[Dshield] Preferred firewall

Jon R. Kibler Jon.Kibler at aset.com
Mon Aug 18 19:10:37 GMT 2003


My personal preference is for hardware firewalls -- that is, routers.

However, IMHO, one of the most flexible software firewalls you can get is SunScreen. For under $1,500.00 you can get a Blade-100 and Solaris 9 that includes SunScreen.  It meets and/or exceeds your wish-list. Has a great web interface that uses encrypted paths and strong authentication for remote administration.

Solaris S/W upgrades are free as well.

It supports something like 32 VPNs, NAT-ing, and has a stealth mode that hides its existence. 

It also has several high-availability features that support automatic change-over in event of failure. Thus, you can spend another $1,000, get a second Blade and still be under budget.

The only reboot that is required is during initial install to insert its drivers into the network interfaces.

I have been running it for years on a couple of remote systems. Works great.

Hope this helps!
Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA



Robert Voje wrote:
> 
> As a result of the current threats on the internet, I have acquired an extra
> budget for buying a decent firewall for our company.
> Which model do I choose?
> 
> The following features should be there:
> 
>   Remote administration (web/telnet)
>   Mac address checking on all rules and on remote admin access.
>   Redirection of incoming/outgoing port numbers
>   VPN (at least 4-5 channels)
>   DMZ zone
>   Free access to configuration (I do not want to pay $$ for every change I
> want to make...)
>   Well known brand/model
> 
> I would also like to have these features:
> 
>   No restart of firewall upon changes (that sucks when making changes during
> working hours...)
>   Nice (and fast) administration GUI.
> 
> To add some facts of our line of work - we are software developers, and
> sometimes we have a need to temporarily open and close ports due to
> software testing.
> I know, that's a big hole in security, but it's the way we want to do it.
> 
> A really nice thing would be if we were able to run a selected number of
> developer PS's on a shielded subnet, like a second DMZ controlled and routed
> by the firewall.
> 
> My budget is limited to about $3000.
> 
> Feel free to respond if you have any good recommendation.
> Btw. our nearest neighbour is a Cisco dealer... ;-)
> --
> Robert