
03-22-2012, 02:03 PM
Web Hosting Master
Join Date: Jul 2009
Location: MN, USA
Posts: 1,322

Quote:
Originally Posted by jpwjpw
Looking at Astaro at the moment.

We have a couple of customers who use Astaro firewalls; from what I've seen, they're pretty slick.

03-23-2012, 03:15 PM
Web Hosting Master
Join Date: Aug 2009
Location: Orlando, FL
Posts: 1,055

Quote:
Originally Posted by lynxus
Don't go near the Juniper SSG platform.
It's about to be end of sale and support.
As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, which Juniper then bought for the SSG range).

The SSG line will be supported for a while longer. I want to say until 2015, but I'm not sure. As for the SRX, well, I want to love them, but I haven't played with them yet. A lot of people are saying they are much better than they were when first launched.
I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model, and I have heard decent things about them from others.
I'm not big on the ASA. I think the Juniper SSGs are better for a few different reasons. Let us know when you end up choosing.

03-23-2012, 03:43 PM
Lord of live chats
Join Date: Jul 2009
Location: UK
Posts: 1,221

Quote:
Originally Posted by skullbox
I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model, and I have heard decent things about them from others.

Yeah, I have a feeling that FortiOS has matured quite a lot since.
They seem to do everything an SSG would do, plus more now.
Even though SSGs are supported for a little while longer, I still would suggest you don't go there.
As for the SRX platform, we did use them when they came out initially. With the crashing, a just damn bad interface and a buggy CLI, we left them as quickly as we took them on. Went back to SSG and are now on FortiGates.

03-24-2012, 02:28 PM
Web Hosting Master
Join Date: Jun 2006
Location: NYC
Posts: 1,408

I didn't read the entire thread, so I may be repeating, but you're kind of talking about two different systems.
You mentioned a firewall and also an IPS.
You really shouldn't use a firewall at the edge of your network, if this is what you mean, unless you only have a couple of servers.
Even the Juniper SSGs/SRXs and older NS 5200/5400 have limitations in connections, so any small DDoS would still overload even the high-end ones (>300Mbps/100-200k PPS). However, from our experience (our customers' mostly), they do hold up much better than similar ASRs. (And I am a huge fan of Juniper, yet we have NS5200s in a closet... We simply don't deploy hardware firewall appliances any longer; they end up being bottlenecks.)
My recommendation would be to go with BSD + pf + CARP (or pfSense, which I have no personal experience with, but it seems to be exactly BSD/pf with a simple interface), and you could easily run a Snort system alongside.
That's the cheapest configuration if it's under 1-2Gbps of traffic.
Honestly, in that configuration you would come out much cheaper and likely get 2-3x the performance vs. commercial firewalls trying to do the same.
However: if you simply have to go commercial, then Juniper is the best route. I wouldn't consider Cisco, imho.
Last edited by ServerOrigin; 03-24-2012 at 02:32 PM.

03-24-2012, 04:27 PM
Newbie
Join Date: Feb 2012
Posts: 18

Check pfSense; you need some time to configure it, but it is a great appliance for free.

06-05-2012, 05:36 AM
Web Hosting Master
Join Date: Oct 2003
Location: Hanoi
Posts: 4,282

I wonder if anyone has experience with Hacom products? They provide pfSense appliances and appear among the recommended vendors on the pfSense website.
Thanks.
__________________
Clustered CloudLinux Hosting | WordPress Hosting | Advanced Antispam | Managed Xen VPS
in US West coast and Asia datacenters with Asia-Pacific friendly networks
Free migration to our servers. Contact us now on Twitter @vietnap

06-05-2012, 05:48 AM
***GE user
Join Date: May 2009
Location: China / HK / Austria
Posts: 2,252

Quote:
Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms.

No, simply... no.
Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.

06-06-2012, 06:10 PM
Web Hosting Master
Join Date: Jul 2009
Location: MN, USA
Posts: 1,322

Quote:
Originally Posted by Zhang
No, simply... no.
Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.

10G @ 64-byte packets?? That's a ****load of interrupts...
Last edited by [CTI] Todd; 06-06-2012 at 06:15 PM.

06-07-2012, 02:08 AM
Corporate Member
Join Date: Jul 2006
Location: Lake Zurich, IL
Posts: 261

Quote:
Originally Posted by [CTI] Todd
10G @ 64-byte packets?? That's a ****load of interrupts...

The last I knew, Vyatta could forward 3Mpps. Maybe this has improved? And I think this was under the best of circumstances. 10Gbps connections can theoretically forward around 20Mpps. Of course, this is very uncommon except under attack conditions.
Most software routers (OpenBSD/pf and pfSense) will forward roughly 500Kpps under the best of circumstances on great hardware, without large routing tables, without IPS/IDS and without many firewall rules, while maintaining state. We use them often at the edge of customer environments. If >500Kpps is expected to a single IP, we would recommend hardware, but this isn't typical. Hardware can be used to forward to many software routers/firewalls behind it based on IP addresses/ranges, which works well to distribute the load.
Eric
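To put the thread's Mpps figures on a common footing, here is an added example (not code from any poster) that derives wire-rate packet rates from the Ethernet preamble and inter-frame gap overhead, the per-packet processing budget that rate implies, and how much of a link's worst-case packet rate a box with a given forwarding capacity can absorb; the 500 Kpps and 3 Mpps capacities are the figures quoted in the thread, and the 64/1518-byte frame sizes are standard Ethernet limits.

```python
# Added example (not from the thread): wire-rate packet budgets for Ethernet.
# Every frame on the wire is preceded by a 7-byte preamble and 1-byte SFD and
# followed by a 12-byte inter-frame gap, so the smallest 64-byte frame costs
# 84 bytes of link time; that is where "~1.5 Mpps per gigabit" comes from.

ETH_OVERHEAD_BYTES = 7 + 1 + 12   # preamble + SFD + inter-frame gap
MIN_FRAME_BYTES = 64
MAX_FRAME_BYTES = 1518


def wire_rate_pps(link_bps: float, frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Maximum frames per second a link can carry at a given frame size."""
    if frame_bytes < MIN_FRAME_BYTES:
        raise ValueError("Ethernet frames are at least 64 bytes")
    bits_per_frame = (frame_bytes + ETH_OVERHEAD_BYTES) * 8
    return link_bps / bits_per_frame


def ns_per_packet(pps: float) -> float:
    """Processing budget per packet, in nanoseconds, at a sustained packet rate."""
    return 1e9 / pps


def headroom(capacity_pps: float, link_bps: float,
             frame_bytes: int = MIN_FRAME_BYTES) -> float:
    """Fraction of a link's packet rate at this frame size a box can keep up with.

    Capped at 1.0: once the box forwards faster than the wire can deliver,
    the link, not the box, is the limit.
    """
    return min(1.0, capacity_pps / wire_rate_pps(link_bps, frame_bytes))


if __name__ == "__main__":
    for name, bps in (("1G", 1e9), ("10G", 10e9)):
        pps = wire_rate_pps(bps)
        print(f"{name}: {pps / 1e6:.2f} Mpps at 64-byte frames "
              f"({ns_per_packet(pps):.0f} ns per packet), "
              f"{wire_rate_pps(bps, MAX_FRAME_BYTES) / 1e6:.3f} Mpps at 1518-byte frames")
    # Forwarding capacities quoted in the thread, against a worst-case small-packet flood.
    for label, cap in (("pf/pfSense ~500 Kpps", 500e3), ("Vyatta ~3 Mpps", 3e6)):
        print(f"{label}: {headroom(cap, 1e9):.0%} of 1G, "
              f"{headroom(cap, 10e9):.0%} of 10G at minimum-size frames")
```

The gap between the 1518-byte and 64-byte figures is why a box that handles a normal traffic mix comfortably can fall over under a small-packet flood at a fraction of its bandwidth.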

06-07-2012, 11:04 AM
Web Hosting Master
Join Date: Jul 2009
Location: MN, USA
Posts: 1,322

Quote:
Originally Posted by erickmiller
The last I knew, Vyatta could forward 3Mpps.

That sounds plausible. But 10G @ small packets, no way.