
Suggestions for firewall, gateway, VPN in front of MacMini SNL server

Hi, I'm looking for suggestions for a firewall, gateway, vpn box to place between my cable box and a Mac Mini Snow Leo Server. Looking for easy setup and support, affordable, and decent performance. Site has 3-6 active workers depending on season, would never grow beyond say 10. Maybe 2-3 vpn connections used very sporadically... ie. no one's used a vpn connection on old server in the last 7 months.

Mac Mini Server, Mac OS X (10.6.2)

Posted on Mar 13, 2010 9:35 PM

16 replies

Mar 14, 2010 1:40 AM in response to LewisO

Hi

In addition you could look at ZyXel (the higher spec models), Cisco (of course); Vigor/Draytek have some nice models (IMO). The easy setup question is harder to answer? If you've never used them before they're not really easy, are they? In my experience support is good from all three manufacturers. Depending on where you are in the world, mileage may vary.

Tony

Mar 15, 2010 9:40 PM in response to Antonio Rocco

Had almost settled on a Zyxel unit when the office manager's nephew claims an Apple Airport in between the cable box and server will do just as well - then for the infrequent VPN use the built-in VPN in OS X SL Server. I can see Airport doing NAT, but it doesn't seem as full featured as a hardware security box. Office is trying to watch budget as well as do things 'right'.
Any comparisons, say, between the lower-end/more modest Zyxel boxes and using an Airport?

Mar 16, 2010 3:13 AM in response to LewisO

I'm soon to have the same question: the little Snow Leopard book that comes with it says on page 36 (English version) "Protecting your Network with Airport Extreme" and goes on to include Time Capsule; it says "MACOSX Server can automatically manage it to protect your local network while allowing access to selected services from the internet."

In my book that's offering firewall services, even though I cannot see anything like that (port forwarding etc) in my Time Capsule utility and a friend of mine loudly tells me no such thing is apparent in his Airport Extreme.

That leaves hidden features becoming apparent when Server and Airport or Time Capsule are connected.

Maybe you have an AP or TS you can experiment with.
I have, but have not yet graduated from basic installation of a working system, so can't explore yet.

Anthony

Mar 16, 2010 7:44 AM in response to LewisO

Hi Lewis, Interestingly the port forwarding tab does not appear until Internet/Share a public ip address are selected, and then Advanced does show port mapping. I have never used that combination before now.

To answer your question.
Something like the Zyxel Zywall 2WG (edit: this is NOT a "modem" of any kind, you can't plug adsl into it)

http://www.zyxel.com/web/productfamilydetail.php?PC1indexflag=20040908175941&CategoryGroupNo=81AD76FF-54E8-484F-A2C5-4B2C83DFD32B

can accept a 3g cellphone card for access to internet when/if the landline connection goes down. This is also useful if the LAN ever goes walkabout (travelling) like mine does.

From a security point of view it is my understanding that such devices offer more sophisticated protection represented by these words: "Based on Stateful Packet inspection and Denial of Service (DoS) technology...". When I read up on that (long ago, so now somewhat faded) it seemed to me that this is more than mere port blocking (or opening), it is the testing of incoming packets to decide if they are "attacks". The attack parameters can be configured or left to default.

Also you can configure (as I recall) the machine to email you with varying levels of report about its status and levels of attack: or even simply port accesses.

Such a device is massively more sophisticated than an Airport or Time Capsule. edit: in firewall terms at the very least

Do I think I needed it? No, not really - except for the cellphone WiFi system backup, and also (a major point for me) that it runs off 12 volts (which means a car battery, though a regulated source would be a good idea).

It also offers multiple WiFi networks so you can have your own or put your voip wireless phones or whatever through a separate net.

Don't think it offers the 5gig network I just found my TC offers.

I am now playing with the TC setup and Server Firewall, so I'll be using these for the reason of simplicity until I have more confidence - and there's nothing but test data on the whole machine anyway.

If I had to stick my neck out to answer your question, I'd suggest that what's worthy of review is that the dedicated firewall offers "stateful inspection" and denial of service attack defence, whereas the Apple items do not.

Anthony

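The distinction Anthony draws above between "mere port blocking" and stateful inspection with DoS defence is easy to see on a packet trace. The following is an added illustration, not code from this thread or from any ZyXEL or Apple product: a toy port/flag filter beside a toy connection-tracking filter, both run over the same constructed trace. The server address 10.0.1.2 is the one used later in the thread; every other address, port number and the half-open limit of 3 are assumptions chosen here for the example.

```python
"""Stateful inspection versus port/flag-only filtering, on a constructed packet trace.

Added illustration only; it is not code from the thread or from any ZyXEL or Apple
product. Addresses other than the 10.0.1.2 server are documentation ranges chosen here.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flag letters, e.g. "S", "SA", "A", "R", "F"
    direction: str   # "in" = arrives from the WAN side, "out" = leaves the LAN


Flow = Tuple[str, int, str, int]  # (lan_ip, lan_port, remote_ip, remote_port)


def flow_key(p: Packet) -> Flow:
    """Normalise both directions of one connection to the same table key."""
    if p.direction == "out":
        return (p.src, p.sport, p.dst, p.dport)
    return (p.dst, p.dport, p.src, p.sport)


class StatelessFilter:
    """Port rules only. Inbound is allowed to published service ports, or whenever
    the ACK bit is set (the classic 'established' shortcut, which is just a flag
    check and trusts whatever the sender put in the header)."""

    def __init__(self, service_ports):
        self.service_ports = set(service_ports)

    def decide(self, p: Packet) -> str:
        if p.direction == "out":
            return "allow"
        if p.dport in self.service_ports or "A" in p.flags:
            return "allow"
        return "deny"


class StatefulFilter:
    """Connection table plus a per-source cap on unanswered inbound handshakes
    (a crude SYN-flood guard standing in for the 'DoS' features in the blurb)."""

    def __init__(self, service_ports, max_half_open: int = 3):
        self.service_ports = set(service_ports)
        self.max_half_open = max_half_open
        self.flows: Dict[Flow, str] = {}      # key -> "half" (SYN seen) or "est"
        self.half_open: Dict[str, int] = {}   # remote ip -> half-open count

    def decide(self, p: Packet) -> str:
        key = flow_key(p)
        if p.direction == "out":
            # LAN-initiated connections are trusted; record them so replies match.
            if "S" in p.flags and key not in self.flows:
                self.flows[key] = "est"
            return "allow"
        state = self.flows.get(key)
        if state is not None:
            if state == "half" and "A" in p.flags:      # handshake completed
                self.flows[key] = "est"
                self.half_open[p.src] -= 1
            if "F" in p.flags or "R" in p.flags:         # teardown: forget the flow
                if self.flows.pop(key) == "half":
                    self.half_open[p.src] -= 1
            return "allow"
        # No state: only a bare SYN to a published service may create some.
        if p.flags == "S" and p.dport in self.service_ports:
            if self.half_open.get(p.src, 0) >= self.max_half_open:
                return "deny"                             # too many pending from here
            self.flows[key] = "half"
            self.half_open[p.src] = self.half_open.get(p.src, 0) + 1
            return "allow"
        return "deny"


SERVER = "10.0.1.2"          # the Mac Mini from the thread
REMOTE_WEB = "192.0.2.80"    # constructed: a site the server browses to
VISITOR = "198.51.100.7"     # constructed: legitimate client of the published web site
ATTACKER = "203.0.113.9"     # constructed

TRACE: List[Packet] = [
    Packet(SERVER, 52000, REMOTE_WEB, 80, "S", "out"),   # server opens a web connection
    Packet(REMOTE_WEB, 80, SERVER, 52000, "SA", "in"),   # the reply to it
    Packet(VISITOR, 40001, SERVER, 80, "S", "in"),       # visitor to the published port 80
    Packet(ATTACKER, 4444, SERVER, 5900, "A", "in"),     # ACK probe at an unpublished port
    Packet(ATTACKER, 4445, SERVER, 5900, "S", "in"),     # plain SYN at an unpublished port
] + [
    Packet(ATTACKER, 5000 + i, SERVER, 80, "S", "in")    # burst of SYNs, never completed
    for i in range(5)
]


def run(filt, trace: List[Packet]) -> List[str]:
    return [filt.decide(p) for p in trace]


def compare(service_ports=(80,)) -> Dict[str, List[str]]:
    """Decisions of both filters over TRACE, packet by packet."""
    return {
        "stateless": run(StatelessFilter(service_ports), TRACE),
        "stateful": run(StatefulFilter(service_ports), TRACE),
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:9s}", " ".join(verdicts))
```

Packet 4 is the telling one: the flag-only filter lets the ACK probe through to the unpublished VNC port because the header claims the connection already exists, while the stateful filter denies it because nothing in its table matches. The SYN burst at the end shows the other half of the blurb: after three unanswered handshakes from one source the stateful filter stops accepting new ones, whereas the port filter keeps accepting them as long as port 80 is published.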

Mar 16, 2010 7:55 AM in response to Anthony Mellor

about face. Just peeked into the Server firewall settings. This all looks pretty sophisticated stuff; my point being it may well give balance to my comments above about Apple TC and router not being so clever. The difference here is that the firewall stuff is built in to the server not the hardware - which is a whole other design discussion but clearly Apple have come down on the side of putting it in the software.

I'd better stop talking: see About Firewall Security in Server Help.

anthony


Mar 16, 2010 8:31 AM in response to Anthony Mellor

here's how I just enabled server management of airport/time capsule:

(1) changed Time capsule Connection sharing to Share a public ip address
(which makes "advanced" "port mapping" appear.)
(2) set Time capsule Internet connection to connect to router on 192.168 network
(3) set Time capsule to offer DHCP in 10.0.1 range
(4) set Time capsule own address to be 10.0.1.1
PLUG in ethernet cable to Mac Mini and Time Capsule
Activate Ethernet and deactivate Airport
(5) set Mac Mini Server Manual ip address to 10.0.1.2
(6) set Mac Mini Server DNS addresses to 127.0.0.1, 10.0.1.1
(7) set Mac Mini Server / Server Admin / DNS / Zones / Machine name / IP Address = 10.0.1.2

and now I am seeing if anything still works - report back shortly.

So:

Server reads its own web pages and surfs the internet.
Client on the 10.0.1 network does not; it has DHCP DNS given as 10.0.1.1 (the Time Capsule "router"). I have added 10.0.1.2 and, since that overwrote the DHCP-provided entry, also 10.0.1.1, and this client laptop now accesses both the server web pages and surfs the internet. Edit: laptop NOT accessing server... it hits the 192.168-networked router (the one whose WAN faces the outside world), one beyond the Time Capsule.

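The symptom at the end of the procedure above (the server sees its own pages, a client on the same LAN ends up at the outer router) is what a name resolving to a public address from inside the NAT looks like. Here is an added diagnostic for it, not part of the post: it classifies the answers a client gets for the server's name against the LAN used in the post (10.0.1.0/24, server at 10.0.1.2) and checks which resolver the client asks first. It assumes, as the post's step (7) suggests, that the Mac Mini's own DNS holds the zone with the 10.0.1.2 record, and that the Time Capsule at 10.0.1.1 only forwards queries upstream; the hostname `server.example.com` in the usage line is hypothetical.

```python
"""Which address does a LAN client actually get for the server's name?

Added diagnostic for the procedure in the post above; not part of the thread.
Assumes, as in the post, that the LAN is 10.0.1.0/24, the Mac Mini is 10.0.1.2 and
runs the DNS zone, and the Time Capsule at 10.0.1.1 only forwards queries upstream.
"""
import ipaddress
import socket
from typing import Iterable, List

LAN_NET = ipaddress.ip_network("10.0.1.0/24")
SERVER_LAN_IP = ipaddress.ip_address("10.0.1.2")   # also the resolver serving the zone
TC_RESOLVER = ipaddress.ip_address("10.0.1.1")     # what DHCP hands out by default


def classify_answers(answers: Iterable[str]) -> str:
    """'lan' if the name maps only to the server's LAN address, 'public' if any
    answer lies outside the LAN (the client would then hit the outer router),
    'other-lan' for some other inside address, 'none' for an empty answer."""
    addrs = [ipaddress.ip_address(a) for a in answers]
    if not addrs:
        return "none"
    if all(a == SERVER_LAN_IP for a in addrs):
        return "lan"
    if any(a not in LAN_NET for a in addrs):
        return "public"
    return "other-lan"


def first_resolver_is_server(resolvers: List[str]) -> bool:
    """Clients use the first resolver that responds, so the host serving the
    zone has to be listed first or its private view is never consulted."""
    return bool(resolvers) and ipaddress.ip_address(resolvers[0]) == SERVER_LAN_IP


def diagnose(answers: Iterable[str], resolvers: List[str]) -> str:
    kind = classify_answers(answers)
    if kind == "lan":
        return "ok: name resolves to the server's LAN address"
    if kind == "public" and not first_resolver_is_server(resolvers):
        first = resolvers[0] if resolvers else "nothing"
        return (f"split-horizon miss: client asks {first} first and gets a public "
                f"address; hand out {SERVER_LAN_IP} first via DHCP")
    if kind == "public":
        return "public answer although the server is first: check the zone record"
    if kind == "none":
        return "no answer: check the zone is loaded and the client can reach the resolver"
    return f"resolves inside the LAN but not to {SERVER_LAN_IP}: check the zone record"


def live_answers(name: str) -> List[str]:
    """Real lookup through the client's configured resolvers (needs the network)."""
    infos = socket.getaddrinfo(name, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    import sys
    # Usage: python check_dns.py server.example.com 10.0.1.1 [more resolvers...]
    name = sys.argv[1] if len(sys.argv) > 1 else "server.example.com"  # hypothetical
    resolvers = sys.argv[2:] or [str(TC_RESOLVER)]
    try:
        answers = live_answers(name)
    except socket.gaierror:
        answers = []
    print(diagnose(answers, resolvers))
```

Run it on the laptop with the resolver list the client actually has (the DHCP-provided 10.0.1.1 in the post); a "split-horizon miss" means the Time Capsule forwarded the query upstream and returned the public address, so the client never consulted the zone on the server.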

Mar 16, 2010 8:54 AM in response to foilpan

An Apple Airport is a reasonable choice for a home user, and not as good for servers; ask your boss's nephew how to establish a VPN into the LAN when the server is down, for instance. If you use a remote power strip (about US$100) to force a reboot of this box, you need to connect to the power strip.

A mid-grade firewall will also prevent the riff-raff from hitting and loading up the server itself, too.

There are also some issues with Airport and L2TP; there are various reports around the forums ([here is one|http://discussions.info.apple.com/thread.jspa?threadID=2316810]) that the device does not necessarily correctly pass a VPN through to the host.

Mar 17, 2010 8:14 AM in response to MrHoffman

I've also had general issues with Airport bases not reliably passing IPsec traffic, and there's not much you can do to configure them if they're not doing what you want.

I generally only tolerate the Airport units in situations where consumer/home users have already bought them and have no firewall in place already. Otherwise, I only recommend using the Airport base stations as wireless access points.
