How much money have you got to spend?
New NM wants to have a firewall (we don't currently have one, so fair enough (I'm new too!)). We've had lots of problems with viruses, so one with scanning options is a must.
He thinks that a hardware firewall is best. I want to ensure that we have the flexibility of something like ISA Server, where we can say that these Active Directory users can use these websites, on these computers, at this time.
We also need filtering and antivirus. Are there hardware firewalls that can meet these requirements? Esp. Active Directory integration.
In the future we'd also need RADIUS for wireless authentication. ISA has this built in.
Just a thought - could we have our cake and eat it? I.e. use a hardware and software firewall?
It is likely that we are going to want to host our own web/Exchange servers. Could we:
DMZ With Webservers in
Software Proxy Server (Say ISA)
I don't really understand DMZ, so please correct me if I'm wrong!
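One way to express the DMZ/proxy layout sketched above, as an added nftables example that is not from the thread or from any product mentioned in it; interface names, subnets and server addresses are assumptions:

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumed layout:
#   eth0 = RED (Internet), eth1 = GREEN (LAN, 10.0.0.0/24),
#   eth2 = DMZ (192.168.100.0/24) holding the web/Exchange servers.
# The point of a DMZ: the Internet reaches only the published services,
# and a compromised DMZ host cannot open connections into the LAN.
flush ruleset

define RED     = eth0
define GREEN   = eth1
define DMZ     = eth2
define LAN_NET = 10.0.0.0/24
define WEB     = 192.168.100.10   # assumed web server
define MAIL    = 192.168.100.11   # assumed Exchange front end
define PROXY   = 10.0.0.5         # assumed proxy (e.g. ISA) on the LAN

table inet fw {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already allowed below
        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: only the published services
        iifname $RED oifname $DMZ ip daddr $WEB  tcp dport { 80, 443 } accept
        iifname $RED oifname $DMZ ip daddr $MAIL tcp dport { 25, 443 } accept

        # DMZ -> LAN: never initiated from the DMZ (limits blast radius)
        iifname $DMZ oifname $GREEN drop

        # DMZ -> Internet: only what the servers need (DNS, mail, updates)
        iifname $DMZ oifname $RED udp dport 53 accept
        iifname $DMZ oifname $RED tcp dport { 25, 80, 443 } accept

        # LAN -> DMZ: staff and pupils reach the servers
        iifname $GREEN oifname $DMZ ip saddr $LAN_NET accept

        # LAN -> Internet: only the proxy goes direct, so the per-user
        # Active Directory policy on the proxy cannot be bypassed
        iifname $GREEN oifname $RED ip saddr $PROXY accept
        iifname $GREEN oifname $RED log prefix "proxy-bypass: " drop
    }
}
```

NAT (needed if the DMZ uses private addresses, as assumed here) and the input chain protecting the firewall itself are left out; the logged "proxy-bypass" drops are the useful thing to watch, since they show machines trying to go around the proxy.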
Have you looked at smoothwall express?
You can make the DMZ easy and it has a built in proxy.
And it's free!
mattx's reply is very insightful, though without background
Until you spend a LOT of money - 4 zeros plus - there is bog all difference, as most modern hardware firewalls are the same software running on commodity h/w. Some of the real cheapies run on low-end embedded CPUs of course, but the mid range are largely Intel. There are a couple of exceptions, but you are not going to get ASIC-based firewalling into a "regular" budget, and really, why should you - the advantages are not great unless you are shifting huge amounts of traffic.
Now - the difference between (most) software and hardware firewalls in terms of performance and security, as I have said, is minimal. BUT - a h/w firewall is likely to come in a nicer form factor - with more NICs, ports on the front, etc. Also, the h/w will be optimised for firewall duty. That said, you will pay more for your hardware. Dell or HP will always whup us on their hardware buying power, so our UTM hardware costs more than the same HP (though getting as many NICs in the HP would be nigh on impossible, and they may not all be PCIx). A h/w firewall is also likely to have more pre-configuration out of the box.
Please don't let arguments of performance or security sway you, go for the firewall you think will suit your needs best.
Being (fairly) impartial... there aren't many "software firewalls" which will give you content filtering, AV etc. SmoothWall is one of them. With ISA you will have to add 3rd-party components. No bad thing, but worth remembering. Hardware firewalls... there's a bunch of UTMs out there. Again, we do one, as do many others like WatchGuard. Not sure of your requirements, but most schools I think want a lot out of their content filter, and rarely push the firewall past its limits. I'd say pick a content filter, and work from there. So if you pick Websense, you'd probably go with ISA. If you wanted a SmoothWall filter, well, you might go with our UTM or with one of our software offerings. I'm assuming here you want to do content filtering and firewalling in the one box. If you don't... well, that expands your options.
Sorry for the brain-dump... it is too early in the morning for me to make a huge amount of sense ;-P
There are advantages and disadvantages to the "split" method...
Combined, it costs less, and you have less hardware. Also, transparent filtering is easier if you are filtering at the gateway. By and large, when you are talking split setup, you have 2 interfaces, and 2 products to learn.
Split, of course, gives you flexibility. It is harder to set up, but if the proxy fails, it does not take everything else with it. Then again, you have 2 bits of tin to fail. OTOH, if you have a BIG school you may want to do 1 firewall & 2 proxies, especially with AV, which can be quite intensive.
Sorry to burden you with loads of choice. If you or your NM want to talk it through with someone feel free to gimme a bell. Worth noting (again) that I am biased, but I do try to give as fair an opinion as possible!
I would definitely go for using SmoothWall!
This is an excellent program; it comes as an ISO: burn it to a CD, install, and off you go.
All you need is an old workstation of basically any spec with 2 network cards: one RED and one GREEN for your External and Internal Networks.
It can be configured in any way you like and, because it's open source, you get full access to all the files if you want to change anything.
We run SchoolGuardian and, well, it copes with 100 full-time boarders trying to get through it, so it can't be all bad.
tom_newton (10th October 2008)