best Hardware Firewall?

[desy]

Not interested in SW based one I don't see how they could be as good as a HW one and if you have a updated Virus product its kind of redundant isn't it?
I've seen Sonicwall but $$
So who makes a good one thats good for home use?
I've got soooo many staff who have come to me since high speed has hit the sticks out here with monthly virus crashes they are starting to suck up all my time for none work related issues!!

 

[jfall]

A hardware firewall isn't really going to help computer illiterate users from getting viruses/spyware or other worms. Seems like a waste IMO. A regular home user doesn't have much need for a hardware firewall unless they are running some sort of a server. Also hardware firewalls come at a price. A cheap would would probably run you at least $300

 

[randomlinh]

if it's for home, just tell them to go to best buy and pick up a netgear or linksys... and buy norton AV or something and keep the damn thing updated. print this on a card, if anyone asks, hand it to them

 

[Dulanic]

Originally posted by: desy
Not interested in SW based one I don't see how they could be as good as a HW one and if you have a updated Virus product its kind of redundant isn't it?
I've seen Sonicwall but $$
So who makes a good one thats good for home use?
I've got soooo many staff who have come to me since high speed has hit the sticks out here with monthly virus crashes they are starting to suck up all my time for none work related issues!!

Software is as good or better IMO... reason being a software one will tell you exactly what programs are trying to access something etc...

 

[Czar]

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html
this

 

[thorin]

You could try the Linksys BEFSX41 (or 81)

Any FW from Cisco, WatchGuard, SonicWall, etc.....

But as jfall already pointed out a FW isn't going to suddenly make your users get a clue. The problem isn't your network it's between the chair and the keyboard.

As for this comment:

if it's for home, just tell them to go to best buy and pick up a netgear or linksys...

A ROUTER is NOT a FIREWALL. Router != firewall

Thorin

 

[bozo1]

Software is as good or better IMO... reason being a software one will tell you exactly what programs are trying to access something etc...

Software firewalls will tell you what programs are trying to phone home, etc.

The major flaw with software only firewalls is that a hacker, program, whatever, is getting to your computer and you are depending on a piece of software to detect and defend. As soon as they find an exploit for the firewall program you are using, and they do often, you're a sitting duck if someone tries to go after you. With a hardware firewall, they aren't touching your PC.

 

[thorin]

Originally posted by: bozo1

Software is as good or better IMO... reason being a software one will tell you exactly what programs are trying to access something etc...

Software firewalls will tell you what programs are trying to phone home, etc.

The major flaw with software only firewalls is that a hacker, program, whatever, is getting to your computer and you are depending on a piece of software to detect and defend. As soon as they find an exploit for the firewall program you are using, and they do often, you're a sitting duck if someone tries to go after you. With a hardware firewall, they aren't touching your PC.

Not to mention the fact that HW firewall have these wonderful things called LOGS.

Thorin

 

[bozo1]

A ROUTER is NOT a FIREWALL. Router != firewall

I totally agree however, I feel that the battle may be lost on trying to get people to use the correct terms. Just like BPS != Baud issue was lost years ago when even modem manufacturers started using the terms interchangeably.

If I have a small customer or a home user that doesn't want to spend money, I give them a cheapo Linksys to at least give them some sort of protection. My larger customers, or those that are medical offices, law offices, etc., all have Cisco's or Sonicwalls.

 

[Need4Speed]

debian + netfilter

 

[randomlinh]

Originally posted by: thorin
You could try the Linksys BEFSX41 (or 81)

Any FW from Cisco, WatchGuard, SonicWall, etc.....

But as jfall already pointed out a FW isn't going to suddenly make your users get a clue. The problem isn't your network it's between the chair and the keyboard.

As for this comment:

if it's for home, just tell them to go to best buy and pick up a netgear or linksys...

A ROUTER is NOT a FIREWALL. Router != firewall

Thorin

I understand that, but like you said the X and the netgears have basic, whatever "firewalls." This is for home users (co-workers) and whatever... not anything mission critical. He's not getting paid to support their home.. and like you said... it's the user that needs more attention than the hardware in most cases.

 

[desy]

OK it went around consensus seems HW is better, like I asked , so how much is a HW firewall.
I thought of a NAT box as well but like you all said weak, they aren't opposed to spending the money she's a doctor
They already have Mcaffee on and updated daily which has been doing the job this last week detecting and deleting files.
I just wanted to know what was the best bang for buck personal HW firewall.
Shes not a bad user just getting a lot of hacks into her system from a cable modem, I told them they shoulda went with DSL but some never listen.

 

[bozo1]

If your are supporting a doctor's office and you are in the U.S., you really need to read up on HIPAA. You will need procedures (and the proper equipment) in place to log network activity (access attempts, etc.) - inside and out.

 

[BoberFett]

What the hell are you talking about? A router isn't a firewall? Most routers on the market these days have basic firewall features built in. They can block inbound traffic, open traffic on certain ports, block IP ranges, etc.

Just because it's not a $15K standalone stateful inspection box doesn't mean it's not a firewall.

 

[thorin]

Originally posted by: BoberFett
What the hell are you talking about? A router isn't a firewall?

Nope it isn't

Most routers on the market these days have basic firewall features built in.

Thus firewall != router or perhaps more specifically NAT'ing != firewall.

They can block inbound traffic, open traffic on certain ports, block IP ranges, etc.

So can a managed switch but you don't call it a firewall.

Thorin

 

[BoberFett]

So I guess you aren't using a computer because it doesn't have vacuum tubes and punchcards?

Definitions change. Get used to it.

 

[desy]

Now boys , help me with my problem instead of arguing semantics.
I'll recommend a Linksys BEFSR41 unless any see a problem with this, she probably just needs a little more to keep the sniffers out esp on cable.
Its not for her office its for her HOME pc, and we are in Canada so same said legalities don't apply.
Her brother works at Future Shop/Best Buy and could easily get her something like the Linksys.
Its just shes super paranoid now that she has been brought down 3X in the last 6 months.
I'll recommend this box to all on the web if you guys think this has any merit.
They get the Virus sheild free for home use I'd just like to kill a few calls from the staff home PC's

 

[oldfart]

The Linksys BEFSR41 router will do just fine.

 

[BoberFett]

Only on the internet.

Q: "So what kind of firewall should I use to protect my eMachine at home?"

A: "First you need to get rid of the eMachine and build yourself a Dual Xeon 3.06 with a Geforce 5900. Then install download an ISO of one of the linux distros. Be sure to compile it with only the options you need to conserve RAM. Then just get yourself a Cisco Catalyst and Pix."

 

[WarCon]

Surprised no one suggested digging out an old Pentium/Pentium II class machine out of the trash or from some place like Goodwill for $25 and putting two cheap NIC's in it and setting up a secured Linux box. Be pretty cheap, just needs a bit of Linux expertise.

P.S. if anyone has a quick setup guide for something like this I would appreciate it as I am not good in Linux. (Can barely get it installed and hooked to the internet before I give up on it )

 

[Sunner]

Originally posted by: BoberFett
So I guess you aren't using a computer because it doesn't have vacuum tubes and punchcards?

Definitions change. Get used to it.

I agree that definitions change, but I definately disagree that the definition of a firewall has changed into "Any device that can route packets, and that may or may not have certain firewall-like features".
Would make 90% of the devices out there with two or more media connectors a firewall.

 

[HokieESM]

I'm by NO means a networking expert, but for better security "home" use, I would use a router with stateful packet inspection (SPI). Several of the routers out there (like this Netgear) are SPI capable, and are around $100. I'm sure Linksys offers something similar. SPI will help with the security a bit more... although its far from buying a true hardware firewall like a SonicWall (but we're talking $300+).

Good luck!

 

[randomlinh]

Originally posted by: WarCon
Surprised no one suggested digging out an old Pentium/Pentium II class machine out of the trash or from some place like Goodwill for $25 and putting two cheap NIC's in it and setting up a secured Linux box. Be pretty cheap, just needs a bit of Linux expertise.

P.S. if anyone has a quick setup guide for something like this I would appreciate it as I am not good in Linux. (Can barely get it installed and hooked to the internet before I give up on it )

the problem w/ this is if it ever breaks, who do you think she's gunna call? now, if he's a friend, or doesn't mind... fine... but for a casual co-worker aquaintance, I want the go out there and fix it

 

[mboy]

Originally posted by: Dulanic

Originally posted by: desy
Not interested in SW based one I don't see how they could be as good as a HW one and if you have a updated Virus product its kind of redundant isn't it?
I've seen Sonicwall but $$
So who makes a good one thats good for home use?
I've got soooo many staff who have come to me since high speed has hit the sticks out here with monthly virus crashes they are starting to suck up all my time for none work related issues!!

Software is as good or better IMO... reason being a software one will tell you exactly what programs are trying to access something etc...

Disagree. I can shut down a software based firewall with a 1 line batch script. Try shutting down my sonicwall.

A NAT router is NOT a firewall. NAT in and of itself provides firewalling type features by it's very nature, but it is CERTAINLY being MISmarketed by all the SOHO vendors. 1st off, a firewall doesnt router packets (altho some firewalls like a Cisco Pix or sonicwall CAN route (they dont make very good routers),2nd a good firewall FILTERS packets, allows you to create Access Control Lists that allow you to deny/allow packets based on LAN/WAN port destination, service and actual port). Most will also do content filtering by list,domain name or IP filtering. The higher end ones will allow you to create a TRUE DMZ where the DMZ is a 3rd subnet seperate from the LAN and WAN subnets unlike the SOHO DMZ's (again mismarketed) where it just places 1 LAN IP out in the open for all packets to get forwarded to.

For all of thse home users asking you for advice, one of the Netgear, Linksys etc SOHO boxes with basic SPI (for $35)should be fine. If they want a HIGHER end box on the cheap, tell them to go to ebay and buy a flashed webramp 700 (falshed to Sonicwall SOHO firmware) that will give u not only the true firewal properties I listed, but will allow u to create a VPN endpoint with 3DES goodness U should be able to find one with multi user and VPNenabled for <$100.

 

[HeinekinMan]

I've been using a Netgear RO318 firewall/router for the past 3 years or so. It's been EOL'd but it still packs a very nice feature set for money (paid around $120.00 for it but I've seen it listed for under a 100 bucks):

1. Stateful Packet Inspection (SPI); this is one of the key features of a true firewall
2. NAT for broadband sharing (like most available now)
3. 8 10/100 SWITCHED ports (I only needed 4 so 8 is a bonus for me)
4. setup via web browser (at the time, some were still doing this via telnet/terminal so this was nice!)
5. emailing of log entries (pings, intrusion attempts, normal system events, etc.)
6. flashable firmware

PracticallyNetworked.com tested this unit a few years back and they rated it very well if I remember correctly; the one test that I keyed in on was the fact that the throughput doesn't seem to be affected by using this product (I've done with/without speed tests and they confirm the same, no hit on my connection speeds using this box)...