On Feb 5, 2008 2:23 PM, kenw <[EMAIL PROTECTED]> wrote:
> That was a good response. We're already doing those things, although
> I'm looking hard at ways to do them better.
>
> I hesitate to mention firewalls, because people seem to get jumped on if
> they are perceived as thinking that's all they need. But... firewalls
> are Necessary But Not Sufficient, and I'm not satisfied with my current
> solution to that aspect of security. I need to address that.
>
> Low end firewalls don't offer near the packet inspection and other
> functionality I'd like to see, and the higher end ones I've used (like
> Cisco) tend to be too expensive in terms of both management time
> overhead and capital cost.
>
> I want a firewall that actually understands something of the protocols
> it allows through, and can detect password guessing attempts on a number
> of protocols. I reeealy hate opening up ports for the bots to hammer on
> without good packet inspection, and I just do not have and cannot afford
> the time to cover all the details manually.
>
> I see a lot of talk about SonicWall (they burned me once), WatchGuard,
> Astaro, Untangle, ISA Server, etc. People talk a lot about what they
> like or don't, but hardly anyone seems to know what they actually do.
> From what I've seen, I haven't been all that impressed. I liked the
> Cisco 1841 with IOS IPS, but it was buggy and very time-consuming. If I
> spent that kind of time on all the contenders, I might as well switch
> careers.
>
> Maybe I'm a paranoid iconoclast. Probably.
>
> Do you know of anyone who can speak knowledgeably about firewall
> products appropriate for one-server-no-IT-staff small business?
>
> /kenw

My first impressions of the Sidewinder firewalls we've just installed (Secure Computing) are very good. We turned them up over the weekend on the T1 that we're sending everything web/ftp over, and they even denied us access to our own (3rd-party hosted) company web site. Called the URLs poorly formed. 'Course, the content manager the developers are using is something I'd never heard of before, and it has since been purchased and discontinued (no support), and I was critical of it from the beginning. Vindication is sometimes sweet - they shoulda gone with plone/zope like I told 'em, if they were concerned about price.

However, to the subject at hand: the model we've put into production is the 510D - two of them in HA/Failover. I'm still tweaking the setup, but I'm impressed so far. I've got two 110s to send to our foreign offices, but haven't put them together yet. When I do that, it'll be more interesting, because I have to set up the IPSec tunnels between them and us.

The 510Ds are rebranded Dells, and I can't tell what the 110s are. Both models come with 4 network ports - the higher-end models of this line apparently have optional SSL accelerators that can be installed, though I don't believe that's available for the 510 or lower models.

The cool thing is that they're based on FreeBSD, though it seems to be heavily modified - I'm sure there's some Trusted BSD underneath there somewhere, though I'm no expert in that. I'm a big fan of FreeBSD, though, which means that the command line on it, and the flavors of various tools on it, are familiar and comfortable.

The software rev is the most recent - 7.0.0.005 - and the Windows management GUI is pretty straightforward, but being able to ssh into the machine and do some tasks is very sweet.

As for the software itself, it seems to have a *very* deep understanding of the protocols it proxies - I'm quite impressed with how controllable it is.

Kurt
