Radified Community Forums
http://radified.com/cgi-bin/yabb2/YaBB.pl
http://radified.com/cgi-bin/yabb2/YaBB.pl?num=1140632800

Message started by jf38081 on Feb 22nd, 2006 at 12:26pm

Title: Best firewalls (hardware)
Post by jf38081 on Feb 22nd, 2006 at 12:26pm
What do you think are the best small business firewalls?  (up to 100 employees)  I'm thinking of hardware (routers... etc)  

Currently we have the firebox soho6 (router/firewall), which seems good, but is proprietary, upgrades cost $ - the unit was around $300 when we purchased about 18 months ago.

I've also used Linksys wrv54g and wrt54g.  I think these have pretty standard firewall features.  Any advantages to the more expensive units?

In fact, the DLink DI524 seems fine too.  Any disadvantage to going with a unit like this?  For the $$ it seems pretty hard to beat.

I haven't seen any real advantage to the soho6.  It has a maintenance feature that allows a vpn client.  That's about all I can think of.

Also, I've been hearing about the barracuda firewall.  From my reading, it sounds like something this advanced is mostly for companies that do hosting or have bigger networks than what I'm looking at.  What do you think?

Also, are there any stand alone firewalls (no router) worth mention?  Does that even exist?

Thanks in advance to anyone who contributes!
J

Title: Re: Best firewalls (hardware)
Post by Ghost4me.John on Feb 22nd, 2006 at 1:12pm
There is an extensive article in the February 21, 2006 PC Magazine entitled "Protect Your Business" which discusses two hardware firewalls as well as other measures for small businesses.

http://www.pcmag.com/article2/0,1759,1916250,00.asp


Title: Re: Best firewalls (hardware)
Post by MrMagoo on Feb 22nd, 2006 at 2:11pm
The Cisco Pix is the industry leader, as Cisco tends to be.  The only disadvantage of the Cisco is that you have to learn how to configure it.  That's no big deal, though, because there are lots of Cisco certified people around.  If you want something scalable and secure, the Pix is what people in the profession drool over.

The SonicWall is another popular one.  I have no direct experience with it, so I can't tell you what the pros and cons are.

For my connection, I just installed OpenBSD on an old computer I had lying around and used the PF firewall daemon.  If you are willing to learn a little Unix, you can build it for the cost of a few network cards.  OpenBSD is the most secure operating system in the world, and PF is a professional grade firewall.  The thing is endlessly configurable and nearly unhackable.  Once you get it up and running, you could also run a dhcp server, dns, ftp, sendmail, or pretty much anything else you need on your network.

Title: Re: Best firewalls (hardware)
Post by Rad on Feb 22nd, 2006 at 6:46pm
well, yeah, i've always heard the best firewall was an old throw-away pc, running some variant of linux or openbsd, with one of the open source firewalls available.

close as you can get to unhackable.

now that's a guide i think would be cool, but there's probably already one out there, no?

Title: Re: Best firewalls (hardware)
Post by MrMagoo on Feb 23rd, 2006 at 12:25am
There is a great guide on how to install OpenBSD on the OpenBSD.org website.  I was able to get it installed in one evening with no prior Unix (and very little Linux) experience.  There is also a PF User's Guide in the FAQ on that site.  PF took me a little longer, but it's not hard.  I was just new to it.

I'd consider writing a guide, but don't think I'll be able to out-do the developers' version.  There is also a guide somewhere on how to create a firewall with OpenBSD and PF that doesn't use IP addresses.  It's even more secure that way and conserves your IP Addresses if you are worried about that.  I could dig it up if anyone is interested.

A guide I do plan to write is how to boot OpenBSD from a flash drive.  My firewall box is driveless.  The old hard drive that was in the computer was so noisy it was disrupting people.  So, I replaced it with a 512 MB USB thumb drive.  The computer was too old to boot off USB, so I had to make a custom kernel to put on a CD that would load USB support and then transfer control over to the USB drive.  It took some doing, but it works great now and the computer is nearly silent.  

If anyone is interested, I can put that guide into high gear.  I took good notes along the way, so it wouldn't take long to type up and throw up on a page on my site.

Title: Re: Best firewalls (hardware)
Post by jf38081 on Feb 23rd, 2006 at 7:54am
That's awesome.  I'd love to see how you did it.  Also the link to setting up a non-ip firewall.  Must be using mac addresses, right?

Consensus seems to be that, on a budget, a linux/bsd solution running pf is the way to go.  If you have some money... go with the Cisco Pix.  

I do like the idea of having spam/viruses filtered at the firewall.  Can this be done with a linux/bsd solution?  I'd imagine that there would be some sort of subscription fee to do this...

Another question.  Is there a downside to the smaller inexpensive units like d-link and such?  I guess you get basic NAT features and not a lot else.

Title: Re: Best firewalls (hardware)
Post by MrMagoo on Feb 23rd, 2006 at 8:27pm
The cheaper firewalls work ok, but they lack the features and configuration options of the better ones.  They are 100 times better than not having any protection, and you can get them up and running easily, but they don't scale well to bigger networks if your network ever grows.

Here is a guide to installing OpenBSD:
http://www.openbsd.org/faq/faq4.html

Here is the PF User's Guide:
http://www.openbsd.org/faq/pf/index.html

Here is a guide to setting up a firewall without IP Addresses:
http://ezine.daemonnews.org/200207/transpfobsd.html

And here is a guide to setting up a spam filter:
http://www.pingwales.co.uk/2005/06/10/Filtering-Spam-with-OpenBSD.html

There are lots of guides on these subjects, and each one does it slightly differently.  I'll try to work on my guide to booting from a flash drive this weekend.

If you decide to learn BSD (or any Linux/Unix OS), the man pages will be invaluable:
http://www.openbsd.org/cgi-bin/man.cgi

Title: Re: Best firewalls (hardware)
Post by jf38081 on Feb 24th, 2006 at 8:02pm
Awesome awesome stuff.  I especially like the stuff about spamd.  Do you know of anything like this for spyware/virus signatures?

I also liked your analysis of the smaller routers.  Simplistic and not very elegant, but it gets the job done.  Just like a frozen pizza.  It's a cheap one course meal.  But it's good.  In fact it's about 100 times better than nothing.

J

Title: Re: Best firewalls (hardware)
Post by MrMagoo on Feb 25th, 2006 at 3:22pm
To filter for spyware and virus signatures you would need something more like a proxy server.  Unix has several proxy server programs.  I think the most popular one for OpenBSD is called squid.  I don't know how to get a proxy server to filter for malware, but I'm sure it can be done.  The only thing is I'm guessing it is going to use a lot of resources, so you might need a more powerful computer than you would need for just the firewall.

I did a quick Google search and found lots of utilities that will scan email going through the server.  I also found one that will do exactly what you want for all http and ftp traffic.  The only problem is that it is for FreeBSD and not OpenBSD.  They are similar (but not the same), so I'm sure there are utilities out there.

http://www.icewalkers.com/Linux/Software/523900/AVIRA-Antivirus-for-WebGate.html
