Re: Most secure small home office firewall under $700

Subject: Re: Most secure small home office firewall under $700
Date: Tue, 22 Mar 2005 20:08:54 -0500
Can someone let me know what company makes the most secure and strong
small office firewall.
Sonicwall looks good for about $500 but I know there are others.
It would be even better if the interface was easier to use.


I presently have a Sonicwall in one office and it works great but I am
not sure about how secure they are. I need strong security to protect
a machine that is running IIS. IIS is running a service for my
business. I need to secure the system from attack.


Everybody is jumping in this thread shouting out their favorite
firewall, which is fine I guess, but it doesn't really address the
question properly.  While we're shouting out favorites, m0n0wall
(http://m0n0.ch/wall/) is as good as anything if it has all the
features you require (most likely does).  Open source, based on a
stripped down FreeBSD installation.  But that's beside the point.

My point is all the firewalls everybody is talking about are layer
3-4, which isn't going to get you any more protection for your IIS box
than your Sonicwall.  You still have to open TCP port 80 and/or 443
inbound to the IIS box, which is more than enough to compromise it. 
The only thing these firewalls know is that traffic is destined for
port 80 or 443, so per its ruleset it's "safe" to pass.  Doesn't
matter if it does contain the latest IIS exploit within the packet.

You can't really say which firewall is "most secure".  It depends on
how it's configured.  Protecting IIS itself isn't typically the job of
a firewall, since you're letting that traffic through.  The firewall
is protecting other services on that server from being exposed to the
internet, but that's not enough.

On whatever firewall you use, only open the minimum required inbound
ports to the server.  Implement egress filtering, to the extent of
blocking all outbound traffic from the IIS server if possible (opening
up when necessary for Windows Updates and the like).  Not foolproof by
any means, but another layer of protection is always good.

Another option you can consider is one of many available reverse
proxies, or firewalls that perform so-called "deep packet inspection",
not assuming that all traffic destined to TCP 80/443 is ok to pass. 
Typically you're going to go over your $700 budget on something along
those lines, and it's probably overkill for your situation.

The most important thing to protect IIS is to follow best practices
for securing IIS.  Google for 'securing IIS' and you'll come up with a
bunch of resources, from Microsoft and elsewhere.  Lock down IIS and
keep your patches up to date, and maintain as strong a firewall
configuration as possible, and you'll be in far better shape than
most.

Regards,
-Chris
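
The reply's two technical points, as an added example that is not part of the original message: a layer 3-4 rule match looks only at addresses, protocol and port, so the payload never affects the verdict, and a default-deny egress rule for the web server blocks anything it tries to initiate. The addresses (documentation ranges), the update-server range and the rule set are constructed assumptions, and the model covers new connections only, assuming return traffic is handled by state tracking.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes = b""  # carried along, but never read by the filter

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    src: str       # CIDR
    dst: str       # CIDR
    proto: str     # "tcp", "udp" or "any"
    dports: tuple  # empty tuple means any port

# Constructed sample addresses (assumptions, RFC 5737 documentation ranges).
WEB = "192.0.2.10/32"        # the IIS server
UPDATES = "198.51.100.0/24"  # hypothetical patch/update servers
ANY = "0.0.0.0/0"

# First match wins, as in most packet filters.
RULES = [
    Rule("pass", ANY, WEB, "tcp", (80, 443)),   # minimum required inbound ports
    Rule("pass", WEB, UPDATES, "tcp", (443,)),  # egress exception for updates
    Rule("block", WEB, ANY, "any", ()),         # default-deny egress from the server
    Rule("block", ANY, WEB, "any", ()),         # everything else inbound
]

def verdict(pkt, rules=RULES):
    """Return the action of the first rule matching the packet's header fields."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and r.proto in ("any", pkt.proto)
                and (not r.dports or pkt.dport in r.dports)):
            return r.action
    return "block"  # nothing matched: deny

if __name__ == "__main__":
    client = "203.0.113.5"
    # Two requests to port 80 that differ only in payload get the same verdict.
    for body in (b"GET /index.html HTTP/1.0\r\n\r\n", b"<constructed: any other bytes>"):
        print(verdict(Packet(client, "192.0.2.10", "tcp", 80, body)), body[:20])
    # A connection initiated by the server to an arbitrary host is dropped.
    print(verdict(Packet("192.0.2.10", client, "tcp", 8080)))
```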
