Hello,
If you're comfortable using commandline and /or PC based firewalls, i
can suggest using Gentoo or any Linux distro you're comfortable with,
and Firewall Builder. Presuming you use Gentoo (though you could easily
use any BSD you care to mention), you can build your machine in headless
mode with only Iptables, iproute2, and the OpenSSH daemon to support it.
Once this is done, all you need is a workstation from which to run the
FwBuilder gui, which will connect to your firewall via SSH (read: work
from home.) after compiling the rulebase for you, and inject it into the
machine. You can even do things like test runs, which reboot after X
seconds and revert back to their old policy so you can test it. The
gui's got a pretty shallow learning curve, as it's easy to understand
and well written. Support is available from the developer, but bear in
mind it requires a license for the windows version of the GUI.
HTH
On Wed, 26 Apr 2006 20:55:29 -0600 (MDT), rmillisl@millis-it.com said:
I have been asked to research what good, low cost, firewall solutions
might prove suitable for a medical research lab at a local University to
protect confidential patient data from outsiders.
In addition to other research I though I would ask here.
I realize a firewall is just one component of an overall security policy
/
implementation.
Basically what is needed is a simple NAT box that generally keeps
outsiders out, and allows authorized lab servers and workstations to
access certain services out on the main building network (DNS, IMAP, POP,
SMTP, HTTP, HTTPS, FTP, SSH) and through that network to the Internet
(through the main building campus/network).
Cost is a very important factor so suggested solutions have been:
- Pay someone to set up a PC based firewall running on surplus hardware
using either Fedora Core 5 and Shorewall 3.0.6 (to allow easy
configuration of iptables rules). The hardware and software cost are
low.
The time could add up. I have considerable experience with this so this
would be the lowest learning curve. Problem is Fedora with its frequent
updates may make managing this more of a chore.
- Pay someone to set up a a PC based firewall running on surplus hardware
using either OpenBSD 3.7 or 3.8 and pf. The hardware and software cost
are
low. The time could add up. I have some OpenBSD experience and no pf
background.
- Pay someone to set up a a Linksys or D-Link broadband
switch/firewall/router. The hardware cost is low. The time to set up may
be minimal (Plug&Play + some common sense and provided firewall/filter
capabilities). Are these a serious and secure enough solution?
- Some other low cost hardware or software based alternative. What else
might be out there that I don't know about that might be comparable in
cost to the D-Link or Linksys options.
The PC based solutions I personally have the most confidence in with
respect to hand crafting a minimal OS build and hardening and patching
the
OS and doing rules mostly by hand. With pf there is some concern of
errors
introduced due to learning curve.
Comments? Suggestions?
