Last week this group was discussing "best low cost firewalls". Here was my (late) response, which got buried in the middle of all the other posts:

---------------------------------------------------------------------------------------------------------------
How about the real IP/subnet mask/port firewall built into your DSL/cable modem? It's free, it operates at layer 3, and it is working outside your PC's messy world, inline before the Ethernet frames even reach your PC. The ones I have configured (Cisco/Linksys) are capable of doing some filtering for the OSI layers 4-7 (anti-virus/spyware), again *before* the encapsulated data even reaches the insecure world of your PC. These kinds of devices can also do NAT to hide the IP addresses of your internal private network.
----------------------------------------------------------------------------------------------------------------

Here is my question for the group:

What about low cost NAC devices that inspect layers 4-7 to identify who you are and where you can go on the network? According to InfoWorld (June 2006), Caymas Systems has the best upper end product, where prices are in the tens of thousands of dollars, and where there is a need for 4 Gigabit interfaces, strong authentication, and strong encryption for upwards of 5,000 concurrent users, thus creating VPNs for those clients using LDAP, SecurID, RADIUS, etc.

Has anyone on the list done research on low cost (< $3k, for example) devices for upper layer protection *before* the data even reaches the insecure world of Windows?

I'm aware of what can be built using UNIX/Linux, but what about a low cost off-the-shelf device that does heavy stateful inspection of layers 4-7 *before* the data even reaches the insecure world of your PC?

Cheers, ~DRH~