Thread: Firewall advice for 1-3 servers
-
11-18-2009, 03:26 PM #1 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
We are looking for a good firewall appliance to purchase as we are moving from dedicated to colo. We will only be using one server (webserver running WHM/cpanel) initially, but may add another in a few months (either a backup server or another webserver plus a backup server).
Since we're going colo, we've decided not to go the pfsense/etc route since we don't want to buy more U-space just for that machine.
We'd like to keep it under $600, but we're flexible. We also prefer a decent GUI (we're not network guys), and maybe even auto-updates from the vendor. IDS/IPS is also a feature we'd like to see.
We are considering Juniper's Netscreen line, the Cisco ATA 55xx series, and even Sonicwall - but we want to get some advice from the experts first. Thanks for your input.
-
11-18-2009, 03:34 PM #2 Web Hosting Master (Join Date: Apr 2007, Posts: 3,531)
I would recommend the Netscreens for a setup like yours. They are a decent price and do the job well.
-
11-18-2009, 04:13 PM #3 Private Citizen (Join Date: Jan 2009, Posts: 3,878)
I'd avoid Sonicwall due to "I hate them reasons." I always end up with ones that don't like to reboot properly and freak out all the time. TZ170's and TZ190's mostly. That being said, I will throw my hat in with something like a Cisco ASA 5505 as a good firewall. You can pick those up brand new from $400-$600 from various vendors. PC Mall, PC Nation, PC Connection, CDW and Newegg if you want it fast and easy. No experience with Juniper, but there is no shortage of good things I hear about them.
-
11-18-2009, 04:24 PM #4 Junior Guru Wannabe (Join Date: Jun 2008, Posts: 66)
I would recommend SmoothWall. You can place it on hardware of your choice and add options as you need them. They have optional spam/virus filtering if you decide to turn it on later.
Smoothwall is an open source product that has both free and pay versions. The pay versions are excellent. I have used them for around 7 years now and never had any issues. If you need more info, I would be happy to tell you anything you want to know.
www.smoothwall.net - pay version
www.smoothwall.org - free version
Jerel Byrd, HostingTulsa.com
-
11-18-2009, 06:44 PM #5 Junior Guru Wannabe (Join Date: Sep 2009, Location: Stockholm, Posts: 43)
A linux box with IPTables? =)
-
11-18-2009, 07:00 PM #6 Aspiring Evangelist (Join Date: Jun 2009, Location: Washington, Posts: 374)
-
11-19-2009, 10:15 AM #7 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Thanks for the responses so far - I'm surprised at the general lack of options in this space though. I expected to have several different options for this decision, but it appears to be coming down to either an ASA5505 or a Netscreen.
Thanks for the other suggestions too, and for other applications we're all over freeware alternatives - just not for this project.
Which Netscreen would be most comparable in both price & features to the ASA5505?
-
11-19-2009, 10:34 AM #8 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Ok, another question... It looks like the Netscreens are EOL - which of Juniper's other product lines would you folks recommend? SRX? SSG? This just got a bit more confusing...
And that GUI is still very important to us.
-
11-19-2009, 11:31 AM #9 Disabled (Join Date: Nov 2009, Posts: 1)
I would recommend the Juniper SSG5 firewall. We have about 25 in use and they are great for a few servers all the way up to a full rack. We have had almost zero issues with them and you can find them online for a good price sometimes. I hope this helps.
-
11-19-2009, 11:43 AM #10 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
So what I'm hearing so far is that the Cisco is great, but difficult to work with unless you know Cisco IOS well. I've worked with IOS on 2950 switches over the years, but nothing deep and certainly nothing having to do with routing (maybe in our application routing wouldn't even be required though?). I'm not sure we could manage it correctly.
The SonicWalls seem to be on our knowledge level, but are not as reliable as Cisco or Juniper. Reliability is more important to us than a nice GUI, so that almost takes them out of the running IMO.
How simple are the Junipers to manage? And is the SRX line just the newer version of the legacy SSG?
-
11-19-2009, 12:04 PM #11 Aspiring Evangelist (Join Date: Mar 2007, Posts: 402)
There is a very lengthy thread 3 down from you right now that goes over the exact same question. There are some good replies in there:
http://www.webhostingtalk.com/showthread.php?t=900051
-
11-19-2009, 05:53 PM #12 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Another question... Are the services (IPS/DI/AV/etc) useful at all for a colo setup like we are planning? Or are those additional services only useful for remote office deployments like these devices seem to be built for?
-
11-19-2009, 07:35 PM #13 Web Hosting Master (Join Date: Feb 2004, Posts: 633)
I think you'll find that in the web hosting world, security is largely derived from networking vendors' products, hence Cisco and Juniper dominate. Based on what I've read here, some have also recommended Astaro and Fortinet products, so you might want to check them out. Outside of the hosting world, in the so-called "enterprise data center" security market, you'll find a lot more variety of products--SecureComputing/McAfee, Checkpoint, CrossBeam, IBM/ISS, Palo Alto Networks, etc. These are generally for securing much larger networks that don't push as much traffic, and aren't typically used much in the hosting world.
-
11-19-2009, 11:26 PM #14 Junior Guru (Join Date: Oct 2009, Posts: 188)
Hi!
+1 for Linux box with iptables.
I mean, there is nothing an appliance does that you can't do with a Linux firewall (at least as far as I know; if somebody knows, tell me!). As a matter of fact, there are some boxes that actually run Linux internally.
I have been able to:
+ Load balance several Internet Links.
+ Configure BGP.
+ Configure VLANs: some time in the past, we were even able to replace a core router with a Linux box. The core died, and it would take months to get a replacement, so.... in the end, the Linux box stayed there for around 1 year.
+ Do policy routing.
+ Normal NAT (SNAT, DNAT).
+ Other stuff that I can't remember now.
All of that with only a basic Linux firewall; if you add other software, there is a lot more that you can do.
I hope this helps,
Ildefonso Camargo
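As an added illustration of the "Linux box with iptables" option for the setup the OP describes (a firewall in front of one cPanel/WHM web server, doing the SNAT/DNAT this post lists), here is a reviewable iptables-restore ruleset generator. It is example code written for this page, not anything posted in the thread; interface names, addresses and the admin host are constructed placeholders.

```shell
#!/bin/sh
# Added example: stateful firewall + NAT for one web server behind a Linux box.
# Every interface name and address below is a constructed placeholder.
WAN_IF="eth0"               # assumed uplink interface
LAN_IF="eth1"               # assumed interface toward the web server
PUBLIC_IP="203.0.113.10"    # RFC 5737 documentation address, constructed
WEB_IP="192.168.10.20"      # web server's private address, constructed
ADMIN_IP="198.51.100.7"     # only host allowed to reach SSH and WHM, constructed

# Emit the ruleset on stdout so it can be reviewed, then fed to iptables-restore.
gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# DNAT: public web and WHM ports map to the backend server
-A PREROUTING -i $WAN_IF -d $PUBLIC_IP -p tcp -m multiport --dports 80,443,2087 -j DNAT --to-destination $WEB_IP
# SNAT: the server's outbound traffic leaves with the public address
-A POSTROUTING -o $WAN_IF -s $WEB_IP -j SNAT --to-source $PUBLIC_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Stateful core: reply traffic passes, malformed state is dropped, loopback is trusted
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# Management of the firewall itself: SSH from the admin host only
-A INPUT -i $WAN_IF -s $ADMIN_IP -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Public web traffic: cap new connections per source address, then allow
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -m hashlimit --hashlimit-name web --hashlimit-above 50/sec --hashlimit-mode srcip -j DROP
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
# WHM (2087) reachable from the admin host only
-A FORWARD -i $WAN_IF -o $LAN_IF -s $ADMIN_IP -d $WEB_IP -p tcp --dport 2087 -m conntrack --ctstate NEW -j ACCEPT
# The web server may originate outbound flows (updates, DNS, mail)
-A FORWARD -i $LAN_IF -o $WAN_IF -s $WEB_IP -m conntrack --ctstate NEW -j ACCEPT
# Rate-limited log of everything else before the chain's DROP policy applies
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "fw-drop: " --log-level 4
COMMIT
EOF
}

# Exposure check: how many rules admit NEW flows (review this number after edits)
count_new_accepts() { gen_ruleset | grep -c -- '--ctstate NEW -j ACCEPT'; }
```

Apply with `gen_ruleset | iptables-restore` only after reviewing the output; the script itself changes nothing.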
-
11-20-2009, 04:08 AM #15 Aspiring Evangelist (Join Date: Jun 2009, Location: Washington, Posts: 374)
-
11-20-2009, 09:47 AM #16 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Thanks guys, but we're not considering a linux box because we don't want to pay for the extra U space for it.
-
11-21-2009, 10:57 PM #17 Newbie (Join Date: Nov 2009, Posts: 24)
I'd go with a used Sonicwall Pro series; we use the Pro 2040 and it works just fine for what we need. It's simple to use and we haven't had any real issues with it.
-
11-21-2009, 11:07 PM #18 Junior Guru (Join Date: Oct 2009, Posts: 188)
-
11-21-2009, 11:35 PM #19 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Not if we can get one small enough - so far the ASA5505 and maybe one of the smaller Junipers are small enough to fit in the rack behind the server.
-
11-22-2009, 12:21 AM #20 Junior Guru (Join Date: Oct 2009, Posts: 188)
Ok... my curiosity grows.... http://www.cisco.com/en/US/docs/secu...html#wp1035111 <--- ok, rack mount, no problem this far... but.. behind the server.... (this is getting a little off-topic, but is interesting for me), how? (maybe I'm missing something in the rack structure).
-
11-22-2009, 01:01 AM #21 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)
Dimensions 7.9" x 6.9" x 1.8"
Not to mention the power consumption on a small appliance like this is considerably less than if we stuck a dedicated 1U machine in there as a fw.
-
11-22-2009, 01:04 AM #22 Aspiring Evangelist (Join Date: Jun 2009, Location: Washington, Posts: 374)
Yep, it is a 'strap on', where it does not matter if it hangs out on the back end cause there is no back panel/door to squish it?
Or maybe some 'speciality built short server'?
Hey, I have some really large 7U servers and I am sure you could fit that ASA 5505 'inside' the server, but you need to be adaptive to suspend it so it does not touch anything and then maybe drill a hole or two to wire it up nice.
<smiles> ABSF
-
11-22-2009, 04:10 AM #23 Web Hosting Guru (Join Date: Sep 2004, Location: Beaverton, OR, Posts: 261)
Just a little perspective here, I've never dealt with CISCO hardware myself until very recently. A couple months ago I switched our office network to use a CISCO ASA 5505. I had a contractor do the initial configuration (VPN, VOIP QOS, dual-wan routing w/failover, etc). After the appliance was deployed I took over the maintenance and have been using the ASDM GUI.
It didn't take too long to get the hang of it and I'm regularly modifying routing, firewall and VPN settings. It's definitely more complicated than any firewall/router I've dealt with but it's "learnable". One of the issues I keep running into is the fact that most of the knowledgeable CISCO folks don't use the GUI and I tend to have to a) figure it out on my own or b) drop into the IOS CLI. Also, from what I gather, the GUI used to be limited in what it could do but as far as I can tell the later versions handle everything that you need.
That said I love this little guy, it's got more features than I know what to do with and has been extremely stable for us. I know this is not the same as a server environment but I figured it may be of some use.
Regards,
Jerret
-
11-22-2009, 09:36 AM #24 Junior Guru (Join Date: Oct 2009, Posts: 188)
Hi!
I see the point. In the DC where I have installed systems (CANTV), the people there wouldn't let us put a "box hanging" behind the server; they were very direct: rack mount devices *only*..... Inside the server: I think there shouldn't be any problem.
Now, if talking about small devices:
http://www.mini-itx.com/store/?c=40
or
http://www.pcengines.ch/ ----> http://www.pcengines.ch/alix2d13.htm
Along with a box, like this: http://www.pcengines.ch/case1c2.htm
The advantage of the pcengines hardware is: low power (very low power), and DC power supply (~12V, and that's all).
Anyway, just wanted to share these "little toys" with you all.
Sincerely,
Ildefonso Camargo
-
11-23-2009, 09:53 AM #25 Junior Guru Wannabe (Join Date: Mar 2004, Posts: 68)