Help wanted selecting a hardware firewall

I'm looking for some help selecting a hardware firewall. My current setup is a WinXP machine with a USB ADSL modem and ZoneAlarm connecting directly to the internet for email, surfing and downloading. I have other PCs but they are not connected to the XP machine or the internet. I want to implement a new setup to network all my PCs in a secure way:

  • A machine for email only with firewall settings to only allow email traffic to my ISP's email server address. Traffic to any other address or non-email traffic should be blocked. Any email-based attacks should be trapped here.

  • A machine for surfing and downloading, but no email traffic should be allowed in or out and any suspect traffic should be blocked (I don't need VoIP or anything fancy). Any web-based attacks should be trapped here.

  • Other machines on the internal LAN should be able to talk to each other but not to the email or surf machines directly and no traffic should be allowed in or out between my internal machines and the internet.

  • To get files from the email or surf machines onto my other PCs I was thinking about running one of the simple FTP server programs on the email and surf machines and setting the firewall so that they would only respond to FTP requests from my internal machines (it's my understanding that using FTP is more secure than setting up shared drives).

  • The email and surf machines should be completely isolated from the other machines on the LAN other than by responding to incoming FTP requests from LAN machines. The LAN machines should be completely isolated from the internet, but they should be able to talk to each other using standard Windows protocols and to the email/surf machines via FTP only.

Will my new setup work (i.e. be secure) and what hardware is out there to do the job?

I've looked at a few integrated ADSL modem/firewall/router units, but the ones I've looked at don't offer enough control over how the various local machines can communicate with each other or the internet.

I really want to be able to specify rules per machine (or type of machine at least). I could probably do all this using multiple firewall devices but it's likely to get expensive and I don't want to go much over $1500US. Also I'm not a security expert so something with a reasonably friendly interface would be a bonus (but not essential).

Thanks in advance!

Karl.


Karl,

You mention that

Have you looked at the NETGEAR FVS318? It is only $150.

If so, what are its limitations in implementing what you want to do?

I am by no way an expert but from what I have read I think you might need a domain server for the internal side of the router.

thanks!

My 2 cents!

picard

Located in DMZ, rule only allowing outbound SMTP and inbound POP3 (if you use POP3).

Located in DMZ, HTTP/HTTPS and DNS outbound only. HTTP filtering applied through HTTP Proxy rules in firewall.

Allow inbound FTP from LAN to DMZ specific IP.

Located in LAN, block WAN, allow FTP to DMZ.

See above.

Done, DMZ for email/surf, LAN for others.

WatchGuard Firebox 700 will do this, and it's about that price.

You could also implement this using a personal firewall with properly setup rules.

Leythos
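The zone policy Leythos sketches (email and surf hosts in a DMZ, the other machines in the LAN, FTP as the only LAN-to-DMZ path, everything else denied) written out as a small first-match rule evaluator so the design can be checked flow by flow. This is an added example, not code from the thread or from any of the firewall vendors named; the subnets, host addresses and the ISP mail server address are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed addressing (not from the thread): DMZ holds the email and surf
# machines, LAN holds the internal machines, anything else is WAN.
ZONES = {"DMZ": ip_network("192.168.1.0/24"), "LAN": ip_network("192.168.2.0/24")}
EMAIL_HOST, SURF_HOST = "192.168.1.10", "192.168.1.11"
ISP_MAIL = "203.0.113.25"  # placeholder for the ISP's mail server address

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "WAN")

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    src_host: Optional[str] = None       # None = any host in src_zone
    dst_host: Optional[str] = None       # None = any host in dst_zone
    ports: frozenset = frozenset()       # empty = any destination port
    action: str = "allow"

# First-match policy transcribed from the thread's design; unmatched flows are
# denied, which covers WAN->anything, LAN->WAN and DMZ->LAN in one stroke.
POLICY = [
    Rule("email-smtp-pop3", "DMZ", "WAN", EMAIL_HOST, ISP_MAIL, frozenset({25, 110})),
    Rule("surf-web-dns", "DMZ", "WAN", SURF_HOST, None, frozenset({53, 80, 443})),
    Rule("lan-ftp-to-dmz", "LAN", "DMZ", None, None, frozenset({21})),
    Rule("lan-internal", "LAN", "LAN"),
]

def evaluate(src: str, dst: str, dport: int) -> tuple:
    """Decide a new connection src -> dst:dport; returns (action, rule name).
    Only the FTP control channel is modelled: real FTP opens a second data
    connection, so a production firewall needs passive mode plus FTP-aware
    connection tracking for the lan-ftp-to-dmz rule to actually work."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in POLICY:
        if sz != r.src_zone or dz != r.dst_zone:
            continue
        if r.src_host and r.src_host != src:
            continue
        if r.dst_host and r.dst_host != dst:
            continue
        if r.ports and dport not in r.ports:
            continue
        return (r.action, r.name)
    return ("deny", "default-deny")
```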

Netscreen have a 5GT-ADSL box. It can do what you want; the only sticky stuff is how you separate the machines on the LAN. One thing the 5GT can do is support a split home/work zone on the basic box, this is like a poor man's DMZ. There is the option to go to a full DMZ but that's $$$. The home/work zone allows traffic from: work -> net, work -> home, home -> net, but not home -> work. I think this will cover what you need.

The 5GT-ADSL lists for US$990 but I'm sure you can get it cheaper; there's also an AV version (inline HTTP/FTP/email scanning), and the Deep Inspection updates for either version list for $90 per year (given you'll be running services behind the firewall the DI would be quite handy, and you can do SMB/RPC attack checking between the zones too - quite handy to stop any machines infecting your servers across the LAN).

Mark S

Have you looked at the PIX 501?

Adnan Yamin
