The other day I did a blog post about poking a hole in SBS 2008’s internal firewall to make sure Quickbooks ran properly, and someone said that I needed to run an external firewall because SBS’s looked like swiss cheese.  And he’s right: I do need to run a proper firewall, because the Windows Firewall on the internal NIC is NOT (let me repeat that) NOT to be seen, used, or thought of as an external-facing firewall.  You should not disable it, since it provides critical hardening for that server’s networking stack, but it is no substitute for the external firewall.  Any application sitting on that server will need a policy/exclusion/allowance in that firewall policy.  Turn the firewall off, and you just locked yourself out of RDP.

This is the “swiss cheese” of SBS 2008’s firewall in image form:

(Note: I enable network discovery, so that exception is not standard.)

I also, for grins, clicked on that “notify me” just to see if it would do anything.

But bottom line, those are not the firewall settings of an outward-facing firewall.
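As an added example (not code from the original post), this PowerShell audit pulls the host firewall’s enabled inbound Allow rules out of netsh advfirewall and flags the ones that accept traffic from any remote address; it assumes an elevated prompt on the SBS 2008 box itself.

```powershell
# Added example, not from the original post. Lists the Windows Firewall
# exceptions (the "swiss cheese") on an SBS 2008 / Server 2008 host: every
# enabled inbound Allow rule, and which of them accept traffic from ANY
# remote address rather than just the local subnet. Assumes an elevated
# PowerShell prompt; netsh advfirewall ships with Server 2008.

function Get-InboundAllowRules {
    # netsh prints one "Key:   value" block per rule, blank-line separated.
    $raw = netsh advfirewall firewall show rule name=all dir=in
    $rules = @()
    $current = $null
    foreach ($line in $raw) {
        if ($line -match '^Rule Name:\s+(.*)$') {
            if ($current) { $rules += New-Object PSObject -Property $current }
            $current = @{ Name = $matches[1].Trim() }
        }
        elseif ($current -and $line -match '^([^:]+):\s+(.*)$') {
            $current[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    if ($current) { $rules += New-Object PSObject -Property $current }
    # Only rules that actually open something count as holes.
    $rules | Where-Object { $_.Enabled -eq 'Yes' -and $_.Action -eq 'Allow' }
}

function Get-ProfileState {
    # "State  ON/OFF" for the Domain, Private and Public profiles; the post's
    # advice is that all of them stay ON, exceptions and all.
    netsh advfirewall show allprofiles state | Where-Object { $_ -match 'Profile|State' }
}

$allow    = @(Get-InboundAllowRules)
$wideOpen = @($allow | Where-Object { $_.RemoteIP -eq 'Any' })

Get-ProfileState
"Enabled inbound allow rules: $($allow.Count); accepting any remote address: $($wideOpen.Count)"
$wideOpen | Sort-Object Protocol, LocalPort |
    Format-Table Name, Profiles, Protocol, LocalPort, Grouping -AutoSize
```

Scoping those rules down to LocalSubnet is host hardening, not a replacement for the perimeter firewall the post argues for.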

So what firewalls are good for SBS 2008?

Depends on your budget.  I don’t consider Linksys-style firewalls to be “business” quality, but I certainly have two here at home so I can run an SBS 2003 and an SBS 2008 without them complaining about one another (if you need a network outside of your SBS network, consider using two routers to provide that).

In a business setting, I want more.  The firewall guru of SMB, Amy Babinchak, recommends Calyptix, and I like them for several reasons, one of them purely emotional.  If you remember Sally Field’s emotional award acceptance speech a few years back.. “You like me, you really really like me!”…. one can say something similar about Calyptix and the SMB space.  “They like us, they really really like us.”  We’re not an “Enterprise cut down cost center” like some firewalls, nor do the interfaces need a degree in rocket science to set up.  And you can’t go wrong with a paranoid lawyer as the CEO either.

I think you need to look at your budget and paranoia, and standardize on models for your client base.  It makes management much easier.


10 Responses to So what’s the best firewall for SBS 2008?

  1. Andy Parkes says:

    We use Sonicwall

    Reasonably priced for the SMB space and some decent features

    Support while not spectacular is ok

  2. This is a great topic Susan. I can tell you what I believe to be true, and as the future Secty of State, I will not take sides 🙂

    This weekend I am wrapping up Chapter 6 of our new SBS 2008 book that is mere days away from going to press. This is the security chapter and I am testing Calyptix, SonicWall and WatchGuard, Philip Elder is testing Untangle and ISA.

    The conclusions we are seeking to arrive at are: does Brand X work with SBS 2008? So far, I have the most experience with Calyptix (ran it for 38 days straight on my SPRINGERS test network and I am pleased, especially with the short Getting Started Guide as I have a short attention span).

    I have just completed my testing of the SonicWALL NSA 240 and I really liked it being set to static IP on the X0 (LAN port) so the SBS 2008 machine didn’t get upset. It worked as expected.

    I am just now testing the WatchGuard FireBox Edge device and, so far, so good. I will have this testing completed this evening and post up more information. So far I like the fact WatchGuard is in downtown Seattle within walking distance from where the Bainbridge Island ferry docks when I come into town (hi guys!) 🙂

    Philip and I both worked with Untangle successfully a few months ago in an SBS 2008 \ Untangle webinar that was well attended and the Untangle solution, based on the big O (open source), worked fine.

    Philip is writing the section on using ISA as he feels passionate about this MS-based solution. I will ask him to post up here.

    So the point is this – we have, are and will have completed our “introductory” testing on all popular SBS 2008 firewall solutions (that we could get our hands on) and are likely able to render a verdict that “they all worked”.

    Then it is customer choice (in my opinion). Take our research, be a smart shopper, compare at least two options to protect your SBS network and best of luck.

    BTW – our advanced SBS 2008 book in mid-2009 will have much more exhaustive testing akin to a “shoot-out” with a scorecard, but for our introductory book we simply wanted to introduce the community to what’s available, what we tested and for God’s sake USE SOMETHING to protect your SBS 2008 network.

    Thanks Susan – harrybbbbb

  3. Brian says:

    I’m a fan of Cisco’s ASA 5505. Sure, they used to be thousands of dollars for a firewall, but the lights have come on at Cisco in more recent years. The ASA’s a very capable device, pretty easy to manage and has a nice dashboard for the admin who needs to do any troubleshooting (i.e., external site-to-site links).

    They can be found on Newegg for as little as $375.

  4. We went through the same shootout Harry is doing for his book, and we came to the same results as Amy – the Calyptix Access Enforcer is the unit we are rolling out and have had great success with it.


  5. William says:

    From Calyptix this weekend: “At this time we are working on export licenses for a number of international countries. The process is not fast because of the nature of our product, but we hope to have it completed in 2009.”

    So that’s them off the shortlist, for me in the UK.


  6. John says:

    Kerio WinRoute Firewall has more integrated features, is much easier to administer and is half the price of ISA. It’s software so it integrates well with SBS and it also works with AD. The web reporting is a tool that all CEOs and business managers will love.

  7. Mneumonic says:

    Fortigates from Fortinet are also an absolutely great appliance with great support!

    Features: Firewall, VPN, Intrusion Prevention, Antivirus, Web Filtering and Traffic Shaping

  8. someutdude says:

    Any update on the Firebox Edge with SBS 2008? Having issues getting past the connect to the internet wizard because of the DHCP server on the edge that cannot be disabled.

  9. Mike says:

    Any chance Astaro will be in the mix of evaluated appliances?