Web Hosting Talk

Firewalls for webfarms


ClusterMania
11-21-2001, 02:36 AM
What is the best firewall software or hardware for using in a webfarm for security. I only want web access to visitors and FTP access for clients. So I need to get a hardware or software solution and only allow ports 21 and I think port 80 for web access?

What's recommended? Thanks

jonny b
11-21-2001, 05:55 AM
Stick to the cisco pix series!

I would start with a 505 firewall and move up to a 515 when you can justify the cost / traffic increase....

There's a lot more than port 80 and 21 to consider though....

110 for POP3
443 for SSL
25 & 26 for SMTP ( not just relaying but for webforms etc... )
53 for DNS ( sites aren't going to work without that one ;)

Then there will be specific ports for the likes of stats and webmail packages to name a few ;)

The other point is, that if it's for a webfarm, what you may want to allow, won't be the same as what your customers want! You are going to have to have a standard config and then allow them to add / remove their own rules ( especially if you're charging for the service ;) )

Anyway...that said, if you have a good enough programmer who wants to write a decent linux firewall box you can do it much cheaper.....

Advantages with the pix series ( 515 + ) are auto-failover where you can run 2 side by side, 1 which is fully redundant until the failure of the second....can get quite expensive though!

And if you decide to go with some sort of firewall protection....decide if you want an internal / external network structure or are you going to setup a DMZ for safety?

Loads of work, but sadly quite fun ;))

All the best,

RackMy.com
11-21-2001, 08:51 AM
Some people like CheckPoint based hardware, but we use and recommend Netscreen products. They are really easy to use & configure, are inexpensive and work really well.

ClusterMania
11-22-2001, 12:27 AM
Originally posted by jonny b

This is the best price I could find, still a bit expensive but I don't like hackers. How hard is it to configure firewalls? Does it have a control panel that you can configure using a web browser? I want to configure it just to keep hackers out so I can sleep better at night. I guess it's worth the money. My servers will run FreeBSD so they should be pretty secure already.

http://www.starmicrotech.com/productpage.cfm?prodid=615

jonny b
11-22-2001, 08:13 AM
Hi Cluster!

Yes...the 515 is quite dear...... a few points you might want to consider first though...

1. don't buy it unless you expect to have so much traffic in the next year or so....ie. 250,000 simultaneous connections!
2. in that case, get the 505, the difference can be recouped when you actually do need the 515
3. if you want to futureproof the system now, go for the 515 or the 515 unrestricted....big money though, but will never, ever need replaced ;)

and finally.... ( simple point but sometimes overlooked ) ensure you get a 24-7 maintenance agreement with a cisco certified company....if that goes down, you're friar tucked! ( depending on your network structure! )

They aren't hard to configure.....it's not done from a gui but a telnet window and the language is Cisco's own ( i think? )

if you need a hand configuring it, drop me a line and I'll e-mail you one of our .config scripts.....no worries!

Cheers,

DaveC#
11-22-2001, 08:56 AM
My choice

A cluster of Sun Servers running Solaris 7, Rainfinity clustering software and Symantec Raptor 6 firewall.


Depends on your security levels

Checkpoint/Pix - packet filtering
Raptor - proxy (application filtering)

ClusterMania
12-05-2001, 03:46 AM
Originally posted by jonny b

An engineer at Yipes recommended Netscreen 100 over a Cisco PIX firewall or Check Point firewall. The Netscreen is quite expensive. Anyone use the product from www.netscreen.com?

RackMy.com
12-05-2001, 04:09 AM
We run several Netscreen 5s, 10s and 100s. We have access to Nokias and Ciscos and really like the Netscreens. I think they all do a great job, but the Netscreen is easy to configure and manage.

My 2 cents!

cperciva
12-05-2001, 04:15 AM
If your individual servers are running FreeBSD with a good packet filtering firewall (eg ipfw) in place, there isn't much to be gained by adding another packet filter. On the other hand adding a firewall bridge could allow for both packet accounting and packet normalization.

My personal advice would be to set up OpenBSD 3.0 as a bridge, or if you're really paranoid, set up two systems for failover capacity.
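As an added example that is not from any poster in this thread: a generator for a default-deny ipfw ruleset on a FreeBSD web host, admitting only the ports jonny b lists above and taking per-customer additions as arguments, in the spirit of his "standard config plus their own rules" point and cperciva's note that ipfw on each host already does the packet filtering. The interface name, the address and the service list are assumed placeholders; the script prints the ipfw commands instead of loading them.

```shell
#!/bin/sh
# Added example, not from the thread: print a default-deny ipfw ruleset for a
# FreeBSD web host that exposes only the services named in the discussion.
# Interface, address and the service list are assumed placeholders.
WEB_IF="${WEB_IF:-fxp0}"          # assumed external interface
WEB_IP="${WEB_IP:-192.0.2.10}"    # placeholder address (documentation range)
# Standard config: web, FTP control channel, SMTP, POP3, DNS (tcp and udp).
SERVICES="80/tcp 443/tcp 21/tcp 25/tcp 110/tcp 53/tcp 53/udp"

# gen_rules [extra "port/proto" entries]: emits ipfw commands on stdout so the
# result can be reviewed first and then loaded with:  gen_rules | sh
gen_rules() {
    allow="$SERVICES $*"
    n=100
    echo "ipfw -q flush"
    echo "ipfw add $n allow ip from any to any via lo0"; n=$((n + 100))
    # Match packets of connections already accepted by a keep-state rule.
    echo "ipfw add $n check-state"; n=$((n + 100))
    # Connections the host itself starts (DNS lookups, updates, active-mode
    # FTP data from port 20) and their replies.
    echo "ipfw add $n allow tcp from $WEB_IP to any out via $WEB_IF setup keep-state"; n=$((n + 100))
    echo "ipfw add $n allow udp from $WEB_IP to any out via $WEB_IF keep-state"; n=$((n + 100))
    # One inbound rule per exposed service; these are the only ports a remote
    # host can reach, and the filter does nothing about flaws in the daemons
    # behind them.
    for svc in $allow; do
        port=${svc%/*}
        proto=${svc#*/}
        case "$proto" in
            tcp) echo "ipfw add $n allow tcp from any to $WEB_IP $port in via $WEB_IF setup keep-state" ;;
            udp) echo "ipfw add $n allow udp from any to $WEB_IP $port in via $WEB_IF keep-state" ;;
            *)   echo "bad service spec: $svc" >&2; return 1 ;;
        esac
        n=$((n + 100))
    done
    # Port 21 covers only the FTP control channel; passive-mode transfers also
    # need the server's passive data port range opened here.
    # Everything not matched above is dropped and logged.
    echo "ipfw add $n deny log ip from any to any"
}

# Example: gen_rules 8080/tcp   (standard ruleset plus one customer's extra port)
```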

ClusterMania
12-05-2001, 04:59 AM
Originally posted by RackMy.com

I have no Linux or BSD experience so easy to manage and configure is nice. I am a bit paranoid cause I have a Cobalt RaQ3i that has been hacked before. The guy uploaded a casino site onto it and started spamming it. I got angry e-mails and I couldn't find anything in the logs. That's why I want a firewall. I am going to use FreeBSD in my webservers but I want to prevent hacker and DNS attacks which I have experienced also. I was using Maxim and they failed to find the IP of the user that was Source Quenching my server.

I had 3 days of downtime which was a major headache. They only told me to change my admin password and delete the files on my server. The person hacked my server 3 times. Now I learned my lesson and want to do everything right.

Thanks Guys

cperciva
12-05-2001, 05:06 AM
Originally posted by ClusterMania
I am a bit paranoid cause I have a cobalt Raq3i that has been hacked before. Thats why I want a firewall.

A firewall will not block attacks against publicly accessible services.

Remember that. If you want to protect yourself against RPC attacks *don't run RPC*. Ditto for bind, sendmail, wu-ftpd, etc. Don't rely upon a firewall to protect you, because there are often a number of ways to make the attacking packets come from behind the firewall.