Linux Firewall?

The Mailman

Senior member
Aug 11, 2006
453
0
0
We recently had a company come in to do some tech support, and on finding that our security was entirely insufficient now that our old dedicated firewall is a brick, they offered to make us a Linux firewall for like $600.

For someone who has never really touched Linux before, would this be hard for me to do myself? Or should we just shell out and let these guys take care of it... or should we just buy something like a Cisco ASA5505?

Thanks in advance.
 

MedicBob

Diamond Member
Nov 29, 2001
4,151
1
0
Not hard to do yourself for a simple firewall. When you start adding "features" is where it can get very complicated and confusing.

If you have an older box laying around give it a try. There are several "out there."

Ask the vendor if the $600.00 includes on site support 24x7x365 and for how long. Also ask what they planned on using.
 

The Mailman

Senior member
Aug 11, 2006
453
0
0
I'll ask about the support, but I doubt they offer any included. I'll give 'em a call tomorrow.

Is this a sufficient form of security for a business, though? Or should we just ante up for something like the above-mentioned Cisco?
 

MedicBob

Diamond Member
Nov 29, 2001
4,151
1
0
Depends on the place you work. How comfortable you are doing this, etc. Who fixes what when there is a problem or breach.

Not trying to steer you away from Cisco, Sonicwall, or the like. I have played with several open source Firewalls and most are good and pretty similar. I also have a Cisco ASA 5505 and a couple of Sonicwalls. They all work well and do their job.

First thing to ask yourself or the bosses is, what do you want this device to do? Just a firewall/gateway? VPN either site-to-site or client-site? Do you need a DMZ?

There are way too many variables to just recommend a firewall, esp. for a business without more details.
 

The Mailman

Senior member
Aug 11, 2006
453
0
0
It's a small business, under 10 here.

Just need a firewall for security. They are going to set up a VPN as an option, but who am I kidding, nobody here will want to work from home. If I can set up VPN later, sure, but it's not hardly a priority.

I also need to get a load balancing router. I guess this is a separate piece, or could I include the feature in a Linux build?

I'm the only one fixing things here. If we go with that company, they will likely charge to come in and take a look if something screws up. Last guy who came in was a total hack. Ugh.

I'm not averse to trying to set one of these up on the weekend; as long as there's a manual to follow I can usually figure things out. Sure beats spending hundreds for someone else to do the same. If we are spending, I would assume a name brand appliance would be more bang for the buck?
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
What are you trying to achieve with the load balancing?

If you're looking for a simple failover solution with dual WAN and a single default route, then the ASA55XX can do that no problem, but if you're looking for a more robust round-robin load balancing for dual WAN then I would look at the Cisco 18XX series routers.
 

The Mailman

Senior member
Aug 11, 2006
453
0
0
> What are you trying to achieve with the load balancing?
>
> If you're looking for a simple failover solution with dual WAN and a single default route, then the ASA55XX can do that no problem, but if you're looking for a more robust round-robin load balancing for dual WAN then I would look at the Cisco 18XX series routers.

Just looking for simple failover if the cable goes down so we can go on DSL.
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
I've got an ASA5505 set up to do exactly that. You can track a route (by pinging something upstream) and if you get no response the ASA will drop that route, moving to the next one.

So you just set up your routes for your two connections to have a different metric (1 for primary, 2 for backup), and in case the route tracking fails on the primary route, the secondary route will take over, sending your traffic out the DSL as it is now the highest ranking route in the table.

Since you'll be switching IPs most sessions will be broken and have to be reestablished, but that really only presents a problem for streaming connections.
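
The tracked-route failover described in the post above, written out as an ASA configuration sketch. This is an added example, not a config posted in the thread: the interface names `outside` (cable) and `backup` (DSL) and every address are assumptions taken from documentation ranges.

```cisco
! Added example. Interface names and all addresses are assumptions
! (RFC 5737 documentation ranges), not values from the thread.
! "outside" = cable (primary), "backup" = DSL (secondary).

! Probe: ping an upstream host through the primary interface every 10 s.
! Pick a target beyond the ISP's first hop, so that an outage further
! upstream also fails the probe.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now

! Tracking object 1 is "up" while SLA probe 1 keeps getting replies.
track 1 rtr 1 reachability

! Primary default route (metric 1): installed only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1

! Backup default route (metric 2): becomes the best default route as
! soon as the tracked route above is withdrawn.
route backup 0.0.0.0 0.0.0.0 192.0.2.1 2

! The backup interface also needs its own NAT/PAT rule and the same
! outbound access policy as the primary, otherwise traffic that fails
! over is either dropped or leaves under a different rule set than
! intended. NAT syntax depends on the software version and is omitted.
```

After applying it, `show track 1` and `show route` confirm which default route is currently installed; unplugging the primary uplink is the simplest way to check that the backup route and its NAT rule actually carry traffic.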
 

The Mailman

Senior member
Aug 11, 2006
453
0
0
Photos I'm looking at don't have 2 WAN ports on the back. Is this just a matter of configuring it?
Do I need this "security package" stuff they are offering? Would getting a unit off eBay be an issue? Just curious.
 

AtlantaBob

Golden Member
Jun 16, 2004
1,034
0
0
From the business side -- what do you make per hour (after taxes, etc.), and how much will it cost your employer to set up this solution? $600 seems pretty reasonable (assuming your provider knows what they're doing) to set up this system (unless, of course, you have lots of free time in your current job).
 

theevilsharpie

Platinum Member
Nov 2, 2009
2,322
14
81
> It's a small business, under 10 here.

Less than 10 users? Go buy a dual-WAN Linksys and be done with it; it will have much of the same functionality as a Linux firewall, without sucking up 100 watts of power and making a lot of noise. Hell, depending on the model you get, it technically is a Linux firewall.

If you truly want to spend $600 on a firewall, get an all-in-one filtering appliance like the FortiGate-50B.

Avoid the ASA. Unless you install expensive modules, it's little more than a packet filter, and Cisco will nickel and dime you on licensing. Also, you WILL tear your hair out attempting to get it to work.
 

Iron Woode

Elite Member
Super Moderator
Oct 10, 1999
30,956
12,468
136
I used a simple Linux firewall/router for years. It was an old Celeron 366 system on an integrated board. 2 NICs and an 8-port switch. It was quiet and reliable.

I used Freesco.

Downsides are no real USB support and no native wireless support.

However, wireless can be added using a Wireless Access Point.
 