I'm running a couple of servers right now and looking into getting a hardware firewall so I don't have to configure each one manually. Anyone got any recommendations?

Cisco PIX 506 for a small budget or a PIX 515e.

Look at http://www.coyotelinux.com, check out their Wolverine solution. It's a software solution (but you can buy it with hardware and all). It has most of the features of the PIX, but at a much lower price. You just telnet to the box (or use the web-interface on the latest version), just like a hardware firewall.

regards,
J.

i'll second the vote for a pix 515, or maybe a 1u server, 3 nic's and a copy of the trustix suite for a DIY job

Netscreen. :)

What about SonicWall?

We have both the PIX and the Sonicwall. I think I prefer the Sonicwall because it's a little easier to setup and admin. As far as quality of service I would say they are the same.

We use a Cisco Pix and have been very happy with it.

Takes a little while to learn the operating system though...

We have a few customers that use Sonicwall, they say it runs well and its easy to set up. Cisco is the best as long as you know what your doing...

How about the ZyWall 35 or ZyWall 70?

Anyway, what I wanted to ask in this context: Does it make any sense, to have a Webserver, which by definition wants to be exposed to the Internet, behind a Firewall?

Aren't Firewalls just a thing to protect an (internal) LAN of some Company from all the evil things coming from Internet? Then, if they also run Internet servers, I think that's where the Firewall with DMZ comes in... But if there's Web servers only, why would one want to hide them behind a Firewall?

if there's Web servers only, why would one want to hide them behind a Firewall?Because a firewall isn't just for "hiding" things and Apache/IIS isn't the only service running on a web server. While you might sometimes want to block specific IPs from reaching the webserver, more likely you would (for example):

- use it to stop scripts from being used to run things (like IRC servers) which run on other ports.
- use it to prevent people from from reaching your SSH, FTP or other servers from any but a set of known IPs.
- use it to prevent specific IPs from accessing your mail server (reduce RBL lookups).
- use it to log and/or block suspicious network activity.

Bottom line is you don't usually setup a firewall (at least not initially) to block one thing... you use basic rules to block everything, then explicitly allow a web server or other public services to run. While that may not always be the reason for a dedicated firewall, basic rules are better secured by knowing the firewall isn't running on (and vulnerable to) the same machine it's trying to protect.

Cisco PIX 506E or 515E. We use PIX fairly exclusively with our clients and have had few headaches. We have replaced several sonicwalls with Pix's over the years.

Although not a hardware solution, one might find smoothwall a great implementation if they have an old machine lying around and can't afford a PIX.

PIX 506E = ~$800
PIX 515E = ~$2200 (restricted with one DMZ)

The IOS is the same so the main differences are ports and thoroughput. The 515E is also rackmountable and I've never seen a bracket for the 506E that makes it rackmountable. (If anyone has, I would enjoy knowing where to pick these up for our clients)

I hope this helps.

I just purchased a HotBrick Load Balancer LB-2 Firewall for $182.00
IT'S GREAT !!!
it takes two sererate wan connections, Has real Nat and is very easy to set up !!!
the best part is the wan connections are fully redundant...
http://www.hotbrick.com




Oliver/ Hayes Communications Inc
http://www.hayescom.com

I'm running a couple of servers right now and looking into getting a hardware firewall so I don't have to configure each one manually. Anyone got any recommendations?


I use BlackIce Server for both win2k and win2k3. It'e never let me down. For a hardware firewall I've been really pleased with the Netgear. Personally I have configured one for a client PC network not for a webserver. But the ease of use is what I found to be excellent.

m0n0wall is free, works very well, I've replaced a few PIX 501, and older Sonicwalls in favor of it.

http://m0n0.ch/wall

http://www.cerias.purdue.edu/about/history/coast_resources/firewalls/

John Cesta

Netscreen or Cisco PIX

Both are available freely on ebay.

we using pix-515e for our servers and they are very good.

In order to really recommend a firewall, you should give a little more information:

1 - Estimated traffic levels
2 - How many hosts (IP's) are you looking to protect?

Due to the way the software in many firewalls is licensed, you will be purchasing your firewall based on how many hosts or IP's will be behind the device. Even most common small office / home office firewalls will do 10 Mbps or so, but if you need more traffic capacity than that, you will want to look into a better solution.

That being said, I would look into Sonicwall - they seem to be the best deal for your dollar that I've found so far. The Netscreen and Pix firewalls are certainly nice, but you pay for it.

Sonicwall
Monowall
Cisco Pix
IpCop

... used 'em all and they're all great.

You can also setup a FREEbsd server using ipfw to filter traffic install snortinline for IDS.

Very cheap and flexible solution :)

Zywall 5 UTM (unified threat management...very nice) is a good, cost-efficient choice.

I think the cisco pix is good
here are some features of

The Cisco® PIX® 506E Security Appliance delivers enterprise-class security for remote office, branch office, and small-to-medium business (SMB) networks, in a high-performance, easy-to-deploy purpose-built appliance. Its unique desktop design supports two 10/100 Fast Ethernet interfaces and two 802.1q-based virtual interfaces, making it an exceptional choice for businesses requiring a cost-effective security solution with DMZ support. Part of the market-leading Cisco PIX Security Appliance Series, the Cisco PIX 506E Security Appliance provides a wide range of rich, integrated security services, advanced networking services, and powerful remote management capabilities in a compact, all-in-one security solution.

plz download this file http://www.cisco.com/application/pdf/en/us/guest/products/ps4336/c1650/ccmigration_09186a0080091b13.pdf
for manual and other specifications.

I use IpCop and like it.

You can find a Cisco 2811 router for less $$$ than the PIX; the latest IOS has most of the firewall features PLUS you get advanced routing features. Just be sure to get one with 3 interfaces so you can setup a DMZ.

Hey SRO|Sean,

Thanks for the information. Its really good to know about it.

Try Sonic Wall

Greetings:

Our customers have had good results with SonicWall and WatchGuard.

Thank you.

Ive used cisco and watchguard products,

Cisco is very easy to configure and troublesome to maintain, whereas firebox with the GUI console takes ages to configure but maintaining it is a breeze

Juniper Networks: netscreen very good hardware firewalls

Juniper Networks: netscreen very good hardware firewalls

I also recommend netscreen and juniper firewalls. Excelent products. Cisco ASA firrewalls are also good.

I would recommend a Juniper SSG5 or SSG 140. TechDefenders is a good source.

Hardware firewall is better than other software firewall

pix 515 will save you from a lot of headaches that you will get going with any other. Trust me, I found out the hard way and it sucked!!!!!!!!!!!!!

Cisco PIX 506 for a small budget or a PIX 515e.
good choice