Hardware Firewall Recommendation - General Networking

Archived from groups: comp.security.firewalls (More info?)

 

Greetings,

I've been charged with the task of picking out a firewall appliance for
a group of about 100 systems. We don't need anything too fancy, but we
would like an easy to use VPN setup. I can spend ~$1000. If anybody
could point me to a few models to look at, that'd be great. I've
searched for reviews and feature comparisons, but I haven't had much
luck. Thanks!

--Steve

 

In article <caqjf0$v2$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
says...
> Greetings,
>
> I've been charged with the task of picking out a firewall appliance for
> a group of about 100 systems. We don't need anything too fancy, but we
> would like an easy to use VPN setup. I can spend ~$1000. If anybody
> could point me to a few models to look at, that'd be great. I've
> searched for reviews and feature comparisons, but I haven't had much
> luck. Thanks!

The Firebox III/700 from WatchGuard is a good unit, but it's about $1600
retail (USD). It has everything you could need including VPN remote user
and branch office VPN ability. One of the nicest features, if you have
your own email server, is the ability to strip attachments by extension
from inbound email (before it gets to the server) - which prevents most
viruses and worms from getting to your local computers.

The Sonic units are also good, but I don't have current pricing on them.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


On Wed, 16 Jun 2004 16:00:47 -0700, Steve Taylor <staylor@uidaho.edu>
wrote:
>
>I've been charged with the task of picking out a firewall appliance for
>a group of about 100 systems. We don't need anything too fancy, but we
>would like an easy to use VPN setup. I can spend ~$1000. If anybody
>could point me to a few models to look at, that'd be great. I've
>searched for reviews and feature comparisons, but I haven't had much
>luck. Thanks!
>

As a reseller of the ZyXEL ZyWALL series of Firewall Appliances, I
can't help but recommend the ZyWALL 70.

You may find more info about it at the ZyXEL website:
http://us.zyxel.com/products/model [...] 1021873683

For pricing, have a look at our website:
http://shopping.nowthor.com/0760559104146.html

Thanks!

Carlos Antunes
Nowthor Corporation


Steve,

I've worked with a WatchGuard Firebox recently. I was managing a WAN
comprised of just a half dozen LANs connected by frame-relay--just a small
network really. However, I must say I was rather impressed with the
Firebox--great interface, set-and-forget configuration, etc. If you haven't
been to their Web site, they have a Flash presentation. I think this is the
link:

http://www.watchguard.com

Best regards,

Todd Shillam
Information Technology Consultant
Shillam Technology
WWW: http://shillamtechnology.point2this.com




"Steve Taylor" <staylor@uidaho.edu> wrote in message
news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
Greetings,

I've been charged with the task of picking out a firewall appliance for
a group of about 100 systems. We don't need anything too fancy, but we
would like an easy to use VPN setup. I can spend ~$1000. If anybody
could point me to a few models to look at, that'd be great. I've
searched for reviews and feature comparisons, but I haven't had much
luck. Thanks!

--Steve


"Steve Taylor" <staylor@uidaho.edu> wrote in message
news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
> Greetings,
>
> I've been charged with the task of picking out a firewall appliance for
> a group of about 100 systems. We don't need anything too fancy, but we
> would like an easy to use VPN setup. I can spend ~$1000. If anybody
> could point me to a few models to look at, that'd be great. I've
> searched for reviews and feature comparisons, but I haven't had much
> luck. Thanks!
>
> --Steve

Unfortunately, for a network of that size, I think that realistically you
should probably look at spending closer to about twice that, more in the
$1500 - $2000 range. 100 systems is a decent number of systems, and you want
gear that is designed for that type of environment rather than trying to
shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
gear you might want to check out:

Sonicwall Pro 2040
NetScreen 25 Baseline
Watchguard Firebox X700


Alec wrote:

> "Steve Taylor" <staylor@uidaho.edu> wrote in message
> news:caqjf0$v2$1@kestrel.csrv.uidaho.edu...
>
>>Greetings,
>>
>>I've been charged with the task of picking out a firewall appliance for
>>a group of about 100 systems. We don't need anything too fancy, but we
>>would like an easy to use VPN setup. I can spend ~$1000. If anybody
>>could point me to a few models to look at, that'd be great. I've
>>searched for reviews and feature comparisons, but I haven't had much
>>luck. Thanks!
>>
>>--Steve
>
>
> Unfortunately, for a network of that size, I think that realistically you
> should probably look at spending closer to about twice that, more in the
> $1500 - $2000 range. 100 systems is a decent number of systems, and you want
> gear that is designed for that type of environment rather than trying to
> shoehorn a cheaper, SOHO or 10 user type device into an actual network. Some
> gear you might want to check out:
>
> Sonicwall Pro 2040
> NetScreen 25 Baseline
> Watchguard Firebox X700
>
>

Everybody, thanks for the suggestions so far.

I think I could manage $1500-$2000. The Firebox certainly looks like a
good candidate. Anybody else have an opinion on the Firebox?

Thanks.

--Steve


In article <casd0g$h8$1@kestrel.csrv.uidaho.edu>, staylor@uidaho.edu
says...
> I think I could manage $1500-$2000. The Firebox certainly looks like a
> good candidate. Anybody else have an opinion on the Firebox?

I hate to follow my own recommendation, but I've installed them at two
state agencies, a utility company, a medical center, and about 30
factories. I've also installed them at many assisted living centers,
residences, small businesses, and know of one university that uses them
in several areas.

I have one in my own office and could not imagine anything better for
the money.

If you get one, and you have your own email server, make sure that you
look into the SMTP Proxy for filtering attachments on inbound email - it
will remove infectious attachments based on file extension (not
actually detecting a virus), which has kept every client from being hit
by any of the email viruses in the last 5 years.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)


Leythos wrote:

>look into the SMTP Proxy for filtering attachments on inbound email - it
>will removed infectious attachments based on file extension (not
>actually detecting a virus) which has kept every client from being hit
>by any of the email viruses in the last 5 years.

How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
addresses and had no problems. Logged several attempts from (l)users
clicking on the e-mail links, but their interest died as the link
timed out.

Also, I believe you manage multiple firewalls, so how do you push
updates like that to them?


In article <77p4d0ha0ms0ca1hdhrrbfd2njugm59tdh@4ax.com>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >look into the SMTP Proxy for filtering attachments on inbound email - it
> >will removed infectious attachments based on file extension (not
> >actually detecting a virus) which has kept every client from being hit
> >by any of the email viruses in the last 5 years.
>
> How did you manage Wallon.A? Just curious. I blocked the rds.yahoo
> addresses and had no problems. Logged several attempts from (l)users
> clicking on the e-mail links, but their interest died as the link
> timed out.

Here is a description (from Symantec) of how it works:

W32.Wallon.A@mm arrives as an email with a link in the message body. The
email uses an Internet Explorer vulnerability, described in Microsoft
Security Bulletin MS04-004, to display an obfuscated link. Clicking the
link redirects the user to a Web site to download "wmplayer.exe" into
the Windows Media Player folder. The Web site may attempt to exploit an
Outlook Express vulnerability, described in Microsoft Security Bulletin
MS04-013, to download and execute the file. Because the worm attempts to
overwrite the Windows Media Player executable, any attempts to run
Windows Media Player on an infected computer will execute a copy of the
worm.


Our users would have seen the email; since there was nothing in it but a
link to a site, most would have just deleted the email - we send out
messages every month about following links to things outside their
company that come in email.

For those that did select it, they would not have had a problem - we
don't allow .exe or other types through the HTTP proxy service in the
firewall.

The WatchGuard firewalls have a HTTP proxy service that lets me
deny/approve the following:

1) Settings:
Remove Client Connection Info
Remove Cookies
Deny Submissions
Deny Java Applets
Deny ActiveX Applets
Remove unknown headers
Log accounting/auditing information
Require content type
Idle timeout xxxxxx seconds

2) Safe Content:
Allow only safe content types
(you can add types based on mime specs)
Deny Unsafe Path Patterns
(add site paths you want to block, not sites)

3) Web Blocker - used to specify what content can be viewed
4) Web Blocker Schedule - enable/disable at programmed times
5) Web Blocker Operational Controls (what to filter when ON)
6) Web Blocker non-Operational Controls (what to filter when OFF)
7) WB Exceptions (permitted, denied) Add IP as needed

For SMTP I have two filters - one is the Firewall SMTP service and the
other (depending on what email server they have) is Symantec Small
Business Edition with Exchange Filter.

WG SMTP Options includes some of the following:

INBOUND RULES
1) General
Idle Timeout (XXXXXX seconds)
Max Recipients (XXXX)
Maximum Size (xxxxxxx KB)
Line Length (xxxxx bytes)
Address Validation (RFC-822 Compliance)
Allow Characters (list of chars you permit in email addresses)
Allow 8-Bit characters
Allow Source-Routed Addresses
2) Content Types
Allow only safe content types
(specify permitted types)
Deny Attachments based on file name patterns
(you can specify any pattern, includes wildcards)


There are many more, but you get the idea from this set. With these two
rules (and I didn't show how I have them set up, sorry) we've been able
to block 100% of all viruses and worms to date.

> Also, I believe you manage multiple firewalls, so how do you push
> updates like that to them?

We've not had to update the firewalls, the rules, once in place, are
something that covers all of the problems that already come up. If you
block .EXE you never have to go back and update the firewall to keep
users from downloading and running .EXE over HTTP/HTTPS or SMTP.

One more thing that we do is set "Auto block sites that attempt to
connect to this service" and we set rules for ports 135, 139, and 445
for these auto-block sites. Just another way to make sure that infected
machines don't get past the firewall.

Most of our customers either installed Exchange 2000 or already had
Exchange servers, the SBE/Exchange filter from Symantec has done wonders
for those users - even without the firewall it includes RBL functions,
key word filters, subject and body word filtering, virus scanning,
attachment blocking, etc... Great product for Exchange.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
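The SMTP proxy rules Leythos lists above (deny attachments by file-name pattern, allow only listed content types, no virus detection involved) can be reproduced in a few lines of Python. What follows is an added example written for this page; it is not WatchGuard code and not anything posted in the thread. The deny patterns, the content-type allowlist and the sample message are constructed assumptions. It also shows why the two rules are used together: a name pattern catches "Invoice.PDF.exe" and a ".scr" mislabelled as application/pdf, while only the content-type allowlist catches an opaque application/octet-stream file with an innocent name.

```python
"""Attachment stripping by file-name pattern and content-type allowlist.

Added example for this thread, not WatchGuard code. The policy lists and
the sample message are constructed for illustration.
"""
import fnmatch
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumed policy (not from the thread): file-name patterns to strip, matched
# case-insensitively so "Invoice.PDF.exe" is caught, and the only content
# types an attachment may carry.
DENY_NAME_PATTERNS = ("*.exe", "*.scr", "*.pif", "*.com", "*.bat", "*.vbs")
ALLOW_CONTENT_TYPES = {
    "text/plain", "text/html", "application/pdf",
    "image/gif", "image/jpeg", "image/png",
}


def attachment_verdict(part):
    """Return (deny, reason) for one non-multipart MIME part."""
    name = (part.get_filename() or "").lower()
    for pattern in DENY_NAME_PATTERNS:
        if fnmatch.fnmatchcase(name, pattern):
            return True, f"name matches {pattern}"
    ctype = part.get_content_type()  # the library lower-cases this
    if ctype not in ALLOW_CONTENT_TYPES:
        return True, f"content type {ctype} not in allowlist"
    return False, ""


def strip_attachments(msg):
    """Remove denied attachments from msg in place, recursing into nested
    multiparts; return a list of (filename, reason) for what was removed."""
    removed = []
    if not msg.is_multipart():
        return removed
    kept = []
    for part in msg.get_payload():
        if part.is_multipart():
            removed.extend(strip_attachments(part))
            kept.append(part)
        elif not (part.is_attachment() or part.get_filename()):
            kept.append(part)  # message body, not an attachment
        else:
            deny, reason = attachment_verdict(part)
            if deny:
                removed.append((part.get_filename() or "(unnamed)", reason))
            else:
                kept.append(part)
    msg.set_payload(kept)
    return removed


def filter_message(raw):
    """Parse raw message bytes, strip denied attachments and return
    (cleaned_bytes, removed_list)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    removed = strip_attachments(msg)
    return bytes(msg), removed


def attachment_names(raw):
    """File names of the attachments present in a raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return [p.get_filename() for p in msg.iter_attachments()]


def build_sample_message():
    """Constructed inbound mail: one legitimate PDF and three attachments
    that a name-only or a type-only rule would each miss on its own."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 (fake)", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    # double extension, mixed case: the name pattern catches it
    msg.add_attachment(b"MZ (fake)", maintype="application",
                       subtype="octet-stream", filename="Invoice.PDF.exe")
    # content type claims PDF, name says screensaver: name pattern again
    msg.add_attachment(b"MZ (fake)", maintype="application",
                       subtype="pdf", filename="update.scr")
    # harmless name, opaque type: only the content-type allowlist catches it
    msg.add_attachment(b"\x00\x01 (fake)", maintype="application",
                       subtype="octet-stream", filename="notes.dat")
    return bytes(msg)


if __name__ == "__main__":
    cleaned, removed = filter_message(build_sample_message())
    for name, reason in removed:
        print(f"stripped {name}: {reason}")
    print("remaining:", attachment_names(cleaned))
```

Note that the filter never looks at the bytes of the attachment, which is exactly the trade-off Leythos describes: it needs no signature updates, but it also cannot tell a renamed executable from a data file once the sender picks a name and a content type that both pass.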


Leythos wrote:

>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.

Hmmm...I'm not so sure I'd feel safe running non-firewall programs
like a HTTP proxy on my firewall. I feel more comfortable using Squid
or ISA behind the firewall on a separate device.

>We've not had to update the firewalls, the rules, once in place, are
>something that covers all of the problems that already come up. If you
>block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.

I see. That would never work in any environment I've seen, as all the
companies and government entities I provide security for *must* be
able to download files, including executables. Especially for M$
updates. Users are only allowed to run approved programs, but that
rarely ever stops today's worms/viruses. Of course, that's one reason
why it's so important to employ a good anti-virus solution.

Also, I'm surprised you don't update your firewalls (patches, not
rules). I'd sleep better knowing my firewalls and the computers
behind them were up-to-date.

>One more thing that we do is set "Auto block sites that attempt to
>connect to this service" and we set rules for ports 135, 139, and 445
>for these auto-block sites. Just another way to make sure that infected
>machines don't get past the firewall.

I'm with you there, 100%, but I go way past that. Time and rule wise.
Almost any kind of hostile activity will immediately ban that IP
address for roughly 3 days.
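Leythos's "auto block sites that attempt to connect" rule for ports 135, 139 and 445, and Zium's time-limited ban of roughly three days, are a small piece of detection logic that is easy to show over log lines. The following is an added example for this page, not the appliance's feature and not code from either poster. The log line format, the sample lines and the exempt network are all constructed. It adds the two things a practitioner wants that the posts leave implicit: an expiry so the blocklist does not grow forever, and a never-block list, because the source address of a SYN can be spoofed and an attacker could otherwise make the firewall block addresses you depend on.

```python
"""Auto-block of source addresses that probe 135/139/445, with expiry.

Added example for this thread, not the appliance's own feature. The log
format, the sample lines and the exempt network are all constructed.
"""
import re
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical log line format; real firewalls log differently.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<action>allow|deny) "
    r"src=(?P<src>[\d.]+) dst=[\d.]+ proto=\w+ sport=\d+ dport=(?P<dport>\d+)$"
)

# Constructed sample log (documentation address ranges).
SAMPLE_LOG = """\
2004-06-18 09:12:01 deny src=203.0.113.7 dst=198.51.100.10 proto=tcp sport=4431 dport=135
2004-06-18 09:12:02 deny src=203.0.113.7 dst=198.51.100.11 proto=tcp sport=4432 dport=139
2004-06-18 09:12:05 deny src=203.0.113.7 dst=198.51.100.12 proto=tcp sport=4433 dport=445
2004-06-18 09:13:10 allow src=192.0.2.40 dst=198.51.100.25 proto=tcp sport=51022 dport=80
2004-06-18 09:15:44 deny src=198.51.100.77 dst=198.51.100.10 proto=tcp sport=1049 dport=445
2004-06-21 09:30:00 deny src=203.0.113.7 dst=198.51.100.10 proto=tcp sport=4500 dport=135
"""


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


class AutoBlocker:
    def __init__(self, trigger_ports=(135, 139, 445), ban=timedelta(days=3),
                 never_block=("198.51.100.0/24",)):
        self.trigger_ports = set(trigger_ports)
        self.ban = ban
        # Assumed: ranges that must never be auto-blocked (own networks,
        # VPN peers, DNS). SYN source addresses are spoofable, so without
        # this list an attacker can have the firewall block them for you.
        self.never_block = [ip_network(n) for n in never_block]
        self.blocked = {}  # source ip -> expiry datetime

    def expire(self, now):
        """Drop entries whose ban has run out as of `now`."""
        for ip, until in list(self.blocked.items()):
            if until <= now:
                del self.blocked[ip]

    def is_blocked(self, ip, now):
        self.expire(now)
        return ip in self.blocked

    def process_line(self, line):
        """Apply the rule to one log line and return what was done."""
        m = LINE_RE.match(line.strip())
        if not m:
            return "ignored"
        now = parse_ts(m["ts"])
        self.expire(now)
        if m["action"] != "deny" or int(m["dport"]) not in self.trigger_ports:
            return "pass"
        src = m["src"]
        if any(ip_address(src) in net for net in self.never_block):
            return "exempt"
        if src in self.blocked:
            return "already-blocked"
        self.blocked[src] = now + self.ban
        return "blocked"

    def process_log(self, text):
        return [self.process_line(l) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    ab = AutoBlocker()
    for line, result in zip(SAMPLE_LOG.splitlines(), ab.process_log(SAMPLE_LOG)):
        print(f"{result:16} {line}")
    print("blocklist:", {ip: str(t) for ip, t in ab.blocked.items()})
```

In the sample, 203.0.113.7 is blocked on its first probe, its next two probes a few seconds later are already covered, its probe three days later arrives after the ban has expired and starts a fresh one, and the internal host 198.51.100.77 hitting 445 is reported but exempt from blocking.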


On 19 Jun 2004 00:19:57 -0500, Micheal Robert Zium spoketh

>Leythos wrote:
>
>>For those that did select it, they would not have had a problem - we
>>don't allow .exe or other types through the HTTP proxy service in the
>>firewall.
>
>Hmmm...I'm not so sure I'd feel safe running non-firewall programs
>like a HTTP proxy on my firewall. I feel more comfortable using Squid
>or ISA behind the firewall on a separate device.

Some firewalls use application proxies rather than packet filters. So,
that would make it very much a "firewall" program on the firewall.


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)


In article <rvc7d0tk3ua56p917sa8vt0tb99uhgj6kt@4ax.com>, mrozium@XSPAMX-
yahoo.com says...
> Leythos wrote:
>
> >For those that did select it, they would not have had a problem - we
> >don't allow .exe or other types through the HTTP proxy service in the
> >firewall.
>
> Hmmm...I'm not so sure I'd feel safe running non-firewall programs
> like a HTTP proxy on my firewall. I feel more comfortable using Squid
> or ISA behind the firewall on a separate device.

The appliance has the proxy as one of the rules you can use - it's a
better option than a system running an app to do it. Less chance of it
breaking or being misconfigured - less chance of a parts failure too.

> >We've not had to update the firewalls, the rules, once in place, are
> >something that covers all of the problems that already come up. If you
> >block .EXE you never have to go back and update the firewall to keep
> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>
> I see. That would never work in any environment I've seen, as all the
> companies and government entities I provide security for *must* be
> able to download files, including executables. Especially for M$
> updates. Users are only allowed to run approved programs, but that
> rarely ever stops today's worms/viruses. Of course, that's one reason
> why it's so important to employ a good anti-virus solution.

AV is a day late in most cases - the definition files don't come out for
the new viruses until a day after they hit the mainstream.

The updates from MS can easily be configured to pass through the
firewall - as I mentioned earlier, the blocking has exception lists and
it's easy to configure exceptions for all blocking. We run updates every
night.

If you have your block rules set up properly your people will not be
stopped from doing anything they are permitted to do, including updates,
but they will be protected from almost all of the bad files out there.
Remember, virus updates are reactionary, they don't protect you until
the virus is "known" by the vendor that provides your updates.

> Also, I'm surprised you don't update your firewalls (patches, not
> rules). I'd sleep better knowing my firewalls and the computers
> behind them were up-to-date.

Up to date and needing an update are two different things - we don't
blindly apply updates, even Windows updates, on every machine. When you
look at the update, unless it does something for your needs you don't
have to apply it. In the case of WG, there have not been any security
related updates to the firmware in a long time. Yes, they've come out
with newer revs and nicer features, but the updates don't change
anything in the security options of most of our clients' setups.

I'm sure you've seen updates, esp. from MS, cause problems - In general,
every workstation at a generic desk updates every evening. Developers
workstations update as the update is tested on a test machine. Servers
get updates after the update is tested also.

> >One more thing that we do is set "Auto block sites that attempt to
> >connect to this service" and we set rules for ports 135, 139, and 445
> >for these auto-block sites. Just another way to make sure that infected
> >machines don't get past the firewall.
>
> I'm with you there, 100%, but I go way past that. Time and rule wise.
> Almost any kind of hostile activity will immediately ban that IP
> address for roughly 3 days.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
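Leythos's two posts above describe an HTTP proxy that denies by "unsafe path pattern", allows only "safe content types", and carries an exception list so Microsoft updates still get through, while Zium's objection is that sites serving executables (updates especially) must stay reachable. The following is an added example written for this page; it is not the appliance's code and nothing in it comes from the thread. The host names, patterns and sample requests are constructed assumptions. It also makes explicit a limit neither post mentions: for HTTPS a proxy that does not terminate TLS sees only the host in the CONNECT request, so path and content-type rules cannot apply there.

```python
"""Allow/deny decisions of the kind an HTTP proxy rule makes.

Added example for this thread, not WatchGuard code. All host names and
patterns below are constructed assumptions.
"""
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Assumed exception list: hosts allowed to serve anything (update servers
# here). Every further vendor that must ship executables needs an entry,
# which is the maintenance cost Zium points at.
EXCEPTION_HOSTS = ("*.windowsupdate.com", "windowsupdate.microsoft.com",
                   "download.microsoft.com")
# Assumed "unsafe path patterns". fnmatch's '*' also spans '/', so
# "*.exe" matches at any path depth.
DENY_PATH_PATTERNS = ("*.exe", "*.scr", "*.pif", "*.bat", "*.vbs", "*.com")
# Assumed "safe content types"; anything else is denied even when the path
# looks innocent (catches an executable served as /download?id=42).
ALLOW_CONTENT_TYPES = {"text/html", "text/plain", "text/css",
                       "image/gif", "image/jpeg", "image/png",
                       "application/pdf"}


def normalize_content_type(header):
    """'Text/HTML; charset=utf-8' -> 'text/html'."""
    return header.split(";", 1)[0].strip().lower()


def decide(url, response_content_type=None):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'tunnel'.

    response_content_type is the Content-Type the origin server answered
    with. The proxy only learns it once the response arrives, which is why
    the path rule is still worth having as an early deny."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = parts.path.lower()

    if any(fnmatchcase(host, pat) for pat in EXCEPTION_HOSTS):
        return "allow", f"exception host {host}"

    if parts.scheme == "https":
        # Without TLS termination the proxy sees only CONNECT host:port;
        # the path and the content type travel inside the encrypted stream.
        return "tunnel", "TLS: path and content type not visible to the proxy"

    for pat in DENY_PATH_PATTERNS:
        if fnmatchcase(path, pat):
            return "deny", f"path matches {pat}"

    if response_content_type is None:
        return "allow", "request phase: no path match, awaiting response type"
    ctype = normalize_content_type(response_content_type)
    if ctype not in ALLOW_CONTENT_TYPES:
        return "deny", f"content type {ctype} not in allowlist"
    return "allow", f"content type {ctype} allowed"


# Constructed sample traffic (documentation host names).
SAMPLE_REQUESTS = [
    ("http://www.example.com/index.html", "text/html; charset=utf-8"),
    ("http://www.example.com/media/wmplayer.exe", "application/octet-stream"),
    ("http://www.example.com/download?id=42", "application/x-msdownload"),
    ("http://download.windowsupdate.com/msdownload/update/kb.exe",
     "application/octet-stream"),
    ("https://intranet.example.com/tools/setup.exe", None),
]


def run_sample():
    """Verdicts for SAMPLE_REQUESTS, in order."""
    return [decide(url, ctype)[0] for url, ctype in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (url, ctype), verdict in zip(SAMPLE_REQUESTS, run_sample()):
        print(f"{verdict:6} {url}")
```

The third request is the case that justifies the content-type rule: no executable name appears in the path, so only the server's declared type stops it. The last request shows the HTTPS gap; blocking executables there requires either a host-level rule or TLS interception, neither of which the path and content-type settings provide.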


Lars M. Hansen wrote:

>Some firewalls use application proxies rather than packet filters. So,
>that would make it very much a "firewall" program on the firewall.

Really? Could you provide some examples? Thank you.


Leythos wrote:

>The appliance has the proxy as one of the rules you can use - it's a
>better option than a system running a app to do it. Less chance of it
>breaking or being misconfigured - less chance of a parts failure too.

Understand that I'm not trying to be argumentative, but claiming that
an appliance has the exclusive distinction of being less likely to
fail or be misconfigured is taking great liberties with the truth.
Anything that can be configured can be misconfigured. Just because
it's "point-and-click" doesn't make it less likely to be
misconfigured. The person responsible for the configuration is the
mitigating factor here, not software. Untrained people should not
configure firewalls. Parts failure is pretty much a non-issue. Do
you run your servers on appliances? I've heard those battle cries,
and quite frankly, neither hold much water today.

>> >We've not had to update the firewalls, the rules, once in place, are
>> >something that covers all of the problems that already come up. If you
>> >block .EXE you never have to go back and update the firewall to keep
>> >users from downloading and running .EXE over HTTP/HTTPS or SMTP.
>>
>> I see. That would never work in any environment I've seen, as all the
>> companies and government entities I provide security for *must* be
>> able to download files, including executables. Especially for M$
>> updates. Users are only allowed to run approved programs, but that
>> rarely ever stops today's worms/viruses. Of course, that's one reason
>> why it's so important to employ a good anti-virus solution.
>
>AV is a day late in most cases - the definition files don't come out for
>the new viruses until a day after they hit the mainstream.

I agree, but I still use it. Don't you? Besides, it's hardly a
firewall's job to provide anti-virus solutions. Otherwise, we'd be
constantly updating our firewalls, right?

>The updates from MS can easily be configured to pass through the
>firewall - as I mentioned earlier, the blocking has exception lists and
>it's easy to configure exceptions for all blocking. We run updates every
>night.

No, you didn't mention it. You said you block .EXE. I took you at
your word. To quote your earlier post:
>For those that did select it, they would not have had a problem - we
>don't allow .exe or other types through the HTTP proxy service in the
>firewall.
And then later in the same post you said:
>If you block .EXE you never have to go back and update the firewall to keep
>users from downloading and running .EXE over HTTP/HTTPS or SMTP.
I wondered how you managed not allowing downloading .exe files. Now
you have me wondering about why you would claim "set-and-forget", yet
talk about configuring exceptions. Quite perplexing indeed. Please
understand that I'm not trying to nit-pick you to death, but you've
made some great claims, and I was wondering if I should jump ship. I'm
far from being convinced. Maybe it's just me, but I see some glaring
inconsistencies in your statements.

>If you have your block rules setup properly your people will not be
>stopped from doing anything they are permitted to do, including updates,
>but they will be protected from almost all of the bad files out there.

I couldn't agree more. But now you're straying waaaaay away from the
simple "Less chance of it breaking or being misconfigured...".
Unless, of course, your customers have simple needs when it comes to
downloading executable files. A single customer of mine may have more
than two dozen different programs on different computers and/or
servers requiring updates or patches from as many (or more) sites
and/or service providers. I guess my customer's requirements are much
different than yours. Or, maybe your appliance has a magical rule
applicator? Seriously, how would you manage without creating an
exception for each requirement?

>Remember, virus updates are reactionary, they don't protect you until
>the virus is "known" but the vendor that provides your updates.

I agree. You're preaching to the choir.

>> Also, I'm surprised you don't update your firewalls (patches, not
>> rules). I'd sleep better knowing my firewalls and the computers
>> behind them were up-to-date.
>
>Up to date and needing an update are two different things - we don't
>blindly apply updates, even Windows updates, on