Church firewall options

[Josiah Rocke]

What do your church use for a firewall? What kinds of things do you want in a firewall? What does it end up costing you? Our old ipCop box (hardened linux distr) has been ok, but we use very few of the features and the hardware is failing. Since I have to buy new hardware, I'm open to switching to a different OS as well. Recommendations are welcome, but I'd really like to hear answers to the following questions:

1. What firewall product does your church use?
2. What services does the firewall provide (VPN, UTM, content filtering, etc)

Our ipCOP used to do all the above, but now we have a SBS2011 box that does SSL remote access & VPN server, so we only need to forward ports. We do content/malware filtering through OpenDNS.

Sorry if this is a bit off subject. But, real world issues and I'd love to learn how other churches approach this.

Thanks!

[Josiah Rocke]

Wow. Nothing?

[Darren Peck]

Hey Joaiah,

At our church I have setup a little RouterBoard 450G, powered by RouterOS, by Mikrotik.

It is a powerful little guy for the price, small, has 5 Gbit network ports, kind of like a network switch, but has a full suite of options.

It can do VPN (PPTP, L2TP, IPSec, point-to-point, etc), it has functionality for a "hotspot" page, so in other words if you stick an access point on a certain VLAN and have the hotpot running on a specific VLAN, you can have a page where users have to "agree" to terms before being able to use the internet, etc. Then it obviously supports VLANs, and a ton more. 

RouterOS is it's own Distro, not free, but if you have a spare computer lying around you can pickup a license for like $45 (Depending on your needs, they have several license levels which limit features).

You can pickup one of these routers with a case and power supply for ~ $150. Not too bad, but with one of those guys your going to be up and running for a long time. Mikrotik devices are used widely in the wireless internet service provider industry, and probably elsewhere.

You can do what ever you need with the firewall options. Unfortunately it doesn't do content filtering. But you have OpenDNS for that anyway.

You can setup DHCP servers, PPPoE servers, I mean a bunch of stuff.

Anyway, worth a look.

[Darren Peck]

Forgot to add a link:

http://www.amazon.com/Mikrotik-RB450G-Routerboard-450G/dp/B005GACVFQ

The device has a 680MHz processor, 256MB RAM, nice and beefy little router. If you buy the device it also comes with a level 5 license of the software. So much cheaper to go with a device than another computer.

[Darren Peck]

Oh, and the link to the licenses with feature limitations:

http://wiki.mikrotik.com/wiki/Manual:License

[Darren Peck]

Wow, and I just noticed I somehow misspelled your name, so sorry about that! 

[Darren Hollick]

I have actually had a lot of success with the Cisco ASA devices for protecting office networks and the last time I looked they were actually cheaper than their modern competitors (surprising considering Cisco's reputation).  We don't use it for content filtering, virus protection, or vpn.  Just firewall, nat, and port forwarding.

http://www.amazon.com/Cisco-ASA5505-BUN-K9-ASA-5505/dp/B000O0Z8GC

[Robert Larson]

Have you checked out the Church IT RoundTable site too? https://citrt.onthecity.org and http://www.churchitnetwork.com/ There is a whole group of folks out there that can weigh on this discussion a well.  There was even a church out there giving away Meraki equipment to a good home this week.  Might all be called for, but definitely worth signing up out there for non-Elexio questions.

[Josiah Rocke]

Thanks for the responses guys! I'll check these out.