I am looking for a small 1U or 2U security appliance that has at least 12 gigabit ethernet network segments (not 12 shared ports on the same network, but 12 firewall controlled networks) and would run on under 40 Watts. Total budget is under $1K including software licenses. I am okay with buying a used product that is two generations old, as long as the software license is reasonable.
Any recommendations? I know there are small Linux based boxes, but I prefer to get an off the shelf solution that will not make me spend time building the OS, hardening the OS, installing software, debugging, etc.
Yes, that's what I already mentioned, I guess you won't come around to using VLANs. I have been using them for years in datacenters, depending on the hardware you're using, it's pretty reliable and nice to control. You also can use the following scenario: Segment on a switch 12 ports 802.1q (port based VLANs) and set one as uplink to the firewall, only ports 1-12 can access the fw uplink, 13 to n can't use it. This should fit your requirements, if you are still uncomfortable with VLANs, leave all other ports empty or use a 12 port switch (not even sure if they exist for professional environments, the smallest I've seen have at least 25). In this case you have 7 ports left on your firewall and you can connect port 2 to a separate switch, so every packet from the second switch needs to pass your fw rules first before it would have access to the network bound to port 1. Should give you the control you may want.
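The VLAN setup described above (and the point made later that every packet from NET1 must pass the firewall rules before reaching NET2), as an added example that is not from this thread or from any poster: a Linux firewall with one 802.1q trunk port carrying 12 segments and an nftables forward chain that defaults to drop. The trunk name eth1, WAN name eth0, VLAN IDs 10..120, the 10.0.<id>.0/24 addressing and the web server at 10.0.10.10 are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Twelve firewall-controlled segments on one
# trunk port, every inter-segment packet forced through explicit nftables rules.
# Constructed assumptions: trunk eth1, WAN eth0, VLAN IDs 10..120,
# segment <id> uses 10.0.<id>.0/24, the public web server lives in VLAN 10.
TRUNK=eth1
WAN=eth0

# Print the ip(8) commands that create the 12 VLAN sub-interfaces.
# Dry run by design: review the output, then pipe it to sh to apply.
vlan_setup() {
  i=1
  while [ "$i" -le 12 ]; do
    id=$((i * 10))
    echo "ip link add link $TRUNK name $TRUNK.$id type vlan id $id"
    echo "ip addr add 10.0.$id.1/24 dev $TRUNK.$id"
    echo "ip link set $TRUNK.$id up"
    i=$((i + 1))
  done
}

# Print an nftables ruleset. Each VLAN is its own broadcast domain, so a host sees
# no ARP for other segments; the forward chain below (policy drop) is the only
# path between segments, and only the listed flows are accepted.
nft_ruleset() {
  cat <<EOF
table inet segfw {
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    # web segment (VLAN 10) may only initiate HTTP/HTTPS and DNS towards the Internet
    iifname "$TRUNK.10" oifname "$WAN" tcp dport { 80, 443 } accept
    iifname "$TRUNK.10" oifname "$WAN" udp dport 53 accept
    # internal segment (VLAN 20) may reach the web server on HTTPS only
    iifname "$TRUNK.20" oifname "$TRUNK.10" ip daddr 10.0.10.10 tcp dport 443 accept
    # anything else crossing segments (including VLAN 10 -> VLAN 20) is logged and dropped
    log prefix "seg-drop " counter drop
  }
}
EOF
}

vlan_setup
nft_ruleset
```

Load the ruleset with `nft -f` once the sub-interfaces exist; the log prefix gives you a searchable record of any segment trying to reach another outside the allowed flows.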
As luck has it, I picked up a Watchguard X750E at $300, new in box.
Having said that, so far I don't like the Watchguard software at all. It's extremely buggy, and the user interface feels very fragile and not well organized.
I would use the six-port NICs that we use at work and that isn't the problem. The problem is finding a 2U server that eats 60W of energy or less. Most of the HP / Dell models I have found are 350W or higher.
If Apple can make a Mac Mini operate at 20W, there ought to be someone who can do something similar for a server at 50W. So far I cannot find it.
For example, say you have a public web server. By putting it on a subnet by itself, you can control which other machines on your internal network that web server can access. If someone plants a trojan on that web server, it won't be able to acquire any IP on your network except for the firewall IP because there will be no ARP traffic on the isolated segment. If that trojan wants to explore your network, you can effectively isolate it and prevent any UDP or TCP or ping traffic from reaching any other part of your internal network. You may not need or want that level of protection. It's a free world and you can make your own design.
You are correct on that.
Figure 20 to 30 watts for the server and 2 watts for each gigE port, so probably 50 to 60 watts would be more conservative.
That is not entirely true, if you have already planted a binary on the webserver you also see all the client connections/routing tables. As soon as somebody from your LAN connects you already know the IP, which is not necessary anyway but you know in this case that there is more connected and you have to pass a firewall. The webserver's logfile shows you what OS, what browser connected. Now be creative and embed code within the website this client has accessed. If you find a hole in the victim's browser you can execute code, upload a shell which back connects to whatever server you want now. Bam, you won't need the webserver anymore since now the LAN client connects directly to you.
But this is another story, back to your topic. VLANs would be the solution for you.
So then either you build your own or you can't have it this way.
It depends on your hardware and the OS/Firmware on your systems.
Hehehe, in every network there has to be an open port to the outside. Mostly it's port 80, so what you're basically doing is to back connect from the victim's client TO the internet, with a shell placed onto the victim's machine you are just within the LAN, I think this is very useful as long as you can hide yourself. Yes, you can encapsulate the payload within http or https, just in case your stream goes over a proxy.
What I wanna say is that the reasons he is listing for having every network on a physical port don't improve the security at all compared to VLANs.
Ok, what's the point, if I can attack the webserver successfully and am able to execute code there, I'm then also able to establish a connection to the internet and it doesn't matter if there is a static IP or a dynamic IP in place. As I said it would improve the security like W thinks.
The only thing is that all the packets from NET1 need to pass the firewall rules before they can access NET2 and you have that feature already with 802.1q VLANs.
But anyway, as far as I can see W has at least 3 options:
looking for the appliance which probably doesn't exist
Our firewall appliances AV check HTTP inbound and outbound between networks and external connections, dropping any connection that presents an AV or IPS violation. There are many other things you can do to help prevent an infected server from spreading malware.