Thanatos340 1 #1 December 29, 2008
I am looking to buy a new hardware firewall for my small office (5 employees, T1 line). Anyone have particular favorites, or ones that I should completely avoid? Features that I just can't live without?
PhreeZone 20 #2 December 29, 2008
How geeky is the administrator? Able to handle a PIX or need something with a point and click GUI interface? Doing anything fancy like VOIP, VPN, etc?
Yesterday is history And tomorrow is a mystery Parachutemanuals.com
SuFantasma 0 #3 December 29, 2008
Go open source! Try LEAF.
"And I, rather than live in fear, prefer to die smiling, with the memory alive." - Ruben Blades, "Adan Garcia"
Thanatos340 1 #4 December 29, 2008
The office is full of engineers (2 nukes, 2 IEs and a pompous PE) all pretending to be programmers. (Company philosophy is you can teach engineers to program but you cannot teach programmers to engineer.) The "admin" is whoever is annoyed enough by whatever problem to go fix it.
Short answer is GUI would be nice. The last thing I want is "a new toy" for everyone to figure out and play with. Nothing fancy here. No VOIP, VPN or other. Even our mail server is hosted by our web hosting (offsite). We do run an FTP site occasionally when our customers need to send us files too large for email attachments. Even that is only turned on on an as-needed basis. Otherwise it just needs to be simple.
normiss 898 #5 December 29, 2008
Am I mistaken that all the PIX line is end of life and replaced by ASAs? The PIX were easier to admin.... But - small business? SonicWall is easiest and least expensive - for an effective one - for "non-geeks" - with a GUI interface and built-in rules. And if you need VPN, you can have it as part of the initial purchase price. YMMV.
***add - free support for 1 year I believe - should be plenty of time to iron out any issues....***
Lindercles 0 #6 December 29, 2008
Quote: Company philosophy is you can teach Engineers to program but you can not teach Programmers to engineer
Hey! I take offense to that! I'm a programmer and I spent three semesters as an engineering major before I failed out! Oh wait, I think that's your point.
Thanatos340 1 #7 December 29, 2008
Our T1 provider also suggested SonicWall. Any particular models you would suggest?
normiss 898 #8 December 29, 2008
Wireless? The TZ series are geared for the environment you're in. IIRC, they have a nice chart on the website to help you select based on your needs. It has been 6 months or more since I've worked with them. We have customers with them that love them (especially since we charge for firewall admin services - they can admin their own).
PhreeZone 20 #9 December 29, 2008
I thought the smaller 501 series stuff was not EOL yet. I might be wrong on that one since I haven't looked at a 501 in a while. I'll second that SonicWall is a good option if you want an appliance. I've played with SideWinder appliances and they seem to work also, but your best bang for the dollar is with the SonicWalls probably.
Yesterday is history And tomorrow is a mystery Parachutemanuals.com
normiss 898 #10 December 29, 2008
Yea, I'm not sure about the PIX either....but for a non-geek the PIX and ASAs are a PITA! It's right up there with learning Unix. Wait...it is Unix!
labrys 0 #11 December 29, 2008
Quote: Yea, I'm not sure about the PIX either....but for a non-geek the PIX and ASA's are a PITA! It's right up there with learning Unix. Wait...it is Unix!
The ASA isn't remotely a PITA. The newer ASDM is a much better tool than Cisco's previous SDM / web interfaces (which truly sucked) for the CLI-impaired types out there. And FYI, neither the PIX nor the ASA run Unix. Older PIXs ran an OS called Finesse and the newer versions run a modified IOS that's Cisco proprietary and nothing at all like Unix except for the inclusion of a few optional commands like the ability to grep and a vi-like editing system.
Owned by Remi #?
normiss 898 #12 December 29, 2008
So you're trying to tell me the Netranger OS isn't based on Unix??? Nor Cisco IOS????
labrys 0 #13 December 29, 2008
Quote: Nor Cisco IOS????
No more or less than DOS is. There are only so many options for designing a CLI. IIRC, one of Cisco's first acquisitions was a multi-protocol router called the "ship in the night" and its OS was the forerunner of IOS.
Owned by Remi #?
bwilling 0 #14 December 29, 2008
Quote: Our T1 provider also suggested Sonicwall. Any particular Models you would suggest?
Look at this one... It's a little bit overkill now, but you won't likely outgrow it like you might the less expensive TZ150. I've had several of the smaller units over the years (Tele2, Tele3, XPRS2), and a couple of the bigger units (Pro 1260, Pro 2040), and think SonicWall makes a pretty good product. I'd recommend them.
"If all you ever do is all you ever did, then all you'll ever get is all you ever got."
normiss 898 #15 December 29, 2008
Going back to the original IOS creators, it has long been believed (given they came from DEC PDP backgrounds) that the IOS was at the very least DEC/PDP-11 and later VAX/Xerox LISP kernel based. Being ksh based has led a lot to feel it was Unix based. It did come from DEC roots though. As did a lot of the early Unix efforts when AT&T released it. DOS came from CP/M efforts via QDOS and 86-DOS. Unless I smoked too much weed in the 70's and 80's - but that's my memory of it without researching it.
Tuna-Salad 0 #16 December 29, 2008
The best type of firewall is simply unplugging the LAN cable from the box.
Millions of my potential children died on your daughters' face last night.
livendive 8 #18 December 30, 2008
You wanna know what's sad? I haven't been a computer geek since the early 80's and read every post in this thread despite the fact that I understood very little of it.
Blues, Dave
"I AM A PROFESSIONAL EXTREME ATHLETE!" (drink Mountain Dew)
ryoder 1,590 #19 December 30, 2008
The PIX does not run IOS, nor anything related to Unix. Some time back, Cisco bought a company called Packet Internetwork eXchange (PIX), and that is where the PIX OS came from. It's a shame they haven't put it out of its misery. The ASA is nothing but the PIX OS with the functionality of the VPN3000 gateways thrown in. Both the PIX and the ASA can run 7.x code. 7.x configs look a little bit like IOS, but PIX ain't IOS, no way, no how!!!
Now here is something to try:
- Take a 7.x PIX image and run a checksum on it.
- Do the same with the same rev of an image for the ASA.
THEY ARE THE SAME DAMN CODE! AFAIK, the ASA devices are really just PIXes with some add'l crypto hw thrown in for better performance on VPN services. And just in case someone isn't already aware, the PIX/ASA is just a glorified x86 PeeCee. Amazingly, in an age when other vendors (e.g. Juniper/Netscreen) are moving packets in hw ASICs, Cisco is still doing it all in sw, and the performance shows it. A PIX/ASA is *far* more vulnerable to a DoS attack than our Netscreens.
And the bottom line is: PIX/ASA SUCKS ROCKS!!! We have an installation in which we tried for days to get the damn thing to do fw'ing, NAT'ing, client<->server VPN, and peer-to-peer VPN all at the same time. We have had to have Cisco TAC come in THREE different times to get it working right. We have a guy with the CCIE Security certification who will tell you flat out that the PIX/ASA functionality does not work the way the configuration documentation claims it does.
If you need a *hw* fw device, get a Netscreen/Juniper product. If you can get by with a *sw* fw, use something like Linux/FreeBSD/OpenBSD.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.
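The checksum comparison the post above proposes is also the everyday integrity check a defender does before loading any firmware image: hash the file and compare it with a second file or a vendor-published digest. The script below is an added example, not code from this thread or from any vendor; the "image" files it hashes are constructed stand-in byte blobs written to a temporary directory, and the published digest it checks against is computed here rather than taken from a real vendor page.

```python
import hashlib
import hmac
import os
import tempfile

# SHA-256 of the empty input, a well-known constant used as a self-check below.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def file_digest(path, algo="sha256", chunk_size=1 << 16):
    """Hash a file in fixed-size chunks so a large firmware image never has to fit in memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def images_identical(path_a, path_b, algo="sha256"):
    """The comparison suggested in the thread: do two image files hash to the same digest?"""
    return file_digest(path_a, algo) == file_digest(path_b, algo)


def verify_against_published(path, published_hex, algo="sha256"):
    """Check a downloaded image against a digest published out of band.

    hmac.compare_digest avoids leaking how many leading characters matched,
    which matters little for a local file check but is the habit worth keeping.
    """
    return hmac.compare_digest(file_digest(path, algo), published_hex.strip().lower())


def demo():
    """Build three constructed stand-in images and run the checks; returns the results as a dict."""
    blob = bytes(range(256)) * 64                      # 16 KiB constructed "image" content
    altered = blob[:-1] + bytes([blob[-1] ^ 0x01])     # same size, one bit flipped at the end
    with tempfile.TemporaryDirectory() as d:
        image_a = os.path.join(d, "image-a.bin")       # hypothetical file names, not real Cisco images
        image_b = os.path.join(d, "image-b.bin")
        image_c = os.path.join(d, "image-c.bin")
        empty = os.path.join(d, "empty.bin")
        for path, data in ((image_a, blob), (image_b, blob), (image_c, altered), (empty, b"")):
            with open(path, "wb") as f:
                f.write(data)
        # Constructed "published" digest: what a vendor download page would list for image_a.
        published = hashlib.sha256(blob).hexdigest()
        return {
            "a_equals_b": images_identical(image_a, image_b),      # byte-identical files -> True
            "a_equals_c": images_identical(image_a, image_c),      # one bit differs -> False
            "a_matches_published": verify_against_published(image_a, published),
            "c_matches_published": verify_against_published(image_c, published),
            "empty_digest_ok": file_digest(empty) == SHA256_EMPTY,
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two identical files will of course match under any hash, so a match tells you the files are the same bytes, not that either one is trustworthy; that is what the comparison against a digest obtained separately from the download (the vendor's page, a signed release note) adds. A single flipped bit is enough to fail both checks, which is the property that makes this useful for spotting a corrupted or tampered image before it is loaded.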
labrys 0 #20 December 30, 2008
Quote: Cisco bought a company called Packet Internetwork eXchange (PIX), and that is where the PIX OS came from.
Yes, and the name of the original OS for the PIX was Finesse. I think the company name was NTI and the device was PIX though.
Quote: We have an installation in which we tried for days to get the damn thing to do fw'ing, NAT'ing, client<->server VPN, and peer-to-peer VPN all at the same time.
This is a very basic, very common set of tasks. I work for a very small VAR and still I have probably 100 clients doing all those things. There had to have either been a gross misunderstanding of what was going on with the TAC or something external at an ISP that was interfering. AFA the documentation sucking. Hell yeah. It's full of holes and assumptions, granted.
Owned by Remi #?
Thanatos340 1 #21 December 30, 2008
I am right there with you. Looks like I will be buying the SonicWall. Thanks everyone. I just have to remember to throw away the manual after I set it up to keep my guys from "trying to improve it" once it comes in.
BIGUN 1,488 #22 December 30, 2008
Quote: "trying to Improve it"
That would HAVE to be the two IE guys.
EDIT: and they'd prefer it if you threw that manual away anyway...
Nobody has time to listen; because they're desperately chasing the need of being heard.
normiss 898 #23 December 30, 2008
Meh...disagree somewhat, but not enough of a geek to give a shit. Pricewise and non-geek functionality-wise, he's best with the SonicWall.
Thanatos340 1 #24 December 30, 2008
Quote: Quote: "trying to Improve it" That would HAVE to be the two IE guys. EDIT: and they'd prefer it if you threw that manual away anyway...
Naaaa. The IEs are too freaking lazy to break things. They prefer to watch others break things and then make suggestions on how they can improve the process. It is the PE that you have to keep away from things (especially the clients). Last time we let him near a manual, he wrote a 10-page letter back to the manufacturer correcting their mistakes. Now I just throw all manuals away. It really helps productivity.
pwln 0 #25 December 30, 2008
Just go to the TechRepublic web site and watch one of the webcasts on internet security, then someone from SonicWall will e-mail you and not leave you alone. I did get a lot of useful information from that guy; the products they have really are the best bang for your buck. I don't go to TechRepublic anymore. I didn't ask for more information but I sure got it.