Looking for good and cheapish hardware firewall

OK, I've got the message that software firewalls are mostly snake oil so I want to get a hardware firewall so I can put my software firewall to bed for good. Would I have to disable the firewall in my router if I get one, or do these work as routers too and I can remove my router from the chain? Post your recommendations. Thanks.

Garrot

Hi Garrot,

I recommend the ZyXEL firewall model ZyWall 2 (ICSA certified) for networks of fewer than 10 users. It has a built-in broadband (DSL or cable) gateway (router) and a 4-port Ethernet switch, and you can get it for less than $200.

You can connect it directly to your broadband modem and remove your router; it will work as a firewall and router at the same time.

Panda

Why isn't the firewall in your router sufficient? It is true that if you have a business or organisation with a group of inexperienced users then a router designed for home use may not be sufficient, although they are getting better and cheaper. If there's only you with one or two PCs at home and if you are reasonably experienced (or wish to become more experienced) and are able to supervise other users of your home PCs then it may not be necessary to use anything more than a home router.

Since I don't know your situation or experience it is difficult to give specific advice.

It may be that a hardware firewall is a good choice for you but can you tell me why you want one? One good reason may be to learn how to configure one.

Assuming you are using Windows PCs then there are many other things to check before you start worrying about firewalls.

In my experience, home users often mistakenly put firewalls (hardware or software) above everything else. I've seen users who told me they must be safe because they had a firewall but who turned out to be running as administrator with no Windows updates, no anti-virus software (or anti-virus software that had never been updated) and no updates to other software such as Java, Acrobat, Flash, Office, etc etc.

Jason Edwards

I second that recommendation. I've had my ZyWall 2 for 2+ years. It was easy to set up and has performed flawlessly.

James T. White

Ok, thanks to both of you. I'll look for one to purchase but the price is a bit more than I wanted to spend. Still, if it's good then it's worth it and I will get one.

Garrot

No, I've got all the other protections in place so am ok there. The reason I want one is because I see a few people in here saying the firewalls in routers are not really firewalls and are very basic. I want a real firewall so I have a new toy to play with. :)

Garrot

[snip]

Find an old PC and some network cards for much less than $200.

Jason Edwards

In most cases, unless you actually get a firewall that knows the difference between HTTP and DNS, you're not really getting much more than a NAT Appliance.

What I mean is that many of the cheap firewall appliances don't really know the difference between HTTP or FTP or DNS or HTTPS; they only let you create rules by port number (TCP/UDP) and in/out. Most of them don't allow you to filter content in an HTTP session or an FTP session, and I don't know of any cheap ones that filter content/headers from inbound SMTP sessions.

Considering that most of the cheap firewalls also have some form of user (IP) limit unless you purchase additional licenses, you don't gain a lot.

Now, if you consider the last two paragraphs, a NAT Appliance, like the almost firewall device DFL-700 by D-Link, becomes a really nice device. Even a quality NAT Appliance is doing almost as much as the cheap firewall appliance. Just look at what each does yourself and you'll see that there really isn't a lot of difference between the quality NAT Appliances (that claim to be firewalls) and the cheap firewalls (and I'm talking under $300 USD).

My mother-in-law uses a Linksys BEFSX41 unit, has used it for 4 years, and has never had an uninvited intrusion that we could detect/see traces of. The unit is connected to another PC that she doesn't use, which runs WallWatcher and sends me logs every night. I've also seen the same protection provided to group users (20 to 30 people in a common building). We've even got one office building with a CISCO switch (so we can track traffic), connected to 12 Linksys BEFSR41 units, that provide service to 12 clients in a building. None of the clients have access to the admin pages of the routers, but we ensure that the clients understand that this is NOT a firewalled solution and they are welcome to install a firewall if they want.

Most of our clients, and my own business and home, have what I consider firewall appliances - they know the difference between protocols and filter content out of HTTP/FTP/SMTP sessions, block websites based on categories of provided content, allow dedicated branch office VPN solutions, etc...

So, if you already have a NAT solution, unless you move way up the chain, or install some software based solution on a dedicated box, you are not going to gain much.

Leythos

OK, thanks for the info, maybe I'll save some money then and just stick with my router. I'm using a D-Link DI604 router. How would you rate that one?

Garrot

I've thought of doing that before, but I don't want another big box taking up space and increasing the noise pollution. I already have two PCs beside my desk and don't really have room for a third. I'll consider it though, and thanks for the links.

Garrot

I consider the 604 to be a standard NAT router. As long as it has firmware updates available and is still supported by the vendor, I consider it viable for home use, and I consider that every home user with an internet connection should have at least a NAT router as their first layer.

I would also suggest that you block outbound ports 135-139, 445, 1433/1434, and any others that you like.

Leythos
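The two Leythos posts above make one point between them: a cheap appliance matches on direction, protocol and port number only, so it cannot tell HTTP from something else on port 80, while an outbound block list such as 135-139, 445, 1433/1434 is still worth having. The toy filter below is an added example written for this page, not code from anyone in the thread or from any vendor. It encodes that block list as port rules, then layers a payload check on top for two well-known ports, and runs both filters over constructed packets so the difference is visible. The packet and rule structures, the regex for an HTTP request line and the minimal DNS header check are all simplifications assumed here; a real application-aware firewall does far more than this.

```python
"""Port-only filtering versus protocol-aware filtering, illustrated on
constructed packets. Added example; not from the thread or any product."""
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" (LAN -> WAN) or "in" (WAN -> LAN)
    proto: str            # "tcp" or "udp"
    dport: int            # destination port
    payload: bytes = b""  # first bytes of the application data


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    ports: range          # destination ports matched (range end is exclusive)
    action: str           # "block" or "allow"


# Outbound block list suggested in the thread: 135-139, 445, 1433/1434.
OUTBOUND_BLOCK_RULES = [
    Rule("out", "tcp", range(135, 140), "block"),
    Rule("out", "udp", range(135, 140), "block"),
    Rule("out", "tcp", range(445, 446), "block"),
    Rule("out", "udp", range(445, 446), "block"),
    Rule("out", "tcp", range(1433, 1435), "block"),
    Rule("out", "udp", range(1433, 1435), "block"),
]


def port_filter(pkt, rules=OUTBOUND_BLOCK_RULES, default="allow"):
    """First matching rule wins; anything unmatched gets the default policy.
    This is all a port-only appliance does: the payload is never examined."""
    for r in rules:
        if r.direction == pkt.direction and r.proto == pkt.proto and pkt.dport in r.ports:
            return r.action
    return default


# Simplified check: does the payload start with an HTTP/1.x request line?
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def looks_like_http(payload):
    return HTTP_REQUEST_LINE.match(payload) is not None


def looks_like_dns(payload):
    """Minimal DNS sanity check: 12-byte header, QR bit clear (a query), QDCOUNT >= 1."""
    if len(payload) < 12:
        return False
    flags = int.from_bytes(payload[2:4], "big")
    qdcount = int.from_bytes(payload[4:6], "big")
    return (flags & 0x8000) == 0 and qdcount >= 1


# On these ports the payload must look like the protocol the port is meant to carry.
PROTOCOL_CHECKS = {("tcp", 80): looks_like_http, ("udp", 53): looks_like_dns}


def protocol_aware_filter(pkt, rules=OUTBOUND_BLOCK_RULES):
    """Apply the port rules first, then refuse traffic on a well-known port
    whose payload does not match that port's protocol."""
    verdict = port_filter(pkt, rules)
    if verdict == "block":
        return verdict
    check = PROTOCOL_CHECKS.get((pkt.proto, pkt.dport))
    if check is not None and not check(pkt.payload):
        return "block"
    return "allow"


# Constructed sample packets (not captured traffic).
SAMPLE_PACKETS = {
    "smb_out": Packet("out", "tcp", 445, b"\xffSMB"),
    "http_out": Packet("out", "tcp", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # Non-HTTP bytes (a TLS record header) sent to port 80: a port-only filter cannot tell.
    "not_http_on_80": Packet("out", "tcp", 80, b"\x16\x03\x01\x00\xa5"),
    # A DNS query: id 0x1234, flags 0x0100 (RD set, QR clear), one question.
    "dns_out": Packet("out", "udp", 53, bytes.fromhex("12340100000100000000000003777777076578616d706c6503636f6d0000010001")),
}


def compare(packets=SAMPLE_PACKETS):
    """Return {name: (port-only verdict, protocol-aware verdict)} for each packet."""
    return {name: (port_filter(p), protocol_aware_filter(p)) for name, p in packets.items()}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:15s} port-only={verdicts[0]:5s} protocol-aware={verdicts[1]}")
```

The block list stops the SMB packet in both filters, but only the protocol-aware filter refuses the non-HTTP bytes on port 80; the port-only filter, which is what the thread says cheap appliances amount to, passes them because the port matched nothing in its rules. Note that `port_filter` defaults to allow for unmatched outbound traffic, which mirrors the permissive outbound behaviour of a plain NAT router.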

- Checkpoint's Safe@Office (one of the easiest boxes out there to set up)

- Sonicwall TZ170

- Watchguard X10/X20E

are all excellent choices for SOHO firewalls, which offer VPN and integrated AV and content-filtering capabilities.

franosk

Thanks. Looks like good info.

q_q_anonymous

Two boxes "inside" on what - a residential cable connection? Think how much traffic/speed that you need. The traffic _between_ your two systems shouldn't be hitting the firewall, and unless you are paying a LOT of bux for your connection, it's probably limited to something under 100 Megabit per second. My provider supplies a dual speed Ethernet connection (10 or 100BaseT), and I've connected that to a 10BaseT NIC in what remains of an ancient 386SX-16 laptop - no case, no display, no keyboard (it's admin'ed over the LAN with a backup connection via the serial port). A second NIC connects to a dual-speed HUB to allow multiple systems access. It's in a cardboard box, and there are two sources of noise - the hard disk, and a four inch fan, neither of which are audible above the noise from the desktop systems. You don't _need_ a Quad Xeon with a Gig of RAM for this function. In my case, the lap-doggy only has 8 Megs of RAM. As for the electrical load, the _fan_ is consuming about a third of the total power into the box (about 15 watts total).

Old guy

Moe Trin
