

IPA1

@cypresscom.ne

Hardware Firewall

Hello,

I have just signed up for BellSouth Fast Access for business and they have given me a cayman/netopia 3347W. I will not be using the wireless portion of this and it will remain turned off but the question is in regard to the firewall itself.

I currently use a Sonicwall TELE3 SP and since the cayman has a built in firewall, do I need to continue to use the sonicwall? I am up to my limit on nodes and if I keep the sonicwall I will have to upgrade but I am wondering given this new cayman if I need to keep it at all.

I know that there will be some people who will say that there is never enough protection but do I really need the two?

Thanks in advance for your opinions.

cbiggers

join:2000-08-10
San Luis Obispo, CA

I've never been one to advocate multiple firewalls like that. It just can create nightmares later for trying to forward ports, etc. Basically if you have all your machines up to date with service packs, and you have them behind a NAT "firewall", as in each computer is on a non routable IP which is sheltered behind a routable IP, then you should be fine unless somebody is really out to get you. If you need more advanced features like content filtering, QoS, or things like that, then yes you should figure out whichever one has the more powerful firewall and use it. What exactly is behind your network, and why do you think you'd need two firewalls? What was your current purpose of having the Sonic?


IPA1

@cypresscom.ne
Hi. Thanks for the reply. I have a mail server, webserver and 8 workstations.

The sonicwall was my only firewall but now I've just got this new dsl service and the cayman comes with it. It is an all in one modem and firewall.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

I'm not familiar with the two hardware components you are confronted with, but I do have a similar configuration.

On Verizon DSL, I ended up with a Westell 327W provided by Verizon. This is basically a combination DSL modem and NAT router (with some firewalling capability). However, prior to that, I'd been using an SMC Barricade 7004ABR (primarily because it would work with the dial-up connection I had at the time) that provided a rather different mix of hardware firewalling capabilities from that which I get from the Westell. The Westell has very good logging; the logging on the Barricade is virtually non-existent.

Very shortly, I intend to run both with an older PC in between as sort of a guinea pig machine in a DMZ. In my situation, the guinea pig machine is a sort of sacrificial lamb which will receive unsolicited probes on ports (of my choice) from the Westell. I may throw up an unprotected web server on the guinea pig box, check out various software firewalls, AV software, etc., to my heart's content. All the other PCs here will sit behind the Barricade in cascade and consequently will, in fact, largely be behind a double firewall. The guinea pig will not be part of the local LAN used by the other PCs, and each of the others will also have a fully functional software firewall installed (most likely different products from different vendors). In essence, all of the 'working' PCs will then be triply firewalled; only the guinea pig will be exposed -- and, even then, I control how much the guinea pig is exposed by what I choose to forward to it from the Westell.

Now, this is a poor man's test set-up, not at all what you are looking for, I daresay. But, if your mail server and web server machines are intended to provide services to the public Internet space, you could do something very similar, placing them between the Cayman and the Sonicwall. However, if the mail server and web server are only intended to provide their services to your private LAN, this would be a certain amount of overkill, I suspect. (Are you running a peer-to-peer LAN or a client-server LAN?)

And, as cbiggers points out, this can cause complications if you use both firewalls in cascade with no real need to do so. My old solution to needing more nodes was a simple hub, but I'm not sure you can even find them anymore!
--
Regards, Joseph V. Morris
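
The cascade layout discussed above (public-facing servers between the outer device and the inner firewall, workstations behind both) and the port-forwarding complication cbiggers mentions can be checked on paper before any cabling is changed. The following is an added example, not part of the thread and not vendor configuration; all addresses, ports and rule tables are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing for illustration; nothing here comes from the thread.
DMZ_NET = ip_network("192.168.1.0/24")     # segment between outer and inner device
LAN_NET = ip_network("10.0.0.0/24")        # segment behind the inner device
INNER_WAN_IP = ip_address("192.168.1.2")   # inner firewall's address on the DMZ

# Port forwards on each device: {inbound_port: (target_ip, target_port)}
OUTER_FORWARDS = {
    25:   ("192.168.1.10", 25),   # mail server placed in the DMZ
    80:   ("192.168.1.11", 80),   # web server placed in the DMZ
    443:  ("192.168.1.2", 443),   # handed on to the inner firewall
    3389: ("192.168.1.2", 3389),  # handed on, but the inner device has no rule
    8080: ("10.0.0.5", 80),       # mistake: outer device has no leg on the LAN
}
INNER_FORWARDS = {
    443: ("10.0.0.20", 443),
}

def resolve(port, outer=OUTER_FORWARDS, inner=INNER_FORWARDS):
    """Return (verdict, final_ip, final_port) for an unsolicited inbound port."""
    if port not in outer:
        return ("dropped-at-outer", None, None)
    ip, dport = outer[port]
    target = ip_address(ip)
    if target == INNER_WAN_IP:
        # Second hop: the inner firewall needs its own matching forward.
        if dport not in inner:
            return ("dropped-at-inner", None, None)
        lan_ip, lan_port = inner[dport]
        if ip_address(lan_ip) not in LAN_NET:
            return ("misrouted", lan_ip, lan_port)
        return ("lan-exposed", lan_ip, lan_port)
    if target in DMZ_NET:
        return ("dmz-only", ip, dport)
    return ("misrouted", ip, dport)  # target is on no segment the outer device serves

def audit(ports):
    """Map each probed port to its verdict so half-configured rules stand out."""
    return {p: resolve(p) for p in ports}

if __name__ == "__main__":
    for port, result in audit([22, 25, 80, 443, 3389, 8080]).items():
        print(port, *result)
```

A `lan-exposed` verdict is the case worth reviewing: it means a service behind both devices is reachable from outside, so the second firewall is not adding isolation for that port.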


IPA1

@cypresscom.ne

Sitting in front of me on my desk is an old hub I used when I first set the business up so I'll give that a try.

I'm running a client-server LAN and I was thinking that I should keep things simple. Either dump the sonicwall or just have the cayman set up as my WAN Gateway and go straight through to the sonicwall.

It's funny, Bellsouth would have made my life easier (too many choices and config options) if they had given me a plain old modem.


IPA1

@cypresscom.ne
I forgot to mention that I would use NAT for the mailserver and webserver. No DMZ, just 1 to 1 NAT.


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

reply to IPA1
said by IPA1:

> Sitting in front of me on my desk is an old hub I used when I first set the business up so I'll give that a try.

Yes, I myself have a growing collection of cards, cables, modems, routers, hubs, printers (and God knows what else) that dates back to my first PC in 1981.

> I'm running a client-server LAN and I was thinking that I should keep things simple. Either dump the sonicwall or just have the cayman set up as my WAN Gateway and go straight through to the sonicwall.

Not knowing the Cayman at all, I didn't mention that option, but I could do it with the Westell, running it in bridge mode. However (in my particular case), the Westell's firewall is nicer, more configurable, and better documented than the Barricade, not to mention that its logs can be quite detailed, depending on the options selected.

> It's funny, Bellsouth would have made my life easier (too many choices and config options) if they had given me a plain old modem.

:D Yes, I feel your pain.
--
Regards, Joseph V. Morris
over 10 years online! © 1999-2009 dslreports.com.