Best Corporate firewall software?

[wnied]

Hey Everyone

I might be asked by a friends company to secure up their business network and upgrade its internet connection. As I am kind of new to this field, i was wondering a few things, and hope some of you can relate similiar experiences and recommend some software for me. 1st, what is the best or better corporate firewall program? I use zone alarm at home here, so anything other than that I am sorely behind the times in knowing. I was thinking ARCServeIT? 2nd for a dial up 56k internet connection to the internet, I want to know before they ask me, what would be the best internet connection for a small business server environment currently holding 30 users with the possibility to expand to twice that within the next year? I was thinking SDSL business connection of no less than 784kbps. I'd always heard that SDSL was as good as T-1, and a cheaper solution. Can anyone give me any ideas on whats a more reliable solution? Also the network they have will be totally torn down and rebuilt in the new facility.(same equipment just moved) Anything in particular I should watch out for?

Sorry for the twenty questions guys, but better safe than sorry I believe.
Thanks in advance!
wnied

 

[clonehut]

As far as firewall software I use BLACKICE DEFENDER from Network ICE
They are great and here is my site where you can check it out. PARLINPC.COM
I now use IDSL as that is the only dsl i can get because of my distance from the CO. It is 144/144 and it is like lightning next to dial up.
Also the most new routers have built in firewall and u can use it along with BLACK ICE. I have tried Zone alarm but I like Black Ice much better and it is far easier.

 

[dirtboy]

Cisco's PIX comes to mind, but it is a hardware based solution. I tend to prefer hardware firewalls over software firewalls for corporate use.

 

[ctowle]

Blackice Defender is a winner.

 

[pcmark]

What kind of budget do they have? For 30 users now and possibly twice that next year,I would say get a T1.How many IP's does the DSL come with? A dedicated T1 line is more reliable than a DSL solution. At the company I work for,a new T1 customer gets a free Cisco 1720 router with a T1 csu/DSU card. You can add a second card and run two T1's later when you upgrade for very little cost. They also get up to a full class C(256 IP's). You can probably find a similar deal.I would also get a harware firewall like a Raptor.

 

[Abednigo]

I would also consider the type of business. If they are a service based company (architecture/law/engineering etc) who will use the internet for email and research then the SDSL sounds good. If they are a marketing firm/start up co etc then jump on the T1. You might also consider what kind of internet policy they will have. Some companies want to restrict "loose" time on the internet and a T1 might not encourage that

 

[jmcoreymv]

Umm Blackice is more of a home users solutions.

 

[Windogg]

For a busniess I would suggest a firewall appliance like Watchdog. Software solutions like BlackIce and ZoneAlarm are good for home users but having something more professional and heavyduty for business is good insurance.

NEVER use DSL for businees. DSL is highly unrelible in relation to T1s. T1s are a public utility and there are guarantees on uptime, service quality, and bandwidth. A outage of even a few hours is only annoying to home users but can be deadly for businesses.

Windogg

 

[Damaged]

Thank you Windogg. Might I also suggest Check Point. Why? It's the best. Cheapest? Not by a LONG shot...but it's the best.

 

[andri]

Using Windows (heck, even a PC) as a router is the same as shooting yourself in leg. Stupid.
Grab a nice Cisco router/firewall, and youve got more stable and faster solution. Only problem is that Ciscos can be very expensive and not too easy to configure.

 

[pcmark]

Cisco's aren't so bad to configure. We kind of cheat at work. We have a template for the customers router and you can change a few values,such as IP and passwords and copy and paste the whole configuration into the router. Like so:

hostname myrouter
enable password letmein
int e0
ip address 204.1.171.254 255.255.255.0
no ip directed broadcast
no shutdown
int S0
description connection to my ISP
encapsulation ppp
ip address 199.113.67.66 255.255.255.252
no shutdown
exit
ip domain-name someone.somewhere.net
ip name-server 139.240.35.250
ip name-server 139.240.35.251
ip route 0.0.0.0 0.0.0.0 199.107.67.65
ip classless
access-list 50 permit 192.215.247.45
access-list 50 permit 192.215.247.46
access-list 50 permit 192..215.247.59
snmp-server community mon-cust RO 50
line vty 0 4
password
exit
exit
wr mem

The names and addresses have been changed to protect the innocent

 

[wnied]

Ok thanks everyone.

I have a little bit more detailed information for you now. This company has a total of 15 client computers all running Windows98SE. Their server is a dual processor HP small business server running Win NT 4.0. I setup everything nice and neat, but their internet connection is F*CKED. Seems the person in charge of the move to the new facility, didnt check out what kind of cable/DSL/T-1 service was available. Now a company that has been run using an SDSL connection for the transfer of spread sheets, customer service and such, is left with a total of 6 CLIENT computers which are able to dial out using 56k! This is also a company whose main business is the replacement of direct medical printers. They used their SDSL mainly for remotely configuring these direct printers onsite at the customers request. Oh, and they are also 300 orders behind. Their firewall setup(and this is totally an assumption on my part, due to lack of any visible physical firewall hardware onsite.) is either non-existent or is included on the small business server. When I talked briefly with the companys president, she told me that they didnt know what they would do come monday morning. I inquired as to whether anyone had spoken to the phone company for T-1 service and was met with a scowl. When i asked about this I was told that the phone company wanted to charge a thousand dollars a month. I dont know about you, but I was under the impression, that since DSL was introduced, the cost of T-1 was brought down to compete indirectly with the SDSL option.

Needless to say, Im thankful I am not the IT manager there.
wnied

 

[Marine06]

Black Ice Defender isnt even a true firewall. It only monitors incoming packets while outgoing are left untouched. Zonealarm is nice but it can be easily bypassed

 

[pcmark]

T1's aren't quite as cheap as DSL,but there are options. How about a fractional T1? A T1 can be broken up into 24 channels of 64k each. So you could get 384k or 512k,you get the idea.

 

[CTR]

Wnied:
There are companies that provide affordable business-class DSL. Tell me where your client is located and maybe I can point you to a good provider.

 

[striker99]

here's a good resource on options for hardware firewall solutions: http://www.8wire.com/articles/index.asp?AID=1336. Also, under the review section there's a review of the Checkpoint.

 

[tsunamiracing]

Our company has 30 users and we use WinRoute as our firewall/PC. It works well, it is cheap and well respected as a good Firewall software in the Security community.

 

[wnied]

CTR

They are located in Moorestown New Jersey.


Marine06

How can you bypass ZoneAlarm? Using the Web browsers like a pipeline per say? Both please respond and let me know.

Thanks,
wnied

 

[Sunner]

If you can afford it, go with Firewall-1 from checkpoint on a Solaris box, FW1 is a bit costly but its about as high end as you get.

And whatever you do, dont go with some home user software, though fine for low end users, they're not sufficent for real business use.

 

[Abednigo]

At my company - a medium sized architectural firm - we've had some good success with a program called wingate. It comes in a home, standard, and professional model and acts as a proxy server and firewall. We have 10 computers running and share a ADSL connection through the wingate program. We aren't internet power users, we use the internet for email and product research, but it works nicely and has many features for security than we've found need to use. you can read about it at:
http://wingate.deerfield.com/
p.s. the reason I mentioned it is the initial setup only requires that you have internet connection on the server machine, and is very simple in nature - which would mean you could get them up and running quickly. It has built in DHCP etc.

 

[andri]

Don't put Windows-based operating systems where network speed and stability are critical. When it comes to packet mangling and routing, Windowses have the WORST TCP/IP stack on this planet... this doesn't come out on desktop systems, but when load gets higher the stack just can't handle the load and starts skipping packets, and gets VERY slow (from already slow).

 

[wnied]

Andri

All clients and Server run windows programs. Clients are all Win98SE, and Server is Win NT Server Enterprise. These people are Power users on the internet and their connection is important. Not just for themselves, but for the type of business they do. So the point of whether or not to use windows is moot. I am just trying to help them with what I believe will be their biggest obstacle, their crappy internet connection, and their lack of a good business firewall.

wnied

 

[bdog]

Have a look at Winroute Pro. It is good software. Here is a review I did on it.

 

[Sunner]

I agree, dont go windoze for the FW.
But if you dont feel like shelling out money for a Sun box, you could allways go with Linux, most vendors support it officially these days.

And in Linux you'd have the choice between cheaper free stuff(such as ipchains) and not so cheap stuff(I believe there's a firewall called "Fuego" based off ipchains for instance), and if you're feeling rich, again, there's allways Firewall-1, which is AFAIK also available for Linux.