Web Hosting Talk

A good Server PCI Based Firewall?

tokios.com
08-26-2003, 12:39 AM
Hi

We've been contemplating using Server Based PCI Firewalls. Something like the SNAPGEAR PCI (http://www.snapgear.com/pci630.html)

Does anyone know of any similar products like the one above?

Thanks in advance

kingpcgeek
08-26-2003, 12:52 AM
I just had a couple of them (PCI360) installed on my two servers at servermatrix. I'm not totally sold on them yet. It really seems like the web load times have gone up since I installed them.

tokios.com
08-26-2003, 01:59 AM
What about the management features? Are you able to administer your firewall remotely?

Also, does it plug in like a regular network card? And am I right to assume that it actually replaced the standard NIC?

rgds

kingpcgeek
08-26-2003, 12:34 PM
servermatrix does not allow you to administer the card, which I don't care for. Any changes you want to make you have to create a ticket.

The administration is done via a web interface. I can get to the interface, but alas I don't have a login and password.

Yes it replaces an existing NIC.

eddy2099
08-29-2003, 07:28 AM
Kingpcgeek,

Thank you for your reply. I am actually contemplating the same thing because I just cannot get the software firewall to work properly. It is just too slow and blocks things which it was not supposed to block.

By the way, does Servermatrix allow you to determine which ports to open and which to remain closed? And does it come to you preconfigured, or do you need to get it all done yourself?

kingpcgeek
08-29-2003, 10:25 AM
As with most firewalls, everything is closed by default. Before installation the installer will ask what ports, on what ip addresses you want open. You will also need to reconfigure your web server software (iis in my case) since inside the firewall you will be using non-routable ip addresses (10.0.0.1...)

servermatrix does all of the installation setup and configuration changes

eddy2099
08-29-2003, 11:02 AM
Thanks. It is a comfort to know that Servermatrix will have that done. So far my problem with the built-in firewall in W2k3 is that it does not seem to allow access through Port 443 for SSL even though I had it allowed, and that is a problem because there are several sites which are and will be using SSL quite exclusively. And software firewalls tend to slow things down.

I do hope that the Snapgear being hardware based would provide fast access for legitimate users.

Thanks again.

Emil
08-29-2003, 01:21 PM
Originally posted by kingpcgeek
I just had a couple of them (PCI360) installed on my two servers at servermatrix. I'm not totally sold on them yet. It really seems like the web load times have gone up since I installed them.

Any updates on this?

Is it considerably slower? Was it a good investment?

I am looking into purchasing that..But I want to know if it is worth the price tag.

Thanks!

eddy2099
08-29-2003, 10:19 PM
I just got in touch with my sales rep at Servermatrix and wasn't given too much information about the card. My fear is really speed and accessibility. I need to have my clients' clients be able to access the site via SSL. I did ask if I could sample the card but of course that was not possible. I would have to pay a month's usage even if I do not use it for a month. Fair enough. But I was told that there would be some charges in configuring the card if I did not know which ports to open or close. The trouble is that I have never seen the card before and I do not know the settings, so I am still hunting around now.

With a software, I could do it myself.. but hardware, I do not have any control over it.

I believe a firewall is essential just as long as it does its job and the site does not go so slow as to make it unusable.

I tried the ICF which came with W2K3 and it seems to drop my entire connection, I saw ports that I never knew I had.. I was just trying to access a site on my server. I thought that if I was just looking at web pages, it should be just port 80 but found I was doing port 68, 67, 2248 and something like that. Weird..

I am currently awaiting the Firewall Administrator response to my queries on the card, have not heard from him yet.

I guess I will wait.

tokios.com
08-29-2003, 10:24 PM
Actually, there is an online virtual demo of the admin interface on one of their websites. The virtual demo admin will allow you to connect to a virtual Snapgear unit and configure its settings. That should give you a feel of what to expect.

Cheers

eddy2099
08-29-2003, 10:30 PM
Thanks. I know that but from what Kingpcgeek said, he was not given access to the card so the interface wouldn't quite be the same as issuing the tickets to servermatrix.

I tried the virtual demo but from where I am, it was extremely slow to the point of no return. If that was something I would be facing then I had better look for another alternative.

tokios.com
08-29-2003, 10:34 PM
I think if you want more control, your best bet would be to go with a software based firewall. I am personally leaning towards Tiny Firewall. It's only $79 now (usually $199). However, you'll most likely have to pay a setup fee for them to install it.

From my testing, the built in Firewall in Win2003 is very limited.

eddy2099
08-29-2003, 10:37 PM
I will try the tiny firewall on my system and see how it goes first before putting it on the server.. at least if I lock my laptop up I can recover..

tokios.com
08-29-2003, 10:39 PM
One quick piece of advice :

Don't try to install Tiny Firewall (ver 5) remotely. You'll most likely lock yourself out :-)

Cheers

eddy2099
08-29-2003, 10:56 PM
Yeah, that's why I was testing it locally. It was so overwhelming.. Got to see if the Servermatrix tech support are familiar with the program.

I will give TCP/IP Filtering another try and see if that works.

kingpcgeek
08-30-2003, 12:47 AM
You do have to create a ticket for any change. Response time has varied greatly. One time I created a ticket early Friday evening, and never heard anything until I called on Tuesday. On the other hand I created two different tickets through the day this past Tuesday and they were both responded to and completed within two hours. One problem I have seen is that not every tech will work on the firewalls, only the "firewall department" and they work 8-6.

Installation was a real bear; both of my servers were supposed to be down about an hour apiece, and were down about 3 hours. After they were brought up I had multiple problems because of the public IP addressing to private IP addressing change. I had the SMTP server in IIS set to only allow connections/relays from my real IP addresses, so for about 5 hours after being back up I had about 100 emails from one of my processing pages rejected. I removed the restrictions and things started sending again. Then port 25 had been left open to inbound connections, even though I had not requested it. A spammer(s) found it and I got three warnings from theplanet for spamcop reports. I put the restrictions back on to private IPs and had port 25 closed by tech support. I had 26,000 spams still sitting in the queue after that fiasco.

As far as the speed, it just seems to feel like my home page at www.cruiseamerica.com used to load quicker. I have no before and after measurements. No one is complaining or anything; it still loads quickly, albeit maybe a little slower.

If anyone does plan on installing one I can provide advice that would help ensure that the problems I experienced don't happen again.

eddy2099
08-30-2003, 01:25 AM
Thanks. It does sound like a bear. I tried your site with and without https and they work reasonably fast enough. Good enough for me. Currently I am waiting for the firewall department to respond to some of my queries and see how to proceed there.

By the way, on the w2k3 which are the 'other' ports to be left open apart from the standard ports?

I might just do it over the labor day weekend, not sure if the firewall dept works over the weekend though.

kingpcgeek
08-30-2003, 02:15 AM
w2k3 requires no special ports. You will need 3389 open for terminal services, unless you change its port like I do.

ports can be opened based on ip address as well.

example:

64.1.1.1 forwards to 10.0.0.2 ports 21, 25, 80, 443, 3389
64.1.1.2 forwards to 10.0.0.3 ports 80, 443
64.1.1.3 forwards to 10.0.0.4 ports 80

You won't get it done over the weekend.
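As an added example (not SnapGear's configuration syntax and not anything Servermatrix provides), the following Python models the default-deny, per-public-IP port forwarding described above, and adds the two checks a customer would want after the public-to-private addressing change kingpcgeek described earlier in the thread: which ports are open that were never requested (the port 25 surprise), and what an SMTP relay allowlist written for the old public addresses needs to become once the server sees its own pages connecting from private addresses. The 64.1.1.x and 10.0.0.x addresses are the ones posted in the thread; the extra port 25 on 64.1.1.2 is constructed to mirror the complaint.

```python
"""
Added example: a model of default-deny port forwarding from public to
private addresses, with post-NAT sanity checks. Not SnapGear's or
Servermatrix's own tooling; addresses come from the thread or are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# RFC 1918 space the card puts the server into ("10.0.0.1..." in the thread).
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class ForwardRule:
    """One public address forwarded to one private address for a set of TCP ports."""
    public_ip: str
    private_ip: str
    tcp_ports: FrozenSet[int]


class ForwardingPolicy:
    """Default deny: traffic passes only if a rule names that public IP and port."""

    def __init__(self, rules: Iterable[ForwardRule]):
        self.rules: Dict[str, ForwardRule] = {}
        for r in rules:
            if not any(ip_address(r.private_ip) in n for n in PRIVATE_NETS):
                raise ValueError(f"{r.private_ip} is not a private (non-routable) address")
            self.rules[r.public_ip] = r

    def forward(self, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Return (private_ip, port) for an inbound packet, or None if it is dropped."""
        rule = self.rules.get(dst_ip)
        if rule is None or dst_port not in rule.tcp_ports:
            return None
        return rule.private_ip, dst_port

    def unrequested_open_ports(self, requested: Dict[str, FrozenSet[int]]) -> Dict[str, list]:
        """Ports open on the card that the customer never asked for (the port 25 surprise)."""
        extra = {}
        for pub, rule in self.rules.items():
            diff = rule.tcp_ports - requested.get(pub, frozenset())
            if diff:
                extra[pub] = sorted(diff)
        return extra


def relay_allowlist_after_nat(policy: ForwardingPolicy, old_allowlist: Iterable[str]) -> set:
    """
    Translate an SMTP relay allowlist written in terms of the old public
    addresses into the private addresses the server now sees its own
    processing pages connect from. Entries that are not forwarded public
    addresses are kept unchanged.
    """
    new = set()
    for ip in old_allowlist:
        rule = policy.rules.get(ip)
        new.add(rule.private_ip if rule else ip)
    return new


# The example table posted in the thread (constructed addresses).
REQUESTED = {
    "64.1.1.1": frozenset({21, 25, 80, 443, 3389}),
    "64.1.1.2": frozenset({80, 443}),
    "64.1.1.3": frozenset({80}),
}

# What was actually installed: constructed so that port 25 is open on
# 64.1.1.2 without having been requested, as happened in the thread.
INSTALLED = ForwardingPolicy([
    ForwardRule("64.1.1.1", "10.0.0.2", frozenset({21, 25, 80, 443, 3389})),
    ForwardRule("64.1.1.2", "10.0.0.3", frozenset({25, 80, 443})),
    ForwardRule("64.1.1.3", "10.0.0.4", frozenset({80})),
])


def audit() -> dict:
    """Run the checks a customer would want before raising the support ticket."""
    return {
        "https_to_web2": INSTALLED.forward("64.1.1.2", 443),   # ('10.0.0.3', 443)
        "https_to_web3": INSTALLED.forward("64.1.1.3", 443),   # None: only 80 is open
        "unknown_ip": INSTALLED.forward("64.1.1.9", 80),       # None: no rule at all
        "unrequested": INSTALLED.unrequested_open_ports(REQUESTED),  # {'64.1.1.2': [25]}
        "relay_allowlist": relay_allowlist_after_nat(INSTALLED, {"64.1.1.1", "64.1.1.2"}),
    }


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

The `unrequested_open_ports` comparison is the one worth keeping around: whatever the card's own interface shows (or the ticket response says) is open, diff it against the list you originally handed the installer before you trust that the server is reachable only where you intended.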

s.h.a.zz.y
08-30-2003, 04:53 AM
I am quite surprised as to why you are not given access to the GUI for the PCI card.

It comes with an admin interface; has anyone asked why they don't supply access to it?

eddy2099
08-30-2003, 04:55 AM
It could be because it is managed or they are afraid you mess up. I am not sure.. I am still waiting for the firewall admin's reply to my queries. Will post when I get more info.

eddy2099
08-30-2003, 03:17 PM
Just got word from Servermatrix Tech, it is confirmed that as a customer you do not have access to the firewall card directly and the administration is via support ticket. I guess they do not want you to mess up the card and lock yourself out.

I think I would just do it.. better safe than sorry.

eddy2099
09-03-2003, 04:55 PM
Just an Update. I just ordered the Snapgear PCI630 installed to my W2k3 server and everything worked beautifully after settling the issues of the internal port assignments.

Everything seems to be as snappy as it was before the installation. :)

kingpcgeek
09-03-2003, 08:36 PM
Originally posted by eddy2099
Everything seems to be as snappy as it was before the installation. :)
I wish I could say the same. I still feel like my performance has decreased. To test this I added my main site to my dv2 server. The dv2 server is a 1½ old AMD 1600 with slower hard drives, and less RAM than my 4 month old servermatrix P4 2.4.

I notice a definite difference in load times between the two. SM can take up to 10 seconds to load everything, dv2 never more than 2 seconds. I am in AZ, traces to both are 12 hops, pings to SM are 25ms, 40ms to dv2. I would appreciate it if others would check the load times and let me know your results.

www.cruiseamerica.com

www3.cruiseamerica.com

eddy2099
09-03-2003, 09:11 PM
I am from Singapore and both the links took about 4 seconds each to load. No difference here.

The first link is 258ms and the second is 276ms avg from here.

shasta
09-03-2003, 09:17 PM
Originally posted by kingpcgeek
I wish I could say the same. I still feel like my performance has decreased. To test this I added my main site to my dv2 server. The dv2 server is a 1½ old AMD 1600 with slower hard drives, and less RAM than my 4 month old servermatrix P4 2.4.

I notice a definite difference in load times between the two. SM can take up to 10 seconds to load everything, dv2 never more than 2 seconds. I am in AZ, traces to both are 12 hops, pings to SM are 25ms, 40ms to dv2. I would appreciate it if others would check the load times and let me know your results.

www.cruiseamerica.com

www3.cruiseamerica.com

Both load the same for me... about 3 to 4 seconds.

msh
09-04-2003, 12:39 PM
Originally posted by kingpcgeek
the two. SM can take up to 10 seconds to load everything, dv2 never more than 2 seconds. I am in AZ, traces to both are 12 hops, pings to SM are 25ms, 40ms to dv2. I would appreciate it if others would check the load times and let me know your results.

www.cruiseamerica.com

www3.cruiseamerica.com

I pinged from a fast server in Denmark. www.cruiseamerica.com said:

PING www.cruiseamerica.com (64.5.54.36): 56 data bytes
64 bytes from 64.5.54.36: icmp_seq=0 ttl=52 time=142.510 ms
64 bytes from 64.5.54.36: icmp_seq=1 ttl=52 time=141.843 ms
64 bytes from 64.5.54.36: icmp_seq=2 ttl=52 time=142.322 ms
64 bytes from 64.5.54.36: icmp_seq=3 ttl=52 time=145.332 ms
64 bytes from 64.5.54.36: icmp_seq=4 ttl=52 time=141.782 ms
^C
--- www.cruiseamerica.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 141.782/142.758/145.332/1.317 ms

and www3 said:

PING www3.cruiseamerica.com (209.51.143.204): 56 data bytes
64 bytes from 209.51.143.204: icmp_seq=0 ttl=112 time=117.351 ms
64 bytes from 209.51.143.204: icmp_seq=1 ttl=112 time=117.517 ms
64 bytes from 209.51.143.204: icmp_seq=2 ttl=112 time=116.265 ms
64 bytes from 209.51.143.204: icmp_seq=3 ttl=112 time=116.983 ms
64 bytes from 209.51.143.204: icmp_seq=4 ttl=112 time=117.040 ms

--- www3.cruiseamerica.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 116.265/117.031/117.517/0.431 ms
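As an added example (not part of msh's post), here is a small Python parser for the BSD-style ping output above. It pulls the individual reply times, recomputes min/avg/max/stddev itself, checks that they agree with the summary line ping printed, and ranks captures by average RTT. The two captures embedded below are the ones msh posted; the regular expressions are general enough for any ping run that prints `time=... ms` replies and a `round-trip ... = min/avg/max/stddev ms` summary, and the tolerance values are my own choice.

```python
"""
Added example: parse ping output, recompute its statistics and compare
captures. The sample captures are the two msh posted in the thread.
"""
import re
import statistics
from typing import Dict, Optional

REPLY_RE = re.compile(r"icmp_seq=(?P<seq>\d+) ttl=(?P<ttl>\d+) time=(?P<ms>[\d.]+) ms")
SUMMARY_RE = re.compile(
    r"(?P<sent>\d+) packets transmitted, (?P<recv>\d+) packets received, "
    r"(?P<loss>[\d.]+)% packet loss"
)
RTT_RE = re.compile(
    r"round-trip min/avg/max/stddev = (?P<min>[\d.]+)/(?P<avg>[\d.]+)/"
    r"(?P<max>[\d.]+)/(?P<stddev>[\d.]+) ms"
)


def parse_ping(text: str) -> Dict[str, object]:
    """Return the per-reply samples, our recomputed stats and ping's own summary."""
    replies = list(REPLY_RE.finditer(text))
    if not replies:
        raise ValueError("no echo replies found in ping output")
    times = [float(m.group("ms")) for m in replies]
    ttls = sorted({int(m.group("ttl")) for m in replies})
    computed = {
        "min": min(times),
        "avg": sum(times) / len(times),
        "max": max(times),
        # BSD ping reports the population standard deviation, not the sample one.
        "stddev": statistics.pstdev(times),
    }
    summary = SUMMARY_RE.search(text)
    rtt = RTT_RE.search(text)
    reported = {k: float(v) for k, v in rtt.groupdict().items()} if rtt else None
    # consistent: every figure ping printed matches our recomputation to 0.001 ms
    consistent = reported is not None and all(
        abs(reported[k] - computed[k]) < 0.001 for k in computed
    )
    return {
        "samples": times,
        "ttls": ttls,
        "computed": computed,
        "reported": reported,
        "loss_pct": float(summary.group("loss")) if summary else None,
        "consistent": consistent,
    }


def faster_by_avg(results: Dict[str, dict], tol_ms: float = 1.0) -> Optional[str]:
    """Name the capture with the lowest average RTT, or None if the best two are within tol_ms."""
    ranked = sorted(results.items(), key=lambda kv: kv[1]["computed"]["avg"])
    if not ranked:
        return None
    if len(ranked) == 1:
        return ranked[0][0]
    best, runner_up = ranked[0], ranked[1]
    if runner_up[1]["computed"]["avg"] - best[1]["computed"]["avg"] < tol_ms:
        return None
    return best[0]


# Captures quoted from the thread (the ^C is part of the pasted output).
WWW_CAPTURE = """PING www.cruiseamerica.com (64.5.54.36): 56 data bytes
64 bytes from 64.5.54.36: icmp_seq=0 ttl=52 time=142.510 ms
64 bytes from 64.5.54.36: icmp_seq=1 ttl=52 time=141.843 ms
64 bytes from 64.5.54.36: icmp_seq=2 ttl=52 time=142.322 ms
64 bytes from 64.5.54.36: icmp_seq=3 ttl=52 time=145.332 ms
64 bytes from 64.5.54.36: icmp_seq=4 ttl=52 time=141.782 ms
^C
--- www.cruiseamerica.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 141.782/142.758/145.332/1.317 ms
"""

WWW3_CAPTURE = """PING www3.cruiseamerica.com (209.51.143.204): 56 data bytes
64 bytes from 209.51.143.204: icmp_seq=0 ttl=112 time=117.351 ms
64 bytes from 209.51.143.204: icmp_seq=1 ttl=112 time=117.517 ms
64 bytes from 209.51.143.204: icmp_seq=2 ttl=112 time=116.265 ms
64 bytes from 209.51.143.204: icmp_seq=3 ttl=112 time=116.983 ms
64 bytes from 209.51.143.204: icmp_seq=4 ttl=112 time=117.040 ms

--- www3.cruiseamerica.com ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 116.265/117.031/117.517/0.431 ms
"""

if __name__ == "__main__":
    results = {"www": parse_ping(WWW_CAPTURE), "www3": parse_ping(WWW3_CAPTURE)}
    for name, r in results.items():
        print(name, {k: round(v, 3) for k, v in r["computed"].items()}, "consistent:", r["consistent"])
    print("faster by avg RTT:", faster_by_avg(results))
```

Worth keeping in mind when reading numbers like these: ICMP round-trip time says something about the network path, not about how long the server takes to build the page, so a lower ping does not by itself settle the load-time question the thread is asking. The page-load comparisons the other posters did are the measurement that actually speaks to whether the card adds delay.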