Posted

Can anyone recommend a hardware firewall for a small office network (20 PCs)? At the moment, for reasons that elude me, our computers all have public IPs and the staff all have admin access to their own machines. There is no IT budget and we will have to go argue our case, so budget is an issue.

Also, is there any reason why we could not just use a router as a NAT gateway/firewall? We have a fairly substantial-looking Cisco router sitting as entry point to the network, but our IT guy is opposed to using it this way for reasons that elude me. He insists that we should have a separate firewall, which should sit behind the router. Is it really necessary?

Posted

Perhaps the IT person is territorial or doesn't want to chance messing up the router. The Cisco router should be able to perform as a firewall also, but if the IT guy is reluctant to do so then you can do what I do. Our office has over 100 hundred computers and our gateway/firewall is a medium-level PC running Linux - specifically Slackware, using Shorewall as the firewall software. You can build the computer for around 12000-15000 baht if you don't add a keyboard/mouse/monitor, since those aren't necessary once set up.

Mine is set up with an Intel Core Duo, 2GB RAM, and 2-250GB drives set up as RAID 1. I just finished setting it up and testing it and will switch out the old FW/gateway/server.

//edit - just to add to what the server does: Besides being the gateway/firewall, it also is the web server (Apache), e-mail (POP3/IMAP/SMTP) server, DHCP server, MySQL server, name server (DNS - we are primary domain server for our domain), and NTP server (time server). And it doesn't even breathe hard. :o

Posted

Just to give you some idea about the cost:

NetScreen 25 Firewall: approx. THB 170,000.00

A used Cisco firewall starts at about THB 100,000.00, and a new one costs from THB 250,000.00 up.

Tywais is right with his choice.

If you go for freeware, the cost of the computer starts at approx. THB 3,000.00 second-hand, up to THB 10-12,000.00 for a new one.

Cheers.

Posted

Thanks for your feedback, 100K is definitely out of our price range, so I'll be having a look at the open source alternatives. Any thoughts on IPCop? (I bought a book on this a while back).

Posted

We use shorewall as well, and are pretty happy with it. Attack logging crashed the server once (even with log rotation), and for security reasons it is best to not have the firewall running other services.

Try asking the admin to just set up NAT and DMZ with the Cisco router. If he balks at that, buy a cheap router with firewall functions and sit that in the middle. It isn't as good as a real firewall by a long shot, but it is a lot better than having public IP addresses on Windows boxes with end-user admin rights!

Posted

The use of firewall software running on a dedicated computer, maybe together with some web server etc., has the advantage of a better ability to check what's happening. The logs are much more detailed and you're able to program it for your use as deeply as possible.

I'm just in the process of setting up Kerio Winroute Firewall at a customer's place and have already found who's using most of the traffic.

Something like that is more difficult to do with a hardware firewall. And a software firewall running on a dedicated computer is at minimum as good as a hardware firewall.

Cheers.

Posted

It is tempting. I asked our computer guy to get some quotes but he doesn't seem to be communicating the 'we are on a budget' idea very well - he came back with one for 400,000 baht yesterday!

In terms of 'features' we have very basic needs and I'm happy with IPCop. What worries me about using an old PC though is recovery from power outages - it's got to restart automatically and reliably, otherwise we get much abused and called in on nights and weekends. So there is a certain appeal in having a 'box' that just quietly comes back up with the power.

(We used to use an old PC as a gateway once before, but it was horrendously unreliable. Mind you, so was the guy who set it up/looked after it!)

Posted
If you use an IBM or Dell or NEC or so from the "Japanese series" (some second-hand stuff you find here that's just about 3-4 years old), I doubt you'll have the problem with recovery from power loss. Those machines have the BIOS function to auto-restart the computer after power outages.

I use some of those computers now at a customer, even as a load balancer, and run Kerio Winroute Firewall on them, which works just great. But any good freeware firewall will do the job as well, maybe excluding the load balancing.

You can even take a look at http://www.pfsense.org which is great freeware with an included firewall as well, and highly configurable. I didn't use that software because our customer has Kerio Mail Server already and would like to have the firewall from the same company because of the service from them.

Cheers.

Posted
> Those machines have the BIOS function to auto-restart the computer after power outages.

Most current BIOSes support that feature now. My old server, about 5 years old, has run 24/7 for nearly 5 years and auto-restarts from power failure with no problem. Also, no failures in that time. The new one cost about 10K to replace it and has the same features (auto start from power failure). The old one will hang around as an emergency replacement in case of anything catastrophic happening.
