Which hardware for an entreprise router/firewall/content filter/proxy on a single server [closed]

unix networking hardware firewall router

I have to set up a "secure" network for my boss. For now, I have a ADSL router linked to a switch. All users are connected to this switch. Security is obviously bad. I want to put a server between the ADSL router and the switch. This server will, I think, be a bridge. But it has to be a firewall, a proxy and a web content filter. There are about 20 users (who use a lot the Internet for surfing no downloading).

What kind of hardware should I use for the server ? Of course, I need two NICs.

  • How many RAM would be enough ?
  • Is the bridge solution a good one in term of performance ? (perhaps NAT, or static route ...)
  • Should I use Debian or NetBSD ? I read that NetBSD is good for that kind of job
  • SHould th server be the router for the lan or I keep the ADSL router ?

Thank you for your answers.

PS : Sorry for my poor english


I have the exact the same problem as you but for a slighty bigger network.

I would suggest you to use Pfsense which is based on BSD and is configured via an extremely powerful yet simple and clear web interface. It is firewalling a zones of 70 servers on a Celeron 3Ghz processor with 2GB of RAM (largely unused).

Configuring it as a transparent bridge was the most efficient setup as it allowed to modify practically nothing on the actual architecture.

I therefore suggest you either get one nice Dell server (low end will be far enough) for reliability of the hardware components and install pfsense on it. Or you can reuse two older servers on PFsense with redundancy (CARP) which is really simple to configure.


I would suggest something similar to Antoine, get a nice low-end Dell Server. 2-4GB RAM should be more than plenty. Install SHorewall as a 2 interface bridge on Debian (my Server OS of choice) - Firewall Install Squid and SquidGuard as your proxy and blacklist (can block ads as well, which users like!)

Shorewall will route the traffic and should be set as your machines default gateway. I would also recommend installing Apache on it and serving your proxy details via a proxy.pac, and/or WPAD.dat file if you are a windows house.

Related

WPA2 Enterprise - Validating Identity
How to reliably list ephemeral storage of an AWS instance?
Reverse DNS does not match SMTP Banner
iptables question: forwarding port x to an ssh port of different machine on the network
(111: Connection refused) while connecting to upstream - Opsworks Rails 4
How does the LeftHand SAN perform in a Production environment?
rsyslog server - Can you split up and organize logs?
How to delete files older than 30 days with robocopy?
FreeBSD Listen Queue Overflows - can't increase max queue size
Rsync over SSHFS hangs
SQL Server Management Studio not scripting all objects
Cisco ASA 5505 DMZ Setup Issue