Hardware firewall

[latrosicarius]

Hello, I am becoming interested in the possibility of buying a hardware firewall that is bi-directional (meaning it blocks outgoing communication from programs that have not been "approved".

Does anyone have any experience using these, and can you recommend some brands/models?


..

Also, can it be configured to allow all incoming connections? This would be "nice to have" so I could continue using the NAT settings on my router instead of opening the router completely and reconfigure all my port forwards again on the hardware firewall.

thank you

[Moby-Dick]

What you would want is an application layer firewall - however for specfiying an "allowed list" of programs , you are better off using a software firewall on each client.

BMK-IT

looks like it might do the trick , otherwise you'll have to stick with a more conventional layer 3 device. You could also look at application level proxies , sch as ISA ( or SQUID for the Open source people )

in a real world scenario , you have you external facing boxes sitting in a DMZ which has 2 firewalls - one to the real word , and one to the private LAN , so you'd have to configure 2 sets of rules anyway.

[latrosicarius]

thanks moby
i wanted to hardware because vista clients have trouble with zone-alarm, and microsoft's firewall for outgoing programs is a JOKE. the biggest fail ever. Ever.






ever

[Moby-Dick]

in what way ? I was never a huge fan of zonealarm.

[latrosicarius]

i'm not a huge fan of zone alarm either. the only reason i use it is because its a million times better than that piece of feces windows vista/2008server bi-directional firewall.

i don't even know how to put into words how much of a massive failure the microsoft fwall is. it's hard to use... you can only do certain functionality from the CLI, not the GUI, it doesn't have the ability to block on a program-by-program basis, nor does it have the ability to make or download lists of programs and set their access levels to different things based on where they are trying to connect to. and when it's working, you don't even have any indication that it is doing its job. an absolute piece of garbage.

[Moby-Dick]

but it can be controlled by group policy , which is very handy indeed. Especially when you plan on controlling over 1400 servers and what is allowed external network access. We'll be running the windows 2008 firewall on our work network , and a great layer of security it'll make.

tbh when my firewall is working , thats all I want it to do - I dont *need* some flashy gui telling me its protecting me from evil hax0rs out there. If a program isn't allowed external access , i dont *need* a popup telling me how good my firewall is in blocking a program from accessing the web.

I've said it time and time again , security is a layered process , there is no single panacea of a product that will make your system secure. only by combining products and network knowledge will you be able to achieve something close to a secure network.

[latrosicarius]

but what about the average client PC? that's what i'm talking about.

Vista & 2008 have the same basic firewall but they made no changes to the vista GUI to allow users to easily implement all the features they need.

And in 2008 server, while the clients may be blissfully unaware that their PCs are being protected by the firewall, i believe the server does indeed retain logs which the administrators can check up on. That may be acceptable in a professional domain environment, but it's not really suitable for a end user to have to dig through logs to see if his personal firewall is working, nor to have to read a tutorial and run abstract commands through a CLI in order to set up controls for programs and ports.