Solved

Which firewall?

Posted on 2004-04-20
9
357 Views
Last Modified: 2013-11-16
I'm looking for a hardware  firewall for windows 2003 server. budget: $4000
The firewall should not have limitation on the number of concurrent users or rather should be able to stand numerous connections as client anticipate huge concurrent users. About 20,000 concurrent users
Can we buy used firewall? How do we know the firewall is good?

Any help will be appreciated

 
0
Comment
Question by:iyiola
  • 4
  • 3
  • 2
9 Comments
 
LVL 32

Expert Comment

by:Luc Franken
ID: 10871366
Hi iyiola,

With a budget of $4000, think at least PIX!

Greetings,

LucF
0
 

Author Comment

by:iyiola
ID: 10871406
Hi LucF,
What is PIX?
I 'm clueless when it comes to hardware firewall. You could sell me a box I'll take it.
0
 
LVL 32

Accepted Solution

by:
Luc Franken earned 25 total points
ID: 10871585
A cisco PIX http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/

I think those are most valuable for your money.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 23

Expert Comment

by:Tim Holman
ID: 10878278
20,000 concurrent connections to a W2K server ??
You mean HTTP connections ?
That's a hell of a lot.. !  Are your W2K servers clustered ?
A firewall is NOT the be all and end all to securing your server.  You need a patch management process to ensure it's always up to date, plus you need to configure your firewall to only allow HTTP to this internal server.
A PIX 515 would be adequate for this sort of environment, or preferably two.
I would also seriously consider units that have load balancing AND firewallng built in, so you can have 2 or 3 W2K servers behind the firewall all being load balanced behind a single IP address, served by a redundant pair of load balancers.
You can buy a used Cisco PIX and buy a special license for it to bring it up to level in support terms if you like ?
We need more information about your overall business goals here...
Also, how about a firewall / load balancing device that also offers you IPS ?  eg - Check Point SmartDefense, Netscreen Deep Inpection ?
0
 

Author Comment

by:iyiola
ID: 10878415
Thanks to LucF and tim holman
From your advise, the preferred option would be PIX 515.
Tim raised a question
>Also, how about a firewall / load balancing device that also offers you IPS ?  eg - Check Point >SmartDefense, Netscreen Deep Inpection

So if we buy one of the above Check Point  etc...., we may not need to add more servers for load balancing?
I'm confused here.

Currently, the client has 2 servers DELL POWER EDGE 6350  INTEL XEON 111 4 GIM RAM, for SQL server and SAME for the application.
Are these two enough for 20,000 concurrent HTTP connections daily?

I will appreciate your input on this
Thanks
0
 
LVL 23

Expert Comment

by:Tim Holman
ID: 10879238
If the application is crucial, then you should have 2 web servers, and 2 SQL servers to cope with any downtime.  You would then load balance the web servers, so they were visible as one IP address on the Internet.
Is this where you want to go ??

If not, then how much security do you need ?  Do you need 2 firewalls for redundancy as well ?

Do you just want a firewall that allows port 80 into your web server ?  If so, more or less ANY firewall should suffice as this is a simple scenario and all firewalls provide basic HTTP server protection.

PATCH MANAGEMENT is CRUCIAL regardless !




0
 

Author Comment

by:iyiola
ID: 10879544
Thanks Tim,
The client would like to load balance after about 3 months in operation. I would recommend PIX 515 firewall. The need for a firewall is to provide additional security against hackers. Yes the PATH management is uptodate.

How much of an effort is it to load balance 2 servers?
What should we expect from an expert in terms of cost to do this assuming we have all the hardwar ready?
0
 
LVL 23

Assisted Solution

by:Tim Holman
Tim Holman earned 100 total points
ID: 10880278
A PIX will do the job, but then so would a Cisco router running a firewall feature set.
A lot of people spend more than they should on a dedicated firewall appliance when it's not really necessary except in v.high security and performance environments....
The PIX will only inspect layer 3 activity - it does leave the applcations layers open, so in theory a hacker could use sophisticated techniques embedded in HTTP packets to attack your server, which is why it's crucial the servers are all up to date.  fixup HTTP offered by PIX extends security by ensuring all HTTP is RFC compliant, but this is all very woolly and the RFCs are VERY wide and open to interpretation !

Microsoft ISA also offers reverse-proxying and can offer further protection, so:

Internet
|
Cisco router running firewall feature set
|
Microsoft ISA firewall
|
WWW server

could be a better investment, but performance could be an issue with ISA...

I suppose all I'm trying to say is there are a number of ways of approaching this, rather than seeing a firewall as a complete solution within itself, which it isn't.. !

Also consider getting the web servers hosted in an already-secured environment with firewalls and IDS being looked after by a central NOC.  May seem expensive, but things start adding up if you DIY...
0
 

Author Comment

by:iyiola
ID: 10880593
Thanks Tim,
I have awarded 100 points to you. and 25 to LucF
Thanks for the suggestions
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Static IP 5 87
Need Advise - System / Network Security 4 56
sftp access 4 52
Palo Alto Networks FW: Can you view bw utilization of specific tunnels? 2 65
Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
The DROP (Spamhaus Don't Route Or Peer List) is a small list of IP address ranges that have been stolen or hijacked from their rightful owners. The DROP list is not a DNS based list.  It is designed to be downloaded as a file, with primary intention…
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question