IT guy's I have a question

CNCadmin  10-06-2004, 04:49 PM
What firewall would you recommend under 500.00 for about 25+ users?

mvaughn  10-06-2004, 05:48 PM
Are there any special requirements like VPN or such?

CNCadmin  10-06-2004, 06:07 PM
No VPN, just NAT and SPI.

mvaughn  10-06-2004, 07:34 PM
Any firewall these days can do NAT. SPI (Stateful Packet Inspection), on the other hand, really depends on each vendor's definition of it.

I used to work for WatchGuard Technologies on their Support Team. They make a good firewall with exceptional support. For your indicated price range they offer SOHO units. The primary advantage that you get with a WatchGuard product is that they are extremely easy and almost intuitive if you are familiar with TCP/IP.

Most if not all mainstream firewalls use a modified version of the Linux or Unix kernels. They all have the basic NAT/PAT capabilities and what you pay for is extra fluff and support. I personally would look into an open-source Linux solution. Check out http://www.smoothwall.org and take a look at their feature set. It has an extremely good track record and is backed by a profit-earning company. You really can't beat the price: free.

If you absolutely require a paid-for firewall I'll give you some good leads, but check out Smoothwall first.

mvaughn  10-06-2004, 07:36 PM
Also, if you can put together a solid machine with 2 NICs and a small hard drive in the 300 MHz range, you will easily be able to handle 25+ users, if not 100+.

JRoque  10-07-2004, 01:38 AM
The best I know for the price is http://www.winroute.com/

Thanks,
Julio

ynneb  10-07-2004, 02:08 AM
I just wonder what to block though. It's hard to know what is a legit access to the internet and what is spyware. I have tried Zone Alarm in the past and have had all sorts of difficulties with my network afterwards. Are other firewalls more network friendly?
svenakela  10-07-2004, 04:24 AM
I use Linux servers based on standard PC hardware in several places, and then some very nice apps for testing the firewalls and intrusion detection. They work very well (not a single problem in years) and they're easy to replace if something happens to them.

Regards,
Sven

Ferenczyg  10-07-2004, 04:48 AM
Best bet and better performance vs. money is Linux + iptables. You can deploy more than one security subnet (i.e. external, DMZ-service, internal), as many as you have NIC cards. Any equipment above a PII-500 will be OK if you do not install X; you do not need a lot of HD except if you want a lot of space for logs, and 256-512 MB of RAM will be OK. You can, if you dare, deploy an IDS (snort) or a proxy (squid) on the machine if you need it too.

If you want a pure appliance I'm with mvaughn for WatchGuard; prices are below $400 for the entry products: http://www.securehq.com/vendors.wml&sessionid=200410313154312621&vendorid=53

JRoque  10-07-2004, 07:44 AM
Benny,

An alternative for end users is Zone Labs Integrated Desktop (http://www.zonelabs.com). You can set it so it prompts you for allow/block as you do your work. After a while it'll be configured just how you need it and you can turn off prompting. We have it deployed to ~350K desktops and it works great.

Cheers,
Julio

Ferenczyg  10-07-2004, 08:44 AM
> Benny,
> An alternative for end users is Zone Labs Integrated Desktop (http://www.zonelabs.com). You can set it so it prompts you for allow/block as you do your work. After a while it'll be configured just how you need it and you can turn off prompting. We have it deployed to ~350K desktops and it works great.
> Cheers,
> Julio

Zone Labs and 350K desktops? Umm.. I think both of us are working for the same company ;)

fyffe555  10-07-2004, 11:06 AM
I'm assuming with 25+ users you're going to use a hardware firewall at the point of entry; don't consider anything software on the client machines.
Having said that, the best dedicated hardware firewalls I've used (including my customers, some 150+ installations) are SonicWall and WatchGuard. Both in one version or another offer plug and go, simple HTTP access to set up and maintain the box from within the network, NAT, SPI, content filtering, and you can add spam, VPN etc. You'd need the SOHO versions from each (TZ170 and Firebox?) which bounce around $550 for SonicWall, somewhat cheaper for WatchGuard if you look around. PC Connection had a deal for SonicWall and CDW was running a promo on WatchGuard.

The Linux option is a good one too if you've the time to set it up, a box to run it on, two NICs, some Linux experience, and if you go for it then Smoothwall is the product to use. It's more work than a dedicated appliance and will need maintenance and possible fixes later.

mvaughn  10-07-2004, 12:10 PM
> I just wonder what to block though. It's hard to know what is a legit access to the internet and what is spyware. I have tried Zone Alarm in the past and have had all sorts of difficulties with my network afterwards. Are other firewalls more network friendly?

Most hardware firewalls have a hard time distinguishing what is allowed outbound and what is not allowed out. Spyware can be very sneaky and use the same outbound ports as, say, HTTP traffic. The main purpose of a firewall is to protect a private network from the internet, not from itself.

Zone Alarm can be a huge headache just due to the fact that it is an application-based firewall. It allows inexperienced end users to control it, bypass it and break it. Hardware firewalls are MUCH more friendly to all parties involved.

mvaughn  10-07-2004, 12:22 PM
> Best bet and better performance vs. money is Linux + iptables. You can deploy more than one security subnet (i.e. external, DMZ-service, internal), as many as you have NIC cards.
> Any equipment above a PII-500 will be OK if you do not install X; you do not need a lot of HD except if you want a lot of space for logs, and 256-512 MB of RAM will be OK. You can, if you dare, deploy an IDS (snort) or a proxy (squid) on the machine if you need it too. If you want a pure appliance I'm with mvaughn for WatchGuard; prices are below $400 for the entry products: http://www.securehq.com/vendors.wml&sessionid=200410313154312621&vendorid=53

I will agree with Ferenczyg about everything except using a common Linux distribution for a stand-alone firewall. There are distributions specifically customized to be a firewall and only a firewall, with a little IDS, DNS, DHCP, and proxy caching on the side if you want. I can't say enough nice things about the Smoothwall firewall distro. http://www.smoothwall.org

I've been running it on a machine in my home for the last five to six years and it's been rock solid. It uses either ipchains or iptables, I'm not positive at the moment. The best thing is that it has a web-based interface that you manage it with. It saves a lot of resources by not running X or any other nonsense services like sendmail that you would get with a modern distro.

mvaughn  10-07-2004, 12:24 PM
> Zone Labs and 350K desktops? Umm.. I think both of us are working for the same company ;)

350,000 desktops with ZoneAlarm..... I'd know I had died and gone to hell if that were me. (chair)

kong  10-07-2004, 01:38 PM
Back in my Linux days I used to swear by Smoothwall, so I guess I will just second that! Never used the stand-alone distro though, sounds good :)

Another Linux freebie that springs to mind is IPCop, can't remember it too well, but may be worth a look - http://www.ipcop.org/

mvaughn  10-07-2004, 01:41 PM
> Back in my Linux days I used to swear by Smoothwall, so I guess I will just second that!
> Never used the stand-alone distro though, sounds good :) Another Linux freebie that springs to mind is IPCop, can't remember it too well, but may be worth a look - http://www.ipcop.org/

IPCop is good too. After all, it's only a fork of an older version of Smoothwall. They haven't released an updated version in a while... although I hear there is one coming.

mvaughn  10-07-2004, 01:43 PM
Actually, I take that back. It looks as if IPCop released a new version this month.

mvaughn  10-07-2004, 01:47 PM
Hey Kong,

Are you still making and selling those fan grills with your CNC router? You're the reason I found and got into this site. I loved your CNC thread on the bit-tech site.

kong  10-07-2004, 02:25 PM
Unbelievable, I have infected hundreds of people right across the world!

Nah, no more fan grills, too much effort for too little money. I still get people emailing me requests though!

svenakela  10-08-2004, 04:18 AM
Smoothwall has for sure made progress, looks really nice now! :)

--Sven

Ferenczyg  10-08-2004, 07:29 AM
> 350,000 desktops with ZoneAlarm..... I'd know I had died and gone to hell if that were me. (chair)

Well, Zone Labs changed a bit since it was purchased by Checkpoint. And the use of a "pure standalone user fw" on a mandatory basis is a good practice. Of course this must not be the only fw in the chain between the end users and the non-trusted network.
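The Linux + iptables box Ferenczyg describes (one NIC each for the external link, a DMZ and the internal LAN) with the NAT and SPI that CNCadmin asked for, written out as a ruleset. This is an added example and is not code from the thread, from Smoothwall or from any vendor mentioned; the interface names, the two private subnets and the DMZ web server address are assumptions and can be overridden through the environment. The script prints the rules instead of applying them so they can be read first; to apply them on the firewall host run `fw_rules | sh` as root (they do not survive a reboot unless saved with the distribution's own mechanism).

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables ruleset for the
# three-interface Linux firewall Ferenczyg describes (external / DMZ / internal)
# with NAT and stateful filtering. Interface names, subnets and the DMZ host
# address are assumptions; override them through the environment.
EXT_IF="${EXT_IF:-eth0}"                  # untrusted side (ISP link)
DMZ_IF="${DMZ_IF:-eth1}"                  # public-facing servers
INT_IF="${INT_IF:-eth2}"                  # LAN with the 25+ users
DMZ_NET="${DMZ_NET:-192.168.10.0/24}"     # constructed private subnet
INT_NET="${INT_NET:-192.168.20.0/24}"     # constructed private subnet
DMZ_WEB="${DMZ_WEB:-192.168.10.10}"       # constructed web server address

# Emit the ruleset as text so it can be reviewed before being applied.
fw_rules() {
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -F
iptables -t nat -F
# default deny for anything entering the box or passing through it
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# anti-spoofing: our private ranges never arrive on the external interface
iptables -A FORWARD -i $EXT_IF -s $INT_NET -j DROP
iptables -A FORWARD -i $EXT_IF -s $DMZ_NET -j DROP
# stateful part (the "SPI"): replies to flows we already allowed pass
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# manage the firewall only from the internal LAN
iptables -A INPUT -i $INT_IF -s $INT_NET -p tcp --dport 22 -m state --state NEW -j ACCEPT
# internal LAN may open connections to the DMZ and the Internet
iptables -A FORWARD -i $INT_IF -s $INT_NET -m state --state NEW -j ACCEPT
# Internet may open connections only to the DMZ web server on 80/443
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXT_IF -o $DMZ_IF -d $DMZ_WEB -p tcp --dport 443 -m state --state NEW -j ACCEPT
# DMZ hosts may reach the Internet but never open connections into the LAN
iptables -A FORWARD -i $DMZ_IF -o $INT_IF -j DROP
iptables -A FORWARD -i $DMZ_IF -o $EXT_IF -s $DMZ_NET -m state --state NEW -j ACCEPT
# NAT: hide both private subnets behind the external address
iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXT_IF -s $DMZ_NET -j MASQUERADE
# log whatever falls through to the DROP policy so blocked traffic is visible
iptables -A FORWARD -j LOG --log-prefix "FW-DROP: "
EOF
}

# Number of iptables commands the ruleset contains (comments excluded).
fw_rule_count() {
    fw_rules | grep -c '^iptables'
}

# True when the given rule text appears in the generated ruleset.
fw_has() {
    fw_rules | grep -F -q -- "$1"
}

# iptables stops at the first matching rule, so the DMZ->LAN DROP must come
# before the DMZ->Internet ACCEPT; returns non-zero if the order is wrong.
fw_policy_ok() {
    rules=$(fw_rules)
    drop_line=$(printf '%s\n' "$rules" | grep -n -- "-i $DMZ_IF -o $INT_IF -j DROP" | cut -d: -f1)
    accept_line=$(printf '%s\n' "$rules" | grep -n -- "-i $DMZ_IF -o $EXT_IF" | cut -d: -f1)
    [ -n "$drop_line" ] && [ -n "$accept_line" ] && [ "$drop_line" -lt "$accept_line" ]
}

# Print the ruleset; to apply it on the firewall host run: fw_rules | sh
fw_rules
```

The order of the FORWARD rules is the whole point of the example: the anti-spoofing drops sit before the ESTABLISHED,RELATED accept, and the DMZ-to-LAN drop sits before the DMZ-to-Internet accept, because the first matching rule wins. The LOG rule at the end of FORWARD is what makes the default-deny policy observable in syslog, which is the same kind of visibility the thread expects from an appliance's web interface.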