Monday 22 October 2012

Parties and a Sonicwall

First to Helen's 90th birthday party, which was a lot of fun (and salmon, and cheesecake). Then to brother-in-law for a curry in Stanmore, then home, where I once again got fed up with the way that the Sonicwall (a firewall I use in a slightly peculiar way, to segment off part of my network) cuts off any connection after several minutes.

There's a setting for that, of course, and I set it to 999 minutes ages ago; 999 minutes is several hours, and I'd be happy with that, but it doesn't obey the setting.

But this time, I got so fed up with it that I came up with the bright idea of googling the problem. It's my experience that *any* computer problem that's solvable can be solved with Google, including many that some people have declared impossible.

And sure enough, I got a result. I've been setting the global timeout value, thinking, silly me, that this would do the job. But it turns out that there's a timeout value for each rule, which overrides the global value. And since the default value is 15 minutes, the rules I'd set up before I changed the global value had a timeout value of ... 15 minutes.

You find these rules by clicking on the edit button for each rule in the firewall rules list, then going to the "advanced" tab. So I changed them to 999 minutes, and it works! Now I can mess around with the computers behind my internal firewall, and if I don't access one for 16 minutes, I don't find that I need to log back in to it.

Why, you might ask, do I have a firewall inside my network?

Well, it's like this.

Usually, you have three zones: outside, inside and the DMZ. Outside is the "whole world", inside is computers that you don't want the outside world to access, and the DMZ contains computers that you want to allow limited access to by the world; for example, for incoming email, or web servers. So you have to buy a firewall with three ports. And that, of course, is a corporate-type firewall and costs corporate-type prices. I mean, a few thousand pounds. That's £3000. Wow. And what you get is a little box (which is actually a computer) with three Ethernet ports, and the Cisco software.

But there's another way. You get two two-port firewalls. You can get a Cisco Pix 506 with two ports, on eBay, for £40-£50, and they don't come better than the Pix. You can get a Sonicwall for £25. I use the Pix as my main firewall, because it can easily handle the main load, and I use the Sonicwall to create the DMZ, because all it has to do is stop anyone in the DMZ from breaking out into the internal network, which is a light load.

Why is the Pix so cheap? A new Pix 506E costs £700 - £900, and that price tells you something about the quality (and if it doesn't, take my word for it, a Pix is the firewall of choice). The thing about the Pix is that I don't think consumers buy them, they're a corporate buy. You have to program them in their own language, which should be "Pixie", but is actually "IOS", and it's about as easy to use as double dutch. Fortunately, I speak fluent Pixie. And I doubt if corporates buy firewalls second-hand. So when they get onto the market, there are several sellers and almost no buyers, which means ... low price. You'll find that with any computer item that corporates buy and consumers don't, and since the Pix is just a box of electronics, a second-hand one is pretty much as good as a new one. They don't grow old and die. No moving parts.

So the Pix bars anyone from my internal network, and allows limited access to my DMZ. And the DMZ is walled off from the internal network by the Sonicwall. I don't know anyone else who does it this way; I was quite pleased to have thought it up. It replaced the homebrew firewall (a Linux box with three Ethernet cards) that I used before.

I have to say, if I were doing this from scratch today, I'd use Pixes in both roles; they're easier to program. I only used Sonicwalls because I had two of them lying around doing nothing (I have two DMZs). And if they ever die, I'll replace them with Pixes.
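An added example, not from the post or from either vendor: a small Python model of the two-box layout described above (Pix between outside and DMZ, Sonicwall between DMZ and inside), with each rule carrying its own idle timeout so you can see both why a DMZ host can't reach the inside and why a rule left at the 15-minute default cuts connections off regardless of the global 999. Zone names, ports and rules are all constructed for the example; nothing here is a real device configuration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    src: str                        # zone the traffic enters from
    dst: str                        # zone it is heading to
    ports: frozenset = frozenset()  # empty means any port
    idle_timeout_min: int = 15      # per-rule value; this is what overrides the global one

@dataclass
class Firewall:
    name: str
    zones: frozenset                              # the two zones this two-port box sits between
    permits: list = field(default_factory=list)   # permit rules only; unmatched traffic is denied

    def evaluate(self, src, dst, port):
        """First matching permit wins; no match is a deny (default-deny)."""
        for r in self.permits:
            if r.src == src and r.dst == dst and (not r.ports or port in r.ports):
                return True, r.idle_timeout_min
        return False, None

PATH = ["outside", "dmz", "inside"]   # zone order along the chain
def permitted(firewalls, src, dst, port):
    """Walk every box between src and dst; each must permit its own hop. Returns
    (allowed, idle_timeout), the timeout being the shortest per-rule value on the path."""
    i, j = PATH.index(src), PATH.index(dst)
    step = 1 if j > i else -1
    timeouts = []
    for k in range(i, j, step):
        hop_src, hop_dst = PATH[k], PATH[k + step]
        box = next(fw for fw in firewalls if fw.zones == {hop_src, hop_dst})
        ok, t = box.evaluate(hop_src, hop_dst, port)
        if not ok:
            return False, None
        timeouts.append(t)
    return True, min(timeouts)

def rules_below(firewalls, global_timeout_min):
    """Audit: every rule whose own timeout is shorter than the global setting."""
    return [(fw.name, r.src, r.dst) for fw in firewalls for r in fw.permits
            if r.idle_timeout_min < global_timeout_min]

# Constructed policy following the post's description (not a real device config).
pix = Firewall("pix", frozenset({"outside", "dmz"}), [
    Rule("outside", "dmz", frozenset({25, 80}), 999),   # mail and web into the DMZ only
    Rule("dmz", "outside", idle_timeout_min=999)])      # DMZ hosts may talk out
sonicwall = Firewall("sonicwall", frozenset({"dmz", "inside"}), [
    Rule("inside", "dmz")])                             # legacy rule still at the 15-minute default
FIREWALLS = [pix, sonicwall]
```

Running `rules_below(FIREWALLS, 999)` is the check to do after raising the global value: it lists the rules that still need the per-rule figure changed on their "advanced" tab.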
