looking for a better firewall

Hello to all and to all a good holiday

I have been looking for a better firewall. Currently in use are an SMC Barricade wired and a D-Link 624 wireless. I do not think these do deep state (layer?) inspection. I have been looking at the Cisco 500 series or SonicWall 150 or 170. Anyone who has one, I would love to hear what you think of it. As far as that goes, am I overlooking any better ones? I would like to be under eight or nine hundred dollars (USA) street price, not MSRP. Hardware based, but better than what I have. Also, SonicWall confused me talking about the number of nodes allowed. Do they mean machines total or active? That is, when they say ten nodes, do they mean ten active machines out the gateway or ten machines period? I never before had to consider this, as any machines behind the firewall would go. Seems like every time I Google I either get very expensive ones, five to thirty thousand dollars, or software ones. What I want is a better hardware firewall than I presently have, if there is an advantage. Oh, I do have firewall protection on the boxes: 3 Fedora Core 4, 6 Windows, mostly 2000 or XP.

Reply to
spamkill at charter dot net

Why pay $800 for something unless you feel you need to do that? You can get them used and refurbished with warranty, I would think, and get a standalone WAP new. They usually come with a 10-user license, meaning ten devices (computers, print servers, etc.) can use the appliance and connect at one time.

I use a WatchGuard myself. You should get one where you can use WallWatcher (free), which works with many appliances; you can check the list. I know the T170 is in the list.

Duane :)

Reply to
Duane Arnold

Fortigate makes very, very deeply featured firewalls in your price range without node counts/limits. Antivirus, intrusion protection, VPN, spam and web filters... starting around $600 US with all subscriptions, I think, for a 50A. If you get a 60, you can put your wireless device on a completely separate interface, or even buy a unit with WiFi built in.

I have extensive experience with these, from a single office on ADSL to large retail chains to gigabit pipes in front of universities. Superb boxes.


-Russ.

Reply to
Somebody.

Usually 10 machines means 10 MAC addresses. As soon as the 11th machine is 'known', it blocks connections. So unless you want to be swapping NICs every time you want to connect machine 11, you will effectively need 1 licence per device. Cheers, E.

Reply to
E.

That's typically 10 active devices at any one instance if you use DHCP and allow a trusted range of IPs. If you configure specific rules per IP, then you'll likely start mapping MACs and run into limits.

BTW: what's the need for 'deep SPI'? Usually, trapping unsolicited packets is sufficient.

Reply to
Jeff B

Sufficient for what? Deep Inspection and the like from various manufacturers have the purpose of identifying nefarious in-band packets, in either direction, contained for example within HTTP traffic. This is not "unsolicited" traffic, as you have visited the site in question of your own accord (or at least a garden-variety "firewall" thinks you have), but it is a damaging payload that should be dropped from the data stream.

Any $49 SOHO router can stop unsolicited inbound connections, but that is only a part of the exposure most machines have.

-Russ.

Reply to
Somebody.

OK, but SPI is not an alternative implementation of an antivirus solution. 'Stateful' is relative to the TCP/IP protocol, not the data payload.

Reply to
Jeff B

All the ones I've seen count MACs up to n, and n+1 is blocked. Whether one of the MACs held in the original n is active is irrelevant. E.

Reply to
E.

No, SPI is not an alternative to AV, nor is AV an alternative to SPI; they're both different and important layers of protection, neither of which is offered by a $49 router.

Notice that Deep Inspection is different from SPI also. SPI looks at the header; DI looks inside the packet data.

The Fortinet firewalls that I like to install do content reassembly; that is, they reassemble the data stream and scan it in memory to catch bad payloads that span many packets, which is another level again past Deep Inspection.

"Deep SPI" is some sort of Frankenstein term coined by the OP, I suspect, or perhaps somebody out there is using it, but Stateful Packet Inspection and Deep Inspection have both been around for years as working terms for inspecting the header and inspecting the packet data respectively. I'm not sure which one he thought he was asking for. But he can get SPI, DI, and content reassembly in a Fortinet firewall for under $1000.

-Russ.

Reply to
Somebody.
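To make the three layers Russ distinguishes concrete, here is an added toy model (not code from the thread or from any vendor): a header-only stateful filter that only admits inbound packets belonging to a flow an inside host opened, a per-packet payload scan, and a per-flow stream reassembler that scans the joined payload. The packets, the addresses (RFC 5737 documentation ranges) and the "bad" signature are all constructed for the demonstration; the reassembler ignores overlaps, gaps and retransmissions that a real engine must handle.

```python
from dataclasses import dataclass

# Hypothetical payload signature the two "deep" layers look for (constructed).
BAD_SIGNATURE = b"<script>evil()</script>"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int = 0
    payload: bytes = b""


class StatefulFirewall:
    """SPI: looks only at headers. An inbound packet passes only if it belongs
    to a flow that an inside host opened; unsolicited inbound traffic is dropped."""

    def __init__(self, inside_prefix="192.168.0."):
        self.inside_prefix = inside_prefix
        self.flows = set()  # (inside_ip, inside_port, outside_ip, outside_port)

    def allow(self, p: Packet) -> bool:
        if p.src.startswith(self.inside_prefix):   # outbound: remember the flow
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        # inbound: is this the reverse direction of a known flow?
        return (p.dst, p.dport, p.src, p.sport) in self.flows


def deep_inspect(p: Packet) -> bool:
    """DI: scans each packet's payload on its own for the signature."""
    return BAD_SIGNATURE not in p.payload


class StreamReassembler:
    """Content reassembly: joins a flow's segments in sequence order and scans
    the joined stream, so a signature split across packets is still found.
    Toy model: no handling of overlapping, missing or retransmitted segments."""

    def __init__(self):
        self.segments = {}  # flow -> {seq: payload}

    def allow(self, p: Packet) -> bool:
        flow = (p.src, p.sport, p.dst, p.dport)
        segs = self.segments.setdefault(flow, {})
        segs[p.seq] = p.payload
        stream = b"".join(segs[s] for s in sorted(segs))
        return BAD_SIGNATURE not in stream


def run_demo() -> dict:
    """Constructed traffic: an inside client fetches a page, the server's reply
    carries the signature split over two segments, and an outsider probes SMB."""
    client, server, attacker = "192.168.0.5", "203.0.113.10", "198.51.100.7"
    request = Packet(client, 40000, server, 80, seq=0, payload=b"GET / HTTP/1.1\r\n")
    probe = Packet(attacker, 5555, client, 445)      # nobody inside asked for this
    half = len(BAD_SIGNATURE) // 2
    reply1 = Packet(server, 80, client, 40000, seq=0,
                    payload=b"HTTP/1.1 200 OK\r\n\r\n" + BAD_SIGNATURE[:half])
    reply2 = Packet(server, 80, client, 40000, seq=len(reply1.payload),
                    payload=BAD_SIGNATURE[half:])

    spi, reasm = StatefulFirewall(), StreamReassembler()
    return {
        "spi_outbound": spi.allow(request),                       # allowed
        "spi_unsolicited_probe": spi.allow(probe),                # dropped
        "spi_reply_in_flow": spi.allow(reply1) and spi.allow(reply2),  # allowed: solicited
        "di_per_packet": deep_inspect(reply1) and deep_inspect(reply2),  # missed: split
        "reassembled": reasm.allow(reply1) and reasm.allow(reply2),      # caught
    }


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:24s} {'allow' if verdict else 'DROP'}")
```

The point the demo makes is the one in the post: SPI correctly lets the server's reply through because the client asked for it, per-packet inspection misses a payload that straddles a segment boundary, and only the reassembled stream is rejected.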

Devices I've worked with that have node counts allow an older MAC to be dropped when the 11th shows up. However, they also have an annoying tendency to give node "seats" out to devices like TCP/IP printers that show up on the network all the time but don't actually traverse the firewall.

Seat-limited devices tend to be very annoying in real life unless you are well, well under the seat limit.

However, putting a $49 router in front of a handful of your machines before they hit your "real" firewall is sufficient to fool the firewall into calling them one node, if communication *to* those machines is not required from elsewhere on the network, i.e., they are only clients and not servers of any type.

-Russ.

Reply to
Somebody.
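The thread describes two different vendor behaviours for a MAC-based node licence: E.'s (the first n MACs hold the seats and MAC n+1 is simply blocked) and Russ's (a new MAC bumps the oldest one). The added model below (not from the thread, and not any vendor's actual logic; both policies are assumptions about how such a licence might be enforced) implements both as a switchable policy and then shows Russ's NAT trick, where several client-only hosts behind a cheap router present one MAC upstream and therefore consume one seat.

```python
from collections import OrderedDict


class SeatLicense:
    """Toy node-count licence keyed on MAC address (assumed behaviour).

    policy="lock":  the first `seats` MACs own the seats for good; any later MAC
                    is blocked until a seat holder is removed by hand.
    policy="evict": a new MAC replaces the least recently seen seat holder.
    """

    def __init__(self, seats: int, policy: str = "lock"):
        self.seats, self.policy = seats, policy
        self.table = OrderedDict()   # mac -> last-seen tick, oldest first
        self.tick = 0

    def admit(self, mac: str) -> bool:
        self.tick += 1
        if mac in self.table:            # known node: refresh and allow
            self.table.move_to_end(mac)
            self.table[mac] = self.tick
            return True
        if len(self.table) < self.seats:  # free seat available
            self.table[mac] = self.tick
            return True
        if self.policy == "evict":        # full: bump the least recently seen MAC
            self.table.popitem(last=False)
            self.table[mac] = self.tick
            return True
        return False                      # full and locked: blocked


def mac(i: int) -> str:
    """Constructed locally administered MAC for host number i."""
    return f"02:00:00:00:00:{i:02x}"


def run_demo(seats: int = 10) -> dict:
    results = {}
    for policy in ("lock", "evict"):
        lic = SeatLicense(seats, policy)
        first_n = all(lic.admit(mac(i)) for i in range(1, seats + 1))
        extra = lic.admit(mac(seats + 1))          # machine n+1 shows up
        results[policy] = {
            "first_n_admitted": first_n,
            "extra_admitted": extra,
            "first_still_seated": mac(1) in lic.table,
        }

    # NAT trick: nine machines connect directly; three client-only hosts sit
    # behind a cheap router, so upstream they all appear as the router's MAC.
    lic = SeatLicense(seats, "lock")
    for i in range(1, seats):
        lic.admit(mac(i))
    router_mac = "02:00:00:00:ff:01"
    nat_hosts_admitted = sum(lic.admit(router_mac) for _ in ("hostA", "hostB", "hostC"))
    results["nat"] = {
        "hosts_behind_router_admitted": nat_hosts_admitted,
        "seats_used": len(lic.table),
        "next_direct_machine_admitted": lic.admit(mac(seats + 1)),
    }
    return results


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Under "lock" the eleventh MAC is refused and MAC 1 keeps its seat whether or not it is active, which is E.'s description; under "evict" the eleventh gets in and MAC 1, the least recently seen, is the one dropped, which is Russ's. The NAT run admits all three hosts on a single seat while a tenth direct machine is still blocked.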

Too bad. I have 10 mapped MACs and still dish out DHCP addresses 192.168.0.11 and above, as long as all 10 are not active at the same time. This gives me a 'trusted subnet' of .1 through .10, and any guest user is controlled by separate firewall rules.

Empirical evidence shows otherwise.

Reply to
Jeff B

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.