Small Form Factor Firewall

Does anyone make a small form factor firewall that is manageable by a web interface, with a rule-based configuration similar in principle to Checkpoint's, but is designed for individual computers or a very small network? I'm interested in possibly putting a few of these in front of key network management stations. Because of rootkit viruses, I no longer believe what a software firewall's logs tell me. The rootkit can simply hide network activity in the kernel and report back only what it wants you to see. Because I would use these firewalls one per workstation, I don't want to be spending $1K or $2K per box.

Some very desirable features:

1) A hard lockout on the firewall that would prevent any configuration changes or administrative logins unless a button or knob were pressed. Having a hard-wired read-only mode would prevent a trojan that sniffs your keystrokes from doing much of use with the userid and password of the external firewall.

2) Low cost, under $500/firewall.

3) GigE Support. These are being used on an internal network and I don't want to sacrifice speed.

4) Support for mail alerts as well as alerting back to a GUI gadget on the Windows desktop.

Are there any good options for this product?

Reply to
Will

you could use a small SonicWall (TZ170)

it doesn't have a button, but you can disable http/https management on any interface (e.g. disable it for the inside/outside interfaces and enable it for the opt interface; if you need to change the config, connect a laptop to the opt interface or the console)

i think they are about $400-500

not sure, check specs

4) Support for mail alerts as well as alerting back to a GUI gadget on the

it can send mail alerts and I think syslogging

M
Reply to
mak

Almost every "Firewall Appliance" does what you want - check with WatchGuard, call them to get the specifics you need to handle. Don't settle for a NAT box, you will need a real firewall appliance.

What specifically do you expect the firewall to tell you and detect?

Reply to
Leythos

To a management station, I would expect no incoming connections, so I want that policy enforced and reported.

From the management station, I would expect some standard interactions to a domain controller (DNS, Kerberos, file share on port 445, RPC (unfortunately)). Web access might be restricted to a specific internal network or to Microsoft for updates (a security hole, but not of much use if the software they plant on your machine cannot get back out). Again, I want that policy enforced and reported.

The bottom line is that no matter how malware is introduced onto that machine, it would be nearly impossible for anyone to get any benefit from that infection. That policy would be enforced in a way that no software running on the affected machine could do anything to change.

Reply to
Will
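The policy Will describes (no inbound connections at all; outbound only to the domain controller for DNS, Kerberos, SMB on 445 and RPC, plus web access to one approved internal network; everything logged) is small enough to write down as a default-deny rule table and run against sample flows. The following is an added example, not code from the thread or from any vendor's appliance: the addresses, the RPC dynamic port range (the Windows default) and the sample flows are all constructed assumptions.

```python
"""Default-deny policy for a management workstation, evaluated over constructed flows."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

# Constructed sample addressing (assumption, not from the thread).
STATION = ip_address("10.0.5.20")            # the protected management station
DC = ip_network("10.0.1.10/32")              # domain controller
INTERNAL_WEB = ip_network("10.0.8.0/24")     # the one internal web segment allowed


@dataclass(frozen=True)
class Flow:
    direction: str      # "in" = toward the station, "out" = from the station
    proto: str          # "tcp" or "udp"
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str          # "tcp", "udp" or "any"
    dst: IPv4Network    # permitted destination network
    ports: tuple        # (lo, hi) inclusive port ranges; empty tuple = any port

    def matches(self, flow: Flow) -> bool:
        if flow.direction != "out":          # allow rules only ever cover outbound flows
            return False
        if self.proto not in ("any", flow.proto):
            return False
        if flow.dst not in self.dst:
            return False
        return not self.ports or any(lo <= flow.dport <= hi for lo, hi in self.ports)


# Outbound allow list from the thread: DNS, Kerberos, SMB/445 and RPC to the
# domain controller, web to one internal network. Everything else, and all
# inbound traffic, falls through to the default deny. The RPC dynamic range
# 49152-65535 is the Windows default and is an assumption here.
RULES = (
    Rule("dns-to-dc",      "any", DC, ((53, 53),)),
    Rule("kerberos-to-dc", "any", DC, ((88, 88),)),
    Rule("smb-to-dc",      "tcp", DC, ((445, 445),)),
    Rule("rpc-to-dc",      "tcp", DC, ((135, 135), (49152, 65535))),
    Rule("web-internal",   "tcp", INTERNAL_WEB, ((80, 80), (443, 443))),
)


def evaluate(flow: Flow):
    """Return ("allow", rule_name) for the first matching rule, else ("deny", "default")."""
    for rule in RULES:
        if rule.matches(flow):
            return "allow", rule.name
    return "deny", "default"


def audit(flows):
    """Log every decision, so the policy is both enforced and reported."""
    lines = []
    for f in flows:
        verdict, why = evaluate(f)
        lines.append(f"{verdict.upper():5} {f.direction:3} {f.proto:3} "
                     f"{f.src}->{f.dst}:{f.dport} ({why})")
    return lines


def alerts(flows):
    """Denied flows are the ones worth a mail alert or a desktop notification."""
    return [line for line in audit(flows) if line.startswith("DENY")]


# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = (
    Flow("out", "udp", STATION, ip_address("10.0.1.10"), 53),      # DNS to the DC
    Flow("out", "tcp", STATION, ip_address("10.0.1.10"), 445),     # file share to the DC
    Flow("out", "tcp", STATION, ip_address("10.0.1.10"), 49999),   # RPC dynamic port to the DC
    Flow("in",  "tcp", ip_address("10.0.9.7"), STATION, 3389),     # unsolicited inbound connection
    Flow("out", "tcp", STATION, ip_address("203.0.113.5"), 443),   # web to an unapproved host
)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_FLOWS)))
```

The point of the table form is that the policy lives outside the workstation: whatever software runs on the station, the only decisions it can influence are which flows it generates, not how they are judged or whether they are logged. The two `DENY` lines from the sample run are exactly the events a per-station appliance would forward as mail or syslog alerts.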

Most small (low end) firewalls can do that, but I'm not talking about NAT Routers, I'm talking about firewalls specifically.

We use a number of firewall solutions to isolate Accounting and Medical from Office users, from Research, from a public wireless (protected) setup, etc... In one location we have clients with 4 different firewalls, so that other business partners in the building can connect to their CAT/XRAY/MRI systems, but they can't connect to anything else...

Reply to
Leythos

Will wrote:
: To a management station, I would expect no incoming connections, so I want
: that policy enforced and reported.

Where are you planning on utilizing this? Internally or for SOHO users? I believe most SOHO boxes don't currently support GigE. For small remote offices I have utilized small firewall boxes from Sofaware.

If you're using Checkpoint firewalling you will recognize these. Sofaware is a Checkpoint daughter company. You can also manage these centrally from a Checkpoint SmartConsole (or you can use a web interface on each individual one if you choose to).

For internal networks you also have the option of Cisco NAC. This requires you to have Cisco switches etc. and will handle gigabit load. If you're not using Cisco you can get a product such as Trend Viruswall.

Trend also has a hardware module that can be used in Cisco ASA equipment.

Other solutions that will give you such functionality on the client are Checkpoint Integrity

or MS NAP.
You can also combine several of these and they can work together for optimal protection.

Good luck!

Lars

Reply to
larstr

Corporate use internally, way behind the main firewall.

You hit the nail on the head. 95% of the product on the market for cheap firewalls is for home users who have slow WAN connections. There are lots of small firewall applications on a corporate network where you want to do something special purpose, with a server or group of servers, or a critical management workstation. Sometimes you just don't have a clean way to attach that to a main firewall segment and you have to put something with the machine locally. As you point out, there isn't a whole lot of product offering out there for a small intra-corporate firewall with gigE interfaces on both sides of the firewall.

And to be honest with you, what I really need is something closer to an ethernet bridge that does firewall-like packet inspection. It would be awfully nice if for example I could use the corporate DHCP from behind the small firewall I want to buy.

Probably a major expense.


Software firewalls are cheap but easily defeated by any sophisticated rootkit trojan.

Reply to
Will

Will wrote:
[...]
: Corporate use internally, way behind the main firewall.
[...]
: And to be honest with you, what I really need is something closer to an
: ethernet bridge that does firewall-like packet inspection. It would be
: awfully nice if for example I could use the corporate DHCP from behind the
: small firewall I want to buy.

: > For internal networks you also have the options of Cisco NAC This
: > requires you to have Cisco switches etc and will handle gigabit load

: Probably a major expense.

Protecting your infrastructure with GigE performance doesn't come for free. If you already have decent Cisco equipment, adding NAC might not be too expensive.

A free solution would be to use snort and maybe set it up to talk to your Checkpoint firewall (snortsam). You would have to choose span ports wisely, and it's also possible to monitor packets at GigE speeds. Sourcefire (the developer of snort) almost became a Checkpoint company, but CFIUS blocked the merger. To use snort you would need dedicated hardware, probably quite new (fast) hardware.

There is also host-based IDS/IPS software that might be able to block trojans/worms (and spyware) that normal AV software doesn't. ISS has several such host-based products for servers.

: Software firewalls are cheap but easily defeated by any sophisticated
: rootkit trojan.

MS NAP is not a software firewall.
https://209.34.241.68/nap/archive/2006/09/29/460008.aspx

Good luck!

Lars

Reply to
larstr
