[Gllug] Fwd: Information Request: Firewall Kit

James Courtier-Dutton james.dutton at gmail.com
Fri May 4 21:27:31 UTC 2012


On 3 May 2012 15:21, Alfred Kernaghan <alfakern at gmail.com> wrote:
>
>
> ---------- Forwarded message ----------
> From: Alfred Kernaghan <alfakern at gmail.com>
> Date: Thu, May 3, 2012 at 3:20 PM
> Subject: Information Request: Firewall Kit
> To: gllug at gllugg.org.uk
>
>
> Hey all,
>
> I'm looking after 4 racks of servers in London, up until now they've just
> been locked down as much as possible individually using iptables on each
> machine (and blocking/removing public interfaces where they're not strictly
> necessary).  We're in a bit of upheaval at the moment due to going for PCI
> Compliance and improved security, so I'm securing/segmenting the network as
> it stands.  As opposed to a central software based firewall, the company's
> opted to go down the hardware route and get a full fledged firewall.
>
> I don't have a lot of experience with hardware/dedicated firewall
> appliances, but I've had recommendations for a few different brands, Cisco,
> Checkpoint, Watchguard and Barracuda.  As you'd all know, attempts to ask
> our vendor or Google for recommendations has been relatively fruitless in
> that I feel I'm getting up-sold (as much as possible) on very biased
> recommendations!
>
> Our requirements aren't huge, it's for a moderate to high use UK website
> (runs along happily at ~12mbps on our burstable pipe 99% of the time) and
> will simply need to firewall between 3 internal VLANS (1x DMZ and 2x
> private).
>
> It's not money dependant really, I just want to get something recommended by
> someone in the industry who's not in it just for a kick back, and will
> support our simple requirements, with room for growth of course.
>
> Could anyone shed any light on any of the above vendors, or recommend anyone
> else (I'm completely open to ideas).  As a base, I've been looking so far at
> the Watchguard XTM 3 or 5 series and the equivalent model(s) from Barracuda
> Networks.
>

"PCI Compliance" is actually quite difficult to get right.
I would be surprised if some open source firewall will be enough.
That is why I suggested EAL4+ firewalls.
For projects I have worked on, PCI Compliance adds millions to the
cost of the project.
For those the PCI Compliance was required due to the processing of
Visa Cards on a web site, and the associated personal data and the
required security assurance around it.
Do not under estimate the cost of PCI Compliance.
Most of the time, it is cheaper to use a PCI compliant 3rd party to
handle the Visa Card Payments.
--
Gllug mailing list  -  Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug




More information about the GLLUG mailing list