Firewall opinions wanted please

I am looking for a good but reasonably priced firewall for a 40 or so server
site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
From what I have heard a proxy firewall would be best?

Thanks in advance!!


As much as I hate to follow up my own post, I suppose I was a bit too vague
for my own good =]

We do not run any Cisco gear and we are in a Class A data facility.

By proxy I did not mean to imply NAT. I cannot remember the proper term but
what I mean is full packet handling as opposed to packet inspection.

Security is important but the budget limit is only up to about 3K. I have been
trying to get the client a firewall for some time and am just now getting the
go ahead.

Sorry for any vagueness but I usually like to not say too much so as not to sway
opinions one way or another and to learn more, as any knowledge I have may be
wrong or out of date.


Another important question is who is going to be managing the firewall once it gets purchased and installed? Buying a PIX is great but not if you don't have anyone that knows how to use it. This applies to any vendor's solution, be it Checkpoint, IPTables, PIX, Netscreen, etc.

Also, by proxy do you mean stateful packet inspection?


Sonicwall makes a great product that can run in STANDARD (Proxy) mode.

Their prices are pretty good as well, especially if you buy them through a reseller. We deploy many of these firewalls every year and they are great!



I'll go out on a limb here and say that the actual make and model of the
firewall don't matter anywhere *near* as much as a proper understanding on the
client's part of what a firewall can and can't do.

It can let you know when somebody's poking at your site. But it can't do it on
its own, somebody *will* have to read the logs (even if you use a good
log-filtering package to trim out all the true noise).

It can't automagically secure your site. All it takes is *one* laptop or VPN
connection to the "inside" from a compromised machine and you're history.

The most successful firewall installs I've encountered have invariably
considered the firewall not as a "prevention device" but as an "IDS with a bad
attitude". A firewall is *never* an acceptable substitute for proper end-host
security procedures - the end host *must* be fully prepared to deal with a
total breach of the firewall (remember - a firewall will never stop a
disgruntled employee).
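The point above about somebody having to read the logs, with a filtering package trimming the noise, can be made concrete. The following script is an added example, not code from this thread or from any firewall vendor: it parses constructed netfilter-style deny-log lines, drops chatter that is assumed to be benign (NetBIOS and SSDP broadcast traffic, an assumption for this example), and reports sources that were denied on many distinct ports, which is the "somebody poking at your site" signal the post describes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the iptables LOG target format (not real traffic).
# The ICMP line carries no DPT= field and is deliberately skipped by the parser.
SAMPLE_LOG = """\
Jan 12 03:14:07 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40112 DPT=22
Jan 12 03:14:08 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40113 DPT=23
Jan 12 03:14:08 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40114 DPT=25
Jan 12 03:14:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40115 DPT=80
Jan 12 03:14:09 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40116 DPT=443
Jan 12 03:14:10 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=TCP SPT=40117 DPT=3389
Jan 12 03:15:01 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.11 PROTO=TCP SPT=51000 DPT=80
Jan 12 03:15:02 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.11 PROTO=TCP SPT=51001 DPT=80
Jan 12 03:15:03 fw kernel: FW-DROP IN=eth0 OUT= SRC=192.0.2.7 DST=198.51.100.11 PROTO=TCP SPT=51002 DPT=443
Jan 12 03:16:00 fw kernel: FW-DROP IN=eth1 OUT= SRC=198.51.100.99 DST=198.51.100.255 PROTO=UDP SPT=137 DPT=137
Jan 12 03:16:30 fw kernel: FW-DROP IN=eth1 OUT= SRC=198.51.100.99 DST=198.51.100.255 PROTO=UDP SPT=137 DPT=137
Jan 12 03:17:00 fw kernel: FW-DROP IN=eth0 OUT= SRC=203.0.113.45 DST=198.51.100.10 PROTO=ICMP TYPE=8 CODE=0
"""

# Only TCP/UDP records carry a destination port; ICMP lines do not match.
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)

# Assumed-benign broadcast chatter to trim before anyone reads the report.
# This set is an assumption for the example; tune it to what your network emits.
NOISE = {("UDP", 137), ("UDP", 138), ("UDP", 1900)}


def parse_drops(text):
    """Return one dict per deny line that has a destination port."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append({
                "src": m.group("src"),
                "dst": m.group("dst"),
                "proto": m.group("proto"),
                "dpt": int(m.group("dpt")),
            })
    return events


def summarize(events, noise=NOISE):
    """Aggregate non-noise denies per source: hit count and distinct ports."""
    summary = defaultdict(lambda: {"hits": 0, "ports": set()})
    for ev in events:
        if (ev["proto"], ev["dpt"]) in noise:
            continue
        entry = summary[ev["src"]]
        entry["hits"] += 1
        entry["ports"].add(ev["dpt"])
    return dict(summary)


def flag_scanners(summary, min_ports=5):
    """Sources denied on at least min_ports distinct ports, busiest first."""
    flagged = [
        (src, len(info["ports"]), info["hits"])
        for src, info in summary.items()
        if len(info["ports"]) >= min_ports
    ]
    return sorted(flagged, key=lambda t: (-t[1], -t[2], t[0]))


if __name__ == "__main__":
    summary = summarize(parse_drops(SAMPLE_LOG))
    for src, n_ports, hits in flag_scanners(summary):
        print(f"{src}: denied on {n_ports} distinct ports ({hits} hits)")
```

The threshold and the noise set are where the judgement lives: set `min_ports` too low and the report becomes the raw log again; add entries to `NOISE` only for traffic you have already explained, since anything suppressed there is never seen by the person doing the reading.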

You mean _PROTOCOL HANDLING_, I believe.

I do not know why people are paying so much attention to it. Important
questions are:

- which services are you providing for the public?
- who will handle all your SSL sessions, if any (maybe Load Balancers?
Then you do not bother about FW proxy for them);
- who will handle all http requests (yes, proxy can help here, but it is not
the only way);
- who will inspect mail content (not SMTP protocol, but attachments etc)?
- who will handle your ssh sessions, if you have inbound ssh?
- who will handle your inbound VPN or PPTP, if you use it?
- are DDOS attacks dangerous for you (you host SCO, for example) or not (you
provide a specific service for 100 companies, not for the wide public);
- do you use host level IDS / change control?

PIX is an excellent firewall... for many purposes, but not for others (and not
as a proxy, of course). It is impossible to select anything without knowing
the answers to these questions...


As with any product, it's only as good as the support channel behind it
*in your locality* ... we have just removed Sonicwall from the list of
approved suppliers here because of a series of failures that left two
parts of our network unprotected for several weeks (and, if any other
Firewall vendors with _good_ European support are reading this thread,
you're welcome to contact us by mail if you feel you can do better than
Sonicwall's local representatives did :wink: )

Netscreen rocks. They are record-breakingly sexy devices running the gamut
as far as networks they can be configured to service, and the burlier beasties
are easily worthy of deployment on a carrier class network.

However, if you're looking to drop small change on a product that will not
be required to withstand the rigors of VPN termination, HA, VRRP, blah
blah blah, and you are trying to cover basic, fundamental firewalling
(port filtering is a very base feature and should open the doors to many
other vendors if that's truly the brunt of what you are trying to achieve),
then take a gander at PIX. Or even Raptor or Checkpoint. All 3 are old
standbys that have seen their days being equally celebrated as leaders
and mourned as losers.

good luck,