VPN Firewall for new webserver

I'm setting up a webserver at a colocation and I need to put a VPN firewall in front of it. I'm on a fairly tight budget and I have about $100 - $500 to spend on the firewall. I need to allow the web traffic in of course, also FTP and SQL Server access, so port forwarding will be needed. Initially I'll only have one machine behind it but I may add another box later.

Does anyone have any suggestions on firewalls? I've looked at the BEFSX41 which looks like it would work for me but I'm not sure about liability. I've also seen good reviews on the DrayTek Vigor 2900 but the review was several months old and it said to wait for new updates. Finally I've seen really good reviews on the Sonicwall TZ 170, but I'm having a heck of a time trying to tell if I'm buying hardware or a software license.

Can someone point me in the right direction on this?

Thanks, Nate Baxley

Reply to
Nate Baxley

look at this one

formatting link

Reply to
Anonymous

snipped-for-privacy@gmail.com (Nate Baxley) wrote in news:b09a4106.0411082017.40358c77 @posting.google.com:

You can look at the WatchGuard SOHO 6tc that has a FW and VPN solution.

formatting link
has them for under $300.

Duane :)

Reply to
Duane Arnold

The 10 user license version of the Cisco PIX 501 sells for less than $300 dollars. You can use PPTP, L2TP, or Cisco's IPsec VPN client to connect to the network behind it. If you plan to have more than one public IP address and don't want to NAT your systems behind one IP w/ port forwarding, you could use one-to-one NAT to map a static public IP to the static private IP of the server(s).

-Gary

Reply to
Gary

You're not going to get a quality firewall for that amount, at least not a new-in box one. You can get close, and D-Link makes a DI-804HV unit that has features you can use, including the ability to remotely PPTP into the D-Link and access the LAN side without running a VPN setup on your computers.

The PPTP to the D-Link would make this easy - can access the entire LAN once you connect.

One thing - DO NOT EXPOSE MS SQL PORTS TO THE NET, DO NOT EXPOSE 1433, 1434 to the internet under any circumstances. If you require those ports to be exposed you designed a bad solution. If you want to give remote users access to the SQL server, let them do it through a VPN session.

Also, don't allow FTP via an anonymous user, your server will be hacked sooner than you think. Take a look at FileZilla for FTP server software, I use it on many servers and it's very stable.

The units in your price range are almost always just NAT boxes and don't offer real firewall features. The DI-804HV unit is the same as the NAT boxes, but allows you to set up a PPTP inbound connection directly to the D-Link, and the PPTP pass-through config (for inbound, I'm not talking about outbound sessions) also works (the Linksys units don't seem to pass GRE back to the remote user since CISCO started branding the firmware). I have the BEFSX41, it's a nice unit, but it's just a glorified NAT Router. Get the D-Link DI804HV if you are going to go cheap.

Both Sonic and WatchGuard make SOHO Firewall units in your price range, but they are often licenses per IP (on the LAN side) that is connected to them. As an example, a WatchGuard SOHO 6 or SOHO 6tc can protect your systems for under $500, but they are small units and limited (without additional license cost) to 10 IP on the LAN segment. They do offer Mobile User VPN connections for an additional license fee, but the 6TC will allow you to build dedicated IPSec tunnels between locations - meaning you could setup the SOHO6tc for the server farm, and then buy a Linksys BEFVP41 unit and create a dedicated IPSec tunnel between your home and the server network.

The only reliable, cheap, VPN device I've found, that also acts as an END-POINT, is the DI-804HV unit from D-Link.

Reply to
Leythos

I'm a little new at this, with this one-to-one NAT would I use one IP address to access the machine on some ports and another for the other ports? I guess I'm just wondering how it would work. We do have two static IP addresses available and I can see some advantages to reserving one IP for admin purposes and the other for public. Can you give me a little more explanation? Thanks for the Cisco suggestion. I'll check it out.

Nate Baxley

Reply to
Nate Baxley

I may be confusing the price of the PIX 501 -- it might be less than $300 for new units on eBay but maybe closer to $400 elsewhere.

As for one-to-one NAT, a single virtual IP bound to the public interface on the firewall maps directly to a single private network IP. So let's say you've got 12.214.236.127 as a public IP. You could config the public interface of your firewall then map it to the host at 192.168.1.127 on your LAN. Also see the diagram for Static NAT on this page:
formatting link
or Static NAT works for both inbound and outbound traffic

-Gary

Reply to
Gary
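To make the two pieces of advice above concrete, here is an added Python model (not code from anyone in the thread) that combines Gary's one-to-one NAT description with Leythos's rule about never exposing 1433/1434. The public and private addresses are the ones Gary used; the VPN client pool (192.168.1.200/29), the internet source address (203.0.113.10) and the choice of 21/80 as the only public services are constructed assumptions. The point it shows: a static 1:1 mapping rewrites every port, so the filter policy is the only thing standing between the internet and SQL Server.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses: PUBLIC_IP and SERVER_IP are the ones Gary used in the thread.
# VPN_POOL is a constructed assumption: addresses handed to VPN clients that
# terminate on the router itself, so their traffic arrives on the LAN side.
PUBLIC_IP = ip_address("12.214.236.127")
SERVER_IP = ip_address("192.168.1.127")
VPN_POOL = ip_network("192.168.1.200/29")

# Services the thread says may face the internet, and the ones it says never may.
# (FTP data channels need an ALG or a passive port range; omitted here.)
PUBLIC_SERVICES = {("tcp", 80), ("tcp", 21)}
SQL_PORTS = {("tcp", 1433), ("tcp", 1434), ("udp", 1434)}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def static_nat_inbound(pkt: Packet) -> Packet:
    """One-to-one NAT: anything sent to the public IP, on ANY port, is
    rewritten to the private server. There is no per-port forwarding list."""
    if ip_address(pkt.dst) == PUBLIC_IP:
        return replace(pkt, dst=str(SERVER_IP))
    return pkt


def static_nat_outbound(pkt: Packet) -> Packet:
    """The same mapping in reverse: traffic from the server leaves with the
    public IP as its source, which is why static NAT works both ways."""
    if ip_address(pkt.src) == SERVER_IP:
        return replace(pkt, src=str(PUBLIC_IP))
    return pkt


def filter_inbound(pkt: Packet) -> str:
    """Policy applied after translation. Because 1:1 NAT maps every port,
    this filter is the only thing keeping 1433/1434 off the internet."""
    if ip_address(pkt.dst) != SERVER_IP:
        return "DROP"                      # only the mapped host is reachable
    key = (pkt.proto, pkt.dport)
    if key in SQL_PORTS:                   # SQL: VPN clients only
        return "ACCEPT" if ip_address(pkt.src) in VPN_POOL else "DROP"
    if key in PUBLIC_SERVICES:
        return "ACCEPT"
    return "DROP"                          # default deny for everything else


def process_inbound(pkt: Packet):
    """Translate first, then filter; returns (translated packet, verdict)."""
    translated = static_nat_inbound(pkt)
    return translated, filter_inbound(translated)


def internet_exposed_ports(candidate_ports, proto="tcp"):
    """Which of the candidate ports an internet host (constructed source
    203.0.113.10) can actually reach through NAT plus policy."""
    return sorted(
        p for p in candidate_ports
        if process_inbound(Packet("203.0.113.10", str(PUBLIC_IP), p, proto))[1] == "ACCEPT"
    )


if __name__ == "__main__":
    # Web from the internet: translated to the server and accepted.
    print(process_inbound(Packet("203.0.113.10", "12.214.236.127", 80)))
    # SQL from the internet: translated by 1:1 NAT, then dropped by policy.
    print(process_inbound(Packet("203.0.113.10", "12.214.236.127", 1433)))
    # SQL from a VPN client already on the LAN side: accepted.
    print(process_inbound(Packet("192.168.1.201", "192.168.1.127", 1433)))
    # Of these, only the web and FTP control ports are reachable: [21, 80]
    print(internet_exposed_ports([21, 80, 1433, 1434, 3389]))
```

Running the script shows the difference between the two questions Nate asked: with one-to-one NAT there is no second public IP needed for "admin ports", because the mapping is total; the split between public and admin access comes from the filter (internet vs. VPN pool), not from the address translation.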

This one

formatting link
is $219...what do you think about this unit? I would like your opinion...It is cheap too.

Reply to
Anonymous

I skimmed the entire manual and it seems like a nice low end unit. I think the Firewall VPN 800/2 would better serve you, since it can also support IPSec tunnels (it can act as an end-point) so that you can access the unit directly through a VPN.

From what I read, it appears to have all the markings of a true firewall device.

I may have to purchase one for my own testing, I had not used one of these before. The manual seems clear, the unit supports multiple public IP, and seems to have a nice selection of user/device grouping methods with which to work.

Reply to
Leythos

OK...I'm using a 1200/2 right now. It seems very good. I like it.

Reply to
Anonymous

Do you think that you could setup your MS Outlook Express to at least quote part of the thread you reply to? Thanks.

Reply to
Leythos

"" wrote in news:qWdkd.141704$ snipped-for-privacy@fe2.columbus.rr.com:

Just reading the thread, it seems to be ok without looking into the manual.

Duane :)

Reply to
Duane Arnold

There are some differences between the Linksys models in the UK (for the same model numbers!) I've used the BEFSX41 as a VPN endpoint for a WatchGuard server: it proved highly unreliable where the MVPN client running on a W2K machine through a simpler router worked fine. In the UK, from what I've read the Linksys routers either work well or not at all!

I haven't tried that one, I'm about to try this:

formatting link
Not exactly a well known brand! But at least one well known brand doesn't seem to be good at making low price gear.

Reply to
jasee

Interesting, with the Linksys units, I didn't know there was a difference in firmware based on country. Was your connection via a T1 or some other type?

I own a WatchGuard Firebox II personally and have a bunch of II and III and even a couple SOHO6tc units installed around the country, the Linksys units have been painless (the BEFSX41 and the BEFVP41) when making the connections and then the rules for their subnets.

Could your problems have been MTU related?

Did you experience a connection problem with the WAN or just the IPSec problem?

Reply to
Leythos

Yes, there is. If you look at the firmware for the US and UK, there are two different versions.

No, ordinary ADSL

I didn't get that far (it was set at the default)

The Linksys spontaneously rebooted several times after I'd configured it for the WAN only. Others (in the UK) seem to have similar problems with this and other Linksys routers. I get the feeling that if you're prepared to accept the defaults then it simply works. However if (for instance) you don't want to use DHCP then there can be problems.

Reply to
jasee

Do you mean DHCP on the WAN side or LAN side?

If DHCP on the LAN side, you can leave it enabled, set the scope to 100~150, and that still leaves you with almost 200 addresses you can use in a fixed IP mode on the LAN side.

If you set the LAN IP Subnet to 192.168.10.0/24, with the router at 192.168.10.1, you could set the first server/device with a fixed IP at:

IP 192.168.10.10 MSK 255.255.255.0 GW 192.168.10.1
DNS1 192.168.10.1 DNS2 Your ISP DNS1 DNS3 Your ISP DNS2

If you have a DNS server in your LAN, you would set DNS 1 to it, and assuming that it has DNS Forwarding enabled, you would not need DNS 2/3.

As for the defaults on the WAN, almost every DSL connection I've setup has required a FIXED MTU of around 1400~1430 in order to be stable. The only unstable DSL connection we've ever seen was from a company called Adelphia, and it's unstable anywhere in the country.

One more thing, it seems like the last firmware update, at least in the US, was a little unstable, the current one seems to be stable. I found this latest update seems to be rock stable.

Reply to
Leythos

Netscreen 5GT, putting SQL on the net is a bad idea, but eventually the Netscreen Deep Inspection will probably do SQL protection (it already does HTTP and FTP).

The Sonicwall TZW170 does its equivalent IPS which does SQL protection, but it's quite expensive for the yearly sub (Netscreen's is really well priced).

I would go the Cisco PIX path, what's the point of a firewall that doesn't pick up 80% of the attacks hitting your network? You might as well put a cardboard box around your server and hope for the best.

Reply to
Mark S

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.