[K12OSN] Firewall

"Terrell Prudé, Jr." microman at cmosnetworks.com
Mon Sep 27 23:59:41 UTC 2004


Mark Cockrell wrote:

> This may be a bit off topic, and if so I apologize for that.  Our 
> school is currently running a proprietary firewall, and it's no longer 
> meeting our needs.  I'd like to upgrade but, naturally, have very 
> little in the way of budget.  Can anyone recommend a solid firewall 
> that provides stateful packet inspection, VPNs, IP Tunnels, multiple 
> IP aliases and inbound and outbound packet filtering for about 500 
> -1000 concurrent connections?  And, of course, if it's Free and Open 
> Source, so much the better.  I'm not asking for much, am I?
>

OpenBSD will do these things.  Further, OpenBSD now has the ability to 
set up redundant, failover firewalls which actually keep state during 
the failover!  Only the Cisco PIX, to my knowledge, was able to do this 
consistently, but the PIX is $20,000.  OpenBSD's "secure by default" 
configuration and continuous, on-going code audit get high security 
marks in my book.  It is free as in both speech and beer.  As someone 
else previously mentioned, just about any GNU/Linux distribution will do 
it as well, sans stateful failover.

If you're talking about 500-1000 "regular", unencrypted TCP connections, 
then virtually any Pentium II box with, say, 128MB DRAM will be somewhat 
overkill; a 32MB 486DX-33 will do the job.  If, on the other hand, you 
mean 500-1000 VPN connections, then you'd better get the biggest, 
baddest, beefiest CPUs that you can possibly afford, and preferably more 
than one physical box like that.  Personally, I'd be looking into 
hardware crypto acceleration at that point.

If your powers that be dictate a proprietary solution, then a Cisco 
router (a 2621 or higher) will also do these things, assuming three
or four VPN users.  Anything beyond that, I'd recommend the AIM-VPN/BP 
(or HP) crypto accelerator.

--TP
_____________________
Do you GNU!? <http://www.gnu.org>
Be virus- and spam-free with Free/Open Source Software (FOSS). Check it 
out! <http://www.mozilla.org/thunderbird>
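The "redundant, failover firewalls which actually keep state" that the reply above recommends are built on OpenBSD with two mechanisms: CARP provides the shared gateway address that moves to the surviving node, and pfsync replicates pf's state table between the nodes over a dedicated link so established connections survive the switch. What follows is an added configuration example, not text from the list message; it uses current pf syntax (match/nat-to/rdr-to, which replaced the separate nat/rdr rules of the 2004-era releases), and the interface names (em0 external, em1 internal, em2 crossover), the 192.0.2.0/24 and 10.0.0.0/24 addresses, vhid 1, the CARP password and the 192.0.2.10 web server are all assumed placeholders. Only the primary node is shown; the backup node carries the same files with a higher advskew and the same vhid and password.

```conf
# /etc/hostname.em2 -- crossover link reserved for pfsync (assumed interface/address).
# pfsync carries the whole state table in the clear with no authentication, so this
# link must be a physically isolated cable between the two firewalls, never a shared LAN.
inet 10.0.0.1 255.255.255.0 NONE

# /etc/hostname.pfsync0 -- replicate every state-table insert/update/delete to the peer
up syncdev em2

# /etc/hostname.carp0 -- the LAN gateway address clients point at. Both nodes define it;
# the node with the lowest advskew is master and answers for 192.0.2.1 (assumed values).
# A second carp interface on the external side is configured the same way.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 pass CHANGE_ME_SHARED_SECRET advskew 0

# /etc/pf.conf -- stateful filter. The state entries these rules create are exactly
# what pfsync copies to the backup, which is why the failover keeps connections alive.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan_net = "192.0.2.0/24"

set skip on lo
block log all

# CARP advertisements and pfsync traffic are per-node plumbing: allow them, but
# mark them no-sync so their own states are not replicated back and forth.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)

# Outbound from the school LAN: state is created on the way out, so replies are
# matched against the table rather than against a separate inbound rule.
match out on $ext_if from $lan_net to any nat-to ($ext_if)
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state

# Inbound: only what is explicitly published, here HTTPS forwarded to an internal
# web server (assumed address). Everything else hits the default block.
pass in on $ext_if proto tcp from any to ($ext_if) port 443 rdr-to 192.0.2.10 keep state
```

After `sh /etc/netstart` on both nodes, `ifconfig carp0` shows one node as MASTER and the other as BACKUP, and `pfctl -s state` on the backup lists the same connections as the master. Pulling the master's power is the test that matters: the backup's carp0 should switch to MASTER within a few seconds and an SSH or HTTPS session through the pair should continue without reconnecting. The two things to get right from a security standpoint are the isolated pfsync link (the state table reveals every active internal connection) and a CARP password that is actually changed from the placeholder, since any host on the segment that can forge CARP advertisements with the right vhid and password can claim the gateway address.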