Selecting the right Firewall - Open Source or Commerical solution

Hi guys, i`m looking to get a firewall for a small ISP business and im not sure what to go for as i don`t think the standard firewalls used in organizations would be suitable. Anyone know what I should be looking for? I`d prefer going down the path of opensource (free/paid) as long as it gets the job done. I`m, also aware of Cisco ASA, PIX ect but again I don`t know what I should be looking for to ensure the firewall is not a bottleneck on the network and if the Cisco products would be suitable.

Any suggestion, advice, comments would be appreciated

Cheers!

Hello Skylimit,

To answer that question properly you have to define what you want this device to keep out. It's one thing to want security but simply installing one device and turning the power on won't be enough. Most devices require a bit of configuration and administration. For example one of the most common problems:

Problem: DOS\DDOS - Attempts to bring down your network by sending a flood requests.

Solution: Block traffic with an access control list (acl on your router or firewall), an IDS to monitor the network traffic and alert admins of threats and an IPS take action and automatically deny traffic from threats when a set threshold has been breached(too many concurrent connections from one source in x time etc.)

Note: each of these devices do a specific job and need to be configured as such. The router/firewall needs to know what to permit/deny. The IDS and IPS need to be made aware of what is considered a "breach" to take action on or make an alert for.

Unfortunately DDOS while extremely common isn't the only threat and it's guarding against each threat requires a bit of configuration. In addition you can literally spend an infinite amount trying to secure a network and there will always be a vector. My advice would be to create a budget, identify your threats and then try to block as many as you can with your funds.

As for your request of a specific device for a small ISP, I would start by looking into Cisco firewall/IPS systems and ACL configuration. You can get open-source firewalls but if something goes wrong you're on your own. It's much cheaper for an ISP to pay a bit up front for a good device and a little each month for a license/support then to get a "free" software that is not supported and constantly creating a downed network.

And just for the record I'm not anti-open source, I'm just very anti-downtime. Open source is great for small things with little consequence but the first time you get a bgp route dampened
by a downstream peer because it considers your network traffic bad you'll quickly wish you didn't get the thing without support.

I've got to agree with Nevins in regards to open source solutions. I too use them quite a lot, however its a big risk when it comes to business continuity and downtime. I've also been in the uncomfortable position of having a customer's open-source solution not working correctly and having a very difficult time trying to resolve the issue.

The way I see it is that you present two solutions to management, along with the associated costs and then let them decide which way to go. Of course, you propose which you believe is best. In the case the company decides to go with the open-source solution, due to costs, then its their problem in case things go bad and you experience downtime for whatever reason.

Touching on the Firewall solution, yes you can go for a Cisco ASA or alternatively you can also look into a Cisco Router in case your more familair and comfortable with them. Routers tend to be somewhat easier to handle for engineers less-experienced with ASA Firewalls.

In any case, both ASA Firewalls and Cisco Routers have their GUI interfaces that will help make the configuration process a lot easier. From there on, you can also turn to a certified engineer or IT company that will help you set up the equipment of your choice.

Hope this helps.

p.s I've also changed the topic to a more suitable one for our readers reference.

Chris.

Thanks Nevins and Chris for your response.

I probably should have stated why I'm looking to deploy a firewall. Basically our public ip appears to have been blacklisted and investigation shows we may be dealing with a botnet hence why I opted for a firewall to be put in (we are fairly new and I cant say why this wasn;t thought of from the start since I wasn't with the company from the start). So far, SMTP port 25 has been blocked to no avail as we are still seeing high outbound traffic on the subscriber management system and blacklist checks still reports activity. I also tried doing a packet capture on the subscriber system to see if I could narrow down compromised machines so as to clean/format them, instead of visiting every client as they're load but I couldn't get much

I strongly believe a firewall would help solve the problem (please correct me if you have more experience in this area) because we can then control traffic coming in/going out. Also, firewall logs should be able to show requests from infected machines which will enable us clean up such systems, block/monitor such ports, etc

With regards to open source or commercial, as we are still growing, the first thing that came to mind was cost; however, for open source I was looking at a "finished" like ones from Netgate, OPNsense, Tranquilnet, as opposed to configuring one up myself if this makes sense. Are these so called finished products, with or without support also big risks to an organisation, Chris/Nevins? Please kindly enlighten me. Chris or anyone, can you also tell me a bit more about router firewalls please i.e. your experience with it, as I could google it up

From your response so far, we may even have to go for the ASA, as long as I can put a business case for it, meaning I'll have to take some time to learn how to configure it maybe using gns3 or whatever i can find. I can configure routers ( ccna going to NP) and have only managed an ASA using the SDM, so not much experience with firewalls)

many thanks for your insight on the cons of open-source as I've never really thought of them

"Basically our public ip appears to have been blacklisted"

Hello Skynet,

Lets go a bit deeper here. Who is blacklisting your IP? What criteria do they blacklist IP addresses for? What is the threshold? What is your agreement with your customers? Are they operating within allowed limits?


As an ISP you're providing a service. It's in the name. So shutting off super common ports like SMTP 25 isn't ideal because people commonly use it. It's akin to being an ISP that doesn't allow port 80 traffic.


So what can you do? Well the first step is going to be finding out exactly what traffic you can't send. Then using some sort of network scanning tool to figure out who's sending the bad traffic then implement a policy/context based access control list that filters that type of spam traffic.

This is not an easy fix because unblacklisting your IP is totally at the discretion of the entity black listing it unless they have some legal agreement with you as an upstream provider.