug, and audit and such.

For the cost, I can't see where a real firewall is going to do much for
you. With home users being able to edit the rules, and the
cost/restrictions of a real firewall, you are better off getting a
Linksys BEFSX type unit and letting them sit behind it. The reasoning is
that if the users can edit the rules, they will screw it up - the first
port forward of 80/443, or some other for P2P, will let their systems be
compromised - so it doesn't really matter if they have a real firewall
appliance or a router/nat box.

As for remote management - I would not enable it, but ask them to run
VNC on their machines and then let you connect over the VPN to manage
the routers/firewall.

I'm thinking the typical home user, once they get into the rule sets,
it's not going to matter much - you'll have about as much protection as
a router will offer.



--
spamfree999@rrohio.com
(Remove 999 to reply to me)
Anonymous
June 9, 2004 11:30:57 AM

Update

I looked at the PIX 501, NetScreen 5, GnatBox, and one other, the name
of which escapes me at the moment.

I've decided to go with the NetScreen5GT. It has a number of attractive
features, including support for multiple WAN 'dirty' connections, so
that if the user's cable modem goes down, you can fail over to his DSL.
Assuming he has both of course.

Also the possibility of multiple 'zones'. I have to check this one out
further, but the thinking is that we could have 3 zones on the FW, one
for outside, one for the work system and one for the user's personal
systems (i.e. his kids).

And it all integrates with the central management tool, not that I'll be
going there, but I will have SSH into the firewall for mgmt.

More to come as I implement.

bk

June 9, 2004 9:10:24 PM

"Bob Kryger" <NSbobkNS@panix.com> wrote in message
news:ca6se7$mqi$1@reader2.panix.com...
> Update
>
> I looked at the PIX 501, NetScreen 5, GnatBox, and one other, the name
> of which escapes me at the moment.
>
> I've decided to go with the NetScreen5GT. It has a number of attractive
> features, including support for multiple WAN 'dirty' connections, so
> that if the user's cable modem goes down, you can fail over to his DSL.
> Assuming he has both of course.
>
> Also the possibility of multiple 'zones'. I have to check this one out
> further, but the thinking is that we could have 3 zones on the FW, one
> for outside, one for the work system and one for the user's personal
> systems (i.e. his kids).
>
> And it all integrates with the central management tool, not that I'll be
> going there, but I will have SSH into the firewall for mgmt.
>
> More to come as I implement.
>
> bk

The NetScreen 5GT is a solid product. Just to be clear, though, the 5GT
product line does not have "full" support for multiple security zones like
its bigger brethren. On the bigger units you can create security zones and
bind the physical ethernet ports to security zones however you see fit. You
can even bind VLAN tagged traffic to a specific security zone. The
flexibility is really nice.

On the 5GT, they limit you to a certain set of predefined "port modes"
though. I believe that this is because they are trying to discourage people
from trying to use a lowly 5GT in some complex enterprise setting where it
probably doesn't really belong based on throughput and session count limits
anyway. Here are the modes:

Physical Ports:  Serial  Untrust  Eth4  Eth3  Eth2  Eth1
---------------------------------------------------------
Trust-Untrust    M       U        T     T     T     T
Home-Work        M       U        H     H     W     W
Dual-Untrust             U        U     T     T     T
Combined                 U        U     H     H     W

Hopefully, the above chart doesn't get too garbled. The default
Trust-Untrust mode provides 1 Untrust and 4 Trust ports with modem backup
through a serial port. Home-Work splits the 4 trusted ports into a "Home"
zone and a "Work" zone. Traffic can go from Work to Home, but not the other
way around. It is mainly to somewhat alleviate security concerns for
corporate work-at-home users that have a VPN from the Work zone into their
corporate LAN. Some people try to configure the 5GT where the Home zone sort
of acts like a DMZ, but this can be problematic and to get a real DMZ
security zone you have to buy the 5GT Extended model which is significantly
more expensive. The Dual-Untrust and the Combined modes allow for redundant
untrusted WAN connections as you noted.

Alec
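As an added example (not code from the thread or from Juniper/NetScreen), the port-mode chart above and the one-way Work-to-Home policy Alec describes can be turned into a small model that also checks the failure mode Leythos raised earlier: a user's port-forward landing in the same zone as the PC that holds the corporate VPN. Treating the serial "M" port as Untrust-side, the default zone policy and the sample rules are assumptions constructed here; the audit is run across all four modes, which goes beyond the single Home-Work case discussed in the post.

```python
# Added example (not from the thread): a model of the NetScreen-5GT port modes
# in Alec's chart, the one-way Work->Home policy he describes, and an audit
# for Leythos' concern: a user's port-forward landing in the zone of the PC
# that holds the corporate VPN. Serial "M" as Untrust-side, the default
# policy and the sample rules are constructed assumptions, not ScreenOS facts.

PORT_MODES = {  # mode -> {physical port: zone}, transcribed from the chart
    "Trust-Untrust": {"Serial": "Untrust", "Untrust": "Untrust", "Eth4": "Trust",
                      "Eth3": "Trust", "Eth2": "Trust", "Eth1": "Trust"},
    "Home-Work": {"Serial": "Untrust", "Untrust": "Untrust", "Eth4": "Home",
                  "Eth3": "Home", "Eth2": "Work", "Eth1": "Work"},
    "Dual-Untrust": {"Untrust": "Untrust", "Eth4": "Untrust", "Eth3": "Trust",
                     "Eth2": "Trust", "Eth1": "Trust"},
    "Combined": {"Untrust": "Untrust", "Eth4": "Untrust", "Eth3": "Home",
                 "Eth2": "Home", "Eth1": "Work"},
}

# Zone pairs that may open sessions without an explicit rule: inside zones
# reach the Internet and Work reaches Home; Home cannot reach Work and
# nothing comes in from Untrust ("Inbound should be nothing by default").
DEFAULT_ALLOW = {("Trust", "Untrust"), ("Work", "Untrust"),
                 ("Home", "Untrust"), ("Work", "Home")}

def zone_of(mode, port):
    return PORT_MODES[mode][port]

def session_allowed(mode, src_port, dst_port, tcp_port, rules=()):
    """Is a new session from a host on src_port to tcp_port on a host on
    dst_port permitted? rules are explicit port-forwards written as
    (source zone, destination physical port, TCP port)."""
    src, dst = zone_of(mode, src_port), zone_of(mode, dst_port)
    if src == dst or (src, dst) in DEFAULT_ALLOW:
        return True
    return any(r == (src, dst_port, tcp_port) for r in rules)

def audit_rules(mode, rules, vpn_port="Eth1"):
    """Flag forwards whose destination shares a zone with the PC on vpn_port.
    In Home-Work mode only forwards to Work ports are flagged; in
    Trust-Untrust mode every inbound forward is, because there is one zone."""
    vpn_zone = zone_of(mode, vpn_port)
    return [f"{src}->{dst_port} tcp/{tcp} lands in zone {vpn_zone} with the VPN host"
            for src, dst_port, tcp in rules
            if src != vpn_zone and zone_of(mode, dst_port) == vpn_zone]

# Constructed sample: HTTPS forwarded to the work PC on Eth1 and HTTP to a
# personal web server on Eth3, the kind of rule Bob says some users added.
SAMPLE_RULES = [("Untrust", "Eth1", 443), ("Untrust", "Eth3", 80)]
```

Running `audit_rules` over `SAMPLE_RULES` shows why the zone split matters: in Home-Work or Combined mode only the forward to Eth1 is flagged, while in Trust-Untrust mode both forwards are, since the personal web server and the VPN host share one zone.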