Security Appliance With 12 Network Segments

I am looking for a small 1U or 2U security appliance that has at least 12 gigabit Ethernet network segments (not 12 shared ports on the same network, but 12 firewall-controlled networks) and would run on under 40 watts. Total budget is under $1K including software licenses. I am okay with buying a used product that is two generations old, as long as the software license is reasonable.

Any recommendations? I know there are small Linux based boxes, but I prefer to get an off the shelf solution that will not make me spend time building the OS, hardening the OS, installing software, debugging, etc.

-- W

Hi,

take a look at pfSense at [link] - it should be capable of doing this, and it's free.

Regards Thomas

-- Thomas Keusch

This is software, and it requires integration with hardware, which is specifically what I do NOT have the time to do.

The hardest part of my request is finding the hardware that has the sufficient number of segments together with low energy consumption.

-- W

If you can find any appliance, segment it via 802.1Q on a single interface and/or segment via 802.1Q on your switches. That should separate your networks pretty well.

BTW: in the low-cost segment I don't believe you're going to find an appliance with more than 10 physical ports.

cheers

-- Burkhard Ott

I don't trust VLANs. I have seen too many buggy switches that pass broadcasts and odd traffic across different VLANs.

They are also a giant hassle to configure both for the end equipment and the switch/firewall.

They are also hugely error prone, and it's very easy for a junior admin to put something sensitive onto a public segment.

Nothing beats the simplicity of taking a cable from the end device and plugging it into a unique port on the firewall.

-- W

I see.

Don't agree.

That's not entirely true; depending on your config you can make it impossible.

Nothing else defines 802.1g. But anyway, there are devices like core switches where you can do exactly that, but I suppose they are far outside your price range expectations.

cheers

-- Burkhard Ott

Something like a 1U WatchGuard firewall seems to do what I want for up to about eight segments.

12 segments have been hard to find.

-- W

Yes, that's what I already mentioned; I guess you won't get around using VLANs. I have used them for years in data centers and, depending on the hardware you're using, they're pretty reliable and nice to control.

You can also use the following scenario: segment 12 ports on a switch with 802.1Q (port-based VLANs) and set one port as the uplink to the firewall; only ports 1-12 can reach the FW uplink, ports 13 to n can't use it. This should fit your requirements. If you are still uncomfortable with VLANs, leave all other ports empty or use a 12-port switch (not even sure they exist for professional environments; the smallest I've seen have at least 25).

In this case you have 7 ports left on your firewall and you can connect port 2 to a separate switch, so every packet from the second switch needs to pass through your FW rules before it can reach the network bound to port 1. That should give you the control you want.

Hope it helps you.

cheers

-- Burkhard Ott

FortiGates have some quite high port densities, and several of them let you turn the LAN switch ports into individual interfaces. Probably a higher power draw than you want, though.

-- Lord Edam de Fromage

I don't know of ANY 12 network port firewall appliances, 8 is the most I've seen.

I happen to have a couple of 8-port WatchGuard X1250s and 6-port X700 units that I use all the time, but even their cheapest unit with all GB ports is far more expensive than what you're looking for.

Your best bet is to build a *nix box and install a *nix firewall application on it, one that supports quad-port NICs, as you're not going to get 12 network cards into a typical computer either.

-- Leythos

As luck has it, I picked up a WatchGuard X750e at $300, new in box.

Having said that, so far I don't like the WatchGuard software at all. It's extremely buggy, and the user interface feels very fragile and not well organized.

I would use the six-port NICs that we use at work and that isn't the problem. The problem is finding a 2U server that eats 60W of energy or less. Most of the HP / Dell models I have found are 350W or higher.

If Apple can make a Mac Mini operate at 20W, there ought to be someone who can do something similar for a server at 50W. So far I cannot find it.

-- W

[...]

[link]

Maybe something like that.

Regards Thomas

-- Thomas Keusch

Why do you want 12 separate subnets? That sounds like bureaucratic b.s. to me! You will not find that in a single OTC hardware product.

You're running 12 subnets and you can only have 40 watts? That's pretty strange.

You're running 12 subnets and your budget is $1k ? That's ...

Software license, but you don't want to build your own h/w? That's...

Me too!!

-- me again

There are networks that have more subnets, but they are separated via VLAN or MPLS, not wasting a physical port per network.

cheers

-- Burkhard Ott

I've been using WG interfaces for a decade and don't find them to be buggy at all.

The X750e at $300 new in box most likely doesn't come with LSS or any updates. The latest version for that unit is 11.something; you should be using it.

As for the interface, it's as easy as it gets and very clear to understand.

-- Leythos

For example, say you have a public web server. By putting it on a subnet by itself, you can control which other machines on your internal network that web server can access. If someone plants a trojan on that web server, it won't be able to acquire any IP on your network except for the firewall IP, because there will be no ARP traffic on the isolated segment. If that trojan wants to explore your network, you can effectively isolate it and prevent any UDP or TCP or ping traffic from reaching any other part of your internal network. You may not need or want that level of protection. It's a free world and you can make your own design.

You are correct on that.

Figure 20 to 30 watts for the server and 2 watts for each gigE port, so probably 50 to 60 watts would be more conservative.

-- W

That is not entirely true. If you have already planted a binary on the webserver, you also see all the client connections and routing tables. As soon as somebody from your LAN connects, you already know the IP, which isn't necessary anyway, but in this case you know that there is more connected and that you have to pass a firewall. The webserver's logfile shows you what OS and what browser connected. Now be creative and embed code within the website this client has accessed. If you find a hole in the victim's browser you can execute code and upload a shell which connects back to whatever server you want. Bam, you won't need the webserver anymore, since now the LAN client connects directly to you.

But this is another story; back to your topic. VLANs would be the solution for you.

So then either you build your own or you can't have it this way.

It depends on your hardware and the OS/Firmware on your systems.

cheers

-- Burkhard Ott

I agree with Mr. Ott, but you are talking about LAN IP addresses, and those would not be of any use to an attacker. You have also only justified 1 subnet, not 2.

If you get "commercial internet" service, you can have 2 external IP addresses on a single modem. Use a router to limit port forwarding to your server and you're done. Or are there other needs? VPN?

-- me again

Hehehe, in every network there has to be an open port to the outside. Mostly it's port 80, so what you're basically doing is connecting back from the victim's client TO the internet; with a shell placed on the victim's machine you are inside the LAN. I think this is very useful as long as you can hide yourself. Yes, you can encapsulate the payload within HTTP or HTTPS, just in case your stream goes over a proxy.

What I want to say is that the reasons he is listing for having every network on a physical port don't improve the security at all compared to VLANs.

OK, what's the point? If I can attack the webserver successfully and am able to execute code there, I'm then also able to establish a connection to the internet, and it doesn't matter whether there is a static IP or a dynamic IP in place. As I said, it would improve the security like W thinks.

The only thing is that all the packets from NET1 need to pass the firewall rules before they can access NET2, and you already have that feature with 802.1Q VLANs.

But anyway, as far as I can see W has at least 3 options:

  1. looking for the appliance which probably doesn't exist
  2. build his own solution
  3. implementing vlans

cheers

-- Burkhard Ott
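The design argued for above (one 802.1Q VLAN per segment on a trunk into the firewall, every inter-segment packet passing firewall rules, and W's isolated web-server segment that cannot reach the LAN) can be written down as data and checked before it is loaded. The following is an added example, not code from the thread or from any of the products mentioned; it assumes a Linux firewall with iproute2 and nftables, a trunk interface `eth0` toward the managed switch, a WAN interface `eth1`, and the three segments, VLAN IDs, addresses and allowed flows defined in the block, all of which are constructed for illustration. It renders the `ip` commands for the tagged subinterfaces, an nftables forward chain with `policy drop`, and evaluates the same default-deny policy in Python so the intended behaviour can be asserted offline.

```python
# Added example (not from the thread): the 802.1Q design discussed above,
# modelled as data so the policy can be checked offline. One subinterface on
# the firewall's trunk per segment, default-deny forwarding between segments,
# explicit allow list. Interface names, VLAN IDs, addresses and the allowed
# flows are all assumptions made for this example.
from dataclasses import dataclass
from typing import Iterable

TRUNK = "eth0"   # assumed trunk toward the managed switch
WAN = "eth1"     # assumed uplink to the ISP


@dataclass(frozen=True)
class Segment:
    name: str
    vlan_id: int
    gateway: str  # firewall's address in the segment, CIDR notation


@dataclass(frozen=True)
class Flow:
    src: str       # segment name, or "wan"
    dst: str
    proto: str     # "tcp" or "udp"
    ports: tuple   # destination ports permitted for NEW connections


# Constructed sample: three of the OP's twelve segments are enough to show
# the pattern; add one Segment per VLAN to scale it to twelve.
SEGMENTS = (
    Segment("internal", 10, "10.0.10.1/24"),
    Segment("dmz", 20, "10.0.20.1/24"),
    Segment("mgmt", 30, "10.0.30.1/24"),
)

# Everything not listed here is dropped by the chain policy. There is
# deliberately no dmz->internal and no dmz->wan entry: a trojan on the web
# server can answer connections it receives (ct state established) but
# cannot open new ones toward the LAN or call back out to the internet.
FLOWS = (
    Flow("internal", "dmz", "tcp", (80, 443)),
    Flow("internal", "wan", "tcp", (80, 443)),
    Flow("internal", "wan", "udp", (53,)),
    Flow("mgmt", "dmz", "tcp", (22,)),
    Flow("wan", "dmz", "tcp", (80, 443)),  # assumes a DNAT rule elsewhere
)


def ifname(segments: Iterable[Segment], seg: str) -> str:
    """Map a segment name to the firewall interface that carries it."""
    if seg == "wan":
        return WAN
    vlan = next(s.vlan_id for s in segments if s.name == seg)
    return f"{TRUNK}.{vlan}"


def render_vlan_setup(segments: Iterable[Segment]) -> str:
    """iproute2 commands creating one tagged subinterface per segment."""
    lines = [f"ip link set {TRUNK} up"]
    for s in segments:
        dev = f"{TRUNK}.{s.vlan_id}"
        lines += [
            f"ip link add link {TRUNK} name {dev} type vlan id {s.vlan_id}",
            f"ip addr add {s.gateway} dev {dev}",
            f"ip link set {dev} up",
        ]
    return "\n".join(lines)


def render_nft(segments: Iterable[Segment], flows: Iterable[Flow]) -> str:
    """nftables forward chain: drop by default, accept only listed flows."""
    rules = ["ct state established,related accept", "ct state invalid drop"]
    for f in flows:
        ports = ", ".join(str(p) for p in f.ports)
        rules.append(
            f'iifname "{ifname(segments, f.src)}" '
            f'oifname "{ifname(segments, f.dst)}" '
            f"{f.proto} dport {{ {ports} }} ct state new accept"
        )
    body = "\n".join(f"        {r}" for r in rules)
    return (
        "table inet segments {\n"
        "    chain forward {\n"
        "        type filter hook forward priority 0; policy drop;\n"
        f"{body}\n"
        "    }\n"
        "}"
    )


def is_allowed(flows: Iterable[Flow], src: str, dst: str, proto: str, port: int) -> bool:
    """The same default-deny policy evaluated in Python, so a design can be
    asserted on (e.g. 'dmz may never initiate to internal') before loading."""
    return any(
        f.src == src and f.dst == dst and f.proto == proto and port in f.ports
        for f in flows
    )


if __name__ == "__main__":
    print(render_vlan_setup(SEGMENTS))
    print(render_nft(SEGMENTS, FLOWS))
```

Run the script to print the interface commands and the ruleset, and load the ruleset with `nft -f`. Two caveats that follow from the objections raised earlier in the thread: the trunk's native (untagged) VLAN should not carry any of the segments and the switch-side trunk port should have dynamic trunking disabled, since those are the configurations behind most "traffic crossed VLANs" reports; and the `dmz` segment gets no outbound entry at all, which is what actually stops a compromised web server from connecting back out on port 80, whether the segment is a VLAN or a dedicated physical port.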

Our firewall appliances AV-check HTTP inbound and outbound between networks and external connections, dropping any connection that presents an AV or IPS violation. There are many other things you can do to help prevent an infected server from spreading malware.

-- Leythos

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.