Looking to build a firewall - recommendations?


denisl (Member, Dec 20, 2014)
I'm a novice slowly building out some equipment in my house and would like to add some security for my network. I have a couple of VMs accessible over the internet, one of which is ownCloud, that I'd like to protect/harden. Is pfSense the way to go? I read about Sophos as well and I'm really not sure what's best for me. Although I do enjoy all this, my time is limited, so something with a quick setup time is preferred. But I don't want to spend $700 on a prebuilt pfSense appliance. I was thinking of pfSense with Snort for IDS.

My question is both HW and SW. I was thinking a 1U Atom 525 off eBay for $100 and pfSense/Snort.

Any considerations I should be thinking about?
Thanks

denisl (Member, Dec 20, 2014)
Thanks for the reply. How does that R210 compare to an Atom 1U server in power and fan noise?
I already have 2 servers in the rack: 1 Dell R710 (running my backups) and 1 Supermicro running VMware.
I'm looking for something with low noise, reliable and ideally low power, but I would sacrifice power consumption for quietness.

MiniKnight (Well-Known Member, Mar 30, 2012, NYC)
How much traffic are you pushing? Like do you have a 100Mbps WAN, 1Gb WAN, 10Gb WAN?

Any VPNs? I'm still a big proponent of using C2558s or C2758s as they're awesome for pfSense. A1SRi-2758F or the like.

Check out pfSense with Suricata as well.

Alfa147x (Active Member, Feb 7, 2014)
I would also consider the low power AMD chips for this. They're cheap (especially when on sale) and efficient. I bought the AMD 3850 Kabini + MSI AM1I for my Sophos box.

Churchill (Admiral, Jan 6, 2016)
Bought a 1U Supermicro Xeon server off Mr. Rackables on eBay for $160 shipped. 8GB RAM, quad core, dual Intel GbE NICs. Installed pfSense and very happy with the result.

mstone (Active Member, Mar 11, 2015)
Bandwidth is a pretty important factor. Most of the solutions discussed fall into the category of "overkill" for a typical home network, and the answer is basically "buy anything you like".

Jeggs101 (Well-Known Member, Dec 29, 2010)
Can I add something to this discussion?

You want low power. This is on 24/7. Quiet is nice, but power to run it and extra air conditioning will matter.

You also want reliable.

Finally, get something with encryption acceleration. It isn't cutting edge tech anymore as even the low end mobile chips have it.

canta (Well-Known Member, Nov 26, 2014)
And the A4-5000 quad-core mini-ITX is cheap, and uses desktop DDR3. Dual slots.
I am using it now to replace a poor J1800 dual-core mini-ITX.

The A4-5000 has hardware AES.
It consumes 5 W more than the J1800.

BTW, the A4-5000 is running Proxmox 4,
with a router and 3 VMs.
I installed 16 GB and went back to 8 GB of RAM since that is more adequate.

Without the SM blower fans and with 2 extra fans from a Lenovo TS140, it consumes 15 W on average, with the router and 3 non-GUI Linux VMs.

I bought it for $35 from jet.com when they had $15 off for first-time buyers.

Alfa147x (Active Member, Feb 7, 2014)
Jeggs101 said:
Finally, get something with encryption acceleration. It isn't cutting edge tech anymore as even the low end mobile chips have it.

Is that the AES instruction set for CPUs or another piece? When does encryption acceleration mostly get used when dealing with firewalls? VPN connections?

Here is a partial list I found. Surprisingly, my AMD A8 has AES but I'm not sure if it's being used or not.

It looks like AMD added AES with the release of the Jaguar family.

CreoleLakerFan (Active Member, Oct 29, 2013)
I put together a pfSense box a little over a year ago. I paired a G2 mini-ITX board with a 2450M, added the 4-port Intel GbE daughtercard and put in a 24GB mSATA SSD. Threw in 2x2 GB worth of SODIMMs and put pfSense on it.

Massive, massive, massive overkill for home use; it averaged about 1-2% utilization. I ended up swapping out the CPU for a 3610M and 16GB from a laptop I wasn't using. I added a Samsung 843T for a datastore and made it my ESXi server. The pfSense VM averages about 5% utilization w/ 2 vCPUs. The whole thing draws ~37W from the wall.

canta (Well-Known Member, Nov 26, 2014)
Alfa147x said:
Is that the AES instruction set for CPUs or another piece? When does encryption acceleration mostly get used when dealing with firewalls? VPN connections?

Here is a partial list I found. Surprisingly, my AMD A8 has AES but I'm not sure if it's being used or not.

It looks like AMD added AES with the release of the Jaguar family.

True, even the low-end A4-5000 has AES included in the CPU, plus extra features that are not used as of today.

I recommended the A4-5000 as a headless workhorse, or the N3150 (Intel) that has AES...
The J1900 does not have AES (why did you do that, Intel? why hicks)....

On Proxmox, I had to select direct CPU access to utilize AES in a VM, since the virtualized CPU does not allow access to the HW AES in the real CPU.

The cheapest is the AMD A4-5000 or AM1 :D. I picked a SoC mini-ITX because it was cheap :D, and added an i340 dual NIC, since it has 4x PCIe 2.0 in a 16x slot.

On a router: VPN is the damn issue when there are many connections with encryption. HW AES helps much!!

Or if you need ECC support, you can get some AM1 motherboards that quietly support ECC UDIMM :D
Stay away from the FM socket.
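Added example for the two questions above (Alfa147x asking whether a CPU's AES support is actually being used, and canta's point that a VM only sees AES-NI if the hypervisor exposes the real CPU). This is a shell script written for this thread, not code from any poster, from pfSense or from Proxmox. It reads a Linux /proc/cpuinfo-style file (the --live path is an assumption about where it runs) and optionally runs the OpenSSL speed comparison; on pfSense/FreeBSD the equivalent check is looking for the aesni device in dmesg, which this script does not do.

```shell
#!/bin/sh
# Added example (not from the thread): does this CPU advertise AES-NI, and does
# the OS (or the guest, when run inside a VM) actually see it?

# has_aes_flag FILE: print "yes" if the cpuinfo-style FILE lists the "aes"
# CPU flag, "no" otherwise. Takes a file so it can be run against a saved
# copy of a host's or a guest's /proc/cpuinfo. -w keeps "vaes" from matching.
has_aes_flag() {
    if grep -E '^flags[[:space:]]*:' "$1" | grep -qw aes; then
        echo yes
    else
        echo no
    fi
}

# cpu_model FILE: first "model name" line, for the report.
cpu_model() {
    sed -n 's/^model name[[:space:]]*: *//p' "$1" | head -n 1
}

# aes_report FILE: one-line summary of the two checks above.
aes_report() {
    printf '%s: AES-NI %s\n' "$(cpu_model "$1")" "$(has_aes_flag "$1")"
}

# openssl_aes_speed: compare OpenSSL AES-256-CBC throughput without and with
# the EVP interface. Only the -evp path uses AES-NI, so a large gap between
# the two lines means the acceleration is really being used. Skipped when
# openssl is not installed.
openssl_aes_speed() {
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not installed; skipping benchmark"
        return 0
    fi
    echo "Without -evp (software AES):"
    openssl speed aes-256-cbc 2>/dev/null | tail -n 1
    echo "With -evp (uses AES-NI when present):"
    openssl speed -evp aes-256-cbc 2>/dev/null | tail -n 1
}

# Run against the machine this is executed on: sh aes_check.sh --live
# (assumed file name; the path /proc/cpuinfo exists on Linux only).
if [ "${1:-}" = "--live" ]; then
    aes_report /proc/cpuinfo
    openssl_aes_speed
fi
```

Run it with --live on the host and again inside the VM. If the host reports "AES-NI yes" and the guest reports "no", the guest's virtual CPU model is hiding the flag; on Proxmox that is the VM's CPU type, where the generic default models such as kvm64 do not pass the aes flag and the "host" type exposes the physical CPU's flags, which is what canta describes as selecting the CPU directly. The -evp benchmark line should be noticeably faster than the plain one when AES-NI is in use; if the two are similar, the hardware acceleration is not being picked up.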

RobertFontaine (Active Member, Dec 17, 2015, Winterpeg, Canuckistan)
With pfSense et al. having such low CPU requirements, doesn't virtualization start to make a lot more sense? You could set up all your miscellaneous servers (LAMP, mail, FTP...) in different environments on the box and the CPU would still never get warm.

I've been looking at Sophos rather than pfSense and even wondering why we mix routers and firewalls in the same environment. With modern virtualization, doesn't it make more sense to separate these two functions? Sorry if that's a naive question, but if one is using the router for LAN as well as WAN, it seems like it might be a bad idea one day?

mstone (Active Member, Mar 11, 2015)
RobertFontaine said:
With pfSense et al. having such low CPU requirements, doesn't virtualization start to make a lot more sense? You could set up all your miscellaneous servers (LAMP, mail, FTP...) in different environments on the box and the CPU would still never get warm.

Dealing with a hosed-up VM environment without a working network sucks. Yes, you can easily virtualize a firewall on almost any hardware these days, but that doesn't make it a great idea.

CreoleLakerFan (Active Member, Oct 29, 2013)
Lots of folks on STH have virtualized their firewalls. I don't think I'd do it in a large production environment, but for home, lab, or my clients who outsource all of their small business needs it works great.

RobertFontaine (Active Member, Dec 17, 2015, Winterpeg, Canuckistan)
I am unaware of a single instance of anyone breaking out of a type-1-ish hypervisor. KVM, Xen, ESXi...

Why is this a bad idea? I don't see the issue.

As to a hosed-up VM... this is the point of having VMs. Instant restore to working state, transfer to other hardware... Virtualization adds a bunch of failsafes that a spare bare-metal server has a tough time matching.

Alfa147x (Active Member, Feb 7, 2014)
canta said:
Or if you need ECC support, you can get some AM1 motherboards that quietly support ECC UDIMM :D
Stay away from the FM socket.

Whoa, this might be a game changer. I did a quick search but didn't find any info about AM1 running ECC memory. Any links?

Any idea if Sophos UTM or pfSense would benefit from ECC?

RobertFontaine (Active Member, Dec 17, 2015, Winterpeg, Canuckistan)
Any production server has ECC as a requirement. Kind of like avoiding the write hole in RAID. In production it is worthwhile to mitigate your risks. DDR3 ECC is so affordable I don't even consider non-error-correcting RAM. I haven't had to price DDR4 lately and am hoping it keeps dropping.