Higher-End Home FW Question

I would love to get my hands on a Fortigate 60 box for my home network. I am really looking for something that will do FW, IDS, shaping as well as virus and malware filtering... on one platform. Is there another company i can look at that isn't as expensive as Fortinet? I'd rather not spend about $700 on it. Thanks.

Reply to
bPstyles

For a home network, or any small network, a NAT box running ICS, or some other NAT software, plus Tiny Personal Firewall on the NAT box will do nicely.

Reply to
Charles Newman

Netscreen and Sonicwall, but both are similar pricing. Although I understand there's a new entry level Sonicwall with all that on it due for release shortly - should be at least half that price.

Reply to
Mark S

But that stuff has no malware, AV, shaping, or application level protection at all.

Reply to
Mark S

Tiny has application level protection. Tiny, for example, is the only way you can stop file-sharing programs, like Kazaa. I just restrict everything to Socks and HTTP proxies, and block ports 80, plus 1000-5300 on the Socks proxy and that shuts down Kazaa. I can do that while opening port 80 on the HTTP server to let Web traffic through.

Reply to
Charles Newman


For malware, you can install Ad-aware For AV, there is a program, Avast, that is free for home use.

That should solve the AV and malware/adware problem

Reply to
Charles Newman

Do yourself a favor and do not buy a Fortinet. Both NetScreen and SonicWALL (newer firmware) are doing EVERYTHING better than Fortinet can / will ever do. Believe me, I've monkeyed with Fortinet and used to be a huge proponent at first, but I hate their support and their so-called named IDS is the same functionality as NetScreen calls 'Screen' which you can enable independently on different zones, on top of that you can get actual DPI (IDS) on the NetScreen. The SonicWALL has impressive IDS as well that is protocol agnostic which is far better than anything in one box right now. Dig?

Reply to
Munpe Q

Please ignore Mr Newman, his grasp of the subject matter is rather limited.

If you have a spare quiet PC with two network cards.

The free version of

formatting link
will do what you require, an active AV subscription to go with it is not expensive.

greg

Reply to
Greg Hennessy

I am going on my training in college. I was trained as a bean-counter, and had a computer networking class once, where we had to set up a Windows NT 4 Server, running NAT, which is very much like ICS. We were taught that ICS, or a similar software based NAT, is the best way to do it. ICS on Win9x and XP machines is just a slimmed-down version of the NAT found on NT/2000 and 2003 server machines. The main difference is that NT/2000 and 2003 server machines will let you set up a domain, where the 9x and XP versions will not. I advocate ICS, because it is very much like what I was taught when I was in college. They did not teach about hardware firewalls, because we were taught that software based NAT and firewalls were superior.

Reply to
Charles Newman

Well, what I am talking about is setting one computer up as an ICS box, and then connecting client machines behind it. Tiny Personal Firewall can successfully shut down Kazaa, where your hardware appliances cannot. It's just simply a matter of restricting what the Socks and HTTP proxies can do. On my network, I just simply told Tiny to not allow the application running the Socks proxy to do outgoing connections on ports 80, and on 1000-5300. That effectively shuts Kazaa down. The only outbound connection on port 80 allowed is on the HTTP proxy. Because Kazaa has no central server, there is no one address you can use to shut down Kazaa, so the only way is to require everything to use Socks/HTTP proxies, and then wholesale shut down calls to ports 80 and 1000-5300 from the Socks server. I have tested this, and with those ports blocked, there is no way Kazaa can connect.

Reply to
Charles Newman

And a lot of what you were taught in College concerning computers is currently outdated, in fact, much of what is taught in College is out of date while it's being taught.

Firewall appliances are superior for home users and unmanaged environments, and even in most managed environments, as the primary border protection device.

Since we're talking about home systems in this thread, we'll talk about firewall software running on a system that the user is also running their applications from - which means that the firewall/NAT can be compromised easily and is also subject to daily misconfiguration by the user.

If the user were running an appliance, even a simple NAT box, the user would not be subjected to daily misconfiguration problems, daily chances of compromising the appliance from the workstation, and would not be spending valuable CPU cycles to maintain the firewall state.

Reply to
Leythos

What is it with you and Kazaa? One can shut Kazaa down by not installing it in the first place. ;-)

Duane :)

Reply to
Duane Arnold

Anything you tell Tiny to do running on an ICS box I can also tell a firewall appliance to do, and I can do more in every case. You need to learn a LOT more about firewalls - we're not talking simple NAT boxes.

As for outbound port blocking, I can set up most NAT routers to only allow specific outbound destination ports also - so a simple NAT box can block your P2P apps. In fact, I block that type of stuff at a Sorority and have no problem with it, using a NAT only box.

And you can do the same with a firewall appliance.

Reply to
Leythos
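The "only allow specific outbound destination ports" approach this post describes is a default-deny egress policy on the NAT box. Below is an added example (not code from the thread or from any product named in it) that models such a policy as a rule check and audits a constructed flow log with it. The LAN range, the upstream resolver address, the allow-list of ports and the log lines are all assumptions made up for the example.

```python
"""Default-deny outbound policy on a NAT/firewall box, evaluated offline.

Added example (not code from the thread): models "only allow specific
outbound destination ports" as a rule check over flow records, then audits
a constructed flow log with it. Addresses, ports and the log are made up.
"""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")        # assumed home LAN behind the box
RESOLVER = ip_address("198.51.100.53")    # assumed upstream DNS resolver
# Allow-list of (protocol, destination port) pairs LAN hosts may open
# outbound. Anything not listed is dropped, so a program that picks an
# unusual port never gets out, regardless of which program it is.
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("tcp", 25), ("tcp", 110), ("tcp", 995)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def evaluate(flow: Flow) -> str:
    """Return 'ALLOW:<reason>' or 'DENY:<reason>' for one new connection."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if src not in LAN:
        # Anti-spoofing: packets seen on the inside interface must carry an
        # inside source address, or they are not ours to forward.
        return "DENY:spoofed-source"
    if dst in LAN:
        return "ALLOW:local"  # never leaves the LAN; egress policy does not apply
    if flow.proto == "udp" and flow.dport == 53:
        # Pin DNS to the one configured resolver so hosts cannot use
        # arbitrary external name servers as a side channel.
        return "ALLOW:dns" if dst == RESOLVER else "DENY:dns-bypass"
    if (flow.proto, flow.dport) in ALLOWED_OUTBOUND:
        # A port number says nothing about the protocol actually spoken on
        # it; telling web traffic from something else on 80 needs a
        # separate content-inspection layer, which this check does not do.
        return "ALLOW:policy"
    return "DENY:default"


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' flow record (constructed log format)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], fields["proto"].lower(), int(fields["dport"]))


def audit(lines) -> Counter:
    """Count verdicts over a flow log."""
    return Counter(evaluate(parse_flow(l)) for l in lines if l.strip())


def denied(lines) -> list:
    """The denied records are what an administrator reviews after a change."""
    return [l for l in lines if l.strip() and evaluate(parse_flow(l)).startswith("DENY")]


# Constructed flow log: six new-connection records as the box would see them.
SAMPLE_LOG = [
    "src=192.168.1.20 dst=203.0.113.10 proto=tcp dport=443",   # normal HTTPS
    "src=192.168.1.20 dst=203.0.113.77 proto=tcp dport=3210",  # unlisted high port
    "src=192.168.1.21 dst=198.51.100.53 proto=udp dport=53",   # DNS to our resolver
    "src=192.168.1.21 dst=203.0.113.53 proto=udp dport=53",    # DNS to a foreign server
    "src=10.0.0.5 dst=203.0.113.10 proto=tcp dport=80",        # wrong source range
    "src=192.168.1.22 dst=192.168.1.1 proto=tcp dport=445",    # stays inside the LAN
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(evaluate(parse_flow(line)).ljust(20), line)
    print(dict(audit(SAMPLE_LOG)))
```

The allow-list is deliberately short: adding a port is a one-line change that shows up in review, whereas a default-allow policy with a growing block-list (the "block 1000-5300" approach) has to be extended every time a program changes its port.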

Well, the big sticking point is port 80. Your hardware appliance, being separate from the server machine, cannot tell whether the traffic is coming from the Socks server or HTTP server. The folks at Kazaa know this, that is why port 80 is attempted after all the other ports fail. They know that without cutting off port 80 it is impossible to shut down, in most environments.

Reply to
Charles Newman

Ah, but I have one thing that your personal firewall doesn't have - that's the web-blocker function that allows me to specify only web sites that provide content type information or to specify sites that are on the white list. So, my stick is really BIG, it can tell the difference.

Reply to
Leythos

Leythos wrote in news:MPG.1c24bb7ae2411af6989c4e@news-server.columbus.rr.com:

You might as well be talking to a wall. The day that something like Tiny can match the power of a FW appliance will be the day the Chicken Little falls out of the sky. ;-)

Duane :)

Reply to
Duane Arnold

That's not 'training'. Having a computer networking class is not training.

NAT has SFA to do with ICS.

See above.

ROTFL!

Which has absolutely SFA to do with NAT or ICS.

Given that you're clearly unable to comprehend the basics of IP addressing, how in the name of would you know exactly?

greg

Reply to
Greg Hennessy

Oh puhleeze, enough with the asinine uninformed bollocks already.

You have absolutely no idea of what you are talking about.

greg

Reply to
Greg Hennessy

What is wrong with POP access? It has been the standard for several years.

Reply to
Charles Newman

If you are filtering your mail via POP you have already spent the money on infrastructure to support the spammer; the only way to help reduce your infrastructure needs is filtering during the SMTP conversation.

John

Reply to
John Mason Jr
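The distinction in this reply is where in the mail flow the policy decision is made. An added example (not from the thread) follows: a minimal SMTP receiver state machine that can either reject at MAIL FROM / RCPT TO, before any message body is accepted, or accept everything and apply the same policy afterwards, which is the position a POP-side filter is in. The domain, user list, blocked sender domain and both transcripts are constructed for the example; the receiver implements only the handful of commands the transcripts use.

```python
"""Rejecting during the SMTP conversation vs. filtering after acceptance.

Added example, not code from the thread. Two constructed sessions are run
through the same receiver in 'early' mode (reject before DATA) and 'late'
mode (accept, spool, then apply the same policy). bytes_spooled shows the
storage the late path pays for mail it then throws away.
"""
import re

LOCAL_DOMAIN = "example.org"                 # assumed: the domain we host
LOCAL_USERS = {"alice", "bob"}               # assumed: valid local mailboxes
BLOCKED_SENDER_DOMAINS = {"spam.example"}    # constructed block-list


def _addr(arg: str) -> str:
    """'FROM:<user@host>' or 'TO:<user@host>' -> 'user@host'."""
    m = re.search(r"<([^>]*)>", arg)
    return (m.group(1) if m else arg.partition(":")[2]).strip().lower()


def sender_error(sender: str):
    if sender.rpartition("@")[2] in BLOCKED_SENDER_DOMAINS:
        return "550 5.7.1 sender rejected"
    return None


def rcpt_error(rcpt: str):
    local, _, domain = rcpt.rpartition("@")
    if domain != LOCAL_DOMAIN:
        return "554 5.7.1 relay denied"      # we are not an open relay
    if local not in LOCAL_USERS:
        return "550 5.1.1 user unknown"
    return None


class Receiver:
    def __init__(self, early: bool):
        self.early = early                    # True: enforce policy in-conversation
        self.state, self.sender, self.rcpts, self.body = "INIT", "", [], []
        self.bytes_spooled = 0                # body bytes written to the spool
        self.delivered = []                   # (sender, rcpts) reaching a mailbox

    def handle(self, line: str) -> str:
        if self.state == "DATA":
            if line == ".":
                return self._end_of_data()
            self.body.append(line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            self.state = "HELO"
            return "250 mail.example.org"
        if verb == "MAIL":
            if self.state != "HELO":
                return "503 5.5.1 bad sequence"
            sender = _addr(arg)
            err = sender_error(sender) if self.early else None
            if err:
                return err                    # nothing stored, nothing to clean up
            self.sender, self.state = sender, "MAIL"
            return "250 2.1.0 ok"
        if verb == "RCPT":
            if self.state not in ("MAIL", "RCPT"):
                return "503 5.5.1 bad sequence"
            rcpt = _addr(arg)
            err = rcpt_error(rcpt) if self.early else None
            if err:
                return err
            self.rcpts.append(rcpt)
            self.state = "RCPT"
            return "250 2.1.5 ok"
        if verb == "DATA":
            if self.state != "RCPT":
                return "503 5.5.1 bad sequence"
            self.state = "DATA"
            return "354 end data with <CRLF>.<CRLF>"
        if verb == "QUIT":
            return "221 2.0.0 bye"
        return "500 5.5.2 command unrecognized"

    def _end_of_data(self) -> str:
        # Accepting the body means writing it out (+2 per line for CRLF).
        self.bytes_spooled += sum(len(l) + 2 for l in self.body)
        if self.early:
            keep = list(self.rcpts)           # policy already applied
        else:
            keep = [] if sender_error(self.sender) else \
                   [r for r in self.rcpts if not rcpt_error(r)]
        if keep:
            self.delivered.append((self.sender, tuple(keep)))
        self.state, self.sender, self.rcpts, self.body = "HELO", "", [], []
        return "250 2.0.0 queued"


def run(commands, body, early: bool):
    """Drive one session; the body is sent only if DATA was accepted (354)."""
    rx, responses = Receiver(early), []
    for cmd in commands:
        resp = rx.handle(cmd)
        responses.append(resp)
        if cmd.upper() == "DATA" and resp.startswith("354"):
            for line in body:
                rx.handle(line)
            responses.append(rx.handle("."))
    return responses, rx


# Constructed transcripts (client side only; the receiver produces replies).
SPAM_CMDS = ["EHLO relay.spam.example", "MAIL FROM:<offer@spam.example>",
             "RCPT TO:<alice@example.org>", "DATA", "QUIT"]
SPAM_BODY = ["Subject: constructed sample", "", "x" * 2000]
GOOD_CMDS = ["EHLO mail.example.net", "MAIL FROM:<carol@example.net>",
             "RCPT TO:<alice@example.org>", "RCPT TO:<nobody@example.org>",
             "DATA", "QUIT"]
GOOD_BODY = ["Subject: hello", "", "See you at noon."]

if __name__ == "__main__":
    for early in (True, False):
        resp, rx = run(SPAM_CMDS, SPAM_BODY, early=early)
        print("early" if early else "late ", "spam:", rx.bytes_spooled, "bytes spooled")
```

In early mode the blocked sender gets a 550 at MAIL FROM and the client's subsequent RCPT and DATA are refused with 503, so the spool is never touched; in late mode the same message is fully stored before the identical policy discards it, which is the infrastructure cost the reply is talking about.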
