Dave_Strydom

asked on

Firewall Advice

Hi,

I am the Sys-Admin for a smallish Webhosting company and I am having a bit of a choice problem when it comes to a firewall/vpn/router.


My options are to go with a boxed hardware firewall/router (like a cisco 1041, watchguard X700, dlink DFL-1000, etc)
or
to go with a linux server + using iptables.

All my servers are in a DMZ, and I do NATing and port forwarding into the DMZ
(basically like I run mail on 1 server and web on another, so I would forward port 80 to server1 and port 25/110/143 to server2)

Here is my problem:

The hardware solution appeals to me more, because you are using a product which is designed for that exact purpose, it allows us to manage our own bandwidth to each server, and the firewalling is nice and easy going, I believe it provides better IDS support than a linux box. But you can't really analyze the traffic like you can on a linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? and on what product?) Also I think this solution lacks a lot in the way of graphing and what exactly you can graph.

The Linux solution, I can use iptables to obviously nat and pat traffic, but it just doesn't have the "stability", so to speak, of a boxed solution.
For example, a linux box can get hacked a lot quicker than most hardware firewall/routers.
Also bandwidth shaping on a linux box is a bit of a headache, and I always seem to have issues with it.


In your "expert" opinion, what would be the best solution to go with, and why?

thanks
Dave
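As an added illustration of the iptables side of the choice described above (this is not code from the thread or from any of the posters), here is how the "port 80 to server1, ports 25/110/143 to server2" setup looks as a DNAT plus default-deny FORWARD policy. Every address, interface name and network below is a constructed assumption (RFC 5737 / RFC 1918 ranges): adjust them to your own DMZ. By default the script only prints the rules it would apply; set `IPT=iptables` to run them as root.

```shell
#!/bin/sh
# Added example, not from the thread: NAT and port forwarding into a DMZ with
# iptables. All addresses and interface names are constructed assumptions.
WAN_IF=eth0                 # interface facing the Internet
DMZ_IF=eth1                 # interface facing the DMZ
PUBLIC_IP=203.0.113.10      # the public address clients connect to
DMZ_NET=10.0.1.0/24
WEB_SERVER=10.0.1.10        # server1: HTTP
MAIL_SERVER=10.0.1.20       # server2: SMTP, POP3, IMAP

# Print by default; IPT=iptables applies the rules for real (needs root).
IPT=${IPT:-"echo iptables"}

# forward_port proto port dest_ip
# One DNAT rule rewrites the destination before routing, and one FORWARD rule
# admits new connections to exactly that host and port. Everything that is not
# published this way stays blocked by the FORWARD DROP policy below.
forward_port() {
    proto=$1; port=$2; dest=$3
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -d "$PUBLIC_IP" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$dest:$port"
    $IPT -A FORWARD -i "$WAN_IF" -o "$DMZ_IF" -d "$dest" -p "$proto" --dport "$port" \
        -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules() {
    # Default-deny for routed traffic: only return traffic and published ports pass.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Outbound connections from the DMZ (DNS, outgoing mail) leave as the public address.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$DMZ_NET" -j SNAT --to-source "$PUBLIC_IP"
    $IPT -A FORWARD -i "$DMZ_IF" -o "$WAN_IF" -s "$DMZ_NET" -j ACCEPT
    # Published services, one rule pair per port.
    forward_port tcp 80  "$WEB_SERVER"
    forward_port tcp 25  "$MAIL_SERVER"
    forward_port tcp 110 "$MAIL_SERVER"
    forward_port tcp 143 "$MAIL_SERVER"
}

dmz_rules
```

The point a reviewer would check is the FORWARD policy: a DNAT rule alone does not restrict anything, so the filter table has to drop routed traffic by default and admit only the forwarded ports, otherwise every host in the DMZ is reachable on every port once a packet gets translated.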
Pete Long

IMHO

You are a Webhosting company? People are paying you for services? I've got nothing against Linux, it's a great system (smoothwall is an excellent product)
but
GO for a Hardware solution - My Preference would be Cisco PIX but you could also consider - SonicWall or Symantec.
Dave_Strydom (ASKER)

I would also prefer a Hardware Solution,

as far as I can tell, a PIX won't work for me, since a PIX has no routing abilities, I would then still need a router inside the DMZ.

Dave

>>But you can't really analyze the traffic like you can on a linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? and on what product?) Also i think this solution lacks a lot in the way of graphing and what exactly you can graph.

You get what you pay for.  You're running some pretty low end firewalls there.  Step up and you can do everything you want on an "appliance box".  We can do everything you're talking about - running Checkpoint NG on Nokia IPSO boxes.
>>as far as I can tell, you a PIX won't work for me, since a PIX has no routing abilities

You are correct - but the PIX is a Firewall NOT a router - if you have complex routing there's nothing to stop you putting a router in front/behind (or both)
pseudocyber :
That is what I am looking to do, been taking a look at the Nokia IP350 box, do you highly rate these products?
And the traffic management it provides, is it policy based or class based or what?

thanks
Dave
I haven't worked with a lot of different Firewalls - but the GUI is extremely easy to use.  The IPSO OS seems fairly stable.  We don't do traffic management/shaping with the firewall.  Logging is easy to use and very detailed if you wish it.
What would be the best thing for bandwidth shaping ?

I am even happy separating the firewall and the bandwidth shaping.

(what cisco product does the bandwidth shaping, i know the cisco 1841 can do firewalling and routing)

I'm fairly confident to say that a majority of your Cisco routers can do bandwidth shaping.  What do you mean by that - prioritizing traffic based on type of traffic?
like to say:

serverA is allowed 25Mbit/sec upstream and 50Mbit/sec downstream
serverB is allowed 75Mbit/sec upstream and 50Mbit/sec downstream

and so on, so that traffic to say serverB can not exceed 75Mbit/sec
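The per-server caps described above (serverA 25 Mbit/s up, 50 Mbit/s down; serverB 75 Mbit/s up, 50 Mbit/s down) are what a Linux router does with `tc` and HTB classes. The following is an added example, not code from the thread, and every value in it is a constructed assumption: serverA is 10.0.1.10 and serverB is 10.0.1.20 in a DMZ behind eth1, eth0 faces the Internet, and the link is taken to be 100 Mbit/s. It also shows the part that usually causes the "headache" mentioned earlier: on the Internet-facing interface SNAT has already replaced the server's address by the time the queueing discipline sees the packet, so upstream traffic is classified by a firewall mark set in the mangle table (before NAT) rather than by source address. By default the script prints the commands; set `TC=tc IPT=iptables` to apply them as root.

```shell
#!/bin/sh
# Added example, not from the thread: per-server bandwidth caps on a Linux router
# with tc/HTB. Addresses, interfaces and the link rate are constructed assumptions.
WAN_IF=eth0
DMZ_IF=eth1
LINK=100mbit
TC=${TC:-"echo tc"}            # print by default; TC=tc applies (needs root)
IPT=${IPT:-"echo iptables"}

# Install an HTB root on one interface. Traffic that matches no filter falls into
# class 1:30, which keeps a small guaranteed rate so it is neither starved nor
# able to crowd out the capped servers.
setup_root() {
    iface=$1
    $TC qdisc add dev "$iface" root handle 1: htb default 30
    $TC class add dev "$iface" parent 1: classid 1:1 htb rate "$LINK" ceil "$LINK"
    $TC class add dev "$iface" parent 1:1 classid 1:30 htb rate 1mbit ceil "$LINK"
}

# Downstream (Internet -> server) is egress on DMZ_IF. DNAT has already rewritten
# the destination by then, so a plain u32 match on the DMZ address is enough.
cap_downstream() {            # cap_downstream classid server_ip rate
    id=$1; ip=$2; rate=$3
    $TC class add dev "$DMZ_IF" parent 1:1 classid "1:$id" htb rate "$rate" ceil "$rate"
    $TC filter add dev "$DMZ_IF" parent 1: protocol ip prio 1 u32 match ip dst "$ip/32" flowid "1:$id"
}

# Upstream (server -> Internet) is egress on WAN_IF, where SNAT has already replaced
# the server's address with the public one. The mangle FORWARD chain runs before
# NAT and still sees the real source, so mark there and classify on the fwmark.
cap_upstream() {              # cap_upstream classid server_ip rate
    id=$1; ip=$2; rate=$3
    $IPT -t mangle -A FORWARD -s "$ip" -o "$WAN_IF" -j MARK --set-mark "$id"
    $TC class add dev "$WAN_IF" parent 1:1 classid "1:$id" htb rate "$rate" ceil "$rate"
    $TC filter add dev "$WAN_IF" parent 1: protocol ip prio 1 handle "$id" fw flowid "1:$id"
}

shape_servers() {
    setup_root "$DMZ_IF"
    setup_root "$WAN_IF"
    cap_upstream   10 10.0.1.10 25mbit   # serverA: 25 Mbit/s upstream
    cap_downstream 10 10.0.1.10 50mbit   # serverA: 50 Mbit/s downstream
    cap_upstream   20 10.0.1.20 75mbit   # serverB: 75 Mbit/s upstream
    cap_downstream 20 10.0.1.20 50mbit   # serverB: 50 Mbit/s downstream
}

shape_servers
```

Setting `rate` equal to `ceil` makes each class a hard cap, which is what "can not exceed 75Mbit/sec" asks for; giving a class a higher `ceil` than `rate` would instead let it borrow idle bandwidth from the parent.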

ASKER CERTIFIED SOLUTION
jabiii