IT guy's I have a question

[CNCadmin]

What firewall would you recommend under 500.00 for about 25+ users?

[mvaughn]

Are there any special requirments like VPN or such?

[CNCadmin]

No VPN, just nat and SPI.

[mvaughn]

Any Firewall these days can do NAT. SPI (Statefull Packet Inspection) on the other hand really depends on each vendors definition of it.

I used to work for WatchGuard Technologies on their Support Team. They make a good firewall with exceptional support. For your indicated price range they offer SOHO units. The primary advantage that you get with a WatchGuard product is that they are extremely easy and almost intuitive if you are familiar with TCP/IP.

Most if not all mainstream firewalls use a modified version of the Linux or Unix kernels. They all have the basic NAT/PAT capabilities and what you pay for is extra fluff and support.

I personally would look into an opensource Linux solution. Check out http://www.smoothwall.org and take a look at their feature set. It has an extremely good track record and is backed by a profit earning company. You really can't beat the price, free.

If you absolutely require a paid for firewall I'll give you some good leads, but check out smoothwall first.

[mvaughn]

Also, if you can put to gether a solid machine with 2 nics a small hard drive in the 300Mhz range you will easily be able to hand 25+ users if not a 100+.

[JRoque]

The best I know for the price is http://www.winroute.com/

Thanks,
Julio

[ynneb]

I just wonder what to block though. Its hard to know what is a legit access to the internet and what is spyware. I have tried zone alarm in the past and have had all sorts of difficulties with my network afterwards. Are other firewalls more network friendly?

[svenakela]

I use Linux servers based on standard PC-hardware on several places, and then some very nice apps for testing the fw's and intrution detection. They work very well (not a single problem in years) and they're esay to replace if something happens with them.

Regards,
Sven

[Ferenczyg]

Best bet and better performance vs. money is linux+iptables. You can deploy more than one security subnet (i.e external, DMZ-service, Internal) any as NIC cards you have. Any equipment above PII-500 will be OK if you do not install X, you do not need lot of HD except if you want lot of space for logs and 256-512 MB of ram will be ok. You can -if you dare- deploy IDS (snort) or proxy (squid) in the machine if you need it too.

If you want a pure appliance I'm with mvaughn for watchguard, prices are below 400$ for the entry products:
http://www.securehq.com/vendors.wml&...21&vendorid=53

[JRoque]

Benny,

An alternative for end-users is Zone Labs Integrated Desktop (http://www.zonelabs.com). You can set it so it prompts you for allow/block as you do your work. After a while it'll be configured just how you need it and you can turn off prompting. We have it deployed to ~350K desktops and it works great.

Cheers,
Julio

[Ferenczyg]

Originally Posted by JRoque Benny, An alternative for end-users is Zone Labs Integrated Desktop (http://www.zonelabs.com). You can set it so it prompts you for allow/block as you do your work. After a while it'll be configured just how you need it and you can turn off prompting. We have it deployed to ~350K desktops and it works great. Cheers, Julio

Zone Labs and 350K desktops? Umm.. I think both of us are working for the same company

[fyffe555]

I'm assuming with 25+ users you're going to use a hardware firewall at point of entry, don't consider anything software on the client machines. Having said that the best dedicated hardware firewalls I've used (including my customers, some 150+ installations) are Sonicwall and WatchGuard. Both in one version or another offer plug and go, simple http access to setup and maintain the box from within the network, NAT, SPI, content filtering and you can add spam, VPN etc.

You'd need the SOHO versions from each (tz170 and Firebox?) which bounce around $550 for sonic wall, somewhat cheaper for WatchGuard if you look around. PC connection had a deal for Sonicwall and CDW was running a promo on Watchguard.

The Linux option is a good one too if you've the time to set it up, a box to run it on, two nic's, some linux experience and if you go for it then smoothwall is the product to use. It's more work than a dedicated appliance and will need maintenance and possible fixes later.