Small Form Factor Firewall

am 27.09.2006 10:26:51 von Will

Does anyone make a small form factor firewall that is manageable by a web
interface, with a rule based configuration similar in principle to
Checkpoint's, but is designed for individual computers or a very small
network? I'm interested in possibly putting a few of these in front of key
network management stations. Because of rootkit viruses, I no longer
believe what a software firewall's logs tell me. The rootkit can
simply hide network activity in the kernel and report back only what it
wants you to see. Because I would use these firewalls one per workstation,
I don't want to be spending $1K or $2K per box.

Some very desirable features:

1) A hard lockout on the firewall that would prevent any configuration
changes or administrative logins unless a button or knob were pressed.
Having a hard-wired read-only mode would prevent a trojan that sniffs your
keystrokes from doing much of use with the userid and password of the
external firewall.

2) Low cost, under $500/firewall.

3) GigE Support. These are being used on an internal network and I don't
want to sacrifice speed.

4) Support for mail alerts as well as alerting back to a GUI gadget on the
Windows desktop.

Are there any good options for this product?

--
Will

Re: Small Form Factor Firewall

am 27.09.2006 11:24:35 von Mak

Will wrote:
> Does anyone make a small form factor firewall that is manageable by a web
> interface, with a rule based configuration similar in principle to
> Checkpoint's, but is designed for individual computers or a very small
> network? I'm interested in possibly putting a few of these in front of key
> network management stations. Because of rootkit viruses, I no longer
> believe what a software firewall's logs tell me. The rootkit can
> simply hide network activity in the kernel and report back only what it
> wants you to see. Because I would use these firewalls one per workstation,
> I don't want to be spending $1K or $2K per box.

you could use a small SonicWALL (TZ170)
> Some very desirable features:
>
> 1) A hard lockout on the firewall that would prevent any configuration
> changes or administrative logins unless a button or knob were pressed.
> Having a hard-wired read-only mode would prevent a trojan that sniffs your
> keystrokes from doing much of use with the userid and password of the
> external firewall.
>
it doesn't have a button but you can disable http/https management on any interface
(e.g. disable for inside/outside interface, enable for opt interface; if you need to change config, connect with laptop
to opt interface or console)
> 2) Low cost, under $500/firewall.

i think they are about $400-500
> 3) GigE Support. These are being used on an internal network and I don't
> want to sacrifice speed.
>
not sure, check specs
http://www.sonicwall.com/products/index.html
> 4) Support for mail alerts as well as alerting back to a GUI gadget on the
> Windows desktop.
>
it can send mail alerts and I think syslogging
> Are there any good options for this product?
>

M

Re: Small Form Factor Firewall

am 27.09.2006 13:40:53 von unknown

Post removed (X-No-Archive: yes)

Re: Small Form Factor Firewall

am 27.09.2006 20:31:22 von Will

"Leythos" wrote in message
news:9rtSg.5203$pq4.3393@tornado.ohiordc.rr.com...
> Almost every "Firewall Appliance" does what you want - check with
> WatchGuard, call them to get the specifics you need to handle. Don't
> settle for a NAT box, you will need a real firewall appliance.
>
> What specifically do you expect the firewall to tell you and detect?

To a management station, I would expect no incoming connections, so I want
that policy enforced and reported.

From the management station, I would expect some standard interactions to a
domain controller (DNS, Kerberos, file share on port 445, RPC
(unfortunately)). Web access might be restricted to a specific internal
network or to Microsoft for updates (a security hole, but not of much use if
the software they plant on your machine cannot get back out). Again, I
want that policy enforced and reported.

The bottom line is that no matter how malware is introduced onto that
machine, it would be nearly impossible for anyone to get any benefit from
that infection. That policy would be enforced in a way that no software
running on the affected machine could do anything to change.

--
Will

Re: Small Form Factor Firewall

am 28.09.2006 15:14:28 von unknown

Post removed (X-No-Archive: yes)

Re: Small Form Factor Firewall

am 29.09.2006 23:35:37 von larstr

Will wrote:
: To a management station, I would expect no incoming connections, so I want
: that policy enforced and reported.

Where are you planning on utilizing this? Internally or for SOHO users?
I believe most SOHO boxes don't currently support GigE. For small remote
offices I have utilized small firewall boxes from Sofaware
(www.sofaware.com). If you're using Checkpoint firewalling you will
recognize these. Sofaware is a Checkpoint daughter company. You can also
manage these centrally from a Checkpoint SmartConsole (or you can use a
web interface on each individual one if you choose to).

For internal networks you also have the option of Cisco NAC. This
requires you to have Cisco switches etc and will handle gigabit load
etc. If you're not using cisco you can get a product such as Trend
Viruswall
(http://www.trendmicro.com/en/products/network/nvw1200/evaluate/overview.htm).
Trend also have a hardware module that can be used in Cisco ASA
equipment.

Other solutions that will give you such functionality on the Client is
Checkpoint Integrity
(http://www.checkpoint.com/products/downloads/integrity_datasheet.pdf) or MS NAP
(http://www.microsoft.com/technet/itsolutions/network/nap/). You can
also combine several of these and they can work together for optimal
protection.

Good luck!

Lars

Re: Small Form Factor Firewall

am 30.09.2006 02:16:40 von Will

wrote in message
news:efk3j9$qva$1@bork.aitel.hist.no...
> Will wrote:
> : To a management station, I would expect no incoming connections, so I want
> : that policy enforced and reported.
>
> Where are you planning on utilizing this? Internally or for SOHO users?

Corporate use internally, way behind the main firewall.


> I believe most SOHO boxes don't currently support GigE. For small remote
> offices I have utilized small firewall boxes from Sofaware
> (www.sofaware.com). If you're using Checkpoint firewalling you will
> recognize these. Sofaware is a Checkpoint daughter company.

You hit the nail on the head. 95% of the product on the market for cheap
firewalls is for home users who have slow WAN connections. There are lots
of small firewall applications on a corporate network where you want to do
something special purpose, with a server or group of servers, or a critical
management workstation. Sometimes you just don't have a clean way to
attach that to a main firewall segment and you have to put something with
the machine locally. As you point out, there isn't a whole lot of
product offering out there for a small intra-corporate firewall with gigE
interfaces on both sides of the firewall.

And to be honest with you, what I really need is something closer to an
ethernet bridge that does firewall-like packet inspection. It would be
awfully nice if for example I could use the corporate DHCP from behind the
small firewall I want to buy.


> For internal networks you also have the options of Cisco NAC This
> requires you to have Cisco switches etc and will handle gigabit load

Probably a major expense.


> etc. If you're not using cisco you can get a product such as Trend
> Viruswall
> (http://www.trendmicro.com/en/products/network/nvw1200/evaluate/overview.htm).
> Other solutions that will give you such functionality on the Client is
> Checkpoint Integrity
> (http://www.checkpoint.com/products/downloads/integrity_datasheet.pdf) or MS NAP
> (http://www.microsoft.com/technet/itsolutions/network/nap/). You can
> also combine several of these and they can work together for optimal
> protection.

Software firewalls are cheap but easily defeated by any sophisticated
rootkit trojan.

--
Will
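As an added example, not posted by anyone in this thread: the policy Will lays out above (no inbound connections to the management station, outbound only DNS, Kerberos, SMB and RPC to the domain controllers plus web to an allowed internal range, everything else dropped and reported) together with his later wish for a transparent bridge that lets corporate DHCP through, implemented on a two-port Linux box with a kernel bridge and iptables. The interface names, bridge name, station address, domain controller list and web range are assumptions set as environment variables; the script prints the commands it would run and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example: transparent (bridged) Linux firewall in front of one
# management workstation. The box itself needs no IP address, so the
# station keeps using corporate DHCP through the bridge.
# All addresses and interface names below are assumptions.

MGMT_IF=${MGMT_IF:-eth1}                   # port facing the workstation
LAN_IF=${LAN_IF:-eth0}                     # port facing the corporate LAN
BRIDGE=${BRIDGE:-br0}
STATION=${STATION:-10.0.0.50}              # assumed workstation address
DC_LIST=${DC_LIST:-"10.0.0.10 10.0.0.11"}  # assumed domain controllers
WEB_ALLOW=${WEB_ALLOW:-10.0.1.0/24}        # assumed internal web range

# Emit the bridge setup and the iptables FORWARD policy on stdout.
gen_rules() {
  cat <<EOF
# bridge the two ports; ARP and other non-IP frames pass unfiltered
ip link add name $BRIDGE type bridge
ip link set $LAN_IF master $BRIDGE
ip link set $MGMT_IF master $BRIDGE
ip link set $BRIDGE up
# make bridged IPv4 traffic traverse the iptables FORWARD chain
modprobe br_netfilter 2>/dev/null || true
sysctl -w net.bridge.bridge-nf-call-iptables=1
# default deny in both directions, then rebuild the chain
iptables -P FORWARD DROP
iptables -F FORWARD
# from the LAN side only replies to connections the station opened
iptables -A FORWARD -m physdev --physdev-in $LAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP must cross the bridge so the station can use corporate DHCP
iptables -A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT
EOF
  for dc in $DC_LIST; do
    cat <<EOF
# station -> $dc: DNS, Kerberos, RPC endpoint mapper, SMB
# (the DC's dynamic RPC port range is not covered here; pin it on the DC
# and add that range as a further rule)
iptables -A FORWARD -m physdev --physdev-in $MGMT_IF -s $STATION -d $dc -p udp -m multiport --dports 53,88 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-in $MGMT_IF -s $STATION -d $dc -p tcp -m multiport --dports 53,88,135,445 -j ACCEPT
EOF
  done
  cat <<EOF
# station -> allowed internal web range only
iptables -A FORWARD -m physdev --physdev-in $MGMT_IF -s $STATION -d $WEB_ALLOW -p tcp -m multiport --dports 80,443 -j ACCEPT
# everything else is logged (the "reported" half of the policy) and then
# falls through to the DROP policy; forward the kernel log via syslog
# to get the mail alerts the thread asks for
iptables -A FORWARD -m limit --limit 10/min -j LOG --log-prefix "MGMT-FW-DROP: "
EOF
}

if [ "${APPLY:-0}" = "1" ]; then
  gen_rules | sh -e
else
  gen_rules
fi
```

Run it once as a dry run and read the output before setting APPLY=1 on the bridge box; because the box has no IP address on the bridge, its own management traffic is not in the FORWARD chain at all, which is one way to get the "no config changes from the protected network" property Will wanted from a hardware lockout button.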

Re: Small Form Factor Firewall

am 01.10.2006 10:09:50 von larstr

Will wrote:
[..]
: Corporate use internally, way behind the main firewall.
[...]
: And to be honest with you, what I really need is something closer to an
: ethernet bridge that does firewall-like packet inspection. It would be
: awfully nice if for example I could use the corporate DHCP from behind the
: small firewall I want to buy.

: > For internal networks you also have the options of Cisco NAC This
: > requires you to have Cisco switches etc and will handle gigabit load

: Probably a major expense.

Protecting your infrastructure with GigE performance doesn't come for
free. If you already have decent Cisco equipment, adding NAC might
not be too expensive.

A free solution would be to use snort and maybe set it up to talk to your
checkpoint firewall (snortsam). You would have to choose span ports
wisely and it's also possible to monitor packets at gigE speeds.
Sourcefire (the developer of snort) almost became a Checkpoint company,
but CFIUS blocked the merger. To use snort you would need dedicated
hardware, probably quite new (fast) hardware.

There is also host based IDS/IPS software that might be able to block
trojans/worms (and spyware) that normal AV software doesn't. ISS has several such
host based products for servers:
http://www.iss.net/documents/whitepapers/ISS_Preemptive_Host_Protection_Whitepaper.pdf

: Software firewalls are cheap but easily defeated by any sophisticated
: rootkit trojan.

MS NAP is not a software firewall.
https://209.34.241.68/nap/archive/2006/09/29/460008.aspx

Good luck!

Lars