
To Upgrade or Not to Upgrade?

Discussion in 'Security and Privacy' started by Mr. Chip, 2006/11/20.

  1. 2006/11/20
    Mr. Chip Lifetime Subscription

    Mr. Chip Well-Known Member Thread Starter

    Joined:
    2005/06/30
    Messages:
    427
    Likes Received:
    0
    Greetings,

    I am trying to decide if I should upgrade my hardware firewall. For the past 3 years I have been using a NetScreen 5xt (OS version 4) to protect a Web Server running W2K. I chose this box in 2003 because it was fast and had the features I needed at a good price. I just changed ISPs from DSL to cable and am having trouble getting the NetScreen configured correctly. To top it off, I am making my setup a bit more complex. Now the firewall will not only be protecting a web server, it will also be protecting a small (5 node) LAN and a few stand-alone PCs.

    I was planning on hiring an IT specialist with experience in NetScreen to come onsite and get everything configured. I spoke with one person who said that I may be better off buying a new hardware firewall. He said a lot of improvements have been made in the past 3 years and for under $400 I could have a current machine with current software. Juniper has retired the NetScreen 5xt, so updates are hard to get and pricey.

    I know enough about networking, IP addresses, etc. to be dangerous. I found the NetScreen web interface to be a bit confusing. My total budget to get this up and running is $750 (or less). I am looking for opinions and suggestions on:

    1) Should I buy a new firewall or simply invest in someone configuring my old one? I think it will cost about $200 to get someone to configure my current one.

    2) If you are suggesting a new one, which model would you recommend? Again, I am not looking at spending thousands of dollars. Hopefully there is a ~$500 solution that would protect me and be easy to set up.

    3) Does anyone have an opinion on the SonicWall TZ170?

    Thanks so much!
    Mr. Chip
     
  2. 2006/11/20
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I think this is a tricky one to answer. I don't think there is anything wrong with a 3 year old hardware firewall, if the manufacturer is still supporting it. The case for changing isn't that a lot has changed in the last three years as far as firewalls go, but rather that all it takes is one new vulnerability to pop up that you can't patch and your system could be vulnerable. It's the lack of updates that would make me consider upgrading.

    Also, poor configuration can be more likely to cause vulnerabilities than anything else. The best hardware firewall will be useless if a bad GUI results in you misconfiguring it and/or leaving ports unblocked. Having a firewall that you find easier to configure may be worth the cost alone.

    Having said that, the main jobs a firewall does (blocking ports and monitoring sessions) haven't changed a lot, so your current firewall is probably OK for now.

    The thing I'd consider is the firewall throughput. Can a new hardware firewall within your budget give you the throughput your web server needs? If yes, I think I'd lean towards getting a new firewall. However, make sure you have a play with one before you buy. I think it would be worth taking this opportunity to get a firewall with a good user interface that you understand and therefore, can maintain easily.

    If you can't get the throughput you need for your site, then I think I'd stick with the Netscreen for now, and save for a new firewall in the next year or two.

    Sonicwall kit is always well reviewed. I've only configured one, but that went fine. I use Watchguards for smaller sites at work, which are OK. My main firewall is a Netasq. Quirky (it's French after all) but I like it a lot. I love the user interface. I have network friends who swear by Cisco PIX. Checkpoint used to be the firewall to beat, and they are now affordable for small networks, so also worth considering.
     


  4. 2006/11/20
    Mr. Chip (Thread Starter)
    ReggieB,

    Thank you for your detailed answer! Here is some additional information:

    I found out that Juniper still supports the 5xt and for $160 I can get s/w updates and tech support for 1-2 years. The timeframe is uncertain because they backdate the plan to the last day I was covered. Juniper says updates will be available until 2010 or later. Tech support will help me with configuration as well.

    One of the main reasons I purchased NetScreen was because it offered the best throughput compared to SonicWall and WatchGuard (at the time). With that said, my web server's traffic is fairly low as far as web servers go.

    Thank you for the tips on SonicWall and Watchguard. I am first going to look into the NetScreen support option a bit more. If I have to buy a new one, are there any big differences between the brands you mentioned that a layman like myself should consider?
     
  5. 2006/11/20
    ReggieB
    I've thought of another thing to consider. I would not recommend having a website open to the internet on the same network segment as your LAN. Therefore, I'd recommend that you look for a firewall that has a DMZ (DeMilitarised Zone). A DMZ is a separate network connection that you can connect to your router. If you put the webserver in the DMZ, it will be separated from the LAN and if it was compromised, it wouldn't also result in your LAN being compromised.

    The classic arrangement was

    LAN === [firewall 1]==DMZ==[firewall 2]==internet

    Modern systems tend to combine the two firewalls into one:

    LAN==[ fire- ]
    DMZ==[ wall ]====internet

    So DMZ is just a second network that you can configure separately from the LAN.
     
  6. 2006/11/20
    Mr. Chip (Thread Starter)
    Reggie, excellent point. I never considered this before because up until now the NetScreen was used exclusively for the web server. I reviewed the documentation and did not see a direct reference to DMZ for this model. However, I believe it offers this because the 5xt offers "Port Modes". These are defined below:

    Port Modes allow you to bind physical ports, logical interfaces, and zones. There are 4 options:

    1) Trust-Untrust Mode - (Default) binds the Trust zone interface to the Trust zone and the Untrust zone interface to the Untrust zone.

    2) Home-Work Mode - binds interfaces to the Untrust zone and to new Home and Work zones. The Home and Work zones enable you to segregate users and resources in each zone.

    3) Dual-Untrust Mode - binds two interfaces, a primary and a backup, to the Untrust zone. The backup interface is used only when there is a failure on the primary interface.

    4) Combined Mode - allows both primary and backup interfaces to connect to the Internet and the segregation of users and resources in Home and Work zones. (If your NetScreen-5XT does not have a license key to support this port mode, then this option is not available.)

    Does #2 fit what you are looking for?
     
  7. 2006/11/22
    ReggieB
    In that case, I think there is a very good case for sticking with your current firewall.

    They compete head to head, so I wouldn't expect them to offer very different performance. I'd expect good security to be a given on firewalls from any of the manufacturers I mentioned above.

    The things I'd look for are:
    • Try and get to play with one before you buy. In particular have a look at the user interface and see if you like it and (perhaps more importantly) you understand it. There's nothing like strange syntax to make setting up firewall rules difficult.
    • Ask to see the logs the firewall generates. If you have a problem, it is the logs that will tell you the source. Poor logs can make problem solving a real headache.
    • Compare ongoing support costs. You may find a cheap firewall has high ongoing support costs, so you need to compare them.
    • When comparing costs also include the user licenses. Don't forget that your server will use a "user license". For example, if you have 5 users, 5 user licenses is never enough.
     
  8. 2006/11/22
    ReggieB
    I think so, but I am not familiar with NetScreen's terminology. I'm sure if you ask their support team that you want a DMZ, they'll know what you want and will be able to confirm the right configuration.
     
  9. 2006/11/24
    rsinfo

    rsinfo SuperGeek Alumni

    Joined:
    2005/12/25
    Messages:
    4,076
    Likes Received:
    178
    Free Linux firewalls are also available, with almost all the features of the commercial firewall boxes.

    I have been using Smoothwall (www.smoothwall.org) for the last 2 years & am satisfied with it. On top of that, there are tons of modifications (mods) being done by people all over, which makes it a very powerful & configurable firewall.
     
  10. 2006/11/27
    Mr. Chip (Thread Starter)
    Can a LinkSys Product Solve my DMZ Needs?

    Thank you ReggieB and rsinfo for all of your help so far! I have been researching your posts for the past few days. I met with a friend with an IT background and he agrees with you Reggie that I should set up a DMZ zone.

    I have spent hours on the phone and internet trying to understand exactly what NetScreen's Home/Work zone is and how it compares to a DMZ. Unfortunately, the NetScreen technician who knows this answer is too busy to speak with me. Juniper kept trying to convince me to discard my 5XT and buy a new $1,200 firewall. I am trying to see if there is a more cost effective solution to get a DMZ.

    Reggie, my IT friend was suggesting the following two-hardware device setup which is similar (maybe the same) as what you suggested.

    Internet ==> Router with DMZ ==> splits internet:
    ==> Web Server in DMZ
    ==> NetScreen 5XT Firewall ==> LAN

    So my web server connects directly to the router's DMZ port while my LAN connects to my NetScreen that connects to one of the router's other 10/100 ports.

    My question is can I use a LinkSys router for the first hardware device?

    I already own a LinkSys BEFSX41 EtherFast® Cable/DSL Firewall Router with 4-Port Switch/VPN Endpoint. This product offers a DMZ zone, but is targeted at consumers (cost is under $70). Would it be OK to use this device or does it lack the horsepower/reliability for a web server and my work application?

    Another option would be for me to buy a higher-end LinkSys product. I was looking at the Linksys RV402 10/100 4-port VPN Router. This product costs around $180 (much less than $1,200!). It has 6 ports in the back:

    4 LAN (Ethernet) ports
    1 Internet (WAN1) port
    1 DMZ/Internet (WAN2) port that can be used as a second Internet port (for load balancing) or a DMZ port

    This product seems more robust than the one I have. Some of its specs include:
    • 4-Port 10/100 Switch supports Auto-MDI/MDIX and up to 200Mbps of throughput per port
    • IP filtering for restricted access to the Internet and other network resources
    • Full IPSec Virtual Private Network (VPN) Capability using DES and 3DES Encryption Algorithms
    • Support for MD5 and SHA Authentications Algorithms
    • Create up to 30 simultaneous IPSec VPN Tunnels

    Would either of these products work w/o bogging down my internet pipe?
     
  11. 2006/11/27
    Mr. Chip (Thread Starter)
    Another Question

    I have a follow-up question that I did not see answered in other posts. What are the differences between the following ranges of private addresses:

    192.168.1.xxx
    192.168.0.xxx
    10.0.0.xxx
    10.10.10.xxx

    Is one type more appropriate for a particular application?

    I have a colleague who is also using a NetScreen firewall to protect a web server. His setup is:

    Modem ==> NetScreen ==> LAN

    His NetScreen only talks to the modem (not the Internet). The modem output is another internal network, 10.0.0.xxx. The modem connects with PPPoE and the IP address is set automatically.

    Is this set up any better than the one discussed above?
     
  12. 2006/11/28
    ReggieB
    All those addresses are private addresses and have fairly equal value. 10.0.0.x and 10.10.0.x could be on the same network (depending on which mask you use). Both the 192.168.x.x addresses are probably on different networks.

    Personally, I'd use a 10.x.x.x address except for special networks. My reasons are:
    • 10 is easier to remember than 192.168. Therefore, all you have to remember is that if the address starts with a 10, it's on your network. As long as your IP address starts "10." you can be confident that you are using an IP address that is not in use on the internet and therefore you will have no IP conflict routing issues connecting to the internet.
    • The 10 address space is much larger. Only the first number of the set of 4 is used to define the network area, and therefore you have the other three to play with. Why use 192.168.x.x/255.255.255.0 address space and limit yourself to 254 addresses when you could use 10.x.x.x and have thousands of addresses available? You also have plenty of space to subnet the address to give you many internal sub-networks if you want.

    My personal preference is to use 10.x.x.x/255.255.0.0 addresses when setting up a new network. That allows me to use the second octet to define each sub-network within my whole network. So head office could be 10.0.x.x, and the first branch office, 10.1.x.x and so on. Or if you want to separate accounts you can give them their own subnetwork (e.g. 10.100.x.x).

    I'd then use 192.168.x.x addresses for small networks that I need to be private, but separate from my 10.x.x.x networks. For example, the small network between a firewall and a router, or a DMZ.

    background ramblings
    In the old days of IP, the address space was split up into three classes: A, B and C. It was envisaged that large networks would use Class A, medium networks class B and small networks class C. Ranges of IP addresses were then assigned and bought by various organisations. However, one address space was reserved for private networks in each class.
    • 10.x.x.x were set as the Class A private addresses.
    • 172.16.x.x to 172.31.x.x were set aside as the Class B private addresses.
    • 192.168.x.x were the Class C private addresses.
    So the difference between your four addresses is that the first two are class C and the second two are class A. All the addresses are private and therefore will not work on the internet. To connect to the internet, you will need to use NAT to translate the IP addresses as they pass over the firewall or router.

    OK, so what's the significance of Class? Basically the size of the network. Class C address spaces tend to be smaller than Class A address spaces. However, there are two important points to make:
    • Some time ago it was realised that the old class based system was very wasteful. As the demand for more and more IP addresses became apparent, it was realised that a lot of addresses were not being used in the Class A and B address spaces. Therefore, the system was thrown out and the size of network is no longer based on the IP class. Nowadays, you do not have to use a class C address space if you have a small network. You can purchase a small block of IP addresses in any of the address spaces previously occupied by class A, B and C addresses. Likewise you can use any of the private address spaces for your private network.
    • In a private address space you can break the class rules if you want. So you could use 192.168.0.0/255.255.0.0 which would give you a Class B network in a class C address space. Or you can use 10.0.0.0/255.255.255.0 which is a class C network in a class A address space.
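    The points ReggieB makes above about private ranges, masks and classes can be checked mechanically. The following is an added example (not code from the thread) using Python's standard `ipaddress` module: it reports which RFC 1918 block an address falls in, decides whether two hosts share a subnet under a given mask (the 10.0.0.x / 10.10.0.x case), counts usable hosts, and carves a 10.x.x.x block into per-site /16 subnets as described. All sample addresses are constructed for illustration.

```python
"""Added example: private-address and subnet checks with ipaddress.
Sample addresses below are constructed, not taken from the thread."""
import ipaddress
from typing import List, Optional

# RFC 1918 private blocks, labelled with the old class names used above.
PRIVATE_RANGES = {
    "class A": ipaddress.ip_network("10.0.0.0/8"),        # 10.x.x.x
    "class B": ipaddress.ip_network("172.16.0.0/12"),     # 172.16.x.x - 172.31.x.x
    "class C": ipaddress.ip_network("192.168.0.0/16"),    # 192.168.x.x
}


def private_range_of(addr: str) -> Optional[str]:
    """Return the RFC 1918 block an address belongs to, or None if it is
    a routable (public) address that would need no NAT."""
    ip = ipaddress.ip_address(addr)
    for name, net in PRIVATE_RANGES.items():
        if ip in net:
            return name
    return None


def same_network(a: str, b: str, mask: str) -> bool:
    """True if hosts a and b sit in the same subnet under dotted mask.
    strict=False lets ipaddress mask off the host bits for us."""
    net_a = ipaddress.ip_network(f"{a}/{mask}", strict=False)
    net_b = ipaddress.ip_network(f"{b}/{mask}", strict=False)
    return net_a == net_b


def usable_hosts(network: str) -> int:
    """Host addresses available once network and broadcast are excluded."""
    return ipaddress.ip_network(network).num_addresses - 2


def plan_sites(base: str, site_count: int) -> List[str]:
    """Split a block such as 10.0.0.0/8 into /16 subnets, one per site,
    so the second octet identifies the site (10.0.x.x, 10.1.x.x, ...)."""
    base_net = ipaddress.ip_network(base)
    subnets = base_net.subnets(new_prefix=16)
    return [str(s) for _, s in zip(range(site_count), subnets)]


if __name__ == "__main__":
    for addr in ("192.168.1.10", "192.168.0.10", "10.0.0.10", "10.10.10.10", "8.8.8.8"):
        print(f"{addr:15} -> {private_range_of(addr)}")
    # Same /16? No. Same /8? Yes: the mask decides, not the first octet alone.
    print(same_network("10.0.0.5", "10.10.0.5", "255.255.0.0"))
    print(same_network("10.0.0.5", "10.10.0.5", "255.0.0.0"))
    print(usable_hosts("192.168.1.0/24"), usable_hosts("10.0.0.0/16"))
    print(plan_sites("10.0.0.0/8", 3))
```

    The `same_network` calls show the point made at the top of the post: whether 10.0.0.x and 10.10.0.x are "the same network" is purely a question of the mask, and 192.168.0.x and 192.168.1.x are separate networks under the usual /24 but one network under a /16, which is the "class B network in a class C address space" case.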
     
  13. 2006/11/28
    Mr. Chip (Thread Starter)
    Thanks ReggieB! Your explanation was very helpful. When I set up my network I am going to switch to the 10.x.x.x address range for my LAN.

    I am still waiting to get an official quote from Juniper to purchase my support contract. They sure make it hard for someone to pay them money. You would think it would take less than 2 weeks to buy a support contract!

    I wanted to run a different idea by you. I spoke with my cable ISP last night and they suggested I use the NetScreen firewall as the first line of defense in the following set-up:

    Internet ==> Cable Modem ==> NetScreen ==> 2 zones

    Assign the NetScreen my domain's IP address and configure it with its Home/Work zones:

    Home Zone ==> Web Server (use port forwarding to block all ports except port 80 to the web server)

    Work Zone ==> LinkSys router ==> LAN

    What do you think of this configuration?

    Based on your last post, am I correct that you would have the NetScreen Work Zone connect to the LinkSys router using 192.168.x.x and have the LinkSys router connect to the LAN using 10.x.x.x?

    Thanks again for all of your help on this!!!
     
  14. 2006/11/29
    ReggieB
    Some of the networking big boys are like that. Cisco can be the same.

    Personally, I'd want my DMZ on separate network infrastructure, rather than just a different IP address space. That means having a separate DMZ connection from the firewall and dedicating a small switch to the DMZ network.

    So three ports on the firewall, one to the internet (modem), one to the DMZ and one to the LAN.

    What is the LinkSys doing? Why do you need it at all?

    Use 10.x.x.x for the LAN and 192.168.x.x for the DMZ.
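    As an added example, not part of the thread, the three-port arrangement ReggieB describes here (internet, DMZ and LAN on separate firewall ports, DMZ on 192.168.x.x, LAN on 10.x.x.x) can be written down as an ordered zone policy and tested. The policy lets the internet reach the web server on TCP/80 only, lets the LAN initiate into the DMZ, and gives the DMZ no path into the LAN, so a compromised web server cannot pivot inward, which is the reason for the DMZ given earlier in the thread. Zone names, addresses and rule syntax are constructed for this model and are not NetScreen or LinkSys configuration.

```python
"""Added example: toy zone-based policy for a three-port firewall.
Zone names, networks and rule format are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Zone assignment by network, following the addressing advice in the thread.
ZONES = {
    "LAN": ipaddress.ip_network("10.0.0.0/16"),        # internal users
    "DMZ": ipaddress.ip_network("192.168.100.0/24"),   # web server only
}


def zone_of(addr: str) -> str:
    """Map an address to a zone; anything not internal is UNTRUST (internet)."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "UNTRUST"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # None means any destination port
    action: str             # "allow" or "deny"


# Ordered policy: first match wins, and anything unmatched is denied.
POLICY: List[Rule] = [
    Rule("UNTRUST", "DMZ", "tcp", 80, "allow"),   # public web traffic only
    Rule("LAN", "DMZ", "any", None, "allow"),     # admins can reach the server
    Rule("LAN", "UNTRUST", "any", None, "allow"), # LAN browses the internet
    # Deliberately no DMZ -> LAN rule: the DMZ cannot initiate into the LAN.
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a new connection from src to dst; same-zone traffic never
    crosses the firewall, everything else is checked against POLICY."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone == dst_zone:
        return "allow"
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto in ("any", proto)
                and rule.dport in (None, dport)):
            return rule.action
    return "deny"  # implicit default deny


def dmz_isolated(policy: List[Rule]) -> bool:
    """Sanity check to run after any policy edit: no rule may let the DMZ
    initiate connections into the LAN."""
    return not any(r.src_zone == "DMZ" and r.dst_zone == "LAN"
                   and r.action == "allow" for r in policy)


def log_line(src: str, dst: str, proto: str, dport: int) -> str:
    """Produce the kind of log entry that tells you where a problem came from."""
    verdict = evaluate(src, dst, proto, dport)
    return (f"{verdict.upper():5} {zone_of(src)}->{zone_of(dst)} "
            f"{src} -> {dst} {proto}/{dport}")


if __name__ == "__main__":
    # Constructed sample connections: public client, web server, LAN host.
    samples = [
        ("203.0.113.7", "192.168.100.10", "tcp", 80),    # web request: allow
        ("203.0.113.7", "192.168.100.10", "tcp", 22),    # ssh from internet: deny
        ("203.0.113.7", "10.0.0.5", "tcp", 80),          # internet to LAN: deny
        ("192.168.100.10", "10.0.0.5", "tcp", 445),      # DMZ into LAN: deny
        ("10.0.0.5", "192.168.100.10", "tcp", 3389),     # LAN admin to DMZ: allow
    ]
    for s in samples:
        print(log_line(*s))
    print("DMZ isolated:", dmz_isolated(POLICY))
```

    The ordering matters: a later broad "DMZ to anything" rule would silently reopen the DMZ to LAN path, which is why `dmz_isolated` is worth re-running after every change. The Home/Work port mode discussed earlier has the same one-way shape (Work can reach Home, Home cannot reach Work), so the same test applies to it.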
     
  15. 2006/12/21
    Mr. Chip (Thread Starter)
    Voice From the Past Still Needs Help

    Hi ReggieB,

    I bet you wondered what happened to me. I am sorry I just vanished for a few weeks. First I was swamped with the logistics of moving my office and finalizing a home addition. Then I came down with some kind of super cold bug that has had me off-line for a while.

    I have some good news. After much waiting, I finally have my support contract with Juniper. It took several weeks, but I am now covered through June of 2009. I also upgraded the firmware in my NetScreen to the latest version (5.3).

    Now I am ready to restart our discussion on configuration. NetScreen tech support was very helpful with specific problems - but they said they will not help me with the design of my firewall.

    I now confirmed that my firewall does not have a true DMZ option. Rather, I can configure one of its four ports as a "Home" port and another as a "Work" port. Anything connected to the Home port, or Home zone, cannot see the Work Zone. The Work Zone, however, can see the Home Zone. It is like a poor man's DMZ, since the two zones are not completely isolated.

    To explain my thoughts from my last post: I want to use the NetScreen as my first line of defense because it is a more robust product than my other products. This way, it protects all of my assets. I was thinking of using this Home/Work configuration and having the web server connect to the NetScreen's Home Port. Then, I would use the LinkSys router in between the NetScreen Work Zone and my LAN as a second wall of defense (because the NetScreen does not have a true DMZ).

    In terms of IP addresses, I thought I would use the 192.168.x.x for my cable modem, NetScreen and Web Server and the untrust interface on the LinkSys. Then I would use the 10.0.x.x for the trust side of the LinkSys and my LAN.

    1) Does the above make any sense? If no, how would you recommend I set it up?

    2) Would you be able to help me determine what IP addresses to assign to the cable modem, NetScreen, LinkSys, and my LAN? I am not sure where I should have my web server's static IP reside.

    Thanks for your patience and your help!
    Mr. Chip :)
     
