Alfred Kernaghan | 3 May 2012 16:21

Fwd: Information Request: Firewall Kit



---------- Forwarded message ----------
From: Alfred Kernaghan <alfakern <at> gmail.com>
Date: Thu, May 3, 2012 at 3:20 PM
Subject: Information Request: Firewall Kit
To: gllug <at> gllugg.org.uk


Hey all,

I'm looking after 4 racks of servers in London; up until now they've just been locked down as much as possible individually, using iptables on each machine (and blocking/removing public interfaces where they're not strictly necessary). We're in a bit of upheaval at the moment due to going for PCI compliance and improved security, so I'm securing/segmenting the network as it stands. As opposed to a central software-based firewall, the company's opted to go down the hardware route and get a full-fledged firewall.

I don't have a lot of experience with hardware/dedicated firewall appliances, but I've had recommendations for a few different brands: Cisco, Checkpoint, Watchguard and Barracuda. As you'd all know, attempts to ask our vendor or Google for recommendations have been relatively fruitless, in that I feel I'm getting up-sold (as much as possible) on very biased recommendations!

Our requirements aren't huge: it's for a moderate- to high-use UK website (runs along happily at ~12 Mbps on our burstable pipe 99% of the time) and will simply need to firewall between 3 internal VLANs (1x DMZ and 2x private).

It's not really money-dependent; I just want to get something recommended by someone in the industry who's not in it just for a kickback, and that will support our simple requirements, with room for growth of course.

Could anyone shed any light on any of the above vendors, or recommend anyone else? (I'm completely open to ideas.) As a base, I've been looking so far at the Watchguard XTM 3 or 5 series and the equivalent model(s) from Barracuda Networks.


Cheers, and thanks in advance

Kerno

--
Gllug mailing list  -  Gllug <at> gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug
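The post describes the topology (one DMZ VLAN and two private VLANs behind a central firewall) but not the policy between them. As an added example that is not from the thread, the Python below models a default-deny segmentation policy for that layout, evaluates sample flows against it, and renders the same policy as stateful iptables FORWARD rules. The zone names, subnets and permitted ports are assumptions.

```python
"""Default-deny inter-VLAN policy for one DMZ and two private VLANs (added example)."""
import ipaddress

INTERNAL = ipaddress.ip_network("10.10.0.0/16")   # assumed supernet of all VLANs
ZONES = {                                         # assumed VLAN subnets
    "dmz": ipaddress.ip_network("10.10.1.0/24"),
    "priv_app": ipaddress.ip_network("10.10.2.0/24"),
    "priv_corp": ipaddress.ip_network("10.10.3.0/24"),
}

# First-match policy: (src_zone, dst_zone, proto, dport, action). A new flow that
# matches no rule is dropped, so the DMZ can never open a connection into either
# private VLAN and the two private VLANs cannot reach each other.
POLICY = [
    ("internet", "dmz", "tcp", 80, "ACCEPT"),     # public web site
    ("internet", "dmz", "tcp", 443, "ACCEPT"),
    ("dmz", "priv_app", "tcp", 3306, "ACCEPT"),   # web tier -> database tier only
    ("priv_corp", "dmz", "tcp", 22, "ACCEPT"),    # admin SSH from the corporate LAN
    ("priv_corp", "priv_app", "tcp", 22, "ACCEPT"),
]

def zone_of(addr):
    """Map an address to its zone; internal space outside any VLAN matches nothing."""
    ip = ipaddress.ip_address(addr)
    if ip not in INTERNAL:
        return "internet"
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "unassigned"

def decide(src, dst, proto, dport):
    """Return ACCEPT or DROP for a new connection src -> dst:dport (first match wins)."""
    key = (zone_of(src), zone_of(dst), proto, dport)
    for rule in POLICY:
        if rule[:4] == key:
            return rule[4]
    return "DROP"

def iptables_rules():
    """Render the same policy as stateful iptables FORWARD rules with a DROP default."""
    lines = ["iptables -P FORWARD DROP",
             "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"]
    for rs, rd, rp, rport, action in POLICY:
        # "internet" is anything outside the internal supernet, so negate it
        src = f"-s {ZONES[rs]} " if rs in ZONES else f"! -s {INTERNAL} "
        dst = f"-d {ZONES[rd]} " if rd in ZONES else f"! -d {INTERNAL} "
        lines.append(f"iptables -A FORWARD {src}{dst}-p {rp} --dport {rport} "
                     f"-m conntrack --ctstate NEW -j {action}")
    return lines
```

Running `decide()` over the flows you expect to see is a cheap way to check the policy matrix before it is loaded into whatever appliance is chosen.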
James Courtier-Dutton | 3 May 2012 21:03

Re: Fwd: Information Request: Firewall Kit

On 3 May 2012 15:21, Alfred Kernaghan <alfakern <at> gmail.com> wrote:
>
>
> ---------- Forwarded message ----------
> From: Alfred Kernaghan <alfakern <at> gmail.com>
> Date: Thu, May 3, 2012 at 3:20 PM
> Subject: Information Request: Firewall Kit
> To: gllug <at> gllugg.org.uk
>
>
> Hey all,
>
> I'm looking after 4 racks of servers in London; up until now they've just
> been locked down as much as possible individually, using iptables on each
> machine (and blocking/removing public interfaces where they're not strictly
> necessary). We're in a bit of upheaval at the moment due to going for PCI
> compliance and improved security, so I'm securing/segmenting the network as
> it stands. As opposed to a central software-based firewall, the company's
> opted to go down the hardware route and get a full-fledged firewall.
>
> I don't have a lot of experience with hardware/dedicated firewall
> appliances, but I've had recommendations for a few different brands: Cisco,
> Checkpoint, Watchguard and Barracuda. As you'd all know, attempts to ask
> our vendor or Google for recommendations have been relatively fruitless, in
> that I feel I'm getting up-sold (as much as possible) on very biased
> recommendations!
>
> Our requirements aren't huge: it's for a moderate- to high-use UK website
> (runs along happily at ~12 Mbps on our burstable pipe 99% of the time) and
> will simply need to firewall between 3 internal VLANs (1x DMZ and 2x
> private).
>
> It's not really money-dependent; I just want to get something recommended by
> someone in the industry who's not in it just for a kickback, and that will
> support our simple requirements, with room for growth of course.
>
> Could anyone shed any light on any of the above vendors, or recommend anyone
> else? (I'm completely open to ideas.) As a base, I've been looking so far at
> the Watchguard XTM 3 or 5 series and the equivalent model(s) from Barracuda
> Networks.
>

I would go for any firewall that is EAL4+ approved.
Various ones are listed on the CESG (part of GCHQ) web site.
http://www.cesg.gov.uk/finda/Pages/CCITSECSearch.aspx
http://www.cesg.gov.uk/finda/Pages/CCITSECResults.aspx?post=1&type=Firewall&status=Certified&sort=name
http://www.cesg.gov.uk/publications/Documents/directory.pdf

I have seen CyberGuard firewalls used a lot, and they seem to work
well and are easy to use.

Kind Regards

James

Andy Millar | 3 May 2012 23:26

Re: Fwd: Information Request: Firewall Kit

> > I don't have a lot of experience with hardware/dedicated firewall
> > appliances, but I've had recommendations for a few different brands:
> > Cisco, Checkpoint, Watchguard and Barracuda. As you'd all know,
> > attempts to ask our vendor or Google for recommendations have been
> > relatively fruitless, in that I feel I'm getting up-sold (as much as
> > possible) on very biased recommendations!

The Juniper ISG1000 is a reasonable firewall, and I find ScreenOS really easy to use.

Be careful about buying an under-powered firewall if you're doing inter-VLAN routing on your internal
network.

Andy

Chris Bell | 3 May 2012 22:02

Re: Fwd: Information Request: Firewall Kit

On Thu 03 May, Alfred Kernaghan wrote:

> Could anyone shed any light on any of the above vendors, or recommend
> anyone else? (I'm completely open to ideas.) As a base, I've been looking
> so far at the Watchguard XTM 3 or 5 series and the equivalent model(s) from
> Barracuda Networks.

www.ipcop.org works well

-- 
Chris Bell www.chrisbell.org.uk
Microsoft sells you Windows ... Linux gives you the whole house.


Caparo | 3 May 2012 23:47

Re: Fwd: Information Request: Firewall Kit

On Thursday 03 May 2012 15:21:09 Alfred Kernaghan wrote:
> ---------- Forwarded message ----------
> From: Alfred Kernaghan <alfakern <at> gmail.com>
> Date: Thu, May 3, 2012 at 3:20 PM
> Subject: Information Request: Firewall Kit
> To: gllug <at> gllugg.org.uk
>
>
> Hey all,
>
> I'm looking after 4 racks of servers in London; up until now they've just
> been locked down as much as possible individually, using iptables on each
> machine (and blocking/removing public interfaces where they're not strictly
> necessary). We're in a bit of upheaval at the moment due to going for PCI
> compliance and improved security, so I'm securing/segmenting the network as
> it stands. As opposed to a central software-based firewall, the company's
> opted to go down the hardware route and get a full-fledged firewall.
>
> I don't have a lot of experience with hardware/dedicated firewall
> appliances, but I've had recommendations for a few different brands: Cisco,
> Checkpoint, Watchguard and Barracuda. As you'd all know, attempts to ask
> our vendor or Google for recommendations have been relatively fruitless, in
> that I feel I'm getting up-sold (as much as possible) on very biased
> recommendations!
>
> Our requirements aren't huge: it's for a moderate- to high-use UK website
> (runs along happily at ~12 Mbps on our burstable pipe 99% of the time) and
> will simply need to firewall between 3 internal VLANs (1x DMZ and 2x
> private).
>
> It's not really money-dependent; I just want to get something recommended
> by someone in the industry who's not in it just for a kickback, and that will
> support our simple requirements, with room for growth of course.
>
> Could anyone shed any light on any of the above vendors, or recommend
> anyone else? (I'm completely open to ideas.) As a base, I've been looking
> so far at the Watchguard XTM 3 or 5 series and the equivalent model(s) from
> Barracuda Networks.
>
>
> Cheers, and thanks in advance
>
> Kerno

One word IPcop.

-- 
TTFN
   Caparo.


Andy Millar | 3 May 2012 23:49

Re: Fwd: Information Request: Firewall Kit

> 
> One word IPcop.
> 

This sounds like an auditor-placating exercise.

IPcop isn't going to fly; you're pretty much stuck with the "industry leading" Cisco or Juniper.

Andy

Chanka Perera | 5 May 2012 07:53

Re: Fwd: Information Request: Firewall Kit



On Thu, May 3, 2012 at 10:49 PM, Andy Millar <andy <at> andymillar.co.uk> wrote:
> >
> > One word IPcop.
> >
>
> This sounds like an auditor-placating exercise.
>
> IPcop isn't going to fly; you're pretty much stuck with the "industry leading" Cisco or Juniper.

+1. I think the best bet is to look at Cisco, Checkpoint & NetScreen to get PCI compliance.

Cheers!
Chanka

Keith Edmunds | 3 May 2012 23:59

Re: Fwd: Information Request: Firewall Kit

> One word IPcop.

One word? Probably not necessary to quote the entire preceding 272, then...
-- 
"You can have everything in life you want if you help enough other people
get what they want" - Zig Ziglar. 

Who did you help today?

tid | 4 May 2012 12:20

Re: Fwd: Information Request: Firewall Kit

I've used Vyatta in the past; they front-end iptables with a
Cisco/Juniper-like interface.

James Courtier-Dutton | 4 May 2012 23:27

Re: Fwd: Information Request: Firewall Kit

On 3 May 2012 15:21, Alfred Kernaghan <alfakern <at> gmail.com> wrote:
>
>
> ---------- Forwarded message ----------
> From: Alfred Kernaghan <alfakern <at> gmail.com>
> Date: Thu, May 3, 2012 at 3:20 PM
> Subject: Information Request: Firewall Kit
> To: gllug <at> gllugg.org.uk
>
>
> Hey all,
>
> I'm looking after 4 racks of servers in London; up until now they've just
> been locked down as much as possible individually, using iptables on each
> machine (and blocking/removing public interfaces where they're not strictly
> necessary). We're in a bit of upheaval at the moment due to going for PCI
> compliance and improved security, so I'm securing/segmenting the network as
> it stands. As opposed to a central software-based firewall, the company's
> opted to go down the hardware route and get a full-fledged firewall.
>
> I don't have a lot of experience with hardware/dedicated firewall
> appliances, but I've had recommendations for a few different brands: Cisco,
> Checkpoint, Watchguard and Barracuda. As you'd all know, attempts to ask
> our vendor or Google for recommendations have been relatively fruitless, in
> that I feel I'm getting up-sold (as much as possible) on very biased
> recommendations!
>
> Our requirements aren't huge: it's for a moderate- to high-use UK website
> (runs along happily at ~12 Mbps on our burstable pipe 99% of the time) and
> will simply need to firewall between 3 internal VLANs (1x DMZ and 2x
> private).
>
> It's not really money-dependent; I just want to get something recommended by
> someone in the industry who's not in it just for a kickback, and that will
> support our simple requirements, with room for growth of course.
>
> Could anyone shed any light on any of the above vendors, or recommend anyone
> else? (I'm completely open to ideas.) As a base, I've been looking so far at
> the Watchguard XTM 3 or 5 series and the equivalent model(s) from Barracuda
> Networks.
>

"PCI compliance" is actually quite difficult to get right.
I would be surprised if some open source firewall were enough.
That is why I suggested EAL4+ firewalls.
For projects I have worked on, PCI compliance has added millions to the
cost of the project.
For those, PCI compliance was required due to the processing of
Visa cards on a web site, and the associated personal data and the
required security assurance around it.
Do not underestimate the cost of PCI compliance.
Most of the time it is cheaper to use a PCI-compliant third party to
handle the Visa card payments.
