10th October 2008, 08:45 AM #1
Hardware vs Software firewall
New NM wants to have a Firewall (we don't currently have one so fair enough (I'm new too!)). We've had lots of problems with viruses, so one with scanning options is a must.
He thinks that Hardware firewall is best. I want to ensure that we have the flexibility of something like ISA server, where we can say that these Active Directory users can use these websites, on these computers, at this time.
We also need filtering and antivirus. Are there Hardware firewalls that can meet these requirements? esp. Active Directory integration.
In the future we'd also need RADIUS for wireless authentication. ISA has this built in.
10th October 2008, 08:50 AM #2
How much money have you got to spend ?
10th October 2008, 09:05 AM #3
Not sure. I suppose it's the classic answer "as little as possible" but, as viruses have caused havoc recently I'd say management would spend whatever they were told on it. (Whether it was going to solve the problem or not! Personally, I think our virus issues are caused by poor network setup in the first place)
10th October 2008, 09:11 AM #4
Just a thought - could we have our cake and eat it? I.e. use a hardware and software firewall?
It is likely that we are going to want to host our own web/Exchange servers. Could we:
DMZ With Webservers in
Software Proxy Server (Say ISA)
I don't really understand DMZ, so please correct me if I'm wrong!
10th October 2008, 09:24 AM #5
Have you looked at smoothwall express?
You can make the DMZ easy and it has a built in proxy.
And it's free!
10th October 2008, 09:28 AM #6
mattx's reply is very insightful, though without background
Until you spend a LOT of money - 4-zeros plus - there is bog all difference, as most modern hardware firewalls are the same software running on commodity h/w. Some of the real cheapies run on low-end embedded CPUs of course, but the mid range are largely Intel. There's a couple of exceptions, but you are not going to get ASIC based firewalling into a "regular" budget, and really, why should you - the advantages are not great unless you are shifting huge amounts of traffic.
Now - the difference between (most) software and hardware firewalls in terms of performance and security, as I have said, is minimal. BUT - a h/w firewall is likely to come in a nicer form factor - with more NICs, ports on the front, etc. Also, the h/w will be optimised for firewall duty. That said, you will pay more for your hardware. Dell or HP will always whup us on their hardware buying power, so our UTM hardware costs more than the same HP (though getting as many NICs in the HP would be nigh on impossible, and they may not be all PCIx). A h/w firewall is also likely to have more pre-configuration out of the box.
Please don't let arguments of performance or security sway you, go for the firewall you think will suit your needs best.
Being (fairly) impartial... there's not many "software firewalls" which will give you content filtering, AV etc. SmoothWall is one of them. ISA you will have to add 3rd party components. No bad thing, but worth remembering. Hardware firewalls... there's a bunch of UTMs out there. Again, we do one, as do many others like WatchGuard. Not sure of your requirements, but most schools I think want a lot out of their content filter, and rarely push the firewall past its limits. I'd say pick a content filter, and work from there. So if you pick Websense, you'd probably go with ISA. If you wanted a SmoothWall filter, well, you might go with our UTM or with one of our software offerings. I'm assuming here, you want to do content filtering and firewalling in the one box. If you don't... well that expands your options.
Sorry for the brain-dump... it is too early in the morning for me to make a huge amount of sense ;-P
10th October 2008, 09:35 AM #7
As I mention in my rambling response above... yes, that's a bit of a "cake & eat it" scenario, and you can do it. In terms of AV... where you put that depends on your needs. If your email is already AV'd, you can happily put it on the proxy server.
There are advantages and disadvantages to the "split" method...
Combined, it costs less, and you have less hardware. Also, transparent filtering is easier if you are filtering at the gateway. By and large, when you are talking split setup, you have 2 interfaces, and 2 products to learn.
Split, of course, gives you flexibility. It is harder to set up, but if the proxy fails, it does not take everything else with it. Then again, you have 2 bits of tin to fail. OTOH, if you have a BIG school you may want to do 1 firewall & 2 proxies. Especially with AV, which can be quite intensive.
Sorry to burden you with loads of choice. If you or your NM want to talk it through with someone feel free to gimme a bell. Worth noting (again) that I am biased, but I do try to give as fair an opinion as possible!
10th October 2008, 11:15 AM #8
I would definitely go for using smoothwall!
This is an excellent program, it comes as ISO, burn it to a CD, install and off you go.
All you need is an old workstation of basically any spec with 2 network cards. One RED and one GREEN for your External and Internal Networks.
It can be configured in any way you like, and because it's open source you get full access to all the files if you want to change anything.
10th October 2008, 11:46 AM #9
We run schoolguardian and well it copes with 100 full time boarders trying to get through it so can't be all bad