Re: Firewall Suggestions ?

SPG wrote:
> Anyone have any input on software vs appliance firewalls for small
> businesses (10 or less users) ? How about 3 users ?
> Any personal experience with any firewall you like or dislike and why.


HARDWARE:
=============

I've installed Linksys BEFSX41, BEFSX81 and some
Netgear, Dlink DSL/firewall appliances.

- Strong Points:
PRICE: Under $200 USD in most cases
DHCP default and almost no thinking to install,
up to 100 client with multiple Hubs or switches.
Fast, easy, no thinking required. HTML interface
for sysadmin.
Limited features: turn off, turn on, some are
only 16 tables deep for filter purposes...

Time: Pretty quick.

You even have a 1800 number and website to
visit.

- Weak points:
1 to 8 port limitations, depending
on what you buy, all ethernet, no WAN
connections possible.

Your stuck at internal IP's starting at 192.168.1.2-254

IPv6 capability is possible, but that would be up to the
manufacturer to provide you with that particular upgrade.


Comments: A MS mouse monkey could install it, strange, since
all these appl. run on LINUX for the packet filtering
portion of the firewall and HTTP/apache webserver for
the graphical System admin. If you need more than
5 minutes installing this, your not cut out for any
System Admin work for the near future.

=======

SOFTWARE:

=======

LINUX
------

SENTRY FIREWALL http://www.sentryfirewall.com

This is a SLACKWARE CD ROM-BASED FIREWALL/SERVER/IDS

(Intrusion Detection System)


Heavily modified installation CD-ROM based firewall, it
has the most current linux kernel and networking software
packaged in such a way to create a secure firewall or
server type for intel installation.

STRONG: Price => still free. You provide the hardware.
386 with 16 megs ram, a 350meg hardrive and
2 nics.

CAN run IPV6, via kernel recompile.

Security: IPTABLES => packet-filtering

Weak: Knowledge: You need to have a small knowledge base
of LINUX. It is fairly secure, and updates
are availble via sourceforge. Reading the material
availble is a must.

Support: Internet and email, newsgroups.


Comment: Although it is free, one requirement is that you have
at least a boot floppy, or a bootable CDROM to make the
installation go faster.

However, you are responsible for performing the
upgrades. You must also install the IDS tools to
ensure protection, and also upgrade these packages
as well.


OPENBSD
--------

http://www.openbsd.org

The Unix, BSD based operating system. It's primary existance
is to fufill the need for securely programmed software, via
re-editing and extensive code modification and correction.


- Strong: This is what the big boys run, like DARPA and
the USAF, Price Waterhouse, etc...

If your client has a old computer collecting dust
sitting idle, then this is a strong selling
point, since it will *RECYCLE* the old hardware.

All you need are 2 nics, floppy and/or CDROM,
16 megs of ram, and a Harddrive

OS is free: download and create the disk from
the website, at http://www.openbsd.org
Disks cost $40 bucks. It's worth it.

IPV4 and IPV6 running and enabled.

Man pages are very upto date, in comparision to
other Unix flavours and variants. Reading the
material is very important, especially the
FAQ guide.

Security: Automatically comes with crypto, unlike
LINUX ( well, until kernel 2.4.22 and 2.6.X )

Uses Packet Filtering. Does not require monitor
or video card ( your BIOS must be set for this ).

Propolice pre-compiled for GCC 2.95.3, so it will
*NOT* be hampered by Ping and DOS attacks like other
Unix versions.

Drawbacks: Time consuming: If you don't know about OpenBSD,
or any type of UNIX in general, your have a steep
but attainable learning curve to achieve. If you
do attampt it, you'll learn alot about networking
in the process to boot.

Support: newsgroups; email; web accessable man pages.

I've installed old 386DX40, 486/DX50, Pentium I/II's
with 16M Ram and 2.0 Gig HD running OpenBSD 3.3
( takes less than 250 megs ), on more that 20 places
thus far. These systems don't let anything in so far.

=========
=========

Good luck,

dave

I use a Linksys BEFW11S4 V2,(with NAT protection) and recommend this type of
product. There are newer models out there that support "G" technology
wireless speed. But beware, I think that Win 2000 is not compatible with
Linksys equipment.
It is a Wireless router/switch with 4 ports and wireless connection, but it
is bridgeable to add additional routers/switches to support up 253 computers
via ethernet cable or wireless. I have found this to be a very cost
effective means to network and provide a Firewall.

Allen
No certification yet, I'm just a hobby pc/network builder

"dave" <> wrote in message
news:OOf4b.114974$K44.46095@edtnps84...
> SPG wrote:
> > Anyone have any input on software vs appliance firewalls for small
> > businesses (10 or less users) ? How about 3 users ?
> > Any personal experience with any firewall you like or dislike and why.
>
>
> HARDWARE:
> =============
>
> I've installed Linksys BEFSX41, BEFSX81 and some
> Netgear, Dlink DSL/firewall appliances.
>
> - Strong Points:
> PRICE: Under $200 USD in most cases
> DHCP default and almost no thinking to install,
> up to 100 client with multiple Hubs or switches.
> Fast, easy, no thinking required. HTML interface
> for sysadmin.
> Limited features: turn off, turn on, some are
> only 16 tables deep for filter purposes...
>
> Time: Pretty quick.
>
> You even have a 1800 number and website to
> visit.
>
> - Weak points:
> 1 to 8 port limitations, depending
> on what you buy, all ethernet, no WAN
> connections possible.
>
> Your stuck at internal IP's starting at 192.168.1.2-254
>
> IPv6 capability is possible, but that would be up to the
> manufacturer to provide you with that particular upgrade.
>
>
> Comments: A MS mouse monkey could install it, strange, since
> all these appl. run on LINUX for the packet filtering
> portion of the firewall and HTTP/apache webserver for
> the graphical System admin. If you need more than
> 5 minutes installing this, your not cut out for any
> System Admin work for the near future.
>
> =======
>
> SOFTWARE:
>
> =======
>
> LINUX
> ------
>
> SENTRY FIREWALL http://www.sentryfirewall.com
>
> This is a SLACKWARE CD ROM-BASED FIREWALL/SERVER/IDS
>
> (Intrusion Detection System)
>
>
> Heavily modified installation CD-ROM based firewall, it
> has the most current linux kernel and networking software
> packaged in such a way to create a secure firewall or
> server type for intel installation.
>
> STRONG: Price => still free. You provide the hardware.
> 386 with 16 megs ram, a 350meg hardrive and
> 2 nics.
>
> CAN run IPV6, via kernel recompile.
>
> Security: IPTABLES => packet-filtering
>
> Weak: Knowledge: You need to have a small knowledge base
> of LINUX. It is fairly secure, and updates
> are availble via sourceforge. Reading the material
> availble is a must.
>
> Support: Internet and email, newsgroups.
>
>
> Comment: Although it is free, one requirement is that you have
> at least a boot floppy, or a bootable CDROM to make the
> installation go faster.
>
> However, you are responsible for performing the
> upgrades. You must also install the IDS tools to
> ensure protection, and also upgrade these packages
> as well.
>
>
> OPENBSD
> --------
>
> http://www.openbsd.org
>
> The Unix, BSD based operating system. It's primary existance
> is to fufill the need for securely programmed software, via
> re-editing and extensive code modification and correction.
>
>
> - Strong: This is what the big boys run, like DARPA and
> the USAF, Price Waterhouse, etc...
>
> If your client has a old computer collecting dust
> sitting idle, then this is a strong selling
> point, since it will *RECYCLE* the old hardware.
>
> All you need are 2 nics, floppy and/or CDROM,
> 16 megs of ram, and a Harddrive
>
> OS is free: download and create the disk from
> the website, at http://www.openbsd.org
> Disks cost $40 bucks. It's worth it.
>
> IPV4 and IPV6 running and enabled.
>
> Man pages are very upto date, in comparision to
> other Unix flavours and variants. Reading the
> material is very important, especially the
> FAQ guide.
>
> Security: Automatically comes with crypto, unlike
> LINUX ( well, until kernel 2.4.22 and 2.6.X )
>
> Uses Packet Filtering. Does not require monitor
> or video card ( your BIOS must be set for this ).
>
> Propolice pre-compiled for GCC 2.95.3, so it will
> *NOT* be hampered by Ping and DOS attacks like other
> Unix versions.
>
> Drawbacks: Time consuming: If you don't know about OpenBSD,
> or any type of UNIX in general, your have a steep
> but attainable learning curve to achieve. If you
> do attampt it, you'll learn alot about networking
> in the process to boot.
>
> Support: newsgroups; email; web accessable man pages.
>
> I've installed old 386DX40, 486/DX50, Pentium I/II's
> with 16M Ram and 2.0 Gig HD running OpenBSD 3.3
> ( takes less than 250 megs ), on more that 20 places
> thus far. These systems don't let anything in so far.
>
> =========
> =========
>
> Good luck,
>

Allen Howell

On Sun, 14 Sep 2003 16:24:58 -0500, "Allen Howell"
<> wrote:

>I use a Linksys BEFW11S4 V2,(with NAT protection) and recommend this type of
>product. There are newer models out there that support "G" technology
>wireless speed. But beware, I think that Win 2000 is not compatible with
>Linksys equipment.


I've got the same router but v1, and Win2000 works fine for me.

Outgoing V. Incoming

Sorry, I new I had read something about incompatibility issues. As it turns
out, its the wireless "G" card (pcmcia) that is incompatible with Win95 and
NT.

Allen

"Outgoing V. Incoming" <> wrote in message
news:...
> On Sun, 14 Sep 2003 16:24:58 -0500, "Allen Howell"
> <> wrote:
>
> >I use a Linksys BEFW11S4 V2,(with NAT protection) and recommend this type
of
> >product. There are newer models out there that support "G" technology
> >wireless speed. But beware, I think that Win 2000 is not compatible with
> >Linksys equipment.
>
>
> I've got the same router but v1, and Win2000 works fine for me.

Allen Howell