View Full Version : Basic question about replacing hardware firewall with Mac Pro server

rainman::|:|
Jul 24, 2011, 11:19 AM
Long time no post,

Basic questions about OS X Server... hard to get detailed answers on Apple's website anymore. I work for a company with about 20 PCs and 1 Mac (soon to be replacing PC workstations with Mac Minis, I hope), a Windows 2003 server, and a wired network connected to the internet through a dedicated Sonicwall firewall device (which also badly manages our VPN connections). The hardware firewall seems overkill, but our work is very sensitive.

I'm making a proposal to upgrade to a Mac Pro server running Lion Server; it's a huge cost increase over a custom-built Windows server, but I'm saying it would eradicate the $2k we spend a year on support for the damn Windows server and Sonicwall. But in order to do that, I have to justify eliminating the Sonicwall entirely.

The Mac Pro has 2 gigabit ethernet ports... surely I can connect the DSL to one and the wired network to the other? Does OS X Server have built-in network-wide firewall capabilities? With so many PCs, we can't have a patchwork of individual firewalls, the machines have to be physically separated from the open internet.

Thanks!



dyn
Jul 24, 2011, 05:43 PM
A dedicated device for firewalling is never overkill; it is the proper way of doing things from a security point of view. Simply put, it comes down to this: if you hack the firewall, you only hacked the firewall. If you use a server that does file sharing, firewalling, etc., and you hack the firewall, you also hack everything else.

The firewall is an added security layer; be wise and do not remove that extra layer, especially since your work is sensitive. Replace the firewall if you're not satisfied with it; there are many competitors out there (GTA, Cisco, Linux, FreeBSD based, OpenBSD, etc.). You could use the Mac Pro for this, but be sure to only do firewalling with it. In that case, getting a normal dedicated firewall is a cheaper option; the Mac Pro can then still be used as a normal workstation or server. If you do want to use OS X, then check out ipfw (it is a FreeBSD thing, so check out their documentation); this is a very good firewall which is widely used.
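What dyn's ipfw suggestion looks like in the two-NIC layout rainman describes (DSL on one port, office LAN on the other), as an added example that is not from any poster in the thread. The interface names en0/en1, the 192.168.1.0/24 LAN subnet and NAT through natd are assumptions, not details from the thread.

```shell
#!/bin/sh
# Added example (not from any poster): an ipfw ruleset for a dual-homed OS X
# gateway, DSL on one NIC and the office LAN on the other, where nothing
# arriving from the DSL side is accepted unless a LAN host asked for it.
# Interface names, the LAN subnet and NAT via natd are assumptions.
WAN_IF=${WAN_IF:-en0}               # DSL side (ppp0 if the DSL uses PPPoE)
LAN_IF=${LAN_IF:-en1}               # office LAN side
LAN_NET=${LAN_NET:-192.168.1.0/24}

# Ordering is what makes this work with NAT (ipfw rules take no comments):
#  00100 the office side is trusted; filtering the server itself is out of scope.
#  00200 inbound packets are un-NATed first, so check-state (00220) sees the
#        real LAN address that the outbound keep-state rules recorded.
#  00300-00320 outbound traffic is recorded (keep-state) BEFORE it is NATed,
#        then jumps past the default deny to 01000 where natd rewrites it.
#  00500 the rule that matters: every TCP connection attempt from the DSL
#        side is logged and dropped; 00999 denies whatever else is left.
# Prerequisites: sysctl -w net.inet.ip.forwarding=1 and natd -interface $WAN_IF.
gateway_rules() {
  cat <<EOF
00050 allow ip from any to any via lo0
00060 deny ip from any to 127.0.0.0/8
00100 allow ip from any to any via $LAN_IF
00200 divert natd ip from any to any in via $WAN_IF
00210 deny log ip from $LAN_NET to any in via $WAN_IF
00220 check-state
00300 skipto 1000 tcp from any to any out via $WAN_IF setup keep-state
00310 skipto 1000 udp from any to any 53,123 out via $WAN_IF keep-state
00320 skipto 1000 icmp from any to any out via $WAN_IF keep-state
00400 allow icmp from any to any in via $WAN_IF icmptypes 3,11
00500 deny log tcp from any to any in via $WAN_IF setup
00999 deny log ip from any to any
01000 divert natd ip from any to any out via $WAN_IF
01010 allow ip from any to any
EOF
}
rule_count() { gateway_rules | wc -l | tr -d ' '; }
# Load the ruleset when ipfw exists (OS X through 10.8, FreeBSD); elsewhere
# print it, so the policy can be reviewed as a dry run on any machine.
apply_rules() {
  if command -v ipfw >/dev/null 2>&1; then
    ipfw -q -f flush
    gateway_rules | while read -r rule; do ipfw -q add $rule; done
  else
    echo "ipfw not found, dry run:" >&2; gateway_rules
  fi
}
case "${1:-}" in apply) apply_rules ;; esac
```

Run it with no argument to review the policy; `sh gateway.sh apply` loads it, and dropped DSL-side attempts show up in the system log via the `log` keyword.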

qwerty9
Jul 28, 2011, 10:06 AM
Mr. Rainman,
Endian on any old PCs that you are replacing can act as a better firewall than Mac Server. Refer to Endian OS.
Earlier I was considering Sonic, Barracuda, etc. But I am so happy and secure with Endian, and there's no subscription on top of it, unless you go for their hardware.
Thanks,

Silencio
Jul 28, 2011, 12:45 PM
Which SonicWall do you have, and what exactly is the matter with it?

I've been mostly pleased with the SonicWalls I've rolled out for clients so far. Once one gets accustomed to how things are configured, it's generally not hard to get them to do what you want. I also found it incredibly easy to set up and manage VPN over L2TP connections on them.

I haven't tried running Firewall on Mac OS X Server since the days of Tiger Server on a PowerMac G5. The performance and throughput were traumatically slow. I'm sure that's not so much of an issue on modern Intel Macs, but I still think it's generally a better practice to run a firewall on a separate device.

HellDiverUK
Jul 28, 2011, 12:54 PM
The hardware firewall seems overkill, but our work is very sensitive.

If your work is very sensitive, then the hardware firewall is not overkill. In fact, the one you have is probably nowhere near good enough. :rolleyes:

You should be looking at a proper firewall, and the LAST thing you should consider is putting your server anywhere near the WAN.

In what universe is putting your server on the internet safer than a hardware firewall? It certainly isn't in this one.

DustinT
Aug 3, 2011, 07:16 PM
IPSW is a terrific firewall that is highly secure. It is also completely free. You simply need a PC that can run it. Most systems set up with a couple of NICs would do the job just fine for 20 users. Unless your work is *really* sensitive, you should be fine.

Then, you can proceed with your plan to deploy Lion Server.

robvas
Aug 3, 2011, 08:07 PM
You could, but it's overkill. We run m0n0wall as our firewall/VPN server. You can use any old PC or buy a low-power 1U server (with it already installed) on eBay for like $100.