Comment Stonesoft (Score 1) 181
Not for kids with laptops. Scalable in a very significant way. I've worked with Checkpoint, Cisco, Juniper, and a few others. Stonesoft has passed these guys.
Otherwise, OpenBSD with pf. But it's a PITA to configure, and you have to be careful or you'll open up holes you didn't intend to.
Or, any good GUI-based ipfilter package like the ones mentioned here, if you just want something installed, up and running, and cheap, without needing a doctorate in networking.
In the end, remember that a firewall is only as good as its ruleset, and design your network around the principle of defense in depth.
Rules of thumb:
proxy all connections in and out, no direct connections from outside to internal LAN, run multiple DMZs, and use multiple firewalls for different assets.
Avoid using the same vendor for all of your security products, so if there's an exploit in the wild and a patch is forthcoming, your entire infrastructure isn't vulnerable, only a part.
Run a commercial IDS. Snort sucks (sorry, Snort fans, I'm just not that impressed, having been forced to use it for several years now). But at least it's free, except for the hundreds of man-hours you'll spend debugging and tuning.
Install access rules on your routers. Use port security. Avoid any Microsoft OS on your DMZ.
You get the picture...
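As an added example, not part of the original comment: a minimal OpenBSD pf.conf (modern syntax, `keep state` implied on `pass` rules, floating states) that puts the rules of thumb above into a ruleset: default deny, nothing from the outside or the DMZ reaches the internal LAN, and the LAN gets out only through a proxy in the DMZ. Interface names, the address ranges, the host addresses and the proxy port are constructed assumptions, as is the commented-out "unintended hole" rule.

```pf
# Hypothetical OpenBSD pf.conf illustrating the rules of thumb above.
# Interface names, addresses and ports are constructed for the example.
ext_if  = "em0"              # Internet-facing
dmz_if  = "em1"              # DMZ segment
lan_if  = "em2"              # internal LAN
dmz_net = "192.0.2.0/24"     # TEST-NET-1, constructed
lan_net = "10.0.0.0/24"      # constructed
web_srv = "192.0.2.10"       # public web server in the DMZ
proxy   = "192.0.2.20"       # outbound web proxy in the DMZ
proxy_port = "3128"

set skip on lo
set block-policy drop

# Drop packets arriving on an interface whose source address belongs to
# another interface's network (classic spoofing).
antispoof quick for { $ext_if $dmz_if $lan_if }

# Default deny. Anything not explicitly passed below is dropped and logged,
# so a forgotten rule fails closed rather than open.
block log all

# The hole you didn't intend to open: a rule written as
#   pass in on $ext_if proto tcp to port 80
# has no destination address, so it also exposes port 80 on the firewall
# itself and on anything reachable through it. Name the target host.
pass in on $ext_if proto tcp from any to $web_srv port 80

# Internet -> LAN and DMZ -> LAN: no pass rule at all, the default block
# applies. A compromised DMZ host does not get to pivot inward.

# LAN -> outside only via the proxy in the DMZ (no direct client egress).
pass in on $lan_if proto tcp from $lan_net to $proxy port $proxy_port

# Proxy -> Internet on behalf of the LAN; NAT it out the external address.
match out on $ext_if from $proxy to any nat-to ($ext_if)
pass out on $ext_if proto tcp from $proxy to any port { 80 443 }

# The web server only needs DNS outbound; nothing else leaves the DMZ.
pass out on $ext_if proto { tcp udp } from $web_srv to any port 53
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the rules as pf parsed them, which is where an unintended `pass` with a missing address or interface usually becomes visible.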