Re: firewalls
- From: Martin Johnson <notformail@xxxxxxxxxxx>
- Date: Mon, 20 Dec 2010 11:07:38 +0000
On 19/12/2010 15:28, Supersleuth wrote:
> Hello
>
> I need to set up a firewall for our office.
>
> On outgoing traffic I want to be able to block certain ports and
> URLs per MAC address, so that on certain machines ONLY I can allow
> sites like Facebook (required by our CEO) while blocking it from
> other employees.
>
> Also, I have only 3 employees that need FTP, so I would like to block
> FTP for the rest.
>
> I also need it to be a VPN gateway for employees working externally,
> and to be able to open certain ports on incoming traffic.
>
> Will the Cisco ASA 5500 series do this, or does anyone else know a
> better solution - hardware or software?
>
> Many thanks
The ASA 5505 is a nice cheap box if your needs are modest. It is
fanless and diskless and doesn't burn many watts - all good. It's a
shame the rackmount kit costs extra, but the licensing costs will be
more significant if you need lots of users.
I would strongly consider using 802.1x port authentication on your
switches in order to assign different user groups to different VLANs
based on their roles, with each user's PC supplying different 802.1x
login credentials.
Place printers and phones into statically allocated VLANs with heavy
egress filtering.
Place unauthenticated PCs into a guest VLAN, and depending on policy,
either shut that VLAN down completely, or firewall it off from your
internal networks and give it low-speed internet access.
802.1x makes it reasonably difficult for staff and visitors to go
plugging their virus-infested home laptops into your main LAN, or
creating unauthorised Wi-Fi hotspots. Not infallible, but fairly
effective in practice.
I would probably use multiple security devices, each with a limited
number of functions - giving a simple configuration on any one device.
I would do any URL filtering or other Layer 7 stuff on a dedicated box.
The main firewall should do as little as possible, in order to minimise
its attack surface.
I wouldn't rule out open-source firewall appliance distributions,
perhaps in concert with a Cisco ASA on the outside. E.g. pfSense and
m0n0wall run very sweetly on old rackmount servers that are otherwise
too slow to be useful.
Hope this is useful,
- Martin
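The segmentation Martin describes (role VLANs, a locked-down printer/phone VLAN, a throttled guest VLAN that cannot reach internal networks, FTP for a small group only, a few published inbound ports) sketched as a pf ruleset of the kind pfSense or m0n0wall would load. This is an added example, not from the thread or from either project; interface names, VLAN tags, subnets, the PBX address and the published ports are all hypothetical.

```pf
# Hypothetical interfaces and VLANs (assumptions, not from the thread)
ext_if    = "em0"        # WAN
staff_if  = "em1.10"     # VLAN 10: staff authenticated via 802.1x
ftp_if    = "em1.20"     # VLAN 20: the few staff who need FTP
dev_if    = "em1.30"     # VLAN 30: printers and phones, static assignment
guest_if  = "em1.40"     # VLAN 40: unauthenticated PCs (802.1x guest VLAN)
staff_net = "10.0.10.0/24"
ftp_net   = "10.0.20.0/24"
dev_net   = "10.0.30.0/24"
guest_net = "10.0.40.0/24"
internal  = "{ 10.0.10.0/24, 10.0.20.0/24, 10.0.30.0/24 }"
pbx       = "10.0.30.5"             # hypothetical phone system
web_ports = "{ 80, 443 }"
pub_ports = "{ 443, 1194 }"         # hypothetical published services incl. VPN

# Give the guest VLAN a small slice of the uplink (ALTQ, FreeBSD/pfSense)
altq on $ext_if cbq bandwidth 100Mb queue { q_default, q_guest }
queue q_default bandwidth 98% cbq(default)
queue q_guest   bandwidth 2%

set skip on lo0
scrub in all
nat on $ext_if from { $internal, $guest_net } to any -> ($ext_if)

# Default deny; every rule below is an explicit allowance (last match wins)
block log all

# Inbound from the Internet: only the published ports, nothing else
pass in on $ext_if proto tcp from any to ($ext_if) port $pub_ports keep state
pass in on $ext_if proto udp from any to ($ext_if) port 1194 keep state

# Staff VLAN: web and DNS out, no FTP
pass in on $staff_if proto tcp from $staff_net to any port $web_ports keep state
pass in on $staff_if proto udp from $staff_net to any port 53 keep state

# FTP VLAN: same as staff plus FTP control (passive data needs ftp-proxy, omitted)
pass in on $ftp_if proto tcp from $ftp_net to any port { 21, 80, 443 } keep state
pass in on $ftp_if proto udp from $ftp_net to any port 53 keep state

# Printers/phones: heavy egress filtering, only the PBX and NTP they need
pass in on $dev_if proto udp from $dev_net to $pbx port { 5060, 123 } keep state

# Guest VLAN: never into internal networks; web only, and throttled
block in quick log on $guest_if from $guest_net to $internal
pass in on $guest_if proto tcp from $guest_net to any port $web_ports keep state queue q_guest
pass in on $guest_if proto udp from $guest_net to any port 53 keep state queue q_guest

# Traffic that passed an inbound rule above may leave on the WAN
pass out on $ext_if keep state
```

The `block log all` line plus `pfctl -s states` and the pflog interface give you a quick way to see what each VLAN is actually trying to reach before you tighten the per-VLAN rules further.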