Installation guide

STEP 8: Suggested firewall products
Your choice of firewall depends on both your needs and IT skills, and with some solutions it also depends
on your budget.
Government Security Adviser (DSD) recommendations
The Australian Government also provides recommendations and advice on firewall products, through the
Government's Security Adviser, the Defence Signals Directorate (DSD). DSD provides a list of evaluated
products that are certified under a rigorous evaluation program, where the security claims of the vendor are
tested using international evaluation criteria. These products are applicable to larger organisations and as
such meet higher-end security needs and cost more. The most up-to-date DSD approved product listing is
at www.dsd.gov.au/infosec/evaluation_services/epl/dap.html
There is also a useful tabular overview of firewalls / routers commonly available in Australia at
www.ozcableguy.com/quickref.html.
General practice tested solutions
The solutions suggested in this tutorial are limited to products that have been tested by General Practice
experts, who have provided ‘peer reviews’ of the products and solutions. There are many other viable
solutions available on the market, but the GPCG cannot comment on suitability nor give advice on
configuration of these. This tutorial only suggests products where commercial support is available. (This
does not mean that non-commercial products are inferior, but using them requires such a high level of
expertise that people able to use them without risk would not require the help of this tutorial.)
The general recommendation for any practice would be a router/firewall appliance with:
• Failover / load balancing dual WAN (Internet) ports – meaning it can connect simultaneously
  to two different broadband providers (e.g. ADSL + Satellite, ADSL + different ADSL provider,
  ADSL + Wireless, cable + ADSL). That way you can not only improve the performance of
  your Internet connection substantially but if one connection fails, the device will automatically
  re-route all traffic to the other provider. If you depend on the Internet – and most of us will
  depend on it sooner or later – this is one indispensable feature.
• Good logging facilities – no firewall is perfect, and you have to know when you are under
  attack. Most people will rarely inspect cryptic log files that are a hassle to access, but some
  firewall appliances will email you such logs in understandable form.
• VPN capabilities – sooner or later you will discover the convenience of being able to access
  your surgery remotely via the Internet. Of course, such connections have to be as secure as
  possible. Quality products rely on the IPsec standard for such virtual private tunnels through
  the Internet. They automatically establish a secure link between two connecting appliances,
  and allow you to use any IPsec compliant client software on your own computer when you
  cannot connect from one device to another directly (e.g. between branch surgeries with two
  compatible devices installed).
Unfortunately, not many devices meet these recommendations. Here are a few suggestions according to
price:
1 under A$500 – Netcomm NB740
2 under A$600 – Linksys RV082
3 under A$1 200 – Zyxel ZY70
4 under A$2 000 – SonicWall TZ170E
There is a product for less than A$200 which appears to fulfil all criteria, but it doesn’t have an Australian
distributor yet (and is yet to be tested by General Practice testers). It is the Hawking H2WR54G.
Products costing more than the A$600 solution offer some additional features. Always study the product
information thoroughly before making a decision.