Firewall Solution

[basspro]

Hello all. I'm looking for a firewall solution and I figured with all the talent around here I would ask the windrivers pros first. We have decided to bring in a 256K internet connection to serve all locations. We have 4 remote sites and one main hub. Everything is run over frame relay via routers. The remotes will gain internet access by coming across the frame and going out through the main connection here at the hub. What type of firewall solution should we go with. We are a smaller company & do not have a lot of money to spend on a firewall but we want one that will protect us and be easy to manage. Thanks for all your help people!

[Kymera]

You could check Watchguard. Their firewalls are pretty simple and not that expensive. Many of them are geared for small to medium businesses. If you configured the frame relay, you shouldn't have any problems configuring the firewall. Plus their products are a bright fire engine red color.

[thirdfey]

I'm shocked, normally someone would of said Linux by now. Linux is low cost but could be high maint if you are unfamiliar with linux. I don't know what type of budget you have but anything microsoft gets a little pricy considering you have to load win2k server along with hardware that supports it, 2k server in itself can be a firewall. Most hardware solutions like checkpoint are less expensive than a win2k solution depending on your options.

[basspro]

Well I'm not familar with Linux at this point. I would rather use a hardware based firewall that is basically plug n play with little configuration. I'm not to familiar with firewalls and not to sure how I will go about connecting this to our internet connection and router this is already in place Any ideas? Thanks!

[Higg]

Originally posted by basspro:
Well I'm not familar with Linux at this point. I would rather use a hardware based firewall that is basically plug n play with little configuration. I'm not to familiar with firewalls and not to sure how I will go about connecting this to our internet connection and router this is already in place Any ideas? Thanks!

Sorry to say this, but firewalls aren't plug'n'play - you'll always have to have knowledge about "how-it-works"... especially those hardware firewalls can be very hard to configure...

The easiest thing for this could be a router where NAT (NetworkAdressTranslation) is configured with no port beeing open from the internet... that could be a quick "firewall" (I do this at my home with 4 PC's - router is configured as default gateway at the PCs)

perhaps there's another crack with a better idea...

Higg

[Kymera]

Why are you doing this? An improperly configured firewall, is almost as bad as no firewall at all. The watchguard solution is a hardware solution. I think that they have a wizard that can help you configure the firewall, but someone with some knowledge of your infrastructure should really handle the firewall. Higg is right, the easiest "firewall" solution for you would be to run NAT. This would present one IP address to the internet while all of your computers are safe with private IP addresses. If you are going to do this yourself, I would recommend the NAT route.

[basspro]

We have a NAT router that connects everything on the WAN. So yes we only have one IP going out to the internet. If I plug the internet connection into the router then that will act as a firewall and allow access to the net for all machines?

[Kymera]

Well, if you're presenting only on IP to the internet, then no restructuring in necessary. I guess you're using one of the private ip ranges like 172.16.x.x or 192.68.x.x for your internal PC's and have a legit IP assigned to your NAT router. If you're very concerned about security, pay the money to have someone come out and evaluate you network. I don't think that these forums are a good replacement for on-site professional help, as good as we may be.

[basspro]

Right now I'm using one of the private ip ranges like 172.16.x.x for internal PC's and have a legit IP for the NAT router. I'm not using these forums as a replacement for on-site professional help. Just wanting soem advice as to wether I need a firewall other than my NAT router and if so what a good choice would be. I'm not real familiar with routers and firewalls so your adice is quite helpful.

[Kymera]

NAT is sufficient for most firewall applications. It limits outside access to your internal network, but usually will not provide nearly as good inside to outside security. For example, blocking non-work related sites, certain popular ports (ie network gaming, pcAnywhere, FTP, Telnet), and logging fuctions are provided by firewalls, but not by NAT. So, it depends what you want to do.

[cyberhh]

Also get a good book - "Hacking Exposed" for instance and look at what they reccommend - look online for what hackers look for and defend against that - any security solution is only as good as the possible intruders it is set to defend against - a firewall alone will not protect your network as well as excellent desktop and server security will along with a well maintained firewall solution.

Will your companies website be hosted from behind the firewall? What external-to-internal communication will you be allowing, or is this for a email and web access only location? Also - you may wish to close all questionable ports on the router and only open them as needed (blind fire method) - this will be safer than the possibility of leaving a backdoor open.

I hope this helps, un fortunately being a small arm in a many tenticled nation-wide MIS department makes it difficult to keep up on all these different fields, however I am always happy to help.

[basspro]

Right now we have a WAN and we want to give internet access to everyone through our main location. This connection is basucally for email and internet access. Blocking non-work related sites and apps (ftps) is not a big deal at this point in time. In the near future we will be setting up an email server.

[Kymera]

NAT would be fine for what you're trying to do. Just remember to forward the SMTP ports to your mail server when you get it up and running.

[Deity]

You might also want to check out WebRamp. We use their firewalls in our offices, and they seem to be decent. Easily configured and managed. I don't think they are that pricey either.

Although I do like the idea of the fire engine red color. That would be my highest priority.