I'm in a similar situation to the original requestor...
I'm installing a new firewall at my current workplace.
We've currently got crippled Watchguard Soho boxes, and I want to swap
them out for something a bit beefier...
The options I've been looking at (other than building up either a Debian
& Iptables or OpenBSD & pf from scratch) are IPCop, pfSense & Endian
Firewall.
At home I decided to go with pfSense because it has much better Wireless
Access Point support, but at work, I'm definitely going to go with
Endian.
It is based around IPCop, but has a whole host of extra features...
If you take all the add-ins to IPCop and shipped an iso pre-compiled, it
would still have more features...
It's on about the 9th release candidate before its launch, but it should
be out any day now...
Check it out, because it's pretty impressive...
www.efw.it
Cheers,
Jx
-----Original Message-----
From: chris [mailto:christiaan.theron@virgin.net]
Sent: 29 April 2006 10:26
To: rmillisl@millis-it.com
Cc: firewalls@securityfocus.com; security-basics@securityfocus.com
Subject: Re: What firewall for small medical research lab
rmillisl@millis-it.com wrote:
<snip>
Cost is a very important factor so suggested solutions have been:
- Pay someone to set up a PC based firewall running on surplus hardware
using either Fedora Core 5 and Shorewall 3.0.6 (to allow easy
configuration of iptables rules). The hardware and software cost are
low.
The time could add up. I have considerable experience with this so this
would be the lowest learning curve. Problem is Fedora with its frequent
updates may make managing this more of a chore.
If you need a ready to go iptables solution www.ipcop.org is your best
bet because it has a mature community with a huge amount of addons
available, if business needs change and its free.
- Pay someone to set up a a PC based firewall running on surplus
hardware
using either OpenBSD 3.7 or 3.8 and pf. The hardware and software cost
are
low. The time could add up. I have some OpenBSD experience and no pf
background.
This is not necessary, www.pfsense.com is a drop and go pf PC solution
and its free. If you have specialised requirements the developers have a
bounty option.
- Pay someone to set up a a Linksys or D-Link broadband
switch/firewall/router. The hardware cost is low. The time to set up
may
be minimal (Plug&Play + some common sense and provided firewall/filter
capabilities). Are these a serious and secure enough solution?
Too expensive and feature limiting, ipcop can run on 133mhz and pfsense
does not require expensive hardware.
- Some other low cost hardware or software based alternative. What else
might be out there that I don't know about that might be comparable in
cost to the D-Link or Linksys options.
No need to look any further ipcop and pfsense have all the features you
are likely to need.
The PC based solutions I personally have the most confidence in with
respect to hand crafting a minimal OS build and hardening and patching
the
OS and doing rules mostly by hand. With pf there is some concern of
errors
introduced due to learning curve.
Ok, ipcop minimal learning curve- GUI based aimed at entry level
networkers, however maximum feature set with a huge amount of addons
available such as copfilter for email and www.mhaddons.tk.
Pfsense higher learning curve- GUI based aimed at experienced
networkers, advanced feature set.
Comments? Suggestions?
-------------------------------------------------------------------------
This List Sponsored by: Webroot
Don't leave your confidential company and customer records un-protected.
Try Webroot's Spy Sweeper Enterprise(TM) for 30 days for FREE with no
obligation. See why so many companies trust Spy Sweeper Enterprise to
eradicate spyware from their networks.
FREE 30-Day Trial of Spy Sweeper Enterprise
http://www.webroot.com/forms/enterprise_lead.php
--------------------------------------------------------------------------
