Firewall Advice

Hi,

I am the sys-admin for a smallish web hosting company and I am having a bit of a choice problem when it comes to a firewall/VPN/router.


My options are to go with a boxed hardware firewall/router (like a cisco 1041, watchguard X700, dlink DFL-1000, etc)
or
to go with a linux server + using iptables.

All my servers are in a DMZ, and I do NATing and port forwarding into the DMZ
(basically, I run mail on 1 server and web on another, so I would forward port 80 to server1 and port 25/110/143 to server2).

Here is my problem:

The hardware solution appeals to me more, because you are using a product which is designed for that exact purpose; it allows us to manage our own bandwidth to each server, and the firewalling is nice and easy going. I believe it provides better IDS support than a Linux box. But you can't really analyze the traffic like you can on a Linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? And on what product?). Also, I think this solution lacks a lot in the way of graphing and what exactly you can graph.

The Linux solution: I can use iptables to obviously NAT and PAT traffic, but it just doesn't have the "stability", so to call it, of a boxed solution.
For example, a Linux box can get hacked a lot quicker than most hardware firewall/routers.
Also, bandwidth shaping on a Linux box is a bit of a headache, and I always seem to have issues with it.


In your "expert" opinion, what would be the best solution to go with, and why?

thanks
Dave
Dave_Strydom Asked:
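For the iptables side of the choice above, here is an added example (not from the thread or any of its posters) of the DMZ layout the question describes: one public address, TCP port 80 forwarded to the web server and 25/110/143 to the mail server, a default-deny FORWARD chain so only those forwarded ports reach the DMZ, and outbound SNAT for the DMZ hosts. Interface names, the 203.0.113.10 public address and the 192.168.10.0/24 DMZ range are constructed placeholders. The functions print the rules rather than applying them, so the set can be reviewed first and then piped to a root shell.

```shell
#!/bin/sh
# Added example: iptables rule generator for a NAT/port-forwarding DMZ.
# All addresses and interface names below are constructed placeholders.

WAN_IF="eth0"               # assumption: interface holding the public address
DMZ_IF="eth1"               # assumption: interface facing the DMZ segment
PUBLIC_IP="203.0.113.10"    # constructed public address (TEST-NET-3 range)
DMZ_NET="192.168.10.0/24"   # constructed DMZ range
WEB_SERVER="192.168.10.1"   # constructed: server1 (web)
MAIL_SERVER="192.168.10.2"  # constructed: server2 (mail)

# Emit DNAT plus matching FORWARD-accept rules for one server.
# Arguments: server IP, followed by the TCP ports to forward to it.
forward_ports() {
    server="$1"; shift
    for port in "$@"; do
        # Rewrite the destination of inbound connections on the public port.
        echo "iptables -t nat -A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp --dport $port -j DNAT --to-destination $server:$port"
        # Allow only the DNATed connections through; everything else hits the DROP policy.
        echo "iptables -A FORWARD -i $WAN_IF -o $DMZ_IF -d $server -p tcp --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Emit the complete rule set in apply order.
gen_rules() {
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m conntrack --ctstate INVALID -j DROP"
    forward_ports "$WEB_SERVER" 80
    forward_ports "$MAIL_SERVER" 25 110 143
    # DMZ hosts may open outbound connections (updates, DNS, outbound mail);
    # hide them behind the public address on the way out.
    echo "iptables -A FORWARD -i $DMZ_IF -o $WAN_IF -s $DMZ_NET -m conntrack --ctstate NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $WAN_IF -s $DMZ_NET -j SNAT --to-source $PUBLIC_IP"
}

# Number of DNAT rules in the generated set: a quick sanity check before applying.
count_dnat() { gen_rules | grep -c -- '-j DNAT'; }

# Review the output; apply as root with:  gen_rules | sh
gen_rules
```

Because the FORWARD policy is DROP and only the DNATed ports get an ACCEPT, a service accidentally left listening on a DMZ host (say, a database port) is not reachable from the outside even though the host itself is; the generated list is also what you would diff against `iptables-save` output when checking that a running box still matches its intended policy.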
Pete Long (Technical Consultant) Commented:
IMHO

You are a Webhosting company? People are paying you for services? I've got nothing against Linux, it's a great system (smoothwall is an excellent product)
but
GO for a Hardware solution - My Preference would be Cisco PIX but you could also consider - SonicWall or Symantec.
Dave_Strydom (Author) Commented:
I would also prefer a Hardware Solution,

As far as I can tell, a PIX won't work for me, since a PIX has no routing abilities; I would then still need a router inside the DMZ.

Dave

pseudocyber Commented:
>>But you can't really analyze the traffic like you can on a Linux box, where you can run something like ss and squid and ethereal and actually see exactly where the traffic is going and stuff (or can you? And on what product?). Also, I think this solution lacks a lot in the way of graphing and what exactly you can graph.

You get what you pay for.  You're running some pretty low end firewalls there.  Step up and you can do everything you want on an "appliance box".  We can do everything you're talking about - running Checkpoint NG on Nokia IPSO boxes.
Pete Long (Technical Consultant) Commented:
>>As far as I can tell, a PIX won't work for me, since a PIX has no routing abilities

You are correct - but the PIX is a Firewall NOT a router - if you have complex routing there's nothing to stop you putting a router in front/behind (or both).
Dave_Strydom (Author) Commented:
pseudocyber:
That is what I am looking to do; I have been taking a look at the Nokia IP350 box. Do you highly rate these products?
And the traffic management it provides, is it policy based or class based, or what?

thanks
Dave
pseudocyber Commented:
I haven't worked with a lot of different Firewalls - but the GUI is extremely easy to use.  The IPSO OS seems fairly stable.  We don't do traffic management/shaping with the firewall.  Logging is easy to use and very detailed if you wish it.
Dave_Strydom (Author) Commented:
What would be the best thing for bandwidth shaping?

I am even happy separating the firewall and the bandwidth shaping.

(What Cisco product does the bandwidth shaping? I know the Cisco 1841 can do firewalling and routing.)

pseudocyber Commented:
I'm fairly confident to say that a majority of your Cisco routers can do bandwidth shaping.  What do you mean by that - prioritizing traffic based on type of traffic?
Dave_Strydom (Author) Commented:
Like, to say:

serverA is allowed 25Mbit/sec upstream and 50Mbit/sec downstream
serverB is allowed 75Mbit/sec upstream and 50Mbit/sec downstream

and so on, so that traffic to, say, serverB cannot exceed 75Mbit/sec.

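The per-server limits Dave lists (serverA 25Mbit/sec up, 50Mbit/sec down; serverB 75Mbit/sec up, 50Mbit/sec down) are exactly what the thread says is a headache on a Linux box, so here is an added example (not from the thread or any poster) of doing it with tc and HTB on the firewall. Shaping in Linux acts on traffic leaving an interface, so the "downstream" limit (Internet to server) is applied on the DMZ-facing interface, matching on destination address, and the "upstream" limit (server to Internet) on the WAN interface, matching on source address. Interface names, the 100Mbit link speed and the server addresses are constructed placeholders; the functions print the commands so they can be checked before being run as root.

```shell
#!/bin/sh
# Added example: per-server rate limits with tc/HTB, as a command generator.
# Interface names, link speed and addresses are constructed placeholders.

WAN_IF="eth0"             # assumption: interface towards the Internet
DMZ_IF="eth1"             # assumption: interface towards the DMZ
LINK_MBIT=100             # assumption: physical link speed for the root class
SERVER_A="192.168.10.1"   # constructed: serverA
SERVER_B="192.168.10.2"   # constructed: serverB

# Emit an HTB tree on one interface with one class per server.
# Arguments: interface, "src" or "dst" (which address the filter matches),
# then triples of "ip classid rate_mbit".
shape_iface() {
    iface="$1"; dir="$2"; shift 2
    echo "tc qdisc del dev $iface root 2>/dev/null"
    echo "tc qdisc add dev $iface root handle 1: htb default 30"
    echo "tc class add dev $iface parent 1: classid 1:1 htb rate ${LINK_MBIT}mbit"
    # Catch-all class for hosts without an explicit limit.
    echo "tc class add dev $iface parent 1:1 classid 1:30 htb rate 1mbit ceil ${LINK_MBIT}mbit"
    while [ $# -ge 3 ]; do
        ip="$1"; cid="$2"; rate="$3"; shift 3
        # rate equals ceil, so the class can never borrow beyond its limit.
        echo "tc class add dev $iface parent 1:1 classid 1:$cid htb rate ${rate}mbit ceil ${rate}mbit"
        # Steer this server's packets into its class by address.
        echo "tc filter add dev $iface parent 1: protocol ip prio 1 u32 match ip $dir $ip/32 flowid 1:$cid"
    done
}

# Emit the whole shaping setup for both directions.
gen_shaping() {
    # Downstream (Internet -> server) leaves the firewall on the DMZ side: match destination.
    shape_iface "$DMZ_IF" dst "$SERVER_A" 10 50 "$SERVER_B" 20 50
    # Upstream (server -> Internet) leaves on the WAN side: match source.
    shape_iface "$WAN_IF" src "$SERVER_A" 10 25 "$SERVER_B" 20 75
}

# Return the ceil configured for a given interface and class id (e.g. "75mbit").
ceil_for() {
    gen_shaping | grep "dev $1 " | grep "classid 1:$2 " | sed 's/.*ceil //'
}

# Review the output; apply as root with:  gen_shaping | sh
gen_shaping
```

Two caveats a practitioner hits with this setup: the limits only hold if the firewall is the sole path between the servers and the Internet, and a class whose ceil equals its rate drops rather than queues once the link is saturated, so `tc -s class show dev eth0` is the place to look when a customer reports that their server "cannot get above 75Mbit" and you need to confirm the limit is doing what the policy says.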
jabiii Commented:
I suggest Juniper NetScreens; they do it all: bandwidth shaping, routing, VPN, and FW.

Ref
http://www.juniper.net/products/integrated/
http://www.experts-exchange.com/Security/Firewalls/Q_21811815.html (Another article and which FW to choose)
