Firewall and Router --- 1 or 2 Devices?

Working IT
Should I use 1 device that can act as firewall and router, or use 2 devices (one as a firewall and the other as a router)?
    w2ktechman

    Is this for a home network, a small network, or a larger network?
    For a home network on DSL/cable, an all-in-one should be fine (HW), but extra protection (SW) is advised.
    For a small business network, you will need to determine costs and justify the equipment.
    For a larger network, independent HW devices should be deployed.

    Working IT

    5 locations, 20 internal users, and 10 mobile users.

    What is the benefit of having 2 devices instead of 1?

    What do people put between the router and firewall?

    HAL 9000 Moderator

    The benefit of having 2 devices is that if the router fails you still have an Internet connection, but with limited security. Personally I don't see this as a benefit, but depending on your budget it may be. Or you could go with a computer running a dedicated firewall application, which would give you an excellent firewall solution, depending on just how secure you need the internal LAN to be.

    What do people put between the router and firewall?

    Mostly a CAT 5E cable is used, though you could use a CAT 6 cable, but it wouldn't offer any real advantage.

    w2ktechman

    In your case, if budgeting is an issue, get the 2-in-1 option. If funding is available, go with the 2 separate devices.

    mdavis

    You say 5 locations. What is your method of interconnectivity? Frame Relay? Simple T-1 with Internet connection? DSL? Cable?

    With most of these, your provider is going to supply you with the "router", either in the form of a real, actual router or a DSL/cable modem. The modems act as a router (by definition a router is nothing more than a device that forwards information to disparate networks). The firewall is also in and of itself a router, since typically there is one network on the untrusted side (i.e. the Internet) and another network on the LAN side (trusted).

    If you do NOT have a router provided to you by your service provider, then you will most certainly need one of those, and most of the units built for a SOHO assume that you have a modem in front of them, as MOST are not capable of Internet routing protocols.

    Making the assumption that you are like most small businesses and have opted for the cable modem/DSL option, I would recommend a small firewall such as a Cisco ASA 5505 (the replacement for the PIX 501; see http://www.cisco.com/en/US/products/ps6120/index.html). There are other products like NetScreen, SonicWall and WatchGuard, to name a few. These are scalable, quasi-enterprise-class devices that would also allow you to set up site-to-site VPNs and other things as well. Basically they give you flexibility options and are in the 500-700 dollar range, quite affordable actually.
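Two points in the replies above are worth seeing side by side: HAL 9000's remark that a router alone leaves you with "an Internet connection but with limited security", and mdavis's point that a firewall is itself a router with an untrusted and a trusted side. The following is an added example written for this thread, not code from Cisco, NetScreen or any other product named here. It models a two-interface gateway in Python: routing alone forwards everything, while the stateful firewall stage in front of it applies default-deny from the WAN, connection tracking for LAN-initiated flows, anti-spoofing, and an explicit allowlist for a published VPN port. Interface names, addresses and the traffic sample are constructed, and NAT is left out so the policy logic stays visible.

```python
"""Toy model of a two-interface gateway: routing alone vs. routing behind a stateful firewall.

Added example for this thread, not code from any product named in it. Interface names,
addresses and the traffic sample are constructed; NAT is left out so the policy logic
stays visible.
"""
from dataclasses import dataclass

WAN_IF, LAN_IF = "wan0", "lan0"          # assumed interface names
LAN_NET = "192.168.10."                  # assumed inside prefix
GW_WAN_ADDR, GW_LAN_ADDR = "203.0.113.1", "192.168.10.1"


@dataclass(frozen=True)
class Packet:
    iface_in: str   # interface the packet arrived on
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


def route(pkt):
    """Routing alone: choose the egress interface. Nothing is ever refused."""
    if pkt.dst in (GW_WAN_ADDR, GW_LAN_ADDR):
        return "local"                   # addressed to the gateway itself
    return LAN_IF if pkt.dst.startswith(LAN_NET) else WAN_IF


class StatefulFirewall:
    """Default-deny from the WAN; allow LAN-initiated flows, their replies, and published ports."""

    def __init__(self, published=frozenset()):
        self.published = published       # (proto, port) pairs reachable on the gateway's WAN address
        self.conntrack = set()           # 5-tuples of flows the LAN has opened

    def decide(self, pkt):
        flow = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.iface_in == LAN_IF:
            if not pkt.src.startswith(LAN_NET):
                return "DROP"            # inside interface must only carry inside sources
            self.conntrack.add(flow)     # remember the flow so the reply can come back
            return "ACCEPT"
        # arrived on the WAN interface
        if pkt.src.startswith(LAN_NET):
            return "DROP"                # anti-spoof: an inside address cannot arrive from outside
        if reverse in self.conntrack:
            return "ACCEPT"              # reply to a flow the LAN opened
        if pkt.dst == GW_WAN_ADDR and (pkt.proto, pkt.dport) in self.published:
            return "ACCEPT"              # deliberately published service, e.g. the VPN listener
        return "DROP"                    # anything else unsolicited from the Internet


def run(packets, firewall=None):
    """Return one (verdict, egress) pair per packet; egress is None when the packet is dropped."""
    results = []
    for pkt in packets:
        verdict = firewall.decide(pkt) if firewall else "ACCEPT"
        results.append((verdict, route(pkt) if verdict == "ACCEPT" else None))
    return results


# Constructed traffic sample (not captured from a real network).
SAMPLE = [
    Packet(LAN_IF, "tcp", "192.168.10.5", 50000, "203.0.113.10", 443),  # LAN host browses out
    Packet(WAN_IF, "tcp", "203.0.113.10", 443, "192.168.10.5", 50000),  # the server's reply
    Packet(WAN_IF, "tcp", "198.51.100.7", 40000, "192.168.10.5", 445),  # unsolicited SMB probe
    Packet(WAN_IF, "udp", "198.51.100.9", 500, GW_WAN_ADDR, 500),       # IKE to the published VPN port
    Packet(WAN_IF, "tcp", "192.168.10.9", 1234, "192.168.10.5", 22),    # outside packet with a spoofed LAN source
]

if __name__ == "__main__":
    print("router only:      ", run(SAMPLE))
    print("router + firewall:", run(SAMPLE, StatefulFirewall(published=frozenset({("udp", 500)}))))
```

Run without a firewall, all five packets are forwarded, including the SMB probe and the spoofed packet; with the firewall in front, only the LAN-opened flow, its reply and the published IKE port get through. That is the concrete difference between "limited security" from a router and a policy enforced at the trust boundary, whether that policy lives in a second box or in a firewall stage of the same one.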

    Working IT

    I thought of the ASA 5500 series, too. But the price difference between the ASA 5500 and the PIX 501 is huge. The ASA 5500 is around $2200 and the PIX 501 is around $750.

    Are these 2 devices basically the same? Do you recommend the PIX 501 even though Cisco will not support it within the next few years?

    CG IT

    I'd go with the 800 or 1800 series routers if he's a small business, even if he has 5 separate locations, all of which are small in size [# of employees and workstations]. Note: most consumer-level routers offer 8 Mbps throughput on the WAN link. To get more, you have to go to SOHO or better routers. Symantec has the 360 series SOHO, which offers 55 Mbps throughput on the WAN link.

    So choosing a router and firewall device really has one looking more at infrastructure and users needs which will determine what type of device or devices to purchase.

    With gigabit LANs and NICs one could opt for a single device like ISA Server 2006 which is proxy/firewall and imo a good one.

    Working IT

    I agree. For the router, I will pick 1800 series.

    For the firewall/VPN, which one you prefer, PIX 501 or ASA 5500?

    HAL 9000 Moderator

    Googgun Linux has an excellent product called Trustifier, which is easy to work with and runs on a Linux platform that I've found unbreakable so far; I've tried, but gave up trying to break in after about 3 months of off-and-on attacks.

    It's extremely easy to set up, even easier to maintain, and can run on some very old, cheap hardware and still appear to work as well as something loaded on the newest hardware available. While an ISA Server is good, this is both cheaper to buy and easier to maintain, and if someone goes all out to attack it there is nothing else on that server for them to find if they actually manage to bypass the security that is built in. Even if they manage to break the gateway server, they then have to break into the internal LAN. If you are using ISA on a server, you will most likely have other applications running off that server, so once they break ISA they will have total access to the internal system.

    Don't get me wrong, ISA is good, but its weakness is that it can be run on a server doing other things, and that gives it a weakness that other things like Trustifier just don't have. I'm running Googgun Linux on an old IBM Netfinity 5000 that cost me about $100.00 AU, and with that I expect it to run for a very long time without problems. I just tend to have the particular case buried away, and I only pay any attention to it when there are severe thunderstorms about, as I have to remember to restart it after I power down the UPS that it's on.

    Col
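The post above argues for a single-purpose gateway on the grounds that "there is nothing else on that server for them to find". Whichever product you pick, that property is only true if nothing else is actually listening on the box, so it is worth checking rather than assuming. The following is an added example written for this thread, not code from Trustifier, ISA or any other product mentioned here: a small Python audit that reads `ss -Hlntu` style output and flags every listening socket that is not in an allowlist of expected services, plus any expected service bound more widely than it should be (management SSH reachable on the WAN side, for instance). The expected-service table, the addresses and the sample `ss` output are constructed.

```python
"""Audit the listening sockets of a single-purpose gateway against an allowlist.

Added example for this thread, not code from Trustifier, ISA or any other product named
in it. The expected-service table, addresses and the ss output are constructed; the
input format is that of `ss -Hlntu` (numeric, listening sockets, no header line).
"""
import sys

LAN_ADDR = "192.168.10.1"                     # assumed inside address of the gateway
WILDCARDS = {"*", "0.0.0.0", "::", "[::]"}    # binds reachable on every interface, WAN included

# What a dedicated VPN/firewall gateway is expected to listen on, and where.
# Anything not in this table is a service an attacker could find on the box.
EXPECTED = {
    ("tcp", 22): {LAN_ADDR},        # management SSH, inside only
    ("udp", 500): {"ANY"},          # IKE for the site-to-site VPN
    ("udp", 4500): {"ANY"},         # IKE/ESP NAT traversal
}


def normalise(addr):
    """Collapse every wildcard form to 'ANY'; strip IPv6 brackets otherwise."""
    return "ANY" if addr in WILDCARDS else addr.strip("[]")


def parse_ss(text):
    """Parse `ss -Hlntu` lines into (proto, address, port) tuples."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                             # blank or malformed line
        proto, local = parts[0], parts[4]        # Netid ... Local Address:Port
        addr, port = local.rsplit(":", 1)        # rsplit so IPv6 addresses survive
        sockets.append((proto, normalise(addr), int(port)))
    return sockets


def audit(sockets, expected=EXPECTED):
    """Return one finding per socket that is either unexpected or bound more widely than allowed."""
    findings = []
    for proto, addr, port in sockets:
        allowed = expected.get((proto, port))
        if allowed is None:
            findings.append(f"unexpected listener {proto}/{port} on {addr}")
        elif addr not in allowed:
            findings.append(f"{proto}/{port} bound to {addr}, expected {sorted(allowed)}")
    return findings


# Constructed sample in `ss -Hlntu` layout: SSH exposed on every interface, a web server
# and a database that have no business on a gateway, and the two expected VPN ports.
SAMPLE_SS = """\
tcp   LISTEN 0      128         0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511         0.0.0.0:80        0.0.0.0:*
tcp   LISTEN 0      4096           [::]:3306         [::]:*
udp   UNCONN 0      0           0.0.0.0:500       0.0.0.0:*
udp   UNCONN 0      0           0.0.0.0:4500      0.0.0.0:*
"""

if __name__ == "__main__":
    # Pipe real output in (`ss -Hlntu | python3 audit_listeners.py`), else audit the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SS
    for finding in audit(parse_ss(text)):
        print(finding)
```

On the sample this reports three findings: SSH bound to the wildcard address instead of the LAN address, and two listeners (80/tcp and 3306/tcp) that should not exist on a gateway at all. Running it against the real `ss` output on the box, on a schedule, turns "nothing else to find" from an assumption into a checked fact; the same table also documents what the firewall itself must expose to the Internet, which is exactly the list of published ports its own rules should allow.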
