OSEC

From: Dan Schleifer (danschsecurepipe.com)
Date: Tue Jun 26 2001 - 09:58:14 CDT

    Well, the solutions as I see them are:

    Cisco PIX, SonicWall, etc: Great products overall (though I'm not too
    impressed with SonicWall's interface), and can provide a range of
    solutions (firewalling, VPN, routing) depending on which one you go with.
    The upshot of these systems as I see them is that updates are usually just
    one new release to go to, and keep the management overhead down to just
    firewall rule changes and log reading. Downsides include that the
    hardware is usually proprietary (so should you switch, you need a whole
    new hardware investment), and you are at the mercy of the provider to keep
    the OS/software bug free and up to date.

    Linux/OpenBSD/other *nix: Robust platforms that have many different
    abilities (firewalling/VPN/dynamic routing/proxying/etc.) and updates and
    bug fixes are always quick to come out. Also, these are usually the
    cheapest solutions as you can reuse old hardware and the OS/software is
    free. The downside of this type of solution is that all of the
    maintenance is up to you, and there may be much more time overhead in
    tracking down patches and upgrades. This is the option I usually pick for
    my home network, as the complexity of my network is low, and it's cheap
    enough to make sense (my old Pentium 75 with a couple ISA NE2000s and
    Linux).

    Managed firewalls: (First the disclaimer...I just moved from a security
    consulting firm in Charlottesville, VA to work at a managed firewall/vpn
    provider in Madison, WI, SecurePipe. While my views may seem slightly
    tainted, please understand that I wouldn't have moved a thousand miles
    away if I didn't believe in it.) Managed firewalls provide the least
    amount of overhead (time wise), as the box is maintained, upgraded,
    configured, and monitored for you. Also, no intimate knowledge of
    firewalling technologies is needed, except as far as picking the
    management provider. The downsides to a managed firewall are as follows:
    You must trust the management team explicitly; these are people you most
    likely don't know in person managing your security. You may not have
    access to up-to-the-minute information on traffic flow. Depending on the
    provider, you may call up and be put on hold, sprint-style.

    Remember, when choosing a provider, that most of the products are very
    similar, but the real differentiation is in the service. The ability to
    call up, and talk with someone immediately who knows you, knows your
    network, and can fix your problem is key; being put into a tiered queue of
    anonymous technical support people probably is not going to fix your
    problems, or keep you secure.

    Also, check out http://www.robertgraham.com/pubs/firewall-seen.html It is
    a really good reference for firewall log reading, that will be helpful if
    you choose to manage your own firewall.

    -Dan

    -- 
    | D a n  S c h l e i f e r    S e c u r e P i p e  C o m m u n i c a t i o n s |
    | d s c h l e i f e r  s e c u r e p i p e . c o m    6 0 8 . 2 9 4 . 6 9 4 0 |