
Setting up a physical firewall or UTM for a small (25 user) office?

Discussion in 'Networking' started by spooksmcgee, Dec 11, 2011.

  1. spooksmcgee (Thread Starter)
    A client is requiring we have a multi-tiered firewall with stateful inspection. So I figure if I add a physical firewall, in addition to Windows Firewall, I can meet their requirement. I have never added anything like that before. Currently, we have a DSL connection. The DSL modem is connected to an HP switch which has about 10 connections on it. That switch is connected by fiber to another HP switch on another floor, which is connected to our Windows 2003 server. I guess that switch is connected to two other switches on different floors to connect the rest of our workstations. We have about 25 users.

    I'm researching UTMs and firewalls. Can I get something for under $1,000? And if I do get something, how does that firewall connect? It looks like there are only 4 LAN ports on it. Would I just run the ethernet from the DSL modem into one of the LAN connections on the firewall, and then run another connection from the firewall into my switch that was previously connected directly to the DSL modem?

    I'm looking at things like the Netgear ProSecure 25-UTM or the Sonicwall.

    Thanks for any help.
     
  2. Rockn
    Try some open source stuff like Smoothwall or Untangle server. I have not tried Untangle in a full blown deployment, but it does look feature rich right out of the box with no subscriptions. It also has pretty detailed reporting. The best part is it is FREE with the exception of the computer you use to run it on.
     
  3. spooksmcgee (Thread Starter)
    So I might not even need a physical firewall and can handle this stuff with software?
     
  4. zx10guy (Trusted Advisor, Spam Fighter)
    I would seriously look closely into the details of any open source firewall. The free part is only if you have a very good comfort level of networking, firewall/security principles, and the freedom/ability to tinker around. The devil of free anything is in the details, such as support. I wouldn't want to be the IT person being called in at 2AM in the morning to have to troubleshoot a problem with the firewall, or better yet having problems right in the middle of a busy working day with a bunch of angry users and your boss breathing down your neck. This is the side of open source that doesn't get much visibility in the glamorizing of how open source is the answer to everything.

    In addition, there are some considerations you need to take into account here. One is the UTM requirement. You're not going to get that for free. I glanced at Untangle and I don't see UTM as a supported feature in any of their different feature tiers...even the pay ones. Smoothwall has it but you're buying the corporate version so you're not getting that for free. In addition, loading any of this software into your own PC/server brings another element into the equation. Hardware failures. The chances are higher that you'll have a failure of a purpose built box than a network specific appliance. If you build out a PC or use a server that gives you redundancy, then this again negates any real advantage of using free open source software.

    I would stick with the options you've selected such as Sonicwall or Netgear and see what the ultimate cost will be. Because UTM is subscription based, you'll need to factor in yearly costs in addition to different costs due to licensing models such as number of network nodes/users. The Cisco ASA 5505 is the lowest end firewall, but to get IDS/IPS features you're spending at least double your budget, and that doesn't include the required subscription to get the signature files. Juniper SRX100 is in your price range but again requires a license upgrade to activate the UTM feature. I have seat time with both the ASA and SRX line. Of the two, I still prefer the ASA, but that's because I've had a lot of experience with Cisco products and am just getting more exposure with Juniper products.

    How you wire up and run the firewalls is dependent on how you want to set your network up. It sounds like the DSL modem is also your edge router. If you want to minimize the impact of adding a more robust firewall into your environment, you can run the firewall (if it supports it) in transparent mode. All routers I've worked with come defaulted in routed mode where the firewall acts as a layer 3 router. Transparent mode turns the firewall into a bump in the wire layer 2 device which gets placed inline with the network traffic. In this mode, it will not route and the only IP address assigned to the firewall is just the management port.

    One other thing, has the client defined what they think is a multi-tiered firewall? What specifically is their security requirement?
     
  5. spooksmcgee (Thread Starter)
    Thanks for the great reply. It doesn't really say the specific requirements, they just ask "Is there a multi-tiered firewall infrastructure? Please describe whether firewall devices are stateful-inspection type firewalls. If not, please describe firewall device." Our business does not really need all of this security they are requiring, and we are a very small business. They are basically asking for $30,000 of network security upgrades for a company that has 25 employees, but since we technically deal with financial records (even though they are all public), they require it of all their vendors. I just want to be able to tell them "yes we have a firewall and it is stateful inspection." It also says "firewalls will be capable of stateful packet inspection of OSI layers 3 (network) and 4 (Transport)." I guess a physical hardware firewall is my only option. I had no idea they also required subscriptions to get the UTM features. Do you also need a subscription for the firewall features?
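To make the client's "stateful packet inspection of OSI layers 3 and 4" requirement concrete, here is an added illustration (not from anyone in this thread, and not any vendor's code) of what a stateful firewall does that a stateless packet filter cannot: it records outbound connections from the LAN as a 5-tuple with a TCP handshake state, and admits inbound packets only when they match a tracked connection and the expected handshake step. The LAN prefix, addresses and packets below are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

LAN_PREFIX = "192.168.1."  # constructed office LAN, assumption for the demo


@dataclass(frozen=True)
class Packet:
    """Layer 3 (addresses) plus layer 4 (ports, TCP flags) of one packet."""
    src: str
    dst: str
    sport: int
    dport: int
    flags: str  # "S" = SYN, "SA" = SYN-ACK, "A" = ACK/data


class StatefulFirewall:
    """Default-deny inbound; inbound traffic must match a LAN-initiated connection."""

    def __init__(self) -> None:
        # key: (lan_host, lan_port, remote_host, remote_port) -> handshake state
        self.table: Dict[Tuple[str, int, str, int], str] = {}

    def process(self, p: Packet) -> str:
        outbound = p.src.startswith(LAN_PREFIX) and not p.dst.startswith(LAN_PREFIX)
        if outbound:
            # Outbound policy is permissive here; a bare SYN opens a tracking entry.
            if p.flags == "S":
                self.table[(p.src, p.sport, p.dst, p.dport)] = "SYN_SENT"
            return "ACCEPT"
        # Inbound: look the packet up against the reverse of the tracked tuple.
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.table.get(key)
        if state is None:
            return "DROP"  # unsolicited inbound, no matching connection
        if state == "SYN_SENT":
            if p.flags != "SA":
                return "DROP"  # only a SYN-ACK is valid at this step
            self.table[key] = "ESTABLISHED"
        return "ACCEPT"


def demo() -> List[str]:
    """Run constructed packets through the filter and return the verdicts."""
    fw = StatefulFirewall()
    packets = [
        Packet("192.168.1.10", "203.0.113.5", 51000, 443, "S"),     # LAN host opens HTTPS
        Packet("203.0.113.5", "192.168.1.10", 443, 51000, "SA"),    # matching SYN-ACK
        Packet("198.51.100.7", "192.168.1.10", 4444, 51000, "SA"),  # wrong peer, same LAN port
        Packet("198.51.100.7", "192.168.1.20", 40000, 3389, "S"),   # unsolicited inbound RDP
        Packet("203.0.113.5", "192.168.1.10", 443, 51000, "A"),     # data on the open session
    ]
    return [fw.process(p) for p in packets]
```

A stateless layer 3/4 filter would have to allow either all inbound high ports or none; the third and fourth packets show what the connection table buys you.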
     
  6. zx10guy (Trusted Advisor, Spam Fighter)
    No. The firewall features, if a particular firewall has optional features, are licensed. For example, Cisco's ASA 5505 is sold with a base license which gives you 3 forwarding interfaces and a certain number of nodes/users supported. If you need more interfaces and an unrestricted number of nodes/users, you would need to upgrade to the Security Plus license. The license is a one time fee.
     
Short URL to this thread: https://techguy.org/1030757