Consumer firewall, any worth?

SephStorm Member Posts: 1,731
I've seen some consumer-grade firewalls at Best Buy, Netgear ProSafe and whatnot. It's not Cisco, but I assume if they are still selling these things, there must be some kind of market for them. Is there any use in getting one of these things, just for experience? The back of the product actually mentioned that one of the models had an IOS; I don't know if it is similar to Cisco IOS.

I also see some SonicWall firewalls online, which have a certification program. Again, no idea if it is worth anything, but w/e.

I also don't know if it is possible to get any good experience with these things in a home lab environment. Right now my lab is 2 laptops and VMs, at least until I move.

Comments

    dynamik Banned Posts: 12,312
    Just use iptables and/or pfSense if you want to play around with firewalls. They'll do more than those anyway.
    docrice Member Posts: 1,706
    Agreed - I've used Cisco PIX / ASA, Check Point FW-1, Microsoft ISA, as well as your basic IOS packet filter, and I think iptables and pf (OpenBSD) fit the bill very well for an Open Source solution. If I had to choose between cheap consumer gear vs. iptables or pf, I'd choose the latter any day of the week (unless I absolutely had to have a GUI, in which case I'd go with pfSense, SmoothWall, m0n0wall, etc.).

    In the past, I've found consumer gear to be hardly robust.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
    Bl8ckr0uter Inactive Imported Users Posts: 5,031
    docrice wrote: »
    Agreed - I've used Cisco PIX / ASA, Check Point FW-1, Microsoft ISA, as well as your basic IOS packet filter, and I think iptables and pf (OpenBSD) fit the bill very well for an Open Source solution. If I had to choose between cheap consumer gear vs. iptables or pf, I'd choose the latter any day of the week (unless I absolutely had to have a GUI, in which case I'd go with pfSense, SmoothWall, m0n0wall, etc.).

    In the past, I've found consumer gear to be hardly robust.

    Interesting.

    I am migrating my company from a PIX 515e to a SonicWall NSA 3500. I am also moving my home from a Linksys to either a SonicWall TZ200w or 210w. I think that if we didn't have to worry about our shareholders "freaking out" because we had basically an unsupported firewall, I would have probably gone with pfSense. I actually wrote up a proof of concept doc for my boss and she liked it. Her boss on the other hand.....
    SephStorm Member Posts: 1,731
    I think I can be straight with you guys: I'm a little scared of the open source software, and I've always assumed hardware was better than software anyway.

    Let me explain. I'm not scared of using open source software, but I like having a walkthrough the first time. What would you guys suggest for a beginner? I need something, well, for dummies: easy installation, and I need to know if I need a separate machine to use as a firewall, or if I just set it up on a host PC, etc.

    edit: I see both of the mentioned firewalls are *nix-based, so it seems as though I need a separate PC set up with Linux running the firewall. Some sort of server perhaps? Sorry guys, I am just moving from Windows system admin to security theory, to hands-on.
    docrice Member Posts: 1,706
    For your home lab, you're looking at a dedicated network-based firewall, not one that's installed on your workstation PC (that would be a host-based firewall).

    Whether it's hardware that's sold as such a device (Cisco ASA, Linksys) or a white box with firewall software on it, all firewalls are a combination of hardware and software. Linksys / Netgear / etc. firewalls use software as well, and ultimately it's a question of the quality / reliability of that software code. I generally don't have a lot of faith in the stuff on Best Buy's shelves.

    If you need a GUI for management, I've used m0n0wall in the past and it's really easy to set up. Just boot the disk on a machine to be used as the firewall (you need at least two interfaces, obviously), configure which one's the inside and which is the outside, set up the addresses, and manage the rest via the web interface. Save the config to a floppy. I think pfSense is similar but installs on the hard disk. It's been years since I've used these, so things might be a bit different today.

    Now that said, if you really want to get into the filtering game and be able to create rules that look at protocol numbers, ICMP types, TCP flags, etc., you're going to want granularity. If you're comfortable with Linux or BSD, I strongly recommend that route as it will provide plenty of flexibility. BSD's pf provides very flexible configuration, and it's an Open Source firewall that provides stateful failover as well as nice features like TCP SYN proxy, which performs the TCP handshake on an incoming connection before patching it through to your DMZ hosts. pf is well documented and it's actually relatively easy to set up if you're used to CLI work.

    Depending on which solution you choose, you'll have to acclimatize yourself to the different firewall systems and the syntax of each. pf, for example, works on the "best match" system (similar to Windows Firewall with Advanced Security) while iptables does "first match" (like IOS, PIX, Check Point). Everything has pros and cons, but just jump in and try one or two. Or you can implement a front firewall (kind of like a screening perimeter router), then a secondary firewall of a different kind. Labs are fun because you get to experiment and destroy, and hopefully the only ones affected by outages are the ones living in your house.

    BTW, if you use VMware ESXi, you can make a virtual lab environment with a virtual firewall installation using any of the above free software and have it pass traffic between your inside network(s) and the public side. I used to do that until I just decided to stick in an old Cisco 1721 and use it for the time being. Those things are cheap on eBay, so you might want to look into cheaper old gear.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
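The rule-ordering difference docrice describes above, as an added example that is not from the thread: a small Python simulation of first-match evaluation (iptables, IOS ACLs) against pf's evaluation, where the last matching rule wins unless an earlier matching rule is marked `quick`. The rule set and packets are constructed for illustration; the same rule list gives different verdicts under the two engines.

```python
# Added example, not from the thread: first_match() evaluates like iptables
# / IOS ACLs; last_match() evaluates like OpenBSD pf (last match wins, "quick"
# stops the scan). Rule set and packets below are constructed, not captured.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    action: str                    # "pass" or "block"
    proto: str = "any"             # "tcp", "udp", "icmp" or "any"
    src: str = "0.0.0.0/0"         # source network in CIDR notation
    dport: "int | None" = None     # destination port, None = any port
    quick: bool = False            # pf "quick": stop evaluating on a match

    def matches(self, pkt: dict) -> bool:
        return ((self.proto == "any" or self.proto == pkt["proto"])
                and ip_address(pkt["src"]) in ip_network(self.src)
                and (self.dport is None or self.dport == pkt.get("dport")))

def first_match(rules, pkt, default="block"):
    # iptables-style: the first matching rule decides, the rest are ignored
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def last_match(rules, pkt, default="block"):
    # pf-style: keep scanning; the last match wins unless a match is quick
    decision = default
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision

# Constructed rule set written the pf way: broad block first, specific
# passes afterwards. Under first-match the opening block shadows them all.
RULES = [
    Rule("block"),
    Rule("block", proto="tcp", src="10.0.0.0/8", quick=True),
    Rule("pass", proto="tcp", src="192.168.1.0/24", dport=22),
    Rule("pass", proto="tcp", dport=443),
]
# Constructed packets, not captured traffic.
SSH_FROM_LAN = {"proto": "tcp", "src": "192.168.1.10", "dport": 22}
SSH_FROM_WAN = {"proto": "tcp", "src": "203.0.113.5", "dport": 22}
HTTPS_FROM_WAN = {"proto": "tcp", "src": "203.0.113.5", "dport": 443}
HTTPS_FROM_10 = {"proto": "tcp", "src": "10.2.3.4", "dport": 443}

def compare(pkt: dict) -> tuple:
    return first_match(RULES, pkt), last_match(RULES, pkt)  # (iptables, pf)
```

Run `compare()` on each packet: the first-match engine blocks everything because the broad block is first, while the pf-style engine passes LAN SSH and WAN HTTPS but still blocks 10/8 because the `quick` rule ends the scan before the HTTPS pass rule is reached.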
    Daniel333 Member Posts: 2,077
    I gotta be honest, I am not 100% sure what you are asking for. Is it a device to better your fundamental firewall skills? Or just something to goof around with?

    Anyhow, I "learned" firewalls with the Cisco 2621XM routers. They are cheap online and are pretty featureful. Untangle is a good Linux-based one to mess with. And my favorite firewall product is Microsoft ISA 2006.

    The real world, on the other hand, at least in the SMB market, seems to be Cisco ASAs and SonicWall from what I have run into.
    -Daniel
    dynamik Banned Posts: 12,312
    SephStorm wrote: »
    I think I can be straight with you guys: I'm a little scared of the open source software, and I've always assumed hardware was better than software anyway.

    Let me explain. I'm not scared of using open source software, but I like having a walkthrough the first time. What would you guys suggest for a beginner? I need something, well, for dummies: easy installation, and I need to know if I need a separate machine to use as a firewall, or if I just set it up on a host PC, etc.

    edit: I see both of the mentioned firewalls are *nix-based, so it seems as though I need a separate PC set up with Linux running the firewall. Some sort of server perhaps? Sorry guys, I am just moving from Windows system admin to security theory, to hands-on.

    pfSense has a very easy-to-use web-based GUI. Here are some resources to get you started:

    pfSense Open Source Firewall Distribution - Documentation

    Quick HOWTO : Ch14 : Linux Firewalls Using iptables - Linux Home Networking

    This can help beginners too: Firewall Builder 4.0

    You can run these in a VM or on any old desktop. Some (pfSense, any Linux distro) have live CDs too.
    SephStorm Member Posts: 1,731
    Thanks guys. I will look these over, and hopefully find something I can work with. After I move, I'll have a lot more options.
    codeace Member Posts: 38
    SephStorm wrote: »
    I'm a little scared of the open source software, and I've always assumed hardware was better than software anyway.

    Hardware works on software. Software or hardware depends on how things are implemented. IMHO, a poorly written proprietary firmware is not comparable to 1000+ evaluations of an open-source snippet. Maybe you can check for EALs.
    Everything happens for a good reason! Don't question it. Just accept it :)
    dynamik Banned Posts: 12,312
    codeace wrote: »
    Hardware works on software. Software or hardware depends on how things are implemented.

    Yeah, but you get significantly better performance by using ASICs.