sillypixie's Journal: Firewall Appliances

Hi all,

Well, enough of the emotional crap -- let's do some geeking!!!

My company has been running an OpenBSD firewall for a long time, but now we're experiencing tough-to-diagnose intermittent problems. I have a cold failover I'm going to move to here right away, but the bottom line is that I don't have the time or desire to maintain these machines any more, and so we're looking to shell out a bit of cash to purchase an appliance instead.

Does anyone have recommendations as to what kind of appliance would work? We have a small office, 20 people -- at any given time, 10 of them are on the outside, wanting to retrieve email & files, and possibly VPN in, and 10 of them are on the inside, trying to get out :) We are all power users, of course.

I appreciate the help!

  • by grub ( 11606 )

    I'm looking at ways of getting rid of our Cisco PIXs (8 in total) from here and our regional offices to put OpenBSD units in place. PIX is overpriced shit, IMHO.
    • by nizo ( 81281 ) *
      I concur with my bitching about Cisco. Yeah, the new firewall is the best thing since sliced bread, but it is way, way, way too unintuitive to set up and use. And for the price I could have paid someone to come in and set up a custom Linux or BSD firewall (with a spare) and OpenVPN server and still saved a pile of money. I will say the Cisco VPN that cost extra gobs of cash has worked flawlessly.
      • by grub ( 11606 )
        The VPNs work great site-to-site but for the 'road warriors' it can be a bit more difficult. We have several Mac laptops and a few Linux users who need VPN access so we use OpenVPN and dumped the Cisco VPN for end users. I do like the Cisco networking gear but that damn PIX stuff is just so overpriced for what amounts to a packet filter it makes me sick.
        • Comment removed based on user account deletion
          • by grub ( 11606 )
            I'm not complaining about the gear itself, I said I do like it (a lot!) but the PIX firewalls are overpriced and the support plans can eat up a lot of my budget, hence the desire to go to an OpenBSD setup. (the PIX 525 is a glorified PC inside, /. had a story about making your own a few years ago.)
          • by nizo ( 81281 ) *
            Oh yeah, I am sure Cisco stuff works great for high load; but for us it was a waste since our connection won't ever be able to cause a high load...

            Actually both Windows and Linux worked great with the Cisco VPN on the firewall, so I will certainly give them the thumbs up there. Configuration of the client machines was a snap, but I don't know how hard it was to configure the Cisco firewall, since we outsourced that part.

          • by ces ( 119879 )
            1. People complain about Cisco gear until they have massive traffic loads, at which time they realize very little else will substitute.

            True for routers and related gear.

            For firewalls or midrange switches not so much.

            Juniper's firewalls will handle just as much traffic as a Cisco and they are much easier to configure.

            HP switches are fine for everything except specialized needs or carrier class situations.
    • Hey grub... here's something you might know. Our company is looking to get some servers at ServerBeach which offers Red Hat, CentOS, or Debian... but we'd like to depenguinize those and put on OpenBSD to act as the front-end firewall/vpn to several other machines using their Private Net. Normally quite easy if someone were able to slip in an install CD and run through the prompts, but the only thing that's available is trying to do it all remotely over SSH using the equivalent of a Linux rescue CD. Any i
      • by grub ( 11606 )
        I seem to recall this being asked on the misc@ list a few times. If memory serves you're SOL unfortunately, best to gooooogle it out in case that has changed. I had a box at Rackspace about 5-6 years ago, they installed it but I had to update it. Performing system upgrades from a zillion kilometers north was always nerve-wracking as I gave the reboot command. :)
        • Yeah, I didn't get much luck searching the archives. Some interesting possibilities (e.g. http://www.daemonology.net/depenguinator/ [daemonology.net]) but nothing solid. I was thinking there's a way to preconfigure it and then do an unattended install along these lines:

          http://www.openbsd.org/cgi-bin/man.cgi?query=diskless&sektion=8 [openbsd.org]

          I have some time to play with the OS and have it reinstalled if it doesn't work, but it just might have to be penguins after all.
        • Performing system upgrades from a zillion kilometers north was always nerve-wracking as I gave the reboot command.

          It's statements like that where I say to myself: Thank God I work on Sun boxes. Barring a hardware failure, I still have a console server and the serial console to OpenBoot and a LOM to power-cycle the box that's 2000 km away.
          • by grub ( 11606 )
            Yeah, that's handy. I've fixed SGI machines that were effectively dead (not booting) from a remote boot console. Lots of OSs offer a serial console config now but that doesn't do much good if the OS isn't booting to start ;)
  • Make sure to get one with a ceramic cooktop, rather than the traditional burners. It makes a few things tougher, but quite a bit easier to clean up.

    What do you mean, not that kind of appliance? :-)
  • Comment removed based on user account deletion
    • The primary need is for exactly what you said in that last sentence - a simple firewall that can be clamped down. If I could have something good there in the appliance dept, where throughput is good and maintenance of the OS and patches is no longer my problem, and where it doesn't cost an arm and a leg, that would be enough for me.

      The VPN stuff is a nice-to-have, right now we have various web apps configured to give us access to our windows fileserver, and that is enough for most people. If the cost either
  • http://www.lok.com/products/function.htm [lok.com]

    Those are appliances built from OpenBSD... might be a bit overkill for a few dozen people though. Of course, things like Cisco PIX aside, if reliability of your system is an issue you could always set up another machine and use CARP to provide redundancy.
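As an added illustration of the CARP suggestion in the comment above (not part of the original thread, and not LOK's product): a minimal master/backup configuration for a pair of OpenBSD firewalls, with pfsync replicating the state table so established connections survive a failover. The interface names (em0 outside, em1 LAN, em2 dedicated sync link), the addresses from the documentation ranges 198.51.100.0/24 and 192.0.2.0/24, and the shared password are assumptions.

```conf
# /etc/hostname.carp0 on the MASTER (outside). Assumed: em0 is the external NIC
# (it keeps its own address in /etc/hostname.em0) and 198.51.100.1 is the shared
# gateway address the upstream router sees, regardless of which box is live.
inet 198.51.100.1 255.255.255.0 198.51.100.255 vhid 1 carpdev em0 pass carpkey advskew 0

# /etc/hostname.carp1 on the MASTER (LAN side); em1 faces the office network and
# 192.0.2.1 is the default gateway handed to the workstations.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass carpkey advskew 0

# The BACKUP carries the same two files with "advskew 100" instead of 0, so it
# only wins the election when the master stops sending CARP advertisements.

# /etc/hostname.pfsync0 on BOTH boxes: push state-table changes over the
# dedicated crossover link (em2), not over the LAN or the outside interface.
up syncdev em2

# /etc/sysctl.conf on BOTH boxes: a recovered master takes the addresses back.
net.inet.carp.preempt=1

# Fragment of /etc/pf.conf on BOTH boxes: permit the CARP and pfsync traffic
# itself; (no-sync) stops these states from being replicated back and forth.
pass quick on em2 proto pfsync keep state (no-sync)
pass on { em0 em1 } proto carp keep state (no-sync)
```

pfsync traffic is unauthenticated, so the sync link should be a physically isolated segment that carries nothing else; the CARP password only protects the advertisements, not the replicated state.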
    • Hm, whenever the manufacturer refuses to quote a price, but instead refers to resellers, I always expect to be out of my league... what is something like that worth, do you know? My google attempts haven't given me any idea.
      • Good old Froogle to the rescue... their products used to be called AirLok (which returns hits) but it looks like they've switched to calling them LokBox (which doesn't).

        http://froogle.google.com/froogle?q=airlok [google.com]

        Looks like they start at about $3K and the one company has the base model for $2300. I haven't investigated this much as to whether or not it's suitable for what you want to do, but since it's also based on OpenBSD it may have a good chance of being reasonably familiar anyway. I also found an old P
  • This was our firewall before we upgraded to a Cisco, and it actually seemed to do just fine. Theoretically it can do vpn, though we never used that feature. Easy to configure and ran like a champ (still works fine; we use it for testing still).
    • by ces ( 119879 )
      Not sure under what circumstances I would consider going from a Netscreen firewall to a PIX an "upgrade". Mostly due to the extreme user-hostile interface on the PIX.
  • The Nokia boxes run Checkpoint. The firewall admins love the Checkpoint software, compared to the Cisco PIX software. However, we have a Cisco VPN concentrator for remote access into the network. So I expect that VPN isn't something the Nokia boxes do.
    • by ces ( 119879 )
      I the Nokia boxes will do VPN just fine, or at least the underlying Checkpoint software does.

      Checkpoint's VPN, like their firewalls, is _MUCH_ easier to configure and integrate into your network than Cisco.
      • by Degrees ( 220395 )
        Yeah - could be that we just stuck with the Cisco VPN concentrator because we already had the authentication scheme in place, and wanted to embrace the KISS principle with the Checkpoint.
  • In rough order based somewhat on personal biases:

    * WatchGuard Firebox: either the X Edge or the X Core though the SOHO 6 would likely meet your needs. Good solid product and much smarter than a mere packet filter. (full disclosure, I used to work for them so I like their products)

    * Checkpoint: Real firewalls with a good interface and decent integration with enterprise and windows networks. Not sure what there is for affordable appliance based solutions using checkpoint software. Checkpoint is pretty much _t
    • by Kalgash ( 158314 )
      I don't work for them but I will second your recommendation. We do multi-site VPN across 2 continents and 3 countries. The Watchguard X-Core is easy to set up and maintain. The Soho series is also great and the options for wireless bridging are easy to enable and use. If you don't have any interest in getting Cisco certification and just want to get up and running quickly, WG is your product.
