Firewall Advice

Hi,

I am the sys-admin for a smallish webhosting company and I am having a bit of a choice problem when it comes to a firewall/VPN/router.

My options are to go with a boxed hardware firewall/router (like a Cisco 1041, WatchGuard X700, D-Link DFL-1000, etc.)
or
to go with a Linux server + using iptables.

All my servers are in a DMZ, and I do NATing and port forwarding into the DMZ
(basically, like I run mail on one server and web on another, so I would forward port 80 to server1 and ports 25/110/143 to server2).

Here is my problem:

The hardware solution appeals to me more, because you are using a product which is designed for that exact purpose, it allows us to manage our own bandwidth to each server, and the firewalling is nice and easy going. I believe it provides better IDS support than a Linux box. But you can't really analyze the traffic like you can on a Linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? and on what product?). Also I think this solution lacks a lot in the way of graphing and what exactly you can graph.

The Linux solution: I can use iptables to obviously NAT and PAT traffic, but it just doesn't have the "stability", so to call it, of a boxed solution.
For example, a Linux box can get hacked a lot quicker than most hardware firewall/routers.
Also bandwidth shaping on a Linux box is a bit of a headache, and I always seem to have issues with it.

In your "expert" opinion, what would be the best solution to go with, and why?

thanks
Dave
Asked by: Dave_Strydom
Pete Long (Consultant) commented:
IMHO

You are a webhosting company? People are paying you for services? I've got nothing against Linux, it's a great system (smoothwall is an excellent product)
but
GO for a hardware solution - my preference would be Cisco PIX, but you could also consider SonicWall or Symantec.
Dave_Strydom (Author) commented:
I would also prefer a hardware solution,

as far as I can tell, a PIX won't work for me, since a PIX has no routing abilities; I would then still need a router inside the DMZ.

Dave

pseudocyber commented:
>>But you can't really analyze the traffic like you can on a linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? and on what product?) Also I think this solution lacks a lot in the way of graphing and what exactly you can graph.

You get what you pay for.  You're running some pretty low end firewalls there.  Step up and you can do everything you want on an "appliance box".  We can do everything you're talking about - running Checkpoint NG on Nokia IPSO boxes.
Pete Long (Consultant) commented:
>>as far as I can tell, a PIX won't work for me, since a PIX has no routing abilities

You are correct - but the PIX is a firewall, NOT a router - if you have complex routing there's nothing to stop you putting a router in front/behind (or both).
Dave_Strydom (Author) commented:
pseudocyber:
That is what I am looking to do, been taking a look at the Nokia IP350 box, do you highly rate these products?
And the traffic management it provides, is it policy based or class based or what?

thanks
Dave

pseudocyber commented:
I haven't worked with a lot of different Firewalls - but the GUI is extremely easy to use.  The IPSO OS seems fairly stable.  We don't do traffic management/shaping with the firewall.  Logging is easy to use and very detailed if you wish it.

Dave_Strydom (Author) commented:
What would be the best thing for bandwidth shaping ?

I am even happy separating the firewall and the bandwidth shaping.

(What Cisco product does the bandwidth shaping? I know the Cisco 1841 can do firewalling and routing.)


pseudocyber commented:
I'm fairly confident to say that a majority of your Cisco routers can do bandwidth shaping.  What do you mean by that - prioritizing traffic based on type of traffic?

Dave_Strydom (Author) commented:
like to say:

serverA is allowed 25Mbit/sec upstream and 50Mbit/sec downstream
serverB is allowed 75Mbit/sec upstream and 50Mbit/sec downstream

and so on, so that traffic to say serverB can not exceed 75Mbit/sec


jabiii commented:
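The per-server policy stated above (serverA 25 Mbit up / 50 Mbit down, serverB 75 Mbit up / 50 Mbit down) is exactly what the question calls a headache on a Linux box. The script below is an added example, not code from anyone in this thread: it generates a tc HTB configuration enforcing those caps on a Linux firewall/router in front of the DMZ. Interface names (eth0/eth1), the DMZ addresses and the 100 Mbit link size are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: per-server rate caps on a Linux
# firewall/router with tc HTB, matching the policy the asker describes
# (serverA 25 Mbit up / 50 Mbit down, serverB 75 Mbit up / 50 Mbit down).
# Interface names, DMZ addresses and the 100 Mbit link size are assumptions.

WAN_IF="${WAN_IF:-eth0}"     # Internet-facing interface (assumed)
DMZ_IF="${DMZ_IF:-eth1}"     # DMZ-facing interface (assumed)
LINK_KBIT=100000             # assumed physical link speed, 100 Mbit

# name  dmz-address  upstream-cap(kbit)  downstream-cap(kbit)  (constructed)
SERVERS='serverA 192.0.2.10 25000 50000
serverB 192.0.2.11 75000 50000'

# tc shapes only traffic leaving an interface, so a server's upstream cap is
# enforced on the WAN side (match on source address) and its downstream cap
# on the DMZ side (match on destination address).
shape_iface() {
    iface=$1; direction=$2            # direction: up or down
    echo "tc qdisc del dev $iface root 2>/dev/null || true"
    echo "tc qdisc add dev $iface root handle 1: htb default 2"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${LINK_KBIT}kbit"
    # leaf for unclassified traffic (e.g. the firewall's own packets); may borrow up to the link
    echo "tc class add dev $iface parent 1:1 classid 1:2 htb rate 100kbit ceil ${LINK_KBIT}kbit"
    n=10
    echo "$SERVERS" | while read -r name addr up down; do
        if [ "$direction" = up ]; then cap=$up; match="src $addr/32"
        else cap=$down; match="dst $addr/32"; fi
        # rate equal to ceil gives a hard cap: the server can never borrow above it
        echo "tc class add dev $iface parent 1:1 classid 1:$n htb rate ${cap}kbit ceil ${cap}kbit  # $name $direction"
        echo "tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip $match flowid 1:$n"
        n=$((n + 1))
    done
}

# Emit the full policy; review it, then pipe it into sh as root to apply it.
gen_policy() {
    shape_iface "$WAN_IF" up
    shape_iface "$DMZ_IF" down
}

gen_policy
```

Adding a server is one more line in SERVERS; the caps are hard limits, so a busy serverB cannot borrow idle capacity from serverA, which is the behaviour the question asks for.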
I suggest Juniper NetScreens, they do it all: bandwidth shaping, routing, VPN, & FW.

Ref
http://www.juniper.net/products/integrated/
http://www.experts-exchange.com/Security/Firewalls/Q_21811815.html (Another article and which FW to choose)