best device for scanning OSI layers 4-7

Last week this group was discussing "best low cost firewalls". Here was my (late) response which got buried in the middle of all the other posts:

---------------------------------------------------------------------------------------------------------------

How about the real IP/subnetmask/port firewall built into your DSL/CableModem? It's free, it operates at layer 3, and it is working outside your PC's messy world, inline before the Ethernet frames even reach your PC. The ones I have configured (Cisco/Linksys) are capable of doing some filtering for the OSI layers 4-7 (anti-virus/spyware) again *before* the encapsulated data even reaches the insecure world of your PC. These kinds of devices also can do NAT to hide the IP address of your internal private network.

----------------------------------------------------------------------------------------------------------------

Here is my question for the group:

What about low cost NAC devices that inspect layers 4-7 to identify who you are and where you can go on the network? According to InfoWorld (June 2006) Caymas Systems has the best upper end product, where prices are in the tens of thousands of dollars, and where there is a need for 4 Gigabit interfaces, strong authentication, and strong encryption for upwards of 5,000 concurrent users (thus creating VPNs for those clients using LDAP, SecurID, RADIUS, etc).

Has anyone on the list done research on low cost (< $3k, for example) devices for upper layer protection *before* the data even reaches the insecure world of Windows?

I'm aware of what can be built using UNIX/LINUX but what about a low cost off-the-shelf device that does heavy stateful inspection of layers 4-7 *before* the data even reaches the insecure world of your PC?

Cheers, ~DRH~

DrSpock