Home Firewall vs Corporate Firewall

Hi,

I work for a small firm that connects to the internet via ADSL. We use a Cisco 675 Router that is configured to provide NAT. This Cisco connects directly to a switch and out to our network. We have no separate firewall.

I have been researching firewalls and network security appliances. When I research for small to medium business, I find all kinds of solutions starting around the $800 mark and up. My boss wants to know why we can't use a cheap home firewall under $100. We have nearly 40 users on a 3 Mbps ADSL connection and an average monthly throughput of around 50 GB. I would like to be able to have VPN access to our network and also have website filtering/blocking. There are cheap home units that CLAIM to do all of this.

My question:

What are the major differences between the cheaper home units and the $800 and up corporate units? How can I convince my boss that the under $100 solution is not a wise move?

Any help would be greatly appreciated!

James

Reply to
JJ

There is a thread in this NG that's active called *Let's talk Firewalls - What do...*

I suggest you read the thread about FWs.

Here is some stuff you can read about that $100 NAT router trying to protect a business.

formatting link
Here is what network FW(s) do, be it on a host-based gateway computer (not some personal FW -- that's not a FW), a packet-filtering FW router or a FW appliance. *What does a FW do?*

formatting link
The selection process

formatting link
You do know that you can get a refurbished FW appliance with support, warranty and the whole nine yards for considerably less money from a reputable dealer. You can call a FW appliance vendor and they should have a list of vendors that sell the refurbished appliances.

Duane :)

Reply to
Duane Arnold

Under $100 for a serious firewall appliance? Your boss is clueless. The least expensive firewall appliance I've seen comes from Netgear.

formatting link

Reply to
optikl

I would explain to your boss that for $100 you get a NAT router much like you have now with very bad support. For $800 you get a true stateful packet inspection device that truly protects a network.

But as mentioned in here already, a WatchGuard SOHO will cost you less than $800; I would guess ~$450.

Reply to
Chad Mahoney
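The "stateful packet inspection" that Chad contrasts with a plain NAT router above is easiest to see in code. The following is an added example written for this page, not code from the thread or from any vendor: a toy port-only filter next to a toy connection-tracking filter, run over a few constructed packets. The LAN prefix, addresses and port numbers are assumptions chosen for illustration (the external addresses are from the documentation ranges), and the tracking table keeps only the 4-tuple, whereas a real SPI engine also checks sequence numbers and ages entries out.

```python
"""
Added example, not part of the thread: a stateless (port-only) packet filter
beside a stateful (connection-tracking) one, replayed over constructed
packets.  Nothing here touches a real network.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."  # assumed private LAN behind the NAT router


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. frozenset({"SYN", "ACK"})


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt: Packet) -> bool:
    """Port-only ACL of the kind a cheap router applies.

    Outbound traffic is allowed.  Inbound traffic is allowed only if it
    *looks* like a reply to a web request (source port 80).  The filter has
    no memory, so it cannot know whether anyone inside ever asked for it.
    """
    if is_inside(pkt.src):
        return True
    return pkt.sport == 80


class StatefulFilter:
    """Connection-tracking filter: an inbound packet is admitted only when it
    answers a session an inside host opened.  Toy version: tracks the
    4-tuple only, tears down on RST, no sequence checks, no timeouts."""

    def __init__(self) -> None:
        self.sessions = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.sessions.add(key)  # new outbound connection creates state
                return True
            if key in self.sessions:
                if "RST" in pkt.flags:
                    self.sessions.discard(key)
                return True
            return False  # outbound packet belonging to no known session
        # Inbound: reverse the tuple and look for a session we opened.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False
        if "RST" in pkt.flags:
            self.sessions.discard(key)
        return True


def run_scenario():
    """Replays constructed packets through both filters.
    Returns (label, stateless_verdict, stateful_verdict) per packet."""
    spi = StatefulFilter()
    web = "203.0.113.5"        # external web server (documentation range)
    scanner = "198.51.100.7"   # external scanner (documentation range)
    packets = [
        ("inside -> web SYN",
         Packet("192.168.1.10", 51000, web, 80, frozenset({"SYN"}))),
        ("web -> inside SYN/ACK",
         Packet(web, 80, "192.168.1.10", 51000, frozenset({"SYN", "ACK"}))),
        ("scanner from sport 80 -> inside:445",
         Packet(scanner, 80, "192.168.1.20", 445, frozenset({"SYN"}))),
        ("scanner from sport 80 -> inside:51000",
         Packet(scanner, 80, "192.168.1.10", 51000, frozenset({"SYN"}))),
    ]
    return [(label, stateless_allow(p), spi.allow(p)) for label, p in packets]


if __name__ == "__main__":
    for label, stateless, stateful in run_scenario():
        print(f"{label:40s} stateless={stateless!s:5s} stateful={stateful}")
```

The third and fourth packets are the point: a scanner that simply sets its source port to 80 walks straight through the port-only rule, while the connection-tracking filter rejects both because no inside host opened a session to 198.51.100.7.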

Thanks, Duane! I will definitely do some reading here!

James

Reply to
JJ

A Linksys BEFSX41 Firewall/Router has SPI. It can allow/block specific services such as PPTP, telnet, IMAP, SMTP, DNS, POP3, HTTP, HTTPS, etc. All for $80. I understand the new D-Link firewall is very good too (for the $). Don't know the price of the D-Link but it's probably under $100.

I think the OP needs to quantify his needs better. What is he protecting? Why? If lost/compromised, how long ($) would it take to recreate it? What would be the monetary losses? What about intellectual losses? Etcetera.

You can't do a risk/cost analysis unless you know both sides of the equation.

-Frank

Reply to
Frankster

One huge difference is that (typically) more technical knowledge is required to take advantage of the additional capabilities of the $800 unit.

How do you know it is not a wise move yourself?

Don't get me wrong, I know this is a firewall ng and that you came here expecting support for "bigger is better". But... the fact is that all security decisions are a combination of risk/cost analysis. Or should be.

So... what are you protecting? Why? What would happen if it was lost? Can you quickly recreate it? Monetary losses? Intellectual losses? PR losses? Exactly what is worth the purchase of an $800 device versus a $100 device that is worth an additional $700? Prove that the added protection can thwart a loss of thousands of dollars and you might get approval. Proving that it can thwart the time lost rebuilding one server is likely not to get the nod.

-Frank

Reply to
Frankster

I have read about the BEFSX41.....

We are a marketing firm with all of our jobs on one server. We have 5 servers with email, accounting, etc on them. Backups are done nightly and taken off site. It would take days to be back up to normal. The dollar loss could be figured out by accounting, but it's the old attitude (not mine!) that nothing has happened in the past....so why spend so much when we don't need to. It's very frustrating for me.

Thanks for the input!

James

Reply to
JJ

This leads me to believe that you might easily need to be in the $800+ range for a firewall. However, I would be interested to know exactly how you would configure a firewall device to protect your network. Remember, without the technical ability to properly configure a firewall, it's useless.

I'm not trying to be a wise-ass... really.

Here are a few questions that may shed some light on your requirements, and any arguments you might want to present to your boss.

Do you require remote (Internet) access? Are you running any services available from the Internet? Why? What? You say you have "5 servers with email" - what does that mean? Do you run 5 separate email servers with access from the Internet?

Bottom line, it is very easy to protect systems that are not running any publicly available services and do not allow any external access. Almost any NAT router will do. The main security job here is to make sure you do "OS hardening" as it is called. Configure your OSs so that they are not presenting services to the outside (Internet) and not running unneeded services. Also, configure directory permissions so that only authenticated users have access. This is basic stuff, but often overlooked and very important. Most home users fall into the category of not offering services to the public (or on the Internet).

It is when you are purposely offering public access that the additional features of an enterprise class firewall become more necessary. You need to distinguish and allow/reject specific types of traffic. You might allow only HTTP requests on port 80. Not just "open port 80 for anything", for example, if you are running a web server. The key word being, web *server*.

So... what services are you presenting to the public that need some kind of control that they are not getting already with a NAT router?

-Frank

Reply to
Frankster

Decisions about the devices one wants to use are the last step when setting up a security solution. Get a good book, get another one and even a third one. Read them all. Then read them again carefully. Build test setups, after that the books again. After that you can tell your boss what you need to secure your network. You might even have learned that you can build a security solution completely from free software.

Wolfgang

Reply to
Wolfgang Kueter

Actually.....I didn't expect support for bigger is better. Maybe my question was not very clear. Basically, I'm a true believer in that you get what you pay for. I do not buy dish soap that is half the price of a leading brand...because it takes twice as much soap to clean as well. I could give a lot of examples, but I think you get the picture.

There are a number of home "firewalls" that "claim" to do the SAME THINGS (features such as VPN, Web Site Filtering, etc...DoS, Ping of Death, SPI...) as a $400-$800 dollar unit. Should the small home cheapies be putting the expensive units out of business? Can a home unit handle 40-60 users with 50 GB monthly throughput? Surely, if two things claimed that they could both do the exact same things.....a smart person would take the cheaper of the two. Personally....I don't think that way. Nothing good is free (spyware), etc......

You're right....I'm here to learn. I'm not a firewall expert.

So....questions are:

  1. Can a home unit handle 40-60 users with 50 GB monthly throughput?

  2. Would you do it? If not, why not.

James

Reply to
JJ

It may or may not be me configuring the device. From what I understand, I thought that a WatchGuard or comparable unit blocked all traffic in and out. I would only open or allow any necessary traffic. It may be our service provider that will be maintaining the firewall. That is yet to be decided.

OK....neither am I. I know that dealing with someone without a high level of knowledge on a topic can be frustrating...

I would like the option of having VPN access. BlackBerrys and Remote Desktop would be nice if the need came about.

We run a web development server that is accessible from the Internet to allow clients to view websites/solutions that we are developing for them.

I meant that we use a total of 5 servers with various information (including backed up PST files) on them. Our email is not done in-house.

No.

We have the Cisco 675 (owned and managed by our ISP) set to port forward port 80 to the private IP address of our web development server. I am not sure if it is ONLY HTTP traffic....or any protocol on port 80 (not sure what the Cisco 675 is capable of).

We can't access our files/desktops from home and in this day and age, that is a little embarrassing.

Reply to
JJ

NO IT CAN'T, it can only block ports. The cheap units can not tell the difference between ANY of those protocols running on ANY port.

The cheap NAT units can only block ports, not SMTP or HTTP, they only block TCP/25 or TCP/80, they can't tell that traffic is SMTP or HTTP.

The cheap unit can not strip content out of SMTP Sessions and very few strip content out of HTTP sessions.

Reply to
Leythos
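The point Leythos makes here, and that Frank raised earlier ("allow only HTTP requests on port 80", not "open port 80 for anything"), is the difference between a filter that reads the port number and one that reads the stream. The following is an added example written for this page, not code from the thread or from any firewall vendor: a port-only forwarding rule beside a rule that also classifies the first bytes a client sends, run over constructed payloads for a port-80 forward like the one James describes. The protocol signatures are deliberately minimal and are assumptions for illustration; a production engine would need far more careful parsing.

```python
"""
Added example, not part of the thread: a port-only rule ("forward TCP/80")
beside an inspecting rule ("forward HTTP on TCP/80"), evaluated over
constructed first-packet payloads.  Signatures are simplified.
"""
import re

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"TRACE ", b"PATCH ")


def identify_client_payload(payload: bytes) -> str:
    """Classify the first client-to-server bytes of a TCP stream.
    Returns 'http', 'tls', 'ssh', 'smtp' or 'unknown'."""
    first_line = payload.split(b"\r\n", 1)[0]
    if payload.startswith(HTTP_METHODS) and re.search(rb" HTTP/1\.[01]$", first_line):
        return "http"
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"(?i)^(EHLO|HELO) ", payload):
        return "smtp"
    return "unknown"


PORT_ONLY_RULES = {80}            # assumed: "forward TCP/80 to the dev server"
INSPECTING_RULES = {80: "http"}   # assumed: "forward only HTTP on TCP/80"


def port_only_allow(dport: int, payload: bytes) -> bool:
    """What a port-forwarding NAT router decides: the payload is never read."""
    return dport in PORT_ONLY_RULES


def inspecting_allow(dport: int, payload: bytes) -> bool:
    """What an application-aware firewall decides: port AND protocol must match."""
    expected = INSPECTING_RULES.get(dport)
    return expected is not None and identify_client_payload(payload) == expected


# Constructed samples of what a client sends first on each protocol.
SAMPLES = [
    ("browser request", 80,
     b"GET /preview/site1/ HTTP/1.1\r\nHost: dev.example\r\n\r\n"),
    ("ssh daemon moved to port 80", 80,
     b"SSH-2.0-OpenSSH_7.4\r\n"),
    ("tls tunnelled over port 80", 80,
     bytes.fromhex("160301") + b"\x00\x2e\x01" + b"\x00" * 10),
    ("smtp relay listening on port 80", 80,
     b"EHLO mail.example\r\n"),
    ("http on a port that is not forwarded", 8080,
     b"GET / HTTP/1.1\r\n\r\n"),
]


def compare(samples=SAMPLES):
    """Returns (label, port_only_verdict, inspecting_verdict) per sample."""
    return [(name, port_only_allow(port, data), inspecting_allow(port, data))
            for name, port, data in samples]


if __name__ == "__main__":
    for name, port_only, inspecting in compare():
        print(f"{name:40s} port-only={port_only!s:5s} inspecting={inspecting}")
```

Only the first sample gets through the inspecting rule; the port-only rule passes every sample on port 80 regardless of what is inside, which is exactly the uncertainty James has about the Cisco 675 forward.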

Removing unapproved content from HTTP sessions.

Removing bad headers from HTTP/SMTP sessions.

Removing unapproved attachments from SMTP sessions.

Creating groups of rules that permit some users different levels of access to HTTP.

Setting up web-site blocking features to disallow access to all except approved sites or categories of sites.

Known ability to block most intrusions....

None of the above are found in the cheap $100 unit.

Reply to
Leythos

YES, YOU'RE RIGHT! :) The config has a pull-down to block those services, as I noted, but now that I actually select those options I see that all it does is to auto-fill the field with the customary port for those services. So... sorry.

Anyhow... back to the original thread...

-Frank

Reply to
Frankster

Thank You Very Much!

James

Reply to
JJ

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.