Moving from IPTABLES to SonicWall

Most of the real Firewall Appliances can easily replace a nix solution, but, you need to make sure that you get enough of an appliance that your rules/solution does what you need.

Some small firewall appliances don't have as many features/rules/etc as the larger units.

Leythos,

Thank you for the speedy response.

Do you mean the number of rules set in the appliance could be limited? IPTABLES does not have any limits on how many routing rules one can encode (at least, I've never run into any constraints). If so, we may have a problem, with about 100 rules in our current firewall.

Or are you talking about some syntax limitations?

Alex.

firmware-based

Some of the cheaper units don't have as much capacity as the higher end units. Normally, for a small office, I budget about $1200 for the firewall, and that gets me all the more advanced features and all the proxy filtering I need to protect them.

I can't say if the one you've picked allows all that your IPTables allows in the same level, but if you call them, send them a list of what you are doing, they will provide you with a part number of one that would meet your requirements.

Just for being interested: why?

Yours, VB.

Maybe, because like many, they want a certified solution, they want something that they are sure is doing what they want with the protection they need, with a support contract, with features not found in IPTables.

I'm curious what the certification buys you. If you have a certified firewall and you get hacked, can you sue somebody? And not have the case dismissed out of hand?

The true reason is that the Linux machine with IPTABLES is growing old, and will sooner or later fail. We need to find a stand-by replacement for it, without necessarily shutting it down right away. Mirroring the existing environment on another box, as well as making changes to the existing rules from time to time, requires some understanding of what one is doing, and at the present time there is no-one in the office with skills to do so.

I used to do this myself, but I am on an assignment far away from the office, and cannot provide any maintenance and support to the firewall. So, we thought that the firmware-based solution is less prone to failures, and might require less maintenance.

Features provided by IPTABLES are sufficient for our needs. But maintaining it is beyond the skill level of people left behind in the office.

Thank you for looking into this.

Alex.

firmware-based

If you have a Certified firewall you have a very great expectation that the solution is going to do what is stated by the certification. If you have a home built solution, or uncertified solution, you only have your own expectations, which are unproven in many cases, of what protection you have.

Certification means that it's been tested and has passed the testing.

What sonicwall model? IME, all the "TZ" models (tz 150, tz 170) have issues every time there is a new major firmware release. My 4060 on the otherhand has been rock solid. The saying "you get what you pay for" applies.

Yes. Easily. That's like asking a professional concert pianist if he is proficient enough to be able to play chopsticks.

The enhanced OS boxes (don't get the "standard" OS if you can afford the enhanced) will do plain old NAT by address and by port (nat to completely different IP depending on port), bi-directional NAT, etc. Pretty much any NAT scenario you can think of.

Also available are snort like IPS, anti-virus at the gateway level, and the ability to integrate with web content filtering solutions.

FortiGates or NetScreens can do this easily enough, it's called Policy Routing. Also called Source Routing. The various NATing is also not a problem.

-Russ.