Hello,
I must also put my bid in for Watchguard. I got to set one up at my
last job (a Firebox II). It has a decent Windows GUI (it, too, is a
Linux box, just already set up). Logging tools are pretty good, VPN is
available and pretty snappy, etc. It talks PPTP and its own flavor of
VPN. I can't tell you just how pleased I am with its ability to be
quiet on the network. I liked the way it responded (or *didn't*
respond) to a wide variety of "tools".
As far as proxies go, it is better than I expected. It had (as of
January) HTTP, FTP, and SMTP proxies (maybe others). You can set different
proxies for inbound and outbound and to the DMZ. We actually used proxies
to the outside world and then IP filtering everywhere else, but you have
to decide that. I was pleased with the usability of the proxies. The HTTP
proxy, for example, can block certain MIME types in a web page. The SMTP
proxy can block certain *.exe attachments and also attachments by MIME
type. So, you can block all *.exe, *.com, *.pif, etc. This really
helped us with email viruses. We actually never got any infections in
the year or so we had SMTP turned on.
I did have a problem with the NAT daemon. If you are planning a
moderately complex network with multiple external addresses, which we
were, you've got to be really careful. For example, you can NAT
incoming connections on one IP like port 80 goes to 10.0.0.1 and port 25
goes to 10.0.0.2. What you *can't* do is have any *outbound* traffic
re-NATed to be a certain external address. So, mail goes in one IP
address and out the other. I didn't like this because then other SMTP
servers were probing AUTH on 113 of the wrong IP address. This really
bugged me. We could have set up an incoming AUTH NAT to the correct
machine, but we could have been blacklisted for sending SMTP over the
wrong IP address, compared to our DNS entry. It also meant that we
couldn't have more than one separate domain in our subnet without
having to use the main IP address as SMTP inbound. So, we had to
restructure all our IP addresses to fit this stupid oversight. Or, use
*real* IP addresses in the DMZ and don't NAT them. We supposed the
extra NATing gave us an extra level of protection. YMMV.
Other than that, the box has been awesome and I would recommend it to
anyone with a mostly straightforward IP addressing scheme. Especially
if you only have one external IP address. Then you are golden.
just my $.02
-Steve
rough draft of network:
[ internal LAN 10.0.x.x ] -- [ Firebox ] -- [ external net block ]
                                  |
                                  |
                         [ DMZ 192.168.x.x ]
If you are a FreeBSD'er, you might want to note that a genius co-worker
set up multiple NICs in the DMZ servers and installed Jail. The jailed
root processes couldn't talk to the internal LAN via the Firebox because
it wouldn't route anything inside that came from the externally attached
DMZ NICs. They were also on a different subnet. Putting them on a switch
would have been a smart move, too. But they could only contact the
outside world. The unjailed processes could talk to the internal LAN,
and both jailed and unjailed shared files. So, there was no real
network flow between the outside and the inside for certain ports. I
was impressed.
Then again, we had VPN turned on.
Naren T wrote:
> Hi,
>
> Both, Netscreen and Sonicwall are built on the same technology .. stateful
> inspection .. and none is better (or worse) than the other .. apart from
> whatever their own sales team talks of ...
>
> My vote for Watchguard .. (though this too, like NS and Sonicwall does not
> host DNS) ...
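As an added illustration of the NAT asymmetry Steve describes (this is not code from the original post, from Watchguard, or from any Firebox configuration), the following Python model contrasts the two outbound policies: every outbound flow rewritten to the primary public address (the behaviour complained about) versus the source address pinned to whichever public address DNATs inbound to that host (the 1:1 mapping the post wanted). All addresses, the MX target and the reverse-DNS entries are constructed for the example; the function names are hypothetical and only exist to make the mismatch checkable.

```python
"""Toy model of inbound DNAT plus two outbound SNAT policies.

Constructed example, not from the original post: two public addresses
(RFC 5737 documentation range) and two DMZ hosts behind the firewall.
"""

# Constructed addresses (assumptions, not from the post).
PRIMARY_PUBLIC = "198.51.100.10"   # the box's "main" external address
MAIL_PUBLIC = "198.51.100.11"      # the address the domain's MX points at
WEB_HOST = "10.0.0.1"
MAIL_HOST = "10.0.0.2"

# Inbound DNAT table: (public ip, dst port) -> (internal ip, port).
# Mirrors the post's "port 80 goes to 10.0.0.1 and port 25 goes to 10.0.0.2".
INBOUND_DNAT = {
    (PRIMARY_PUBLIC, 80): (WEB_HOST, 80),
    (MAIL_PUBLIC, 25): (MAIL_HOST, 25),
}

# What remote servers believe (constructed): the MX target address and
# the reverse DNS of each public address.
MX_TARGET_IP = MAIL_PUBLIC
REVERSE_DNS = {
    PRIMARY_PUBLIC: "www.example.net",
    MAIL_PUBLIC: "mail.example.net",
}


def translate_inbound(dst_ip, dst_port):
    """Apply the inbound DNAT table; None means the packet is not forwarded."""
    return INBOUND_DNAT.get((dst_ip, dst_port))


def outbound_src_single(internal_ip):
    """Policy 1 (the behaviour the post complains about): every outbound
    flow, whatever its internal source, leaves with the primary address."""
    return PRIMARY_PUBLIC


def outbound_src_pinned(internal_ip):
    """Policy 2 (1:1 style): an internal host leaves with the public
    address that DNATs inbound to it; hosts with no DNAT use the primary."""
    for (public_ip, _port), (int_ip, _iport) in INBOUND_DNAT.items():
        if int_ip == internal_ip:
            return public_ip
    return PRIMARY_PUBLIC


def smtp_peer_view(src_policy, internal_ip=MAIL_HOST):
    """What a remote SMTP server observes when internal_ip connects out:
    the source address, its reverse name, whether it is the MX address,
    and where an IDENT/AUTH probe (TCP 113) back to that source would land."""
    src = src_policy(internal_ip)
    return {
        "source": src,
        "reverse_name": REVERSE_DNS.get(src),
        "matches_mx": src == MX_TARGET_IP,
        "ident_probe_lands_on": translate_inbound(src, 113),
    }


def nat_mismatches(src_policy):
    """Hosts whose outbound source address differs from the public address
    they are reachable on inbound. Empty list means the NAT is symmetric."""
    mismatched = []
    for (public_ip, _port), (int_ip, _iport) in INBOUND_DNAT.items():
        if src_policy(int_ip) != public_ip:
            mismatched.append((int_ip, public_ip, src_policy(int_ip)))
    return mismatched


if __name__ == "__main__":
    for name, policy in (("single", outbound_src_single),
                         ("pinned", outbound_src_pinned)):
        print(name, smtp_peer_view(policy), nat_mismatches(policy))
```

Under the single-address policy the mail host's outbound connections carry 198.51.100.10, whose reverse name is the web server and which is not the MX address, and an IDENT probe back to that address reaches nothing; under the pinned policy all three line up. The `nat_mismatches` check is the one to run against any multi-address NAT design before relying on DNS or reverse-DNS consistency.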