I would love to get my hands on a FortiGate 60 box for my home network. I am really looking for something that will do FW, IDS, shaping as well as virus and malware filtering... on one platform. Is there another company I can look at that isn't as expensive as Fortinet? I'd rather not spend about $700 on it. Thanks.
For a home network, or any small network, a NAT box running ICS, or some other NAT software, plus Tiny Personal Firewall on the NAT box will do nicely.
NetScreen and SonicWALL, but both are similar in pricing. Although I understand there's a new entry-level SonicWALL with all that on it due for release shortly - it should be at least half that price.
Tiny has application-level protection. Tiny, for example, is the only way you can stop file-sharing programs like Kazaa. I just restrict everything to Socks and HTTP proxies, and block port 80, plus 1000-5300, on the Socks proxy, and that shuts down Kazaa. I can do that while opening port 80 on the HTTP server to let web traffic through.
Do yourself a favor and do not buy a Fortinet. Both NetScreen and SonicWALL (newer firmware) are doing EVERYTHING better than Fortinet can / will ever do. Believe me, I've monkeyed with Fortinet and used to be a huge proponent at first, but I hate their support, and their so-called IDS is the same functionality as what NetScreen calls 'Screen', which you can enable independently on different zones; on top of that you can get actual DPI (IDS) on the NetScreen. The SonicWALL has impressive IDS as well that is protocol agnostic, which is far better than anything in one box right now. Dig?
I am going on my training in college. I was trained as a bean-counter, and had a computer networking class once, where we had to set up a Windows NT 4 Server running NAT, which is very much like ICS. We were taught that ICS, or a similar software-based NAT, is the best way to do it. ICS on Win9x and XP machines is just a slimmed-down version of the NAT found on NT/2000 and 2003 Server machines. The main difference is that NT/2000 and 2003 Server machines will let you set up a domain, where the 9x and XP versions will not. I advocate ICS because it is very much like what I was taught when I was in college. They did not teach about hardware firewalls, because we were taught that software-based NAT and firewalls were superior.
Well, what I am talking about is setting one computer up as an ICS box, and then connecting client machines behind it. Tiny Personal Firewall can successfully shut down Kazaa, where your hardware appliances cannot. It's simply a matter of restricting what the Socks and HTTP proxies can do. On my network, I simply told Tiny not to allow the application running the Socks proxy to make outgoing connections on port 80 and on ports 1000-5300. That effectively shuts Kazaa down. The only outbound connection on port 80 allowed is from the HTTP proxy. Because Kazaa has no central server, there is no one address you can use to shut down Kazaa, so the only way is to require everything to use the Socks/HTTP proxies, and then wholesale shut down calls to ports 80 and 1000-5300 from the Socks server. I have tested this, and with those ports blocked, there is no way Kazaa can connect.
And a lot of what you were taught in college concerning computers is currently out-dated; in fact, much of what is taught in college is out of date while it's being taught.
Firewall appliances are superior for home users and unmanaged environments, and even in most managed environments, as the primary border protection device.
Since we're talking about home systems in this thread, we'll talk about firewall software running on a system that the user is also running their applications from - which means that the firewall/NAT can be compromised easily and is also subject to daily misconfiguration by the user.
If the user were running an appliance, even a simple NAT box, the user would not be subjected to daily misconfiguration problems, daily chances of compromising the appliance from the workstation, and would not be spending valuable CPU cycles to maintain the firewall state.
Anything you tell Tiny to do running on an ICS box I can also tell a firewall appliance to do, and I can do more in every case. You need to learn a LOT more about firewalls - we're not talking about simple NAT boxes.
As for outbound port blocking, I can set up most NAT routers to only allow specific outbound destination ports as well - so a simple NAT box can block your P2P apps. In fact, I block that type of stuff at a sorority and have no problem with it, using a NAT-only box.
And you can do the same with a firewall appliance.
Well, the big sticking point is port 80. Your hardware appliance, being separate from the server machine, cannot tell whether the traffic is coming from the Socks server or the HTTP server. The folks at Kazaa know this; that is why port 80 is attempted after all the other ports fail. They know that without cutting off port 80 it is impossible to shut down, in most environments.
Ah, but I have one thing that your personal firewall doesn't have - that's the web-blocker function that allows me to specify only web sites that provide content-type information, or to specify sites that are on the whitelist. So, my stick is really BIG; it can tell the difference.
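The posts above describe the same egress policy from two sides: block outbound port 80 and the 1000-5300 range for ordinary hosts, while letting a single HTTP proxy out on port 80. The ruleset below is an added example, not something any poster in this thread wrote, showing how a Linux NAT box (an "appliance" in the sense used above) enforces that policy with nftables. An appliance cannot see which process on a host opened a connection; it distinguishes the proxy by its source address, so the example assumes the HTTP proxy runs on a dedicated host. The interface names, the LAN subnet and the proxy address are assumptions for illustration.

```nft
#!/usr/sbin/nft -f
# Added example: egress filtering on a Linux NAT router.
# Interface names, LAN subnet and proxy address are assumed values.
flush ruleset

define WAN_IF     = "eth0"
define LAN_IF     = "eth1"
define LAN_NET    = 192.168.1.0/24
define PROXY_HOST = 192.168.1.2      # assumed: dedicated HTTP proxy host

table inet filter {
    chain forward {
        # Default drop: anything not explicitly allowed below does not leave.
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN already opened.
        ct state established,related accept
        ct state invalid drop

        # Rules are evaluated in order, so the proxy exception must come
        # BEFORE the blanket port block. Only the proxy host may reach
        # port 80 directly; the router identifies it by source address,
        # not by which program on the host made the request.
        iifname $LAN_IF oifname $WAN_IF ip saddr $PROXY_HOST tcp dport 80 accept

        # Every other LAN host: no direct port 80, and no 1000-5300,
        # the range the thread identifies as the P2P client's fallback.
        iifname $LAN_IF oifname $WAN_IF tcp dport { 80, 1000-5300 } drop
        iifname $LAN_IF oifname $WAN_IF udp dport 1000-5300 drop

        # Remaining outbound traffic from the LAN (DNS, mail, etc.) is allowed.
        iifname $LAN_IF oifname $WAN_IF ip saddr $LAN_NET accept
    }
}

table ip nat {
    chain postrouting {
        # Masquerade LAN traffic behind the router's WAN address.
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN_IF ip saddr $LAN_NET masquerade
    }
}
```

Load it with `nft -f <file>` and check the result with `nft list ruleset`. A client on the LAN opening a TCP connection to any port in 1000-5300, or to port 80, is dropped at the forward hook, while the proxy host's port-80 traffic matches the earlier accept rule and passes. A present-day deployment would add port 443 alongside 80 in both the proxy exception and the block list, since web traffic is now mostly TLS; the example stays with port 80 because that is the port the thread discusses.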
Leythos wrote in news:MPG.1c24bb7ae2411af6989c4e@news-server.columbus.rr.com:
You might as well be talking to a wall. The day that something like Tiny can match the power of a FW appliance will be the day that Chicken Little falls out of the sky. ;-)
If you are filtering your mail via POP you have already spent the money on infrastructure to support the spammer, the only way to help reduce your infrastructure needs is filtering during the SMTP conversation.
Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here.