I have about 8 servers in my department that I want to protect using a hardware firewall. The department needs a hardware firewall priced between 700-1000, maybe a little more. Does anyone use a hardware firewall? Which ones do you recommend?
Thanks
Andrew McCormack
*************************************************************************************
Andrew,

I don't think you'll get much firewall for your budget unless it's used.

We bought a pretty low-end one from WatchGuard (Firebox III Model 700) a couple of years ago and it was about $3000 for the hardware and the software licenses necessary to run it. Since you are running servers behind it, you probably don't want the SOHO type units that are meant to protect one or two machines. There are some ongoing costs for support, both hardware and software, that you would probably want to get to keep yourself protected, whichever one you settled on.

As someone has already pointed out to you, the number of interfaces is important. The more interfaces you have, the more flexibility you have in being able to divide up the types of machines you are trying to protect. For instance, our Firebox has 3 interfaces. One we used as the interface to the external network (i.e. Campus Network), and of the others we set up one for a "DMZ" which would have public computers behind it (e.g. web or email), and the other was for "secure" servers (SQL, File, Print) that only our office needed access to. So, the more interfaces you have, the more you can control who has access to what.

You will also need some sort of switch for each interface going "behind" the firewall so you can connect more than one computer to it. In our case we needed 2 of them.

The other things you need to consider are bandwidth and CPU speed. Obviously more of both is better, but how much can you afford? What kind of servers are you protecting and how does this affect bandwidth use? What traffic will have to go through them and how often? What bandwidth are you using now without one? (ACNS can give you an idea of that from the traffic through your router.) Do you need failover capability, or can you live with it being down for a few hours or days while you get it replaced if it fails?

We have been pricing out a new one, and the Netscreen models mentioned are going to run you much more than $1000.

You might want to check with the folks over at ACNS and see what they have to say. I've found them pretty easy to work with and they will certainly take the time to help you figure out what you need.

Scott Smith
Human Resource Information Systems
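The three-interface layout Scott describes (campus network, a DMZ for the public web/mail hosts, and a "secure" segment for SQL, file and print that only the office reaches) is really a zone policy, and the value of the extra interfaces is that the firewall can enforce it. The following is an added example, not code or configuration from either post or from WatchGuard: it models that layout as a default-deny, first-match rule table, evaluates individual flows against it, and includes a shadowing check that flags a rule an earlier, broader rule would prevent from ever matching (the usual way an intended "DMZ must not reach secure" deny silently stops working). The zone names, port numbers and rules are this example's assumptions, not the Firebox configuration described above.

```python
"""Three-zone firewall policy model (added example, constructed data).

Zones and rules below are assumptions chosen to illustrate the
external / DMZ / secure layout discussed in the thread; they are not
the poster's actual WatchGuard configuration.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str             # source zone name, or "any"
    dst: str             # destination zone name, or "any"
    proto: str           # "tcp", "udp", or "any"
    ports: frozenset     # destination ports; empty set means any port
    action: str          # "allow" or "deny"

    def matches(self, src: str, dst: str, proto: str, port: int) -> bool:
        """True if this rule applies to the given flow."""
        return ((self.src == "any" or self.src == src)
                and (self.dst == "any" or self.dst == dst)
                and (self.proto == "any" or self.proto == proto)
                and (not self.ports or port in self.ports))

    def covers(self, other: "Rule") -> bool:
        """True if every flow `other` could match is already matched by self."""
        return ((self.src == "any" or self.src == other.src)
                and (self.dst == "any" or self.dst == other.dst)
                and (self.proto == "any" or self.proto == other.proto)
                and (not self.ports or (bool(other.ports)
                                        and other.ports <= self.ports)))


def rule(src, dst, proto="any", ports=(), action="allow") -> Rule:
    return Rule(src, dst, proto, frozenset(ports), action)


# Constructed policy for the three interfaces. First match wins; a flow
# that matches nothing is dropped (default deny), so only the allows and
# the one deny that documents intent need to be written down.
POLICY: List[Rule] = [
    # Campus/Internet may reach the public servers on the DMZ, nothing else.
    rule("external", "dmz", "tcp", {25, 80, 443}),
    # The DMZ mail host may deliver mail outward.
    rule("dmz", "external", "tcp", {25}),
    # Office machines on the secure segment may use the public servers
    # and reach the outside; their own SQL/file/print hosts sit beside
    # them, so that traffic never crosses the firewall at all.
    rule("secure", "dmz", "tcp", {25, 80, 443}),
    rule("secure", "external"),
    # A compromised DMZ host must never pivot into the secure segment.
    # Default deny already does this; the explicit rule makes the intent
    # visible and lets the shadowing check below protect it.
    rule("dmz", "secure", action="deny"),
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str,
             port: int) -> Tuple[str, Optional[Rule]]:
    """Return (action, matching rule) for one flow; (\"deny\", None) if none matched."""
    for r in policy:
        if r.matches(src, dst, proto, port):
            return r.action, r
    return "deny", None


def permitted(src: str, dst: str, proto: str, port: int,
              policy: List[Rule] = POLICY) -> bool:
    return evaluate(policy, src, dst, proto, port)[0] == "allow"


def shadowed(policy: List[Rule]) -> List[Tuple[int, int]]:
    """List (shadowed_index, covering_index) pairs: rules that can never fire
    because an earlier rule already matches everything they would."""
    found = []
    for i, later in enumerate(policy):
        for j in range(i):
            if policy[j].covers(later):
                found.append((i, j))
                break
    return found


if __name__ == "__main__":
    probes = [("external", "dmz", "tcp", 443), ("external", "secure", "tcp", 1433),
              ("dmz", "secure", "tcp", 445), ("secure", "external", "udp", 53)]
    for flow in probes:
        action, r = evaluate(POLICY, *flow)
        print(f"{flow[0]:>8} -> {flow[1]:<8} {flow[2]}/{flow[3]:<5} {action:5} "
              f"({'default' if r is None else r})")
    print("shadowed rules:", shadowed(POLICY))
```

The shadowing check is the part worth keeping when translating this into a real ruleset: add a permissive `any -> secure` allow above the DMZ deny and `shadowed()` reports it, which is exactly the mistake that quietly turns a three-zone design back into a flat network.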