small ISP router/security box/Snort/Content filtering

I need to put a router/firewall in place at a teleport that I uplink from to the satellite I use to deliver BW to my small client base. Because we are planning on putting a WAN accelerator at the hub, the teleport has told me that I need to install my own routing/firewall equipment, as the routing becomes a bit more involved with the WAN accelerator in my network and therefore troubleshooting becomes a problem for them. They say things stay much simpler if I have my own gear installed.

OK, so I am going ahead and am going to install my own router/firewall. They have told me a Cisco 5510 or 5520 ASA is appropriate. Not being a Cisco guy at all and NOT knowing the Cisco interface/OS, I have no allegiance to Cisco in any way.

So should I put in the Cisco box, or should I look at a Vyatta subscription-based box, or maybe even pfSense with a professional support contract from the company that makes pfSense?

I know you can't go wrong with Cisco gear, but it's a tad expensive and locks me in to the Cisco platform.

I might add I want to install a Snort box, and Vyatta has this onboard. I am also looking at a Scrutinizer server that can give lots of information from probes behind each satellite modem in the field about traffic flows, top talkers, etc., so that we can pinpoint abusers. I also want to filter traffic to individual sites to stop P2P/Facebook, etc., as all our links are business links and 99% of our clients want that type of traffic blocked. I need to be able to do this on a site-by-site basis. Each site has its own public IP /30, so I am hoping we can filter each site separately, as not every site will need to be locked down to the same degree, depending on what each business owner/manager wants. All this is relevant to my original question because I need to make sure I can get all this working together.


brb6708 Commented:
I used to use Cisco firewall technology about 10 years ago. Then I had to set up a security concept for a German bank (a rather big one!) and I learned about the prerequisites of hosting bank data. And with this concept I decided to switch to Linux/iptables because it was the only way for me to describe every single step in a way the security controllers of the bank were able to understand. And as a side effect of this development I learned about the dos and don'ts of a highly sophisticated firewall solution.

So with my knowledge today I would say: if you don't want to do a lot with firewalls but simply use one to make your network safer, then choose a firewall from a manufacturer with a good reputation (e.g. Cisco). Use a consultant to help you do the setup and teach you the issues essential for secure operation. It's more expensive, but you are pretty sure that no unwanted access to your network takes place. Call it a kind of turnkey solution.

If you want to achieve a higher security level you should consider using Linux/iptables. Software and hardware are cheaper, but probably you need more consultancy for a secure setup. And - you're quite right - take the advantages of a much more flexible and reliable solution. If you know about the rules you have much more inside knowledge that makes you feel good. And you're open for future requirements in any direction.
Simply set up a Linux box and establish rules for forwarding to your server using iptables. It's way cheaper than a Cisco firewall without being more insecure.

If you set up DROP as the default policy you make it impossible to access your server from outside. After that you can set up the rules according to your needs.

If you need help in configuring iptables feel free to ask.
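The "DROP by default, then open only what you need" approach described in the comment above, worked through as an added example; this is not brb6708's configuration or anything from the thread. It is a POSIX shell script that prints a ruleset in iptables-restore format rather than applying it, so it can be reviewed first and then fed to `iptables-restore`. The interface names (eth0/eth1), the management host, the internal server and the two customer /30s are constructed placeholders, as is the per-site "open"/"restricted" policy list, which mirrors the asker's requirement that each site (one public /30 each) can be locked down to a different degree.

```shell
#!/bin/sh
# Added example (not from the thread): generate an iptables-restore ruleset that
# implements the "DROP by default, then open only what you need" approach.
# Interfaces, addresses and ports are constructed placeholders; adjust before use.

WAN_IF="eth0"               # assumed: uplink toward the teleport
LAN_IF="eth1"               # assumed: toward the hub / customer sites
MGMT_HOST="203.0.113.10"    # constructed: admin host allowed to SSH to the firewall
SERVER="198.51.100.20"      # constructed: internal server reachable from outside on 443

# One customer site per line: "<site /30> <policy>", policy is "open" or "restricted".
# The /30s are constructed; the real ones would be each site's assigned block.
SITES="192.0.2.0/30 open
192.0.2.4/30 restricted"

# Emit FORWARD rules for one site. A restricted site only gets web and DNS out;
# everything else it sends is logged and dropped, so abusers show up in the logs.
site_rules() {
  net="$1"
  policy="$2"
  case "$policy" in
    open)
      echo "-A FORWARD -s $net -i $LAN_IF -o $WAN_IF -j ACCEPT"
      ;;
    restricted)
      echo "-A FORWARD -s $net -i $LAN_IF -o $WAN_IF -p tcp -m multiport --dports 80,443 -j ACCEPT"
      echo "-A FORWARD -s $net -i $LAN_IF -o $WAN_IF -p udp --dport 53 -j ACCEPT"
      echo "-A FORWARD -s $net -i $LAN_IF -o $WAN_IF -j LOG --log-prefix \"site-drop: \""
      echo "-A FORWARD -s $net -i $LAN_IF -o $WAN_IF -j DROP"
      ;;
    *)
      echo "unknown policy '$policy' for $net" >&2
      return 1
      ;;
  esac
}

# Print the whole ruleset in iptables-restore format.
build_ruleset() {
  echo "*filter"
  # Default policies: nothing reaches the box or crosses it unless a rule says so.
  echo ":INPUT DROP [0:0]"
  echo ":FORWARD DROP [0:0]"
  echo ":OUTPUT ACCEPT [0:0]"

  # Traffic to the firewall itself: loopback, replies, SSH from the admin host only.
  echo "-A INPUT -i lo -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A INPUT -m conntrack --ctstate INVALID -j DROP"
  echo "-A INPUT -s $MGMT_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT"
  echo "-A INPUT -p icmp --icmp-type echo-request -j ACCEPT"

  # Forwarded traffic: replies first, then the one inbound service, then per-site policy.
  echo "-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  echo "-A FORWARD -m conntrack --ctstate INVALID -j DROP"
  echo "-A FORWARD -d $SERVER -i $WAN_IF -o $LAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT"
  printf '%s\n' "$SITES" | while read -r net policy; do
    [ -n "$net" ] && site_rules "$net" "$policy"
  done

  # Whatever is left falls through to the DROP policies above.
  echo "COMMIT"
}

# Review the output first, then apply with: build_ruleset | iptables-restore
build_ruleset
```

Because the chain policies are DROP, the explicit per-site DROP for restricted sites is redundant for enforcement; it is there so the preceding LOG rule gives a per-site record of what was blocked, which is the kind of per-site visibility the asker wants for spotting abusers. Return traffic for every accepted flow is handled by the single ESTABLISHED,RELATED rule, so no reverse-direction rules are needed per site.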
johnathon_doe (Author) Commented:
Being an RF tech who installs/repairs satellite communications equipment, I'm not a networking/server guy. Given that point, if I listen to the network guys I rub shoulders with at times, they all say Cisco, Cisco, Cisco.

Do I miss anything if I give Cisco a miss? Will things be much simpler for integrating a Snort box if it is built into the router like Vyatta does it? Or is it better to keep all the various boxes separate from each other?

Whatever I do I will get the appropriate consultant to set it all up, as I can't afford any network issues or outages.

What I am trying to do is educate myself on the appropriate strategy before I start down any particular road.

Whatever you do - as long as you do not know what you're doing, security always will be a 50/50 percent success story. And if you know what you're doing, you can make your network secure using Cisco as well as a Linux box as well as hundreds of other solutions.

Cisco is surely not wrong. But you'll have to learn how to set it up. Using the Linux box secures your system to the same level, but you'll have to learn how to set it up as well. Regarding security there is no difference between both solutions. Regarding costs there is a difference, because you do not need a thousand-dollar-and-more server for a Linux-based firewall. And the software is open source and free. Many firewall solutions you can buy are Linux/iptables based with a simplified user interface (e.g. Astaro).

There is another issue that makes me tend to Linux when reflecting on security issues. Boxes like Cisco's are always kind of black boxes where you never can be sure if there are backdoors or other features you do not know about. If you use a Linux box you can be sure that if there's some malware integrated in the kernel, it's a matter of days and the hole is fixed.
johnathon_doe (Author) Commented:
Sure - understand.

I am not asking how to do the config of all this - just some strategy. You know, is it preferable to do it via an appliance, a quality server and software like the Vyatta solution, a pfSense-based solution, etc., and why - pros, cons, etc. Anything I need to carefully consider, etc. I mean, is pfSense good enough? Anyone have any reasons why I should not use pfSense, etc.? Whichever way I go I will buy professional support for the solution.

As I said earlier, I work on satellite RF carriers and troubleshoot interference issues, SNRs, faulty high-power amps, etc. Once I figure out a good approach to routing/firewalling it looks like I am off on another course to learn the nuts and bolts of the solution. As it stands we do a great job of keeping our network UP from a satcomms point of view - the teleport up till now has done the routing, etc., and we have had zero issues. But the time has come to now put in our own routing/firewall gear.

I like the Vyatta solution, and having done a lot of reading on pfSense it seems ISPs do use it. I just wish I could hear some success/horror stories of why each solution may/may not work. Bottom line is Cisco WILL do what I want, but I fear being locked into Cisco. I like open source - not because of $$$ but flexibility. Am I wrong on this? If so, why? I came in here because I was hoping for unbiased opinions from those who actually use the stuff instead of just selling it.
johnathon_doe (Author) Commented:
Thanks brb6708. I appreciate your help and your point of view. That's exactly what I am after - real-world practical experience on why one way is great, another good, and the pitfalls of any of them. I realize there is no all-right/all-wrong answer - so many variables involved.

Up till this stage I have only had to focus on what goes on over the bird and manage my freqs, carriers, power levels to the transponder, footprints, link budgets, etc. Not had to worry about the IP side of it toooooo much! A little here and there for sure, but the meaty stuff has been done by our teleport. They're good guys, don't get me wrong - but they are a Cisco shop - a fairly major one too. Whatever I do I have to pay for support and config of the network. I plan to hire a Cisco/server guy (hopefully MS and Linux - is that realistic?) within the next 3-4 months. Until then I plan to just bring in whoever I need to set it up. Once the basics are in place they are in place, and I expect that whatever we end up doing it will be on a hardened OS of some sort - Linux, Unix, IOS - whatever. So provided it's all set up right from the outset the problems along the way should be minimal - at least I can hang on till I get my server guy in house. At the end of the day I can't do it all myself - I am employed full time with my satcomms and managing the carriers. But as the owner of my little enterprise, I have to set the direction of how things do get set up, or at least know enough to know the basic direction I should head in. I do have some ideas, I'm not totally clueless :-P, but to hear how the experts have done it is valuable. No use re-inventing the wheel.

The teleport guys only speak Cisco, so I'm not going to get any other point of view there. I'll have to pay them like I will have to pay anyone else, so there is no $$$ advantage either way from that point of view. I like the Vyatta and the pfSense way of doing things - you've mentioned a Linux box with iptables - what other solutions should I at least consider? You mention Linux - Debian seems to be the way to go there?? I've installed a few Linux distros here and there for various reasons, but all I've ever done is insert the CD and make menu choices through the installation - that's not really Linux work, is it... I can say one thing though, I really find networking interesting and am keen to get under the hood with it all, so to speak.
Don't confuse yourself by considering too many alternatives. If it's a firewall with a well-reputed company behind it, it does what it should do. The difference normally is user interface, not technology.

If you consider Linux it's the same thing: the distro doesn't play a big role. The software is always the same. The difference is user interface and installation procedure. I myself prefer Debian-based distros because they have installation procedures I like more than others.

The most important thing for you in my opinion is a consultant who's able to understand your ideas and is not fixed to a particular way of solution, so he can propose you a firewall that fits your needs without making you burn money. So in your situation I'd write down what you have and what you intend to achieve. And with this briefing go to several consultants and ask them about their way to do it. The guy who best takes care of your ideas is it.

I would stick with Cisco. Even though it is not a strong suit, you can learn the Cisco IOS and it is applicable across all of their routers. So it is not restricted to just one box or a simple series of devices.

I work for a carrier that has an all-Cisco core network to supply data, MPLS, and voice out to our business customer network. When people count on you for services you need something more than a friendly web blog to go to for support. I have used Linux for a lot of "testing" platforms, but never have we been able to trust the support piece of it enough to put customer services other than some web hosting solutions on it...
johnathon_doe (Author) Commented:
Sorry for the delay in coming back to this. Been out in the boonies troubleshooting a link that went down.

Anyway, back to the point. As I said from the outset there is no right or wrong answer to this, it's only differing opinions, which is exactly what I wanted so I could deliberate the pros and cons of either way of going about it.

brb6708, many thanks for your patience. You've put up some good points. cwoolsey, thanks for your input. I agree with you wholeheartedly about when you supply a service you need reliability. There is no doubt Cisco gives you that. Going Cisco sure would not be a wrong choice, but I just wonder if some of the good heavy-duty open source products are not a whole lot more flexible. I don't want vendor lock-in, which is what Cisco gives you.
johnathon_doe (Author) Commented:
Not enough in-depth discussion, but I see it's not going anywhere, so time to drop it.