Need to find alternative firewall solutions - expert advice required

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,542
So our company has been using the iShield firewall appliance from local company Tradepage. Support is decent, pricing is reasonable, but the actual firewall software is not that great, and has many limitations.

I am looking for a similar firewall solution to the iShield, which is backed up with good support, and doesn't have the limitations listed below:

  1. You cannot block specific sites that make use of HTTPS. I can either block HTTPS completely for a single user, or allow it completely. I cannot block Facebook on HTTPS, but still allow FNB on HTTPS, unless I do it by IP address. This is a huge PITA. All the guys who need access to banking, and secure online services, also have access to Facebook, Twitter, Youtube, and any other service that encrypts its traffic.

    Of course, one can block HTTPS to a particular IP address, but do services like Youtube, Facebook and Twitter have a fixed range of IP addresses that can be blocked? Are these websites not often served via CDN nodes, which probably change things around every now and then? Surely there is a way to simply block HTTPS to specified domain names?
  2. When assigning static IP addresses to MAC addresses inside the DHCP server, you cannot specify what that static IP should be. The system will only allow you to assign the current DHCP-assigned address as static. So now we have statically assigned addresses littered across our DHCP range. Not a train-smash, everything still works, but it's a huge annoyance. I prefer having static addresses (even DHCP-assigned static addresses) in their own range. It also makes applying firewall rules to a group of users easier. We put them in the same range, and apply the firewall rule to this particular IP sub-range.
  3. The DHCP server cannot be easily configured to dish out a WINS server address. I cannot do this myself through the user interface. It has to be done behind the scenes by tech support.
  4. We are utilising a 3G connection as failover, for when our ADSL line goes down. There is also supposed to be an email notification sent to the admin, to notify of the failover, and of the fallback to ADSL (when it happens). However, the failover notification email never comes through. Only once the system falls back to ADSL do both the failover and fallback notifications come. By this time it is too late to investigate what is going on.

I am not looking to do it myself. I don't want to download, configure and manage a Linux distro. I need a solution that just works, and is from a company with good technical support.
 

Nuro

Expert Member
Joined
Apr 11, 2007
Messages
1,788
With pfSense most of these tasks are trivial, we do most of it already. Have a look (pfsense.org), they offer paid support as well, but to be honest, it works so well we never needed it.
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,499
Fortigate firewalls from Fortinet
http://www.fortinet.com/solutions/firewall.html
You can block HTTPS sites on layer 7 and also block at lower layers. Quite powerful appliances capable of a lot of functionality like IPS/IDS, VPN, traffic shaping, web/spam filtering; DHCP and DNS server are standard, etc. Check them out, you can try the Fortigate 80C, though you can also go with ones that come with internal storage to keep logs etc.

Edit: it does allow you to specify which HTTPS sites to block and which ones are allowed. Another extra layer of security that you can add is DNS-based filtering by Opendns.com. I use their free service and you can also use it to filter HTTPS social network sites whilst allowing other banking etc. sites. You can even try it on your network before investing in a new appliance; it might fulfil some of your requirements, but not DHCP/failover of course.
 

irBosOtter

Expert Member
Joined
Feb 14, 2014
Messages
2,483
Fortigate also gets my vote.

If you wanna log on to one, drop me a PM. I can give you access to a 110C unit that's at my house, not my main firewall, so you can scratch around a bit if you like.
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
36,195
> Have a look at the Sophos Firewall products
Yup another vote for Astaro/Sophos UTM here.

Problem with HTTPS is you need to load your own certificate on every machine otherwise you are going to have security breach popups all over the show.
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,499
> Yup another vote for Astaro/Sophos UTM here.
>
> Problem with HTTPS is you need to load your own certificate on every machine otherwise you are going to have security breach popups all over the show.
Fortigate blocks without cert errors; no need to load certs into the client's store. OpenDNS also blocks with no extra cert configs required.
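An added example (not code from the thread or from any product named in it) of the mechanism behind blocking HTTPS to a domain name without decrypting traffic or installing certificates on clients, as asked in the original post and stated in the reply above: the TLS ClientHello carries the requested hostname in clear text in the SNI extension, so a filter can read it and drop the connection before the handshake completes. The blocked-domain list and the constructed ClientHello are assumptions for the demonstration.

```python
import struct

def extract_sni(rec: bytes):
    """Hostname from the SNI extension of a raw TLS ClientHello record, or None."""
    try:
        if rec[0] != 0x16:  # TLS record content type 0x16 = handshake
            return None
        hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
        if hs[0] != 0x01:  # handshake type 1 = ClientHello
            return None
        p = 4 + 2 + 32  # handshake header, client_version, random
        p += 1 + hs[p]  # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]  # cipher suites
        p += 1 + hs[p]  # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:  # walk the extensions
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:  # server_name (RFC 6066)
                q = p + 2  # skip ServerNameList length
                while q + 3 <= p + elen:
                    nlen = struct.unpack("!H", hs[q + 1:q + 3])[0]
                    if hs[q] == 0:  # name_type host_name
                        return hs[q + 3:q + 3 + nlen].decode("ascii", "replace")
                    q += 3 + nlen
            p += elen
    except (IndexError, struct.error):  # truncated or malformed record
        pass
    return None

def verdict(rec: bytes, blocked=("facebook.com", "twitter.com", "youtube.com")):
    """'block' if the SNI is a listed domain or a subdomain of one; 'no-sni' if the filter has no name to match on."""
    name = extract_sni(rec)
    if name is None:
        return "no-sni"  # bare-IP connections, ECH, old clients: policy must decide separately
    name = name.lower().rstrip(".")
    return "block" if any(name == d or name.endswith("." + d) for d in blocked) else "allow"

def build_client_hello(hostname: str) -> bytes:
    """Constructed sample input: minimal TLS 1.2-style ClientHello carrying only an SNI extension."""
    sni = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(sni)) + sni  # name_type 0, length, hostname
    ext = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry  # type 0, ext len, list len
    body = b"\x03\x03" + bytes(32) + b"\x00\x00\x02\x13\x01\x01\x00" + struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Handshakes that carry no SNI (a connection to a bare IP, or Encrypted ClientHello) give such a filter nothing to match on, which is why the verdict reports them separately instead of silently allowing them.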
 

SauRoNZA

Honorary Master
Joined
Jul 6, 2010
Messages
36,195
> Fortigate blocks without cert errors; no need to load certs into the client's store. OpenDNS also blocks with no extra cert configs required.
Yes Sophos can block using the firewall itself as well.

However then you don't have any stats on your proxy as the data isn't actually tracked.

So all depends on your particular needs.

OpenDNS makes sense as it gets blocked long before it even reaches you.
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,499
> Yes Sophos can block using the firewall itself as well.
>
> However then you don't have any stats on your proxy as the data isn't actually tracked.
>
> So all depends on your particular needs.
>
> OpenDNS makes sense as it gets blocked long before it even reaches you.
Yes, the nice thing about OpenDNS is one can try it without any significant change to their infrastructure. Only little catch is they don't have nodes in Africa, but it's aight.
 

Clarotech

Clarotech representative
Company Rep
Joined
Aug 7, 2013
Messages
293
Fortinet FortiGate should do pretty much all of what you have mentioned.

With regards to MAC addresses and DHCP assignments, you can enable device identification on FortiGate, which will then allow you to add aliases to MAC addresses. I have a couple of laptops and Pi's on the network running Linux which don't do the FSSO stuff, so I've created aliases for them and created firewall policies based on that alias, so no matter what IP they get, the same policy applies. In the case of laptops you can add both the Wi-Fi and LAN MAC to a single alias. If you have AD, the Fortinet Single Sign-on can authenticate access based on AD groups, which gives you nice flexibility to create different levels of access.

The content filtering can be done by categories, i.e. adult, social networking etc. You can also block specific sites, but I find categories do the job for most people. I haven't looked too deep into the HTTPS inspection, but I know it's there.

The reporting from FortiAnalyzer is also really great for high level overview of traffic and threats.

Another recent cool feature on Fortigate we discovered was the vulnerability scanner, which allows you to scan devices on your LAN for vulnerable software. So we can see which machines need patching etc.

We deploy FortiGates, so if you like drop me a PM. :)
 

jsheed_sa

Executive Member
Joined
May 27, 2005
Messages
5,153
> With pfSense most of these tasks are trivial, we do most of it already. Have a look (pfsense.org), they offer paid support as well, but to be honest, it works so well we never needed it.

+1 for pfSense - very easy to set up and they do have commercial support plans / devices.
 

Saajid

Expert Member
Joined
Aug 8, 2008
Messages
4,542
Thanks guys for all the replies, and PMs. I will take a few days to a week to absorb all this, play around with the demo sites, and do further investigations. I will probably have some more questions too.
 

MikeSmith

Member
Joined
May 29, 2014
Messages
12
If you are looking at an appliance, you can go with the Juniper SRX or Cisco ASA; if not, then pfSense is great.
 

syntax

Executive Member
Joined
May 16, 2008
Messages
7,760
> If you are looking at an appliance, you can go with the Juniper SRX or Cisco ASA; if not, then pfSense is great.

Never worked on pfSense. But I come from a background of Juniper and Cisco. I would not use either product as a firewall, let alone a UTM device.

Some reasons:

ASA
- Web filtering and UTM functionality is almost non-existent.
- Requires licensing for additional features like AnyConnect.
- Port density is usually quite low.
- Expensive.

Juniper
- Does not integrate with AD properly.
- Policies are awful to work with.
- Licensing again is a headache.
 

Grep

Senior Member
Joined
Nov 21, 2006
Messages
905
Another vote for Sophos, it is pricey but worth every cent.
 

nand

Senior Member
Joined
Nov 2, 2012
Messages
742
> If you are looking at an appliance, you can go with the Juniper SRX or Cisco ASA; if not, then pfSense is great.
+1 pfSense is great, but if you're doing serious stuff, get a Cisco ASA.

There's always the purist option as well: OpenBSD & pf / Linux & iptables.
 

kianm

Honorary Master
Joined
Jan 13, 2014
Messages
10,499
> +1 pfSense is great, but if you're doing serious stuff, get a Cisco ASA.
>
> There's always the purist option as well: OpenBSD & pf / Linux & iptables.

Does pfSense have UTM features?
 