Subject: Which Firewalls are suitable for protecting 5 webservers at a datacentre
Category: Computers > Security
Asked by: jonhalton-ga
List Price: $100.00
Posted: 26 Jun 2004 10:46 PDT
Expires: 26 Jul 2004 10:46 PDT
Question ID: 366678

Which firewalls are suitable for protecting 5 webservers (Windows and Linux) co-located at a datacentre (connected to a Cisco 2950 switch)? I am interested in finding info on suitable software and hardware firewalls. I would like to know the models and manufacturer and costs, along with reasons why they are suitable for this type of application.

Subject: Re: Which Firewalls are suitable for protecting 5 webservers at a datacentre
Answered By: tox-ga on 30 Jun 2004 00:24 PDT
jonhalton-ga,

Before I start, I would just like you to know that I am willing to work until you are completely satisfied with the answer. If you have any questions, feel free to request clarification.

Based on the parameters of your configuration, I consulted a CCIE (Cisco Certified Internetwork Expert) and I have determined that there are three possible configurations for your setup. In order from most to least optimal: placing a firewall between the switch and the outside world; placing a firewall between your servers, using a software firewall on each server; and placing a firewall between your servers and the switch.

As a general note, hardware firewalls tend to be much better at protecting web server configurations than software, as many provide protection against SYN attacks, have SMTP and HTTP fixup protocols, etc., which software firewalls do not.

The first option is the most common configuration in the business/web hosting world. Firewalls are designed to facilitate huge volumes of traffic through a few ports. The firewalls that I list should easily be able to handle the traffic to five webservers. This solution is probably the easiest to configure and maintain, and is probably the least expensive of the hardware solutions. An alternative to this solution (if you have no control over what occurs after the switch) would be to connect the servers to a high throughput hub (which is essentially a switch) which feeds into the firewall. With this solution, the firewall does not necessarily require 5 ports. In fact, it really only requires 1. (Solution #1)

The second option, software, is probably not so great for your setup since you have a mix of Linux and Windows computers. This requires licensing two different pieces of software, which is more expensive than volume licensing a single piece. Also, this implies that there will be two different interfaces which may not be compatible. And just because you've patched a security hole for one piece of software does not mean that the other piece doesn't have the same hole still exposed. This solution will probably be the most difficult to maintain, but will be cheaper than any hardware solution. (Solution #2)

The last option functions in a way similar to solution #1 and is recommended if you do not have control over what happens after the switch. Both hardware solutions work easily with both Linux and Windows, though most of the configuration software (if it has configuration software) is meant for Windows. (Solution #3)

Below, I have outlined the companies providing the software/hardware, as well as a selection of software/hardware for each solution, along with my recommendation.

##############################
# Solution Provider Overview #
##############################

Cisco Systems
-------------
Cisco Systems is probably your best bet if you are going for reliability and product support. This may sound like bias coming from a CCIE, but it is true. The amount of literature available on configuring their PIX firewalls is truly staggering (http://www.net-security.org/review.php?id=27, http://www.pcstats.com/articleview.cfm?articleID=963, http://www.enterprisenetworksandservers.com/cp/art.php/1587200678). The benefit of this is that you can become an expert on your security systems, instead of relying on a third party to configure and maintain your system setup. Cisco also releases frequent product updates, white papers, firmware upgrades and technical documentation to further ensure that you and your firewall are updated on new security developments. Offers 24x7 technical support and is the mainstay of many business/enterprise IT departments.

Symantec
--------
Symantec is a big developer of the software side of firewalls, though they do offer high end hardware firewall appliances. Better known for their personal/home software development.

SonicWALL
---------
SonicWALL is a dedicated internet security provider and has many of its firewalls featured by PC Magazine (http://www.pcmag.co.uk/Products/Hardware/1153768), Network World, and SC Magazine. They have half a million units in use worldwide in many industries including SOHO, SMB, enterprise VPN, service providers, retail/point-of-sale, education, healthcare, and government. Offers 24x7 technical support.

3Com
----
A solid company in terms of price, support and hardware.

Trustix
-------
Trustix provides commercial Linux business solutions, including security, web serving, anti-virus and more. They have a long list of high profile partners and customers including Shell, IBM, Toshiba, and many universities (http://trustix.com/partners/index.html).

###############
# Solution #1 #
###############

PIX 501 Firewall (Recommended)
------------------------------
Website: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps2031/index.html
Manufacturer: Cisco Systems
Price: $300-$500 (http://www.dealtime.com/xPC-Cisco_PIX_Firewall_501_PIX_501_BUN_K9)
Ports: 4 (10/100 Mbps)
Throughput: 100 Mbps
Comments: Designed for small offices, the throughput on this firewall is decent and should be enough for your configuration. Some users have commented that the command line interface is slightly difficult to get used to, but the large amount of literature and technical support available should easily alleviate this problem.
Features: http://www.dealtime.com/xPF-Cisco_PIX_Firewall_501_PIX_501_BUN_K9
Its data sheet can be found at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b18.html

Model 100 Firewall
------------------
Website: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=63&EID=0
Manufacturer: Symantec
Price: $300-$400 (http://www.dealtime.com/xPO-Symantec_Firewall_VPN_100_16_00_00078#fulldesc)
Ports: 4 (10/100 Mbps)
Throughput: 100 Mbps
Comments: Recommended by PC Magazine but deemed only decent by some users (http://www.dealtime.com/xPO-Symantec_Firewall_VPN_100_16_00_00078#fulldesc). Symantec has had problems with technical support. However, their firewall appliances are quite inexpensive and if you're looking primarily at price, the 100 Firewall may be for you.
Its fact sheet can be found at http://enterprisesecurity.symantec.com/content/displaypdf.cfm?pdfid=82.

Office Connect VPN Firewall
---------------------------
Website: http://www.3com.com/products/en_US/detail.jsp?tab=features&sku=3CR870-95&pathtype=purchase
Manufacturer: 3Com
Price: ~$300 (http://www.dealtime.com/xPO-3Com_OfficeConnect_VPN)
Ports: 4 (10/100 Mbps)
Throughput: 100 Mbps
Comments: Like their company, a good investment, though I would recommend going with the PIX firewall.
Its data sheet can be found at http://www.3com.com/products/en_US/detail.jsp?tab=prodspec&sku=3CR870-95&pathtype=purchase

SuperStack 3 Firewall
---------------------
Website: http://www.3com.com/products/en_US/detail.jsp?tab=features&pathtype=purchase&sku=3CR16110-95-US
Manufacturer: 3Com
Price: ~$2500-$3500 (http://www.dealtime.com/xFS?FN=Firewalls&KW=superstack+3&FD=96288)
Ports: 3 (10/100 Mbps)
Throughput: 190 Mbps
Comments: Provides the highest throughput for firewalls in this solution category, required if you have large amounts of data being transferred. This higher end firewall also includes dual security zones, as well as highly flexible bandwidth control.
Its data sheet can be found at http://www.3com.com/products/en_US/detail.jsp?tab=prodspec&sku=3CR16110-95-US&pathtype=purchase

###############
# Solution #2 #
###############

Trustix Enterprise Firewall (Recommended)
-----------------------------------------
Website: http://firewall.trustix.com/small/
Manufacturer: Trustix
Price: $270
O/S: Linux
Trial Download: https://secure.comodo.net/products/LicenceSignup1a
Comments: Once again, one of the few commercial applications available on Linux. If you are brave, you can also check out Linux Firewalls (http://www.amazon.com/exec/obidos/tg/detail/-/0735710996/102-2624187-6192141?v=glance) to learn how you can manually set up your own firewall on your Linux systems.

Kerio WinRoute Firewall 6 (Recommended)
---------------------------------------
Website: http://www.kerio.com/kwf_home.html
Manufacturer: Kerio
Price: $399 ($99 for subscription)
O/S: Windows
Trial Download: http://www.kerio.com/kwf_download.html
Comments: An excellent Windows firewall with many features from a dedicated company. It has garnered excellent reviews (http://www.kerio.com/kwf_reviews.html).

Symantec Enterprise Firewall
----------------------------
Website: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&EID=0
Manufacturer: Symantec
Price: $21 (http://shop.soft32.com/buy-B0001YXWP0-AsinSearch-us.html)
O/S: Windows
Comments: Symantec provides an inexpensive and easy to set up solution. Much more information can be found at http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&EID=0.

###############
# Solution #3 #
###############

TZ 170 Firewall (Recommended)
-----------------------------
Website: http://www.sonicwall.com/products/tz170.html#features
Manufacturer: SonicWALL
Price: $300-$800 (http://www.dealtime.com/xFS?FN=Firewalls&KW=TZ+170&FD=96288)
Ports: 5 (10/100 Mbps)
Throughput: 90 Mbps
Comments: An inexpensive firewall appliance which has received excellent reviews (http://www.pcmag.co.uk/Products/Hardware/1153768). Designed for lower bandwidth systems and small companies, it features a simple and intuitive interface for fast setup.
Its data sheet can be found at http://www.sonicwall.com/services/pdfs/DS_0304_TZ170.pdf.

Model 200R Firewall (Recommended)
---------------------------------
Website: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=63&EID=0
Manufacturer: Symantec
Price: $800 (http://www.pcmag.com/article2/0,1759,9781,00.asp)
Ports: 8 (10/100 Mbps)
Throughput: 100 Mbps
Comments: This model has received rave reviews at PC Magazine (http://www.pcmag.com/article2/0,1759,9781,00.asp), which has also provided the excellent advice of purchasing the Symantec Firewall CPN 200 instead of the VPN to save money on the VPN software (which is not compatible with Linux). Unlike other firewalls, it also features load balancing. Configuration is easily done through a web interface.
Its fact sheet can be found at http://enterprisesecurity.symantec.com/content/displaypdf.cfm?pdfid=82.

PIX 515E Firewall
-----------------
Website: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/ps4094/index.html
Manufacturer: Cisco Systems
Price: ~$5000 (http://www.dealtime.com/xFS?KW=Cisco+PIX+515&FN=Firewalls&FD=96288)
Ports: 6 (10/100 Mbps)
Throughput: 188 Mbps
Comments: Cisco hardware tends to be fairly expensive, though many have found that it is well worth the investment. Designed for medium to small businesses, choose this firewall if you have a fair amount of traffic to your servers.
Its data sheet can be found at http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_data_sheet09186a0080091b15.html.

I hope you find this information useful. If you have any questions, feel free to post a request for clarification.

Cheers,
Tox-ga
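Constructed example, added here and not part of tox-ga's answer: a host-based ruleset for one of the Linux web servers under Solution #2 (a software firewall on each server), including the SYN rate limiting the answer attributes to hardware appliances. ADMIN_NET, the SYN rate and the burst size are assumed placeholder values.

```shell
#!/bin/sh
# Constructed example: host firewall for one Linux web server (Solution #2 style,
# a software firewall on each server). Not from the original thread.
# Assumptions (placeholders): ADMIN_NET is the only range allowed to reach SSH;
# the SYN rate and burst are illustrative and should be tuned to real traffic.
set -eu

ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"   # placeholder: RFC 5737 documentation range
SYN_RATE="${SYN_RATE:-50/second}"
SYN_BURST="${SYN_BURST:-100}"

# Print an iptables-restore ruleset. Inbound defaults to DROP; only web ports are
# open to the world, SSH is limited to ADMIN_NET, and every new TCP connection
# (SYN) passes through a rate-limit chain before any port rule is consulted.
build_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:SYN_FLOOD - [0:0]
# SYN_FLOOD: SYNs within the rate return to INPUT for normal port checks; the rest are discarded
-A SYN_FLOOD -m limit --limit $SYN_RATE --limit-burst $SYN_BURST -j RETURN
-A SYN_FLOOD -j DROP
# loopback and replies to connections the server itself initiated
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# every new TCP connection attempt is rate-checked first
-A INPUT -p tcp --syn -j SYN_FLOOD
# the web service itself
-A INPUT -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# remote administration only from the admin range
-A INPUT -s $ADMIN_NET -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# rate-limited ping so monitoring still works
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second -j ACCEPT
COMMIT
EOF
}

# Sanity-check a ruleset read from stdin before loading it: inbound policy must be
# DROP, the web rule must exist, the SYN chain must end in DROP and the table must
# be committed. Returns 0 when all checks pass, 1 otherwise.
check_rules() {
    rules="$(cat)"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- '--dports 80,443' || return 1
    printf '%s\n' "$rules" | grep -q '^-A SYN_FLOOD -j DROP' || return 1
    printf '%s\n' "$rules" | grep -q '^COMMIT' || return 1
    return 0
}

# Load the ruleset atomically when running as root with iptables-restore
# available; otherwise print what would have been loaded (dry run).
apply_rules() {
    if command -v iptables-restore >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
        build_rules | iptables-restore
    else
        echo "dry run (not root or iptables-restore missing); ruleset follows:" >&2
        build_rules
    fi
}

if [ "${1:-}" = "--apply" ]; then
    build_rules | check_rules && apply_rules
fi
```

Run it with `--apply` on the server to load the rules; without the flag it only defines the functions, so the ruleset can be inspected with `build_rules` first.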

Subject: Re: Which Firewalls are suitable for protecting 5 webservers at a datacentre
From: forgey-ga on 30 Jun 2004 07:57 PDT

Lots and lots of information there, but some of it is incorrect. A hardware firewall is generally the best form of security currently, but many of the reasons that are given (http fixup protocols etc.) are also available in many software based firewalls.

Pix are horrible. They are disgusting to install/configure and are more switch based than firewall based. I would never recommend using a Pix, go with another firewall vendor if at all possible.

My recommendations are:

A Nokia appliance, a good easy to manage appliance that is based on Checkpoint Firewall-1 (the leading firewall product) and has appliances sized for very large enterprise customers right down to small business customers that are about your size. http://www.nokia.com/downloads/networks/security_products/NOK_FW_VPN_APP.pdf

If you'd prefer having a server based system I would suggest going with either:

Checkpoint Firewall-1 running on a server OS that you are comfortable administering (will run on Windows, Unix or Linux). www.checkpoint.com for more information.

Or Symantec Enterprise Firewall (previously known as Raptor). I am not a huge fan of Raptor, but it is a great firewall for small to medium businesses, is easy to manage and provides many of the 'hardware' type advantages like an HTTP/SMTP fixup protocol: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=47&EID=0

Symantec also has an appliance based box, but I have never used it so I can't comment on it: http://www.symantec.com/smallbiz/gtw/

This is not a complete list of the best firewall technologies, but for a small business/small network these are your best options. Your choice should also be based on who will be installing/managing the system. If you are going to do it yourself then make sure you get a little training beforehand on whatever system you choose to go with. If someone else will be installing/managing it then I'd find out what firewall systems they are already comfortable managing and go with one of those systems. A firewall is only as good as the person managing it.

Again, stay away from Pix! :)

Subject: Re: Which Firewalls are suitable for protecting 5 webservers at a datacentre
From: 98point6-ga on 30 Jun 2004 11:26 PDT

The researcher has not bothered to check for security problems inherent in Cisco PIX firewalls. Google lists thousands of credible tech news reports documenting the security flaws, holes and problems that have plagued this product for years. http://www.google.com/search?q=pix+firewall+flaws

The Nokia appliance, good. Symantec's enterprise firewall, good. PIX, very bad.

Subject: Re: Which Firewalls are suitable for protecting 5 webservers at a datacentre
From: forgey-ga on 30 Jun 2004 12:12 PDT

CCIE != Security expert. They need to know some security related information, but it is mainly focused on Cisco and the core of the CCIE is network related.

Having worked with many firewall systems in large scale enterprise environments I can tell you that Pix are not a pretty firewall to work with. They have all the functionality of other firewalls but are much more difficult to manage. This is personal experience as a security consultant and firewall administrator. I will always recommend against Pix given the choice for another equal or better firewall platform, and there are definitely better platforms available for business firewalls.

I am not sure I understand your point about a software firewall not being appropriate for a network of 5 computers? It is more than adequate, offers great security and ease of management. I know some very large enterprise customers with thousands of servers that are running on software based firewall structures. This is a false statement. Hardware firewalls are preferred, software firewalls offer similar security, but less robust high availability and definitely less performance.

If I am ever going to recommend a firewall it is going to be a Netscreen from Juniper Networks. Hands down the best firewall out right now for performance, security and manageability. It also has some excellent High Availability components that are second to none.

Subject: Re: Which Firewalls are suitable for protecting 5 webservers at a datacentre
From: crypt0-ga on 11 Aug 2004 13:51 PDT

Folks, I am actually stunned by the product specific approach being taken here. While all of the firewalls mentioned have their place, there seems to be little time and investment made in looking at issues outside of simple brand loyalty. I have to admit I am as biased about firewalls as most people but we all have our reasons - some people just drink the corporate lemonade.

Given the minimal information you have been able to provide (understandable seeing as you would not want to give too much away about your environment) I would strongly suggest you consider an application proxy firewall; there are not too many good ones around, however consider the following when looking for a suitable solution:

Security history - the E-Secure-IT database holds a complete record of all firewall exploits, vulnerabilities, issues and updates for the last few years, if you want to establish which firewall is going to give you the biggest headaches, have the most security issues, cause you to spend the most time patching and updating, and basically give you a poor cost of ownership for the money you initially spend. A high maintenance firewall is going to potentially impact a datacenter more than one that requires minimal manual intervention. If you want to see the security history of any product, get a free trial which will allow you full database access for up to a month; you will then know which products are going to keep costing you in terms of time and money after you have purchased them! It's also an early warning database, and serves to keep you ahead of emerging security issues.

Price - you are securing a datacenter with multiple internal servers, don't buy a cheap firewall as you will get what you pay for :) If you must spend a few hundred on a PIX for example, use it as part of a multi-layered solution which sits between your external router and your primary firewall, which should be from another vendor (not anti-PIX specifically here, but suggesting that two different firewall product architectures will give a multi-layered approach to your security; many organisations use a combination of PIX and Checkpoint for example). Having said 'don't spend too little', I should also state 'don't spend too much'; there are too many firewalls that cost an arm and a leg for doing what all the other firewalls are already doing. Be aware that paying a lot of money is not necessarily going to get you the best product for your needs; paying for the badge or the brand name can inflate the cost of certain well known firewalls when they are in fact no more functional or feature rich than firewalls half the price!

Functionality - securing multiple internal servers requires an APPLIANCE based approach, full stop. Preferably a platform agnostic appliance such as Borderware Firewall Servers (www.borderware.com), running their own proprietary OS which means there are no publicly available exploits or known vulnerabilities at this time. Unlike Windows, Unix, Linux, Cisco IOS etc., who all have a long list of security offences that would make any security manager looking for a new solution quiver if they were worth their salt (or salary). In short, go with hardware, application proxy, proprietary OS etc. One final issue in this area: certain firewalls can also act as embedded servers (DNS, FTP, Web, SMTP, NTP etc.); this can take some of the security worry from the Linux and Windows based servers that you are currently using and can free them up for other uses.

Certification - OK, I'll declare my bias here :) There is only one firewall to achieve Common Criteria EAL4+ TWICE, and with EAL5 for security vulnerability analysis: Borderware. Common Criteria certifications are based on international agreements and should be given serious consideration when reviewing firewall candidates. The Borderware MXtreme Mail Firewall is also the only EAL4+ mail gateway and security appliance in the world, so should you wish to separate out your mail security to protect against blended mail threats, MXtreme will handle ALL mail security issues for you. Government and Military tend to lean towards this; no reason why a datacenter shouldn't have the same benefits. Both Checkpoint and PIX, and I believe Sidewinder, have EAL4 certifications as well; only Borderware has the certifications without any disclaimers or limitations. (I believe PIX has EAL4 if it's not using NAT.)

Best Fit - having said all this, you need to go into your specific requirements and get each major vendor to submit a proposal as to how they will meet the requirements of your environment. What do you want it to do? How much time and money do you want to spend patching, updating, and manually intervening? Does the product have an automated patch and update system? Does the application proxy have a stateful failover and HALO option? (most good firewalls do) Another very important question is 'do you need a certification to manage this firewall, or can it be managed remotely?' If the answer to both is yes, you will be spending more money, so look at the firewalls that you don't need to sit an expensive course to be able to administer. Give yourself a choice of interface; some firewalls allow you to either go straight to the command line or use a Windows type GUI. I prefer the latter but that's just me.

To recap, look at security history so that you know what you may be in for; price is important, and if the business case is satisfactory you shouldn't have a problem with the funding - if you are using a firewall already, see which vendor is going to give you a competitive swapout discount. Protect your commercial and well known OSes with a 'blank' or proprietary OS gateway, e.g. one that can't be recognised, and make sure you use an appliance based solution.

Well, now I have possibly opened the lid a little further on this can of worms. I hope this has been helpful, but as a serious question, you deserve an answer that will benefit you the most - I stand to benefit nothing from this advice but I hate to see people influenced by well known brand names or perceived market share.