D-Link DFL-700 Firewall Router - I'm impressed

I just got another DFL-700 Firewall for a small company, I'm impressed with this unit:

Some features I like:

Blocks items in HTTP Sessions (here is the default list):

# Example for blocking all access to a whole site:
#
# example.com/*
# *.example.com/*
#
# Or, a shorter variant that runs the risk of blocking sites whose
# names end with the same text:
#
# *example.com/*

# I entered this so that yahoo mail would not be available
mail.yahoo.com/*

# Deny access to potentially dangerous file types:

# Malicious executables can be downloaded by exploits

*.exe *.scr *.cpl *.pif
# *.com -- probably not a good idea given the .com TLD

# Malicious scripts can be downloaded by exploits

*.vb *.vbd *.vbe *.vbs *.vbx *.bat *.cmd *.wsc *.wsf *.wsh *.sct

# Shell scraps can contain executables and invoke nearly any command

*.shb *.shs

# Windows installer files - prevent unauthorized downloads and installs

*.msi *.msp

# "HTML Applications" -- affected by vulnerabilities

*.hta *.htc

# Windows media player skin file -- affected by vulnerabilities

*.wms *.wmz *.wmd

# Multiple vulnerabilities use compiled HTML (chm) files, especially in conjunction with HTML Help, so block .hlp too

*.chm *.hlp

# Vulnerabilities in MIDI decoders

*.mid *.midi

# The Office suite has had multiple vulnerabilities over the years

*.ade *.adp *.clp *.csv *.dif *.doc *.dot *.mad *.maf *.mam *.maq *.mar *.mat *.mcw *.mda *.mdb *.mde *.mdn *.mdt *.mdv *.mdw *.mst *.odc *.ofn *.pbk *.pcd *.pip *.pot *.ppa *.pps *.ppt *.ppz *.pwz *.slk
# *.rtf -- can contain ms word data too though
*.w51 *.w60 *.w61 *.wbk *.wiz *.wk1 *.wk3 *.wkb *.wks *.wll *.wmc *.wri *.wp *.wp4 *.wp5 *.wp6 *.wpc *.wpd *.wpf *.wpg *.wpj *.wpk *.wpm *.wpp *.wpt *.wpw *.wwl *.wwp *.wzs *.xl *.xla *.xlb *.xlc *.xld *.xlk *.xll *.xlm *.xls *.xlt *.xlv *.xlw

# "Internet Settings" files -- shouldn't come from the outside

*.ins *.isp

# Outlook email/news archive file

*.eml *.nws

# "Multipurpose HTML archive" -- affected by vulnerabilities

*.mht *.mhtml

# HTTP-based database access -- not used by browsers

*.idc *.htx

# URL/Link files have no business being downloaded by browsers

*.url *.lnk

# Others

*.reg *.inf

It has a whitelist filter also.

Acts as a PPTP Server with multiple users able to be setup in groups for permissions. Also does IPSec tunnels, but the PPTP Server was a very nice feature.

Has Port Mapping rules for all combinations:
# LAN->WAN policy - 7 rules, NAT enabled
# WAN->LAN policy - 0 rules
# LAN->DMZ policy - 3 rules
# DMZ->LAN policy - 0 rules
# WAN->DMZ policy - 0 rules
# DMZ->WAN policy - 4 rules, NAT enabled

It has a real LAN and real DMZ dedicated jacks, and each can be assigned a unique subnet and each has its own DHCP Service!

Has DNS and DHCP relay options/settings.

Has reasonable logging features.

Oh, and it has a RADIUS Server interface ability!

All that for $350.

Reply to
Leythos
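How the glob-style blacklist quoted above actually behaves, as an added example (not D-Link's code; the matching semantics, host/path normalisation and the sample entries are assumptions based on the patterns in the list): a small Python matcher that shows why the list pairs `example.com/*` with `*.example.com/*`, why the shorter `*example.com/*` over-blocks, and why file-type patterns should be tested against the path only.

```python
import fnmatch
from urllib.parse import urlsplit

# Constructed subset of the DFL-700-style HTTP blacklist quoted in the thread.
# Assumed semantics: each non-comment line is a glob matched against
# "host/path" with the scheme, port and query string stripped.
BLACKLIST_TEXT = """
# Block a whole site (both lines are needed: the first covers the bare
# domain, the second covers every subdomain)
example.com/*
*.example.com/*
# Shorter variant that also catches names merely ending in "example.com"
*example.com/*
# Poster's own entry
mail.yahoo.com/*
# Dangerous download types
*.exe
*.scr
*.hta
"""


def parse_blacklist(text):
    """Return the active glob patterns, skipping blank lines and '#' comments."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def normalise(url):
    """Reduce a URL to lowercase 'host/path' so that '*.exe' is tested against
    the path alone and cannot be tripped by a query string such as '?f=a.exe'."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return ((parts.hostname or "") + (parts.path or "/")).lower()


def first_match(url, patterns):
    """Return the first pattern that blocks this URL, or None if it is allowed."""
    target = normalise(url)
    for pat in patterns:
        if fnmatch.fnmatchcase(target, pat):
            return pat
    return None


if __name__ == "__main__":
    pats = parse_blacklist(BLACKLIST_TEXT)
    for u in ("www.example.com/index.html", "notexample.com/", "dl.test/setup.exe"):
        print(u, "->", first_match(u, pats) or "allowed")
```

Dropping the `*example.com/*` line from the list makes `notexample.com` pass again, which is the trade-off the list's own comment warns about.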

Thanks Leythos, for the info. Good network firewalls in the $200-$400 bracket is where the "hole" in the market is right now, IMHO. I will definitely look at this alternative.

-Frank

Reply to
Frankster

I'm so impressed with it that I may have to consider it for smaller installs where the $2000 WG was way out of the clients price range.

The only thing I wish it could do that it doesn't is the SMTP Proxy attachment filtering.

With the ability to do all that it does, and the logging working with WallWatcher (had to select DFL-200 format), it's a dang nice unit for the price.

The specs on the vendors site don't do the features justice.

Reply to
Leythos

About a 1/3rd of what you can do with IPCop.

Which is still $350 more than IPCop. E.

Reply to
E.

And IPCop requires a computer, requires setup by a competent user, requires that you maintain the computer....

IPCop doesn't make sense for a small business without a person that understands computers, linux, etc....

Reply to
Leythos

You would need that for anyone to make any use of most of the features you mentioned anyway.

"{Acts as a PPTP Server with multiple users able to be setup in groups or permissions. Also does IPSec tunnels, but the PPTP Server was a very nice feature."

IPSEC is a pain to set up, very fiddly. PPTP is proven insecure. Good luck doing either without a competent computer guy on hand.

"Has Port Mapping rules for all combinations:
# LAN->WAN policy - 7 rules, NAT enabled
# WAN->LAN policy - 0 rules
# LAN->DMZ policy - 3 rules
# DMZ->LAN policy - 0 rules
# WAN->DMZ policy - 0 rules
# DMZ->WAN policy - 4 rules, NAT enabled"

99.9%+ of all non-computer geeks won't have the foggiest damn clue what you're talking about here.

"It has a real LAN and real DMZ dedicated jacks, and each can be assigned a unique subnet and each has it's own DHCP Service!"

Computer noob: What's a subnet? What's DHCP? What's a DMZ? Isn't that in Korea?

"Has DNS and DHCP relay options/settings."

So you've set up DNS and DHCP servers but you're too stupid to set up IPCOP?

"Has reasonable logging features."

Ditto for a syslog server?

"Oh, and it has a RADIUS Server interface ability!"

Oh, wow? And a RADIUS Server? With LDAP or AD I presume?

IPCOP is good. I prefer Endian, which is based on IPCOP.

Feature list:

- Firewall (stateful inspection)

- Outgoing Firewall

- IPSec Gateway to gateway VPN

- IPSec Remote client to gateway VPN (roadwarrior)

- NAT

- Multi-IP address support (aliases)

- Dynamic DNS

- DMZ support

- HTTPS Web Interface

- Detailed network traffic graphs

- View currently active connections

- Event log management

- Log redirection to external server

- Server DHCP

- Server NTP

- Traffic Shaping / QoS

- Transparent POP3 antivirus/antispam proxy

- Transparent HTTP proxy

- Web Proxy with local users, windows domain, samba, LDAP, radius server management

- Intrusion Detection System

- ADSL modem support

- Configuration backup and restore

- Remote update

- SIP VoIP Proxy

- SMTP Proxy

- HTTP Antivirus

- Endian Security Tools for Windows Desktop

- Transparent SMTP antivirus/antispam proxy

- Gateway to gateway VPN with OpenVPN

- Remote client to gateway VPN (roadwarrior) with OpenVPN

- Bridged and Routed VPN mode

- Endian Client VPN - Windows, Linux, MacOSX

- URL filter

- Web content analysis/filter

- Whitelists and blacklists management

- Web surfing time limits

For those of you who prefer the certified appliances, Endian is also a commercial company and you will very soon be able to purchase an ICSA certified appliance from them. But you will also always be able to download an iso of the OS for free and set up your own system on an older box (recommended 450 MHz Pentium w/ 256 MB ram). Like IPCOP it supports four zones: Red (Internet), Green (Internal), Orange (DMZ), and Blue (Wireless). It will also very soon support Failover and Load Balancing. This is a serious firewall solution.

Reply to
Rod Engelsman

Agreed. Also, although I have no problem with software network firewalls (I use them and like them) I usually do not recommend them for small business clients. Few reasons... (I know you know all this, just a convenient place to post it)

First, most small businesses do not have the proverbial "old spare computer" laying around. They throw them out when they are too old to perform because they take up too much (PAID OR LEASED) storage space. Space that can be used for other things, like PEOPLE.

Next, even if an "old computer" was available, you still have the issue of space, maintenance, and support. You need an OS (which is very likely to need upgrading, at some $ expense). You may need to upgrade memory to run a decent FW application (more $). Telling a small business (most of which hate computers but consider them a necessary evil to run their business) that they should BUY another computer doesn't really appeal to them.

Also, The space thing is a biggie. Most small businesses much prefer a device they can bolt on the back of a desk, or on a wall, or hide under the desk on the floor, than (yet another) full fledged computer that is in the way and not even used by anyone (their view).

Again, personally, I like the OS based firewalls because of the rich feature set you can get for the same money and the always fantastic logging abilities. Admittedly though, after factoring in the total cost of ownership of another computer, it may not be that much cheaper.

Also, when you say "support", you are talking about having to call (yet again) your computer consultant in, for big bucks, to make sure all the latest upgrades/patches/AVs, etc. are on the OS holding the FW.

Bottom line... all this "just use an old computer laying around" stuff is fine for geeks and hobbyists, but usually not small businesses (or large businesses either, for that matter).

-Frank

Reply to
Frankster

You misunderstand my reply - I can setup any soft/hard based firewall, it's not something "I" worry about.

When it comes to clients, most of them don't want an uncertified solution or one that has no support path.

Additionally if I install an IPCop solution on an old clunker, well, that doesn't exactly pass the SOX audit rules, nor does it pass other audits as it's a "self" built solution. I can purchase most cheap certified firewalls and pass most audits and I can also get vendor support for them.

Since most clients are not going to accept a solution that includes an old P1 or P2 with used parts, etc... as their firewall solution, it doesn't matter how good IPCop is, it's still running on a computer that requires support/maintenance and is only as good as the person that installed the OS/rules.

In the case of most appliances, they have a higher MTBF, don't include a disk drive, have been certified, have support, etc....

Reply to
Leythos

I run mine on a laptop with PCMCIA cards for interfaces. I can also use the USB nics if I wanted.

The only OSes that require money to upgrade are proprietary ones like Cisco IOS or Windows. Anyone that would use a firewall based on Windows is an idiot anyway.

You may need to upgrade memory to run a

Firewalls aren't particularly hardware intensive. The Cisco PIX 501 runs on a 200 MHz processor with 16 MB of ram. I have 192 MB on my firewall box and I don't even come close to using swap.

Telling a small business (most of which hate

But spending $350 on a firewall does... interesting.

I remind you that I'm running mine on an old laptop. It isn't significantly larger than the DFL-700.

Have you looked at the specs on the DFL-700? You can't seriously tell me that administering and maintaining that thing is going to be any easier than IPCOP or Endian. You either learn how to do it yourself or you hire someone to do it for you. Otherwise you may as well get a cheap home unit for $50 because you are just wasting the capabilities of the DFL. It's $350 spent on feeling good.

Reply to
Rod Engelsman

In article , snipped-for-privacy@gmail.com says... [snip]

Actually, setup is a LOT easier than IPCop, as it provides all that's needed by just connecting it. If you want to refine the rules, you only need to open a browser, change the white/black lists, and test - it even has one really nice feature, AUTO REVERT TO LAST KNOWN CONFIG if you don't get back in as an admin in XX seconds after a change :)

The unit is painless, can be setup by a novice, and can be managed by a novice. I suspect that my mother could even get her PC online after purchase of a DFL-700, but, even as good as Fedora and others are, she could not build a PC let alone setup Linux or even start to setup IPCop.

The target is not the home user, the target is small businesses, and this hits the mark just perfectly.

Reply to
Leythos

The DFL-700 isn't on the ICSA certified list. In fact, NO D-Link products are ICSA certified. As far as support goes, all I can find on the site are the usual firmware downloads, faq's, and knowledge base. I suppose you can e-mail Tech support, but in the end this looks a lot like a do-it-yourself situation. I went to the contact page and the phone number for TS is blank.

ANY machine needs support and maintenance. You can get a brand-new white box from Dell for less than $300 and you end up with much more capability for the same or less money. You don't HAVE to use old/recycled computers. I'd be interested to see what the default rule-set is for the DFL. Because unless you know what you're doing or hire somebody you will most likely screw it up.

No disc drive = "you need a syslog server if you want any significant logging"

Bottom line is that security isn't easy, it isn't for amateurs, and it's not going to be free. I just don't see how you get around having someone knowledgeable administering it.

Reply to
Rod Engelsman

Some things don't need "administered" to the same level as others. Filtering content doesn't need administering, NAT doesn't need administering, etc... The logs get sent to another computer, and the interface to the syslog app is very simple to understand....

Before you knock the DFL-700, get one for testing an see for yourself. I've installed about every firewall on the market over the last 6 years, soft, hard, dedicated, etc... Appliances are my choice in all cases, as they are far more reliable, far easier to get support from a third party source (read that as vendor), etc....

Like it or not, the DFL-700 device is a good unit for most home users and small businesses, the only thing it really needs is SMTP content filtering.

Reply to
Leythos

Yep. And my unit has a 40 Gig hard drive and keeps the logs right there. No need for a server, but it can do so if you want.

That explains why it has all of a one-year warranty. And no certification (at least not ICSA).

far easier to get support from a third party

I don't see home users ponying up $350 for a firewall. You can just about buy a PC for that much.

the only thing it really needs is SMTP content

I've got that. And POP3 proxying, too.

I'm not really knocking the DFL-700; it seems like a fine little unit. I'm just trying to resolve a bit of cognitive dissonance. On the one hand, you're bragging about its capabilities. On the other, you claim the market is home and small business users who aren't technically savvy and don't want to spend money on consultants. If the latter is true, then the DFL-700 is about 10 times overkill because they're not going to understand what half that stuff does much less how to use it. I mean if you can set up a web or mail server (what else are you going to use the DMZ for?) then I'm sure you can handle IPCOP, or Smoothwall, or Endian.

Reply to
Rod Engelsman

How many URLs can the DFL 700 filter? Our Netgear router is limited to about two dozen.

Best, Christopher

Reply to
Christopher Glaeser

It's only limited by the memory in the unit; the better you make your rules (smaller), the more you can make - I have almost a hundred in one of these.

Reply to
Leythos

I am still using a DI-704UP for my small business. Is the DFL-700 worth the extra $300??

- the VPN would be nice (I don't have a remote office and I am used to SSHing for remote access)

- the 704 only logs failures. That has always bugged me as you don't see successful break-in attempts

- I don't know if the 700 is actually faster and can handle more load (bandwidth, filtering work) than the 704

- I love my print server on the 704UP and I will miss not having it

- I have problems with some sites (maybe their problem) losing packets. Perhaps it's the DI-704??

While the DFL-700 has more firewall features (and probably memory), is it a much faster CPU/OS than the DI-704 to keep up with the traffic (especially for the extra $300)? If it is, perhaps it will solve my dropped packet problems.

Reply to
Tom
