Windows XP Community - XPHeads



Firewall recommendations

microsoft.public.windowsxp.security_admin


#1  08-01-2008, 02:49 PM  Mha
Firewall recommendations
Hi

I'm looking for a 'blackbox' firewall solution for a small company, about
50-60 users/computers with 4-5 servers (Web, Exchange, App server).
We also need one site-to-site VPN tunnel and client-to-site L2TP/IPsec, or maybe in
the future SSL VPN tunnels. I also need DNS and SMTP (proxy) on this box, to
use it as a mail relay and DNS relay from outside to our services in the LAN.
Currently I'm looking at the WatchGuard FireBox X550e; it has all the
functionality I need. Is this a good choice, or do you recommend any
other products that are more optimal for a small company
(price/performance)? Maybe Netscreen or VigorPro, but I'm not sure if they
support DNS and SMTP proxy.
Thank you in advance!
Regards,
Miha


#2  08-01-2008, 04:17 PM  Leythos
Re: Firewall recommendations
In article <#CKGPX#8IHA.4088@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
says...
> Hi
>
> I'm looking for a 'blackbox' firewall solution for a small company about
> 50-60 users/computers with 4-5 servers (Web,Exchange,App server).
> We also need one site-site VPN tunnel and client-site L2TP IPsec or maybe in
> a future SSL vpn tunnels. I also need DNS and SMTP (proxy) on this box, to
> use it as a mail-relay and DNS-relay from outside to our services into LAN.
> Currently I'm looking at WatchGuard FireBox X550e, it has all the
> functionalities I need. Is this a good choice, or do you recommend any
> other products that are more optimal for a small company
> (price/performance). Maybe Netscreen or VigorPro, but I'm not sure if they
> support DNS and SMTP proxy?
> Thank you in advance!


I have Firebox X550e through 1250e units, more than 100 across the
country, and I've found that with the UTM package they are better
than any other units I've used/tried or have installed that are not WG
units.

You can't go wrong with the X550e, and if they need more performance
it's a "soft-key" performance upgrade to the 7xx series.

Why would you want to relay DNS to your LAN? Not a good idea for any
network, at least not one that would have you posting to this group.

Your Exchange service will be well protected if you set up the UTM
services on the Firebox to clean email (in and/or out) of malware and
bad file types.

You can email me if you need help once you purchase it (remove the 999
to reply; see sig for email address).

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
#3  08-01-2008, 06:48 PM  Mha
Re: Firewall recommendations
Thanks for the information.
I think that the Firebox X550e will be exactly what we need for our company
(50-60 users). I only plan to take the LiveSecurity subscription (not
UTM-Spam/Web/Gateway blocker); I think this will be sufficient for now,
we'll see in the future if we need these extra services. I also plan to buy
the upgrade to Fireware Pro for more SSL VPN connections for my home users. I
need the SMTP proxy so that the Exchange server will relay through it (not to be
exposed to the internet); also all mail from outside will be delivered to the
FireBox, which will forward it to the Exchange server. Regarding the DNS proxy, I'm
thinking of using our internal DNS server also as the DNS resolver from the
internet, but I don't want to expose it directly, so it will be resolved
through the FireBox DNS proxy.
Any other opinion or proposal about this configuration?
Regards,
Miha

"Leythos" <void@nowhere.lan> wrote in message
news:1217614552_245384@news.usenet.com ...
> In article <#CKGPX#8IHA.4088@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
> says...
>> Hi
>>
>> I'm looking for a 'blackbox' firewall solution for a small company about
>> 50-60 users/computers with 4-5 servers (Web,Exchange,App server).
>> We also need one site-site VPN tunnel and client-site L2TP IPsec or maybe
>> in
>> a future SSL vpn tunnels. I also need DNS and SMTP (proxy) on this box,
>> to
>> use it as a mail-relay and DNS-relay from outside to our services into
>> LAN.
>> Currently I'm looking at WatchGuard FireBox X550e, it has all the
>> functionalities I need. Is this a good choice, or do you recommend any
>> other products that are more optimal for a small company
>> (price/performance). Maybe Netscreen or VigorPro, but I'm not sure if
>> they
>> support DNS and SMTP proxy?
>> Thank you in advance!

>
> I have Firebox X550e through 1250e units, more than 100 across the
> country, and I've found that with the UTM package that they are better
> than any other units I've used/tried or have installed that are not WG
> units.
>
> You can't go wrong with the X550e, and if they need more performance
> it's a "soft-key" upgrade performance to the 7xx series.....
>
> Why would you want to relay DNS to your lan? Not a good idea for any
> network, at least not one that would have you posting to this group.
>
> Your exchange service will be well protected if you setup the UTM
> services on the firebox to clean email (in and/or out) of malware and
> bad file types....
>
> You can email me if you need help once you purchase it (removed the 999)
> to reply (see sig for email address)
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)



#4  08-01-2008, 07:14 PM  Leythos
Re: Firewall recommendations
In article <#IGs9cA9IHA.4608@TK2MSFTNGP06.phx.gbl>, miha.bernik@email.si
says...
> Thanks for the information.
> I think that Firebox x550e will be exactly what we need for our company
> (50-60 users). I only plan to take the LiveSecurity subscription (not
> UTM-Spam/Web/Gateway blocker), I think this will be sufficient for now,
> we'll see in the future if we need these extra services.


UTM bundle CAN be cheaper if you get it with the firewall as a bundle
than just the firewall alone - check with your vendors. I can get an
x550e + UTM for about $1500, and the yearly renewal is a LOT cheaper than
on a 7xx or 12xx series.

The email anti-spam is on par with the best I've ever used; it's even
proving to be better than the masses of GFI installations and better
than the two Trend installations we have. The only thing that comes
close is the Barracuda, in MY testing.

> I also plan to buy
> upgrade to FireFire Pro for more SSL VPN connection for my home users. I
> need SMTP proxy so that Exchange server will relay through it (not to be
> exposed to internet), also all mail from outside will be delivered to
> FireBox that will forward it to Exchange server.


Mail is not actually "delivered" to the Firebox; it passes through an
SMTP rule that acts as a proxy service, which cleans the SMTP content
and headers as you define in the rule.

> Considering DNS proxy, I'm
> thinking of using our internal DNS server also for DNS resolver from
> internet, but also I don't want to expose it directly so it will be resolved
> through FireBox proxy DNS,
> Any other opinion or proposal about this configuration?


There is NO REASON to have your server provide DNS outside the LAN,
none, and don't do it. Purchase cheap DNS service outside and let them
get hit by all of the attempts.

It's easy enough to mirror your external DNS and point the internal DNS
to your private or public addresses.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
#5  08-02-2008, 06:56 AM  Mha
Re: Firewall recommendations
Thanks again for all the tips!
Yes, you're right: taking the UTM bundle for the X550e (Firebox + Spam/Web/Gateway
blocker + LiveSecurity) costs in my country (Europe) about $3000, and just the
Firebox alone costs $2500, so for $500 I get a 1-year full subscription to
all services, and next year we'll decide if we extend the subscription.
So I think for now the FireBox X550e UTM bundle + Fireware PRO will be the right
choice. I'll let you know more when I get the equipment.
Thanks again!
Regards,
Miha


"Leythos" <void@nowhere.lan> wrote in message
news:1217625192_245397@news.usenet.com ...
> In article <#IGs9cA9IHA.4608@TK2MSFTNGP06.phx.gbl>, miha.bernik@email.si
> says...
>> Thanks for the information.
>> I think that Firebox x550e will be exactly what we need for our company
>> (50-60 users). I only plan to take the LiveSecurity subscription (not
>> UTM-Spam/Web/Gateway blocker), I think this will be sufficient for now,
>> we'll see in the future if we need these extra services.

>
> UTM bundle CAN be cheaper if you get it with the firewall as a bundle
> than just the firewall alone - check with your vendors. I can get a
> x550e + UTM for about $1500 and the yearly renewal is a LOT cheaper than
> on a 7xx or 12xx series.
>
> The email anti-spam is on par as being the best I've ever used of any,
> it's even proving to be better than the masses of GFI installations and
> better than the two Trend installations we have. The only thing that
> comes close is the Barracuda, in MY testing.
>
>> I also plan to buy
>> upgrade to FireFire Pro for more SSL VPN connection for my home users. I
>> need SMTP proxy so that Exchange server will relay through it (not to be
>> exposed to internet), also all mail from outside will be delivered to
>> FireBox that will forward it to Exchange server.

>
> Mail is not actually "Delivered" to the firebox, it passes through a
> SMTP rule that acts as a proxy service, it will clean the SMTP content
> and headers as you define in the rule.
>
>> Considering DNS proxy, I'm
>> thinking of using our internal DNS server also for DNS resolver from
>> internet, but also I don't want to expose it directly so it will be
>> resolved
>> through FireBox proxy DNS,
>> Any other opinion or proposal about this configuration?

>
> There is NO REASON to have your server provide DNS outside the LAN,
> none, and don't do it. Purchase cheap DNS service out side and let them
> get hit by all of the attempts.
>
> It's easy enough to mirror your external DNS and point the internal DNS
> to your private or public addresses.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)



#6  08-02-2008, 01:58 PM  Leythos
Re: Firewall recommendations
In article <uIPHrzG9IHA.5556@TK2MSFTNGP02.phx.gbl>, miha.bernik@email.si
says...
> Thanks again for all the tips!
> Yes you're right, taking UTM bundle for x550e (Firebox+Spam/Web/Gateway
> blocker+LiveSecurity) costs in my country (Europe) about 3000$, just
> Firebox alone costs 2500$, so for a 500$ I get 1-year full subscription to
> all services, and next year we'll decide if we extend subscription.
> So I think for now FireBox x550e UTM bundle + Fireware PRO will be the right
> choice. I'll let you know more when I get the equipment.
> Thanks again!
> Regards,


If you've never set up a firewall, a real one, then you will want to
consider a lot of things - like what traffic to let out, what to let in,
etc.

Some things I've found: when you get it set up you're going to end up
with about 25-35 rules. The default is to allow all outbound but block
certain ports and actions; I never leave a generic Outbound rule in
place.

You will need rules for the following:

FTP-Proxy.IN
FTP-Proxy.Out
SMTP-Proxy.IN
SMTP-Proxy.Out
HTTP-Proxy.NO-WEB-BLOCKER.Out (for your servers)
HTTP-Proxy.Web-Blocker.Out (for most users)
HTTP-Proxy.In (for your web servers if you have any)
POP3-Proxy.Out (if you have any pop3 users/accounts)
NNTP.Out
HTTPS.In (for your servers if needed)
HTTPS-Proxy.Out
Ping.Out
Time.Out
NTP.Out
PPTP.Out (if you allow this)
RWW.In (RWW ports if you use Small Business Server) TCP 4125/444
Traceroute.Out

Then you will have a lot of rules for other things that are not just the
basics - like VNC outbound, RDP outbound or inbound.

One thing to remember - the default SMTP filter removes characters from
email addresses; it will remove a decimal point by default, so you need
to remove that part of the rule to allow email addresses with names like
someone.lastname@somewhere.com. It would remove the . between someone
and lastname but not the .com one.


--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
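The rule list in the post above, as an added example that is not Leythos's code nor WatchGuard's own configuration: a small default-deny policy evaluator that encodes those rule names; the address groups, hosts and port numbers are constructed assumptions. It shows why leaving out the generic Outbound rule matters: an unlisted port is denied, while the listed proxies still match only the hosts they are meant for.

```python
# Added example, not from the thread: a default-deny evaluator for the rule
# list in the post. Groups, hosts and ports are constructed assumptions.
from dataclasses import dataclass

# Constructed address groups standing in for the poster's LAN.
GROUPS = {
    "servers": {"10.0.0.10", "10.0.0.11", "10.0.0.12"},  # Web, Exchange, App
    "exchange": {"10.0.0.11"},
    "users": {f"10.0.1.{i}" for i in range(1, 61)},      # 60 user PCs
    "any": None,                                         # wildcard
}

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str    # "in" or "out"
    proto: str        # "tcp", "udp", "icmp" or "any"
    ports: frozenset  # destination ports; empty means any port
    lan_side: str     # group the LAN endpoint (src if out, dst if in) must be in

# Rule names as listed in the post; the ports and groups are assumed here.
POLICY = [
    Rule("FTP-Proxy.IN", "in", "tcp", frozenset({21}), "servers"),
    Rule("FTP-Proxy.Out", "out", "tcp", frozenset({21}), "users"),
    Rule("SMTP-Proxy.IN", "in", "tcp", frozenset({25}), "exchange"),
    Rule("SMTP-Proxy.Out", "out", "tcp", frozenset({25}), "exchange"),
    Rule("HTTP-Proxy.NO-WEB-BLOCKER.Out", "out", "tcp", frozenset({80}), "servers"),
    Rule("HTTP-Proxy.Web-Blocker.Out", "out", "tcp", frozenset({80}), "users"),
    Rule("HTTP-Proxy.In", "in", "tcp", frozenset({80}), "servers"),
    Rule("POP3-Proxy.Out", "out", "tcp", frozenset({110}), "users"),
    Rule("NNTP.Out", "out", "tcp", frozenset({119}), "users"),
    Rule("HTTPS.In", "in", "tcp", frozenset({443}), "servers"),
    Rule("HTTPS-Proxy.Out", "out", "tcp", frozenset({443}), "users"),
    Rule("Ping.Out", "out", "icmp", frozenset(), "any"),
    Rule("Time.Out", "out", "tcp", frozenset({37}), "servers"),
    Rule("NTP.Out", "out", "udp", frozenset({123}), "servers"),
    Rule("RWW.In", "in", "tcp", frozenset({4125, 444}), "servers"),
    Rule("Traceroute.Out", "out", "udp", frozenset(range(33434, 33534)), "any"),
]

# The rule Leythos says he never leaves in place: any host, any port, outbound.
GENERIC_OUTBOUND = Rule("Outbound", "out", "any", frozenset(), "any")

def evaluate(direction, proto, port, lan_host, policy=POLICY):
    """Return the name of the first rule permitting the flow, or None (deny)."""
    for r in policy:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if r.ports and port not in r.ports:
            continue
        members = GROUPS[r.lan_side]
        if members is not None and lan_host not in members:
            continue
        return r.name
    return None

def has_generic_outbound(policy=POLICY):
    """True if some rule lets any LAN host reach any port outbound."""
    return any(r.direction == "out" and r.proto == "any" and not r.ports
               and r.lan_side == "any" for r in policy)

if __name__ == "__main__":
    for f in [("out", "tcp", 25, "10.0.0.11"), ("out", "tcp", 25, "10.0.1.5"),
              ("out", "tcp", 80, "10.0.1.5"), ("out", "tcp", 6667, "10.0.1.5")]:
        print(f, "->", evaluate(*f) or "DENY (no generic outbound rule)")
```

Appending GENERIC_OUTBOUND to POLICY turns the denied IRC-style flow into an allowed one, which is the exposure the post warns against.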
#7  08-04-2008, 10:20 AM  Miha
Re: Firewall recommendations
Thanks. I'm quite familiar with rules on firewalls, but I don't have any
experience with WatchGuard. Thank you again for all the information, I'll try
to configure it, and we'll see how it goes.
Regards,
Miha

"Leythos" <void@nowhere.lan> wrote in message
news:1217692603_245455@news.usenet.com...
> In article <uIPHrzG9IHA.5556@TK2MSFTNGP02.phx.gbl>, miha.bernik@email.si
> says...
>> Thanks again for all the tips!
>> Yes you're right, taking UTM bundle for x550e (Firebox+Spam/Web/Gateway
>> blocker+LiveSecurity) costs in my country (Europe) about 3000$, just
>> Firebox alone costs 2500$, so for a 500$ I get 1-year full subscription
>> to
>> all services, and next year we'll decide if we extend subscription.
>> So I think for now FireBox x550e UTM bundle + Fireware PRO will be the
>> right
>> choice. I'll let you know more when I get the equipment.
>> Thanks again!
>> Regards,

>
> If you've never setup a firewall, a real one, then you will want to
> consider a lot of things - like what traffic to let out, what to let in,
> etc....
>
> Some things I've found, when you get it setup you're going to end up
> with about 25-35 rules, the default is to allow all outbound, but block
> certain ports and actions, I never leave a generic Outbound rule in
> place.
>
> You will need rules for the following:
>
> FTP-Proxy.IN
> FTP-Proxy.Out
> SMTP-Proxy.IN
> SMTP-Proxy.Out
> HTTP-Proxy.NO-WEB-BLOCKER.Out (for your servers)
> HTTP-Proxy.Web-Blocker.Out (for most users)
> HTTP-Proxy.In (for your web servers if you have any)
> POP3-Proxy.Out (if you have any pop3 users/accounts)
> NNTP.Out
> HTTPS.In (for your servers if needed)
> HTTPS-Proxy.Out
> Ping.Out
> Time.Out
> NTP.Out
> PPTP.Out (if you allow this)
> RWW.In (RWW ports if you use Small Business Server) TCP 4125/444
> Traceroute.Out
>
> Then you will have a lot of rules for other things that are not just the
> basics - like VNC outbound, RDP outbound or inbound....
>
> One thing to remember - the default SMTP filter removes characters from
> email addresses, it will remove a decimal point by default, so you need
> to remove that part of the rule to allow email addresses with names like
> someone.lastname@somewhere.com.... It would remove the . between someone
> and lastname but not the .com one.
>
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)



#8  08-04-2008, 11:20 AM  Leythos
Re: Firewall recommendations
In article <OjiWpuh9IHA.2336@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
says...
> Thanks. I'm quite familiar with rules on firewalls, but I don't have any
> experience with WatchGuard. Thank you again for all the information, I'll try
> to configure it, and we'll see how it goes.
> Regards,


If you run into trouble with it and want help, either contact me by
email or post here - make sure that you include the word WATCHGUARD or
FIREWALL in your subject; I look for key words and don't see posters'
names when scanning threads.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a
drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)
#9  08-04-2008, 03:27 PM  Mha
Re: Firewall recommendations
Great, thanks again for all support!
Regards,
Miha

"Leythos" <void@nowhere.lan> wrote in message
news:1217855962_245602@news.usenet.com ...
> In article <OjiWpuh9IHA.2336@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
> says...
>> Thanks. I'm quite familiar with rules on firewalls, but I don't have any
>> experience with WatchGuard. Thank you again for all the information, I'll
>> try
>> to configure it, and we'll see how it goes.
>> Regards,

>
> If you run into trouble with it and want help, either contact me by
> email or post here - make sure that you include the word WATCHGUARD or
> FIREWALL in your subject, I look for key words and don't see posters
> names when scanning threads.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)



#10  08-14-2008, 01:56 PM  Mha
Re: Firewall recommendations WATCHGUARD
Hi Leythos

I have another question regarding the Firebox X550e, about the throughput that is
specified:
- Firewall Throughput 300+ Mbps
- VPN Throughput 35 Mbps
- AV Throughput 50 Mbps
I'm a little concerned: if I enable all UTM services
(Anti-Spam, Anti-Spyware, GW-AntiVirus, IPS...) will there be any problems with
performance or throughput at all?
We have a 100/100 internet connection, so with all these services enabled,
and also about 10 users using client-to-site SSL VPN (sometimes), can I expect
any problems with Firebox performance or with firewall throughput?

I'm also wondering if there are any differences between Mobile VPN tunnels
and SSL VPN tunnels? Since the Firebox X550e only has 5 Mobile VPN client
licences included, but with the Fireware PRO upgrade I get full (75) SSL VPN
client licences, I'm thinking of using SSL VPN access for all users who will
need access from home computers. Are there any other differences/features
between these two types of VPN? Primarily my clients need to access (from
their home computers) file shares on servers and some local applications.
Thanks again!
Miha

"Leythos" <void@nowhere.lan> wrote in message
news:1217855962_245602@news.usenet.com ...
> In article <OjiWpuh9IHA.2336@TK2MSFTNGP03.phx.gbl>, miha.bernik@email.si
> says...
>> Thanks. I'm quite familiar with rules on firewalls, but I don't have any
>> experience with WatchGuard. Thank you again for all the information, I'll
>> try
>> to configure it, and we'll see how it goes.
>> Regards,

>
> If you run into trouble with it and want help, either contact me by
> email or post here - make sure that you include the word WATCHGUARD or
> FIREWALL in your subject, I look for key words and don't see posters
> names when scanning threads.
>
> --
> - Igitur qui desiderat pacem, praeparet bellum.
> - Calling an illegal alien an "undocumented worker" is like calling a
> drug dealer an "unlicensed pharmacist"
> spam999free@rrohio.com (remove 999 for proper email address)


