Setting up a physical firewall or UTM for a small (25 user) office?

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

spooksmcgee

Thread Starter
Joined
Feb 23, 2005
Messages
5
A client is requiring we have a multi-tiered firewall with stateful inspection. So I figure if I add a physical firewall, in addition to Windows Firewall, I can meet their requirement. I have never added anything like that before. Currently, we have a DSL connection. The DSL modem is connected to an HP switch which has about 10 connections on it. That switch is connected by fiber to another HP switch on another floor, which is connected to our Windows 2003 server. I guess that switch is connected to two other switches on different floors to connect the rest of our workstations. We have about 25 users.

I'm researching UTMs and firewalls. Can I get something for under $1,000? And if I do get something, how does that firewall connect? It looks like there are only 4 LAN ports on it. Would I just run the ethernet from the DSL modem into one of the LAN connections on the firewall, and then run another connection from the firewall into my switch that was previously connected directly to the DSL modem?

I'm looking at things like the Netgear ProSecure 25-UTM or the Sonicwall.

Thanks for any help.
 
Joined
Jul 29, 2001
Messages
21,334
Try some open source stuff like Smoothwall or Untangle server. I have not tried Untangle in a full blown deployment, but it does look feature rich right out of the box with no subscriptions. It also has pretty detailed reporting. The best part is it is FREE with the exception of the computer you use to run it on.
 

spooksmcgee

Thread Starter
Joined
Feb 23, 2005
Messages
5
So I might not even need a physical firewall and can handle this stuff with software?
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,660
I would seriously look closely into the details of any open source firewall. The free part is only if you have a very good comfort level of networking, firewall/security principles, and the freedom/ability to tinker around. The devil of free anything is in the details such as support. I wouldn't want to be the IT person being called in at 2AM in the morning to have to troubleshoot a problem with the firewall or better yet having problems right in the middle of a busy working day with a bunch of angry users and your boss breathing down your neck. This is the side of open source that doesn't get much visibility on the glamourizing of how open source is the answer to everything.

In addition, there are some considerations you need to take into account here. One is the UTM requirement. You're not going to get that for free. I glanced at Untangle and I don't see UTM as a supported feature in any of their different feature tiers...even the pay ones. Smoothwall has it but you're buying the corporate version so you're not getting that for free. In addition, loading any of this software into your own PC/server brings another element into the equation. Hardware failures. The chances are higher that you'll have a failure of a purpose built box than a network specific appliance. If you build out a PC or use a server that gives you redundancy, then this again negates any real advantage of using free open source software.

I would stick with the options you've selected such as Sonicwall or Netgear and see what the ultimate cost will be. Because UTM is subscription based, you'll need to factor in yearly costs in addition to different costs due to licensing models such as number of network nodes/users. The Cisco ASA 5505 is the lowest end firewall but to get IDS/IPS features, you're spending at least double your budget and that doesn't include the required subscription to get the signature files. Juniper SRX100 is in your price range but again requires a license upgrade to activate the UTM feature. I have seat time with both the ASA and SRX line. Of the two, I still prefer the ASA but that's because I've had a lot of experience with Cisco products and am just getting more exposure with Juniper products.

How you wire up and run the firewalls is dependent on how you want to set your network up. It sounds like the DSL modem is also your edge router. If you want to minimize the impact of adding a more robust firewall into your environment, you can run the firewall (if it supports it) in transparent mode. All routers I've worked with come defaulted in routed mode where the firewall acts as a layer 3 router. Transparent mode turns the firewall into a bump in the wire layer 2 device which gets placed inline with the network traffic. In this mode, it will not route and the only IP address assigned to the firewall is just the management port.

One other thing, has the client defined what they think is a multi-tiered firewall? What specifically is their security requirement?
 

spooksmcgee

Thread Starter
Joined
Feb 23, 2005
Messages
5
Thanks for the great reply. It doesn't really say the specific requirements, they just ask "Is there a multi-tiered firewall infrastructure? Please describe whether firewall devices are stateful-inspection type firewalls. If not, please describe firewall device." Our business does not really need all of this security they are requiring, and we are a very small business. They are basically asking for $30,000 of network security upgrades for a company that has 25 employees, but since we technically deal with financial records (even though they are all public), they require it of all their vendors. I just want to be able to tell them "yes we have a firewall and it is stateful inspection." It also says "firewalls will be capable of stateful packet inspection of OSI layers 3 (network) and 4 (Transport)." I guess a physical hardware firewall is my only option. I had no idea they also required subscriptions to get the UTM features. Do you also need a subscription for the firewall features?
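Added example, not from the thread or any of the posters: a small Python model of what the client's "stateful packet inspection of OSI layers 3 and 4" wording means in practice, shown beside the stateless "established" ACL it improves on. The office prefix, addresses, ports and packets are constructed assumptions.

```python
from collections import namedtuple

LAN_NET = "192.168.1."  # constructed office prefix (an assumption, not from the thread)
# flags: TCP flags as a string, "S" = SYN, "SA" = SYN/ACK, "A" = ACK; "" for UDP
Packet = namedtuple("Packet", "src sport dst dport proto flags", defaults=("",))

def stateless_allow(p):
    """Stateless ACL of the 'permit tcp any any established' kind: inbound TCP
    is admitted whenever the ACK bit is set, so a forged ACK gets in too."""
    return p.src.startswith(LAN_NET) or (p.proto == "tcp" and "A" in p.flags)

class StatefulFirewall:
    """Layer 3/4 stateful inspection: LAN hosts may open flows; WAN packets
    are admitted only when they match a flow in the connection table."""
    def __init__(self):
        self.table = {}  # (src, sport, dst, dport, proto) -> state

    def filter(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport, p.proto)
        if p.src.startswith(LAN_NET):             # outbound from the office
            state = self.table.get(fwd)
            if p.proto == "udp":
                self.table[fwd] = "ESTABLISHED"   # opens a reply window
            elif state is None:
                if "S" not in p.flags:            # no SYN, no handshake
                    return False
                self.table[fwd] = "SYN_SENT"
            elif state == "SYN_RECV" and "A" in p.flags:
                self.table[fwd] = "ESTABLISHED"   # three-way handshake done
            return True
        rev = (p.dst, p.dport, p.src, p.sport, p.proto)  # inbound: reverse tuple
        state = self.table.get(rev)
        if state is None:
            return False                          # unsolicited: dropped
        if state == "SYN_SENT" and p.flags == "SA":
            self.table[rev] = "SYN_RECV"
            return True
        return state in ("SYN_RECV", "ESTABLISHED") and "S" not in p.flags

def demo():
    """Constructed traffic: a LAN host opens HTTPS to a web server, then an
    outside host sends a forged ACK toward port 3389 on the same LAN host."""
    fw = StatefulFirewall()
    syn = Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", "S")
    synack = Packet("203.0.113.5", 443, "192.168.1.10", 51000, "tcp", "SA")
    ack = Packet("192.168.1.10", 51000, "203.0.113.5", 443, "tcp", "A")
    forged = Packet("198.51.100.7", 443, "192.168.1.10", 3389, "tcp", "A")
    stateful = [fw.filter(p) for p in (syn, synack, ack, forged)]
    return stateful, stateless_allow(forged)   # ([True, True, True, False], True)
```

The forged packet passes the stateless ACL but is dropped by the connection-tracking firewall, which is the distinction the client's questionnaire is probing for.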
 

zx10guy

Trusted Advisor
Spam Fighter
Joined
Mar 30, 2008
Messages
6,660
No. The firewall features, if a particular firewall has optional features, are licensed. For example, Cisco's ASA 5505 is sold with a base license which gives you 3 forwarding interfaces and a certain number of nodes/users supported. If you need more interfaces and unrestricted number of nodes/users, you would need to upgrade to the security plus license. The license is a one time fee.
 