[Dshield] Preferred firewall
Jon R. Kibler
Jon.Kibler at aset.com
Mon Aug 18 19:10:37 GMT 2003
My personal preference is for hardware firewalls -- that is, routers.
However, IMHO, one of the most flexible software firewalls you can get is SunScreen. For under $1,500.00 you can get a Blade-100 and Solaris 9 that includes SunScreen. It meets and/or exceeds your wish-list. Has a great web interface that uses encrypted paths and strong authentication for remote administration.
Solaris S/W upgrades are free as well.
It supports something like 32 VPNs, NAT-ing, and has a stealth mode that hides its existence.
It also has several high-availability features that support automatic change-over in event of failure. Thus, you can spend another $1,000, get a second Blade and still be under budget.
The only reboot that is required is during initial install to insert its drivers into the network interfaces.
I have been running it for years on a couple of remote systems. Works great.
Hope this helps!
Jon R. Kibler
Charleston, SC USA
Robert Voje wrote:
> As a result of the current threats on the internet, I have acquired an extra
> budget for buying a decent firewall for our company.
> Which model do I choose?
> The following features should be there:
> Remote administration (web/telnet)
> MAC address checking on all rules and on remote admin access.
> Redirection of incoming/outgoing port numbers
> VPN (at least 4-5 channels)
> DMZ zone
> Free access to configuration (I do not want to pay $$ for every change I
> want to make...)
> Well known brand/model
> I would also like to have these features:
> No restart of firewall upon changes (that sucks when making changes during
> working hours...)
> Nice (and fast) administration GUI.
> To add some facts of our line of work - we are software developers, and
> sometimes we have a need to temporarily open and close ports due to
> software testing.
> I know, that's a big hole in security, but it's the way we want to do it.
> A really nice thing would be if we were able to run a selected number of
> developer PS's on a shielded subnet, like a second DMZ controlled and routed
> by the firewall.
> My budget is limited to about $3000.
> Feel free to respond if you have any good recommendation.
> Btw. our nearest neighbour is a Cisco dealer... ;-)