Need your Firewall advice please
Firewall advice for new business
3:19 pm on Jan 4, 2005 (gmt 0)
Hi - I'm going to be installing a single server for a small e-commerce venture. I need a firewall - but I'm reluctant to spend a large amount on a 1U firewall when it seems that SOHO firewalls from D-Link et al. seem to do all I need. Which is, to filter out all non-80/443 traffic (except my own), and some basic protection against DoS attacks. I don't need 256 VPN tunnels etc. etc.
I may be wrong though - has anyone had any success/failure with a simple box in this scenario, or any recommendations?
Thanks very much, AJP
3:40 pm on Jan 4, 2005 (gmt 0)
If you're running Linux on the server you can use a software firewall like Netfilter on that server. Red Hat Linux comes with a standard software firewall for these purposes. On my server I trust Netfilter and I use fwbuilder to configure it. Most SOHO routers don't have advanced features like stateful inspection. Other than that I don't see a conceptual argument against them. Some may have poor throughput, some may crash under load and some may even have vulnerabilities. Buy one, test it and return it if it doesn't work properly. Also make sure to keep the firmware updated. Oh, and BTW, Zyxel came out with a nice line of firewalls recently.
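A concrete version of the host-based Netfilter setup suggested in the reply above, written for the requirements in the opening post: 80/443 open to the world, management access only from the poster's own address, stateful connection tracking (the feature the reply says most SOHO boxes lack), and a simple SYN rate limit as basic DoS protection. This is an added example, not code from the thread or from fwbuilder. The admin address 203.0.113.10, the SSH management port and the rate-limit figures are assumed placeholders; the ruleset is emitted in iptables-restore format so it can be reviewed before being loaded atomically.

```shell
#!/bin/sh
# Added example, not from the thread: host-based Netfilter rules for a
# single public web server. Prints the ruleset by default; set
# FW_APPLY=1 to load it with iptables-restore (requires root).

# Assumption: the only address allowed to reach management ports
# (RFC 5737 documentation range, replace with your own).
ADMIN_IP="${ADMIN_IP:-203.0.113.10}"

# Emit the ruleset in iptables-restore format. Default policy on INPUT
# is DROP, so anything not explicitly accepted below is discarded.
gen_rules() {
    admin="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYNFLOOD - [0:0]
# loopback, and packets belonging to connections we already know about
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# a NEW tcp connection must start with SYN; anything else is bogus
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
# public web service: hand new SYNs to a rate-limited chain
-A INPUT -p tcp --syn -m multiport --dports 80,443 -j SYNFLOOD
-A SYNFLOOD -m limit --limit 200/second --limit-burst 400 -j ACCEPT
-A SYNFLOOD -j DROP
# management (assumed SSH on 22) only from the trusted address
-A INPUT -p tcp --dport 22 -s ${admin} -m conntrack --ctstate NEW -j ACCEPT
# keep ping working but rate-limit it
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
# everything else falls through to the INPUT DROP policy
COMMIT
EOF
}

# Sanity checks a practitioner would run before loading the rules:
# default deny, web ports reachable from anywhere, and no ACCEPT for the
# management port that is not pinned to the admin address. Returns 0 if ok.
check_rules() {
    rules=$(gen_rules "$1")
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dports 80,443 -j SYNFLOOD' || return 1
    if printf '%s\n' "$rules" | grep -- '--dport 22' \
        | grep -v -- "-s $1 " | grep -q ACCEPT; then
        return 1
    fi
    return 0
}

if [ "${FW_APPLY:-0}" = 1 ]; then
    check_rules "$ADMIN_IP" && gen_rules "$ADMIN_IP" | iptables-restore
else
    gen_rules "$ADMIN_IP"
fi
```

Run it with no environment to review the generated rules; `ADMIN_IP=... FW_APPLY=1 sh fw.sh` loads them only after `check_rules` passes. The SYN limit is a crude per-host rate cap, not a substitute for SYN cookies or an upstream scrubbing service, but it does stop a single flood from exhausting the accept queue on a small box.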
4:00 pm on Jan 4, 2005 (gmt 0)
Welcome to WebmasterWorld!
I like to keep the firewall/router function separate from any wireless functions, simply because wireless technology is improving so fast. The same applies to other combination-type units -- I like to keep the functions separate so I can upgrade parts independently as technology improves. I looked at Cisco and Sonicwall firewalls, but they are in a higher price class than what my budget allows for a small office set-up. With their e-mail and web-content filtering subscription costs, they are really set up for bigger operations.
So, after reading lots of reviews, posts on various forums, and user manuals, I finally settled on the NetGear FVS318, which combines a router with a stateful packet inspection firewall function. It's intended for use with ADSL or cable broadband modems, in that it uses ethernet-only interfaces. It supports eight VPN tunnels, in case I need VPN for a future project, but the price is much lower than the models that support hundreds of VPN connections. A newer model is coming out soon, so I got one for $93, plus a $10 rebate and free shipping.
I've only had it running for a few days and haven't seen any intrusion attempts, so I'll have to let you know later how well it works from a practical standpoint after I see a little abuse and see how well the unit handles it. In conjunction with Norton Anti-Virus on the client machines, I believe it will be sufficient for my needs. If not, I can always use Zone Alarm, Norton firewall, or Win XP firewall as a second layer of firewall protection while I save up for an "enterprise-class" unit.
4:58 pm on Jan 4, 2005 (gmt 0)
I would highly recommend a WatchGuard Firebox. They are very nice; we use them for almost all our clients. They aren't the cheapest, running from about 250 to well over 1000, but they are very good firewalls.
5:30 pm on Jan 4, 2005 (gmt 0)
Thanks very much for the input everybody.
I should clarify: this firewall is to sit in front of a Windows box that will be located remotely in a server house.
My current favourite is the D-Link DFL-200 (approx 150 GBP) because it offers a dedicated DMZ port. That's what won it over the Netgear. My main concern is how much throughput matters. For instance, on the comparable WatchGuard product, the Firebox V10, the firewall throughput is quoted at 75Mbps. I've previously used a SonicWall quoted at 200 with no problems. There's no figure quoted for the D-Link, nor Netgear.
So - is there any way of gauging / guessing how much you may need? Obviously no individual is going to connect at that speed.
[My normal configuration is to have two network connections on the server, one with a public address and one with a private address; the public is routed through the DMZ and appropriately locked down, and the private is accessible through the VPN.]
Thanks everyone again.
7:15 pm on Jan 4, 2005 (gmt 0)
And do you use 75 megs per second currently? That's a big number, and would require an extremely fast connection, either T3/DS3 or OC48, in order to achieve the maximum bandwidth that firewall will allow... that or a lot of T1s. Anyway, I don't know what you run behind it, so maybe you need more than 75 megs a second, but when you look at it, that's 4,500mb a minute, 270,000mb an hour, 6,480,000mb a day and about 194,400,000mb a month. Who needs 194 terabytes of transfer a month?
9:27 am on Jan 5, 2005 (gmt 0)
It's going to be a web server. The 'demand' at this stage is unknown, but I don't anticipate huge traffic. Clearly, no one individual is going to be using the whole lot, but there will be lots of simultaneous hits (I hope) so I suppose the question is how one might estimate how many concurrent connections this sort of firewall might handle.