Sign in to follow this  
Followers 0

Good firewall for small office?

62 posts in this topic

Posted

Whats a good firewall for a small office? Budget

Share this post


Link to post
Share on other sites

Posted

I'd recommend pfSense (http://pfsense.org) which is the perimeter firewall for my company.

Works really well and easy to setup with a little knowledge, and it's free and open source!

1 person likes this

Share this post


Link to post
Share on other sites

Posted

^ yeah its hard to beat pfsense for "cost" FREE, you just need to provide some hardware to run it on and some setup time.

It will run on pretty much anything, you have a old pc around? There you go - your hardware.

2 people like this

Share this post


Link to post
Share on other sites

Posted

Exactly, and though it's free to use (no strings attached, you can pay for professional support if you want), it's extremely powerful and people have made many extensions for it.

Share this post


Link to post
Share on other sites

Posted

Lets just go with a classic, Cisco, Netgear, etc.......Its a budget which means something more than free :p (Although pfsense is great)

Share this post


Link to post
Share on other sites

Posted

A issue also with pFsense is that other people in the office mostly know how to control it....With most common routers, this is possible With pFsense you have to take 10 minutes.

Share this post


Link to post
Share on other sites

Posted

No ideas?

Share this post


Link to post
Share on other sites

Posted

OK well at least some brands recommendations from Cisco, Dell, Juniper , etc stating your recommendations and expirences....

Share this post


Link to post
Share on other sites

Posted

Depending on your budget IMO you can't go wrong with the Sonicwall TZ series. The TZ 215 is great for small businesses but can be pricey.

Share this post


Link to post
Share on other sites

Posted

Any Cisco ISR will do this. But honestly you should be looking for a combined device with a NIPS, Malware filtering go incoming downloads aswell as the bog standard stateful firewall.

As always its the rules that matter and unless its set to implicit deny its worthless.

Share this post


Link to post
Share on other sites

Posted

Check out SNORT and the subscriber rules, that'll help cut down on the amount of dodgy traffic getting into your place.

Share this post


Link to post
Share on other sites

Posted

Yeah I'd say Sonicwall TZ-210.

Share this post


Link to post
Share on other sites

Posted

Yeah I'd say Sonicwall TZ-210.

The 210 was retired for the 215 back in October. It is the 205 and the 215 now. I believe you can still buy it but Dell doesn't actually make them anymore.

Share this post


Link to post
Share on other sites

Posted

A issue also with pFsense is that other people in the office mostly know how to control it....With most common routers, this is possible With pFsense you have to take 10 minutes.

If you don't give them the admin password they will not be able to control it.

2 people like this

Share this post


Link to post
Share on other sites

Posted

dude I have been trying to help him in the other thread he has started.. If your not talking a 150 router its going to be over budget. Reread what he posted - he wants the other others to be able to control it.

He has no concern with content filtering, talk of SNORT - you might as well be talking talking nuclear physics to a 3 year old.

His clients ask his 10 year old zyxel for dns, and they are members of domain - I would bet this is 99% of his issues. The router his looking for is something you would pick up at your computer store for $20, not a SMB/Enterprise class firewall.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

"A issue also with pFsense is that other people in the office mostly know how to control it....With most common routers, this is possible With pFsense you have to take 10 minutes."

I don't get it. It's a problem when people know how to control it? It takes a whopping 10 min to look at the GUI to figure it out? To me, it sounds like he doesn't want them to be able to figure it out and it is a problem if they can.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

I don't think english is his native language.. screen shots of machines are in spanish I believe.

Notice the "With pFsense you have to take 10 minutes." - and in his other thread he clearly states that he looked at pfsense but it was too complicated ;)

"A way better firewall; pFsense seems complicated so Im thinking Cisco or DD-WRT."

So I take it he wants the office to be able to understand the router, not the other way around.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

pFSense.. it is free.. I am sure you have some old hardware you can put it on.. I am not sure why you would want the whole office to use it..? They'll just have that crap shredded to pieces.. Sonicwalls are ok for the money.. you get what you pay for in that aspect.. If you are dead set against doing what most of everyone here is recommending.. look into getting a nice Cisco Router and loading DD-WRT

Share this post


Link to post
Share on other sites

Posted

I really like WatchGuard.

Share this post


Link to post
Share on other sites

Posted

i think that is a bit overkill for what he is looking for, I think he is more in line for a 20 or 50 which I already suggested in his other thread.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

Let's be real for a second. Unless you're doing Site to Site VPNs, or need a remote access VPN for mobile users, then you might want to consider keeping a simple router setup. You really aren't going to find a "real" firewall that Joe Enduser can understand and operate. NAT, PAT, and VPN cryptography isn't something even the normal "admin" understands. This is just a pill that has to be swallowed. They might be able to set up users or something for remote access, but everything else should probably be left alone. If they don't then who do you think they will end up calling for help?

That being said. If a true firewall solution is what's needed, then if you have the knowledge (and believe me it takes a good bit) then a Cisco ASA 5505 is going to be about the best you can get for a very small office or a spoke site. If the learning curve is to great, then go with SonicWall gear, as others have mentioned. Either way you go, make sure that (as with all technology implemented in a production/business environment) you get a support contract, to get updates/assistance etc.

Don't waste time on unsupported freeware products. Not only is this very unwise, but you'll find yourself tearing all of them out if a merger ever happens because they aren't "standard" gear that most companies use.

Share this post


Link to post
Share on other sites

Posted

Let's be real for a second. Unless you're doing Site to Site VPNs, or need a remote access VPN for mobile users, then you might want to consider keeping a simple router setup. You really aren't going to find a "real" firewall that Joe Enduser can understand and operate. NAT, PAT, and VPN cryptography isn't something even the normal "admin" understands. This is just a pill that has to be swallowed. They might be able to set up users or something for remote access, but everything else should probably be left alone. If they don't then who do you think they will end up calling for help?

That being said. If a true firewall solution is what's needed, then if you have the knowledge (and believe me it takes a good bit) then a Cisco ASA 5505 is going to be about the best you can get for a very small office or a spoke site. If the learning curve is to great, then go with SonicWall gear, as others have mentioned. Either way you go, make sure that (as with all technology implemented in a production/business environment) you get a support contract, to get updates/assistance etc.

Don't waste time on unsupported freeware products. Not only is this very unwise, but you'll find yourself tearing all of them out if a merger ever happens because they aren't "standard" gear that most companies use.

I don't see how you think PFSense, Smoothwall, Monowall, Untangle, etc, aren't REAL firewalls? I agree they aren't at the same level of an ASA, but there is nothing wrong with them. I know a LOT of businesses that use PFSense. For one thing, to get any support with the ASA (including downloads for upgraded firmware), then that will be more money.

For that matter, most of those firewalls have support options available, either through them or someone else. You also don't need a support contract. Just pay when you need it from one of those companies or vendors.

If you can't figure out PFSense, or any other firewall, an ASA isn't going to be any easier.

1 person likes this

Share this post


Link to post
Share on other sites

Posted

I don't see how you think PFSense, Smoothwall, Monowall, Untangle, etc, aren't REAL firewalls? I agree they aren't at the same level of an ASA, but there is nothing wrong with them. I know a LOT of businesses that use PFSense. For one thing, to get any support with the ASA (including downloads for upgraded firmware), then that will be more money.

For that matter, most of those firewalls have support options available, either through them or someone else. You also don't need a support contract. Just pay when you need it from one of those companies or vendors.

If you can't figure out PFSense, or any other firewall, an ASA isn't going to be any easier.

I didn't say that the ASA was the most "simple" solution, nor the most cost effective. I agree that it's quite the opposite. Just saying that amongst most large enterprises it's what I see the most of. If you have the knowledge, you can get a 5505 going for < $1000.

If I couldn't go the ASA route, then I wouldn't hesitate going SonicWall simply because of the quality support and also due to the fact that most enterprise level engineers are familiar with them.

If someone calls me in the middle of the night for a support call, and I have to tunnel into some homebrew PFSense box, then the first thing that pops in my head before I VPN to the customer's site is "Oh man, I wonder what kind of run down gear they are running this on"....

In no way am I bashing PFSense, it's a wonderfull product made by very competent people, but at the end of the day, I'd rather be backed by either Cisco TAC, or Dell Support should something go wrong with the device and I need to have it RMAed out. This and many other reasons, stability, etc.

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!


Register a new account

Sign in

Already have an account? Sign in here.


Sign In Now
Sign in to follow this  
Followers 0

  • Recently Browsing   0 members

    No registered users viewing this page.