-
03-19-2012, 11:57 PM #1 Temporarily Suspended
- Join Date
- Jul 2011
- Posts
- 222
Which firewall is good for packet monitoring / IPS?
Which is the best choice for deploying a firewall in a data center?
It should check the packets in and out for any attack issues,
and monitor the traffic type.
-
03-20-2012, 12:05 AM #2 Junior Guru Wannabe
- Join Date
- Jan 2006
- Posts
- 46
You could consider Palo Alto Firewall.
http://www.paloaltonetworks.com/
-
03-20-2012, 04:32 AM #3 WHT Addict
- Join Date
- Jun 2009
- Location
- Stockholm
- Posts
- 136
I'm going to take a plunge here and recommend a BSD-based appliance on a decent server with good NICs and CPU, and pf + Snort for packet inspection and firewalling. There are tons of how-tos out there; Google is your friend. ;-) This can even be done with proper redundancy via "CARP". I think pfSense does exactly this and is open source and "free" except for the hardware.
In my experience Linux or BSD open source firewalls outperform hardware firewalls massively and at a fraction of the price. For example, a €100k Clavister dual-node cluster can handle about 100 Mbps of traffic, while we are running two Sun Fire X4100s with pfSense, with battle-proven and working redundancy which even shares the established flows between the nodes, that pushes about 644 Mbps as we speak. This setup was about €4k.
//T
-
03-20-2012, 10:44 AM #4 Web Hosting Master
- Join Date
- Jul 2009
- Location
- The backplane
- Posts
- 1,788
I'm not sure how anyone can make any recommendations without some basic info, like what kind of PPS the OP needs to be able to process. A software solution could be a complete disaster in any number of scenarios.
-
03-20-2012, 10:53 AM #5 Lord of live chats
- Join Date
- Jul 2009
- Location
- UK
- Posts
- 1,312
Fortinet do some very good firewalls (essentially a NetScreen but with more features).
They have great IPS / IDS and reporting tools.
They also do VM appliance versions if you don't want to use rack space!
-
03-20-2012, 10:55 AM #6 WHT Addict
- Join Date
- Jun 2009
- Location
- Stockholm
- Posts
- 136
True, but if you are representing a company that needs millions of 64-byte packets or multi-10G speeds, I doubt you go to WHT to ask which firewall would fit your environment. If anyone is representing a company that has the cash for the €1m+ firewall systems, I also doubt you come to WHT for advice, especially if the poster omits information such as expected flows, pps, Mbps, sessions per second, etc.
A software-based firewall (done properly) will outperform any budget hardware firewall.
Oh, and I'm not bashing either the posters of WHT or the forum itself; it's an amazing source of information and has (had) a great feeling/community.
//T
-
03-20-2012, 11:12 AM #7 Web Hosting Master
- Join Date
- Jul 2009
- Location
- The backplane
- Posts
- 1,788
Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms. Did you notice the OP's sig? Certainly that leaves open a possibility of significant amounts of bandwidth in an environment that might well face DDoS attacks.
Software platforms surely have their place, but I would not feel comfortable making recommendations without knowing what the technical requirements are. Might even be a fit here, but the bottom line is we have not been provided with any actionable information yet.
-
03-21-2012, 05:02 AM #8 WHT Addict
- Join Date
- Jun 2009
- Location
- Stockholm
- Posts
- 136
Well, I did not see his signature since I'm in the mobile version of the page. You are right that we have no substantial information to make any real recommendations. My point was to investigate software-based firewalls such as pfSense and try them out before resorting to overpriced hardware appliances. My long-term agenda is to get the hardware firewall manufacturers to set their pricing at a level based on their actual performance instead of their brand.
Another hidden agenda of mine is that I absolutely loathe Clavister and their retarded GUI and cli and performance for their absolutely ridiculous price. :-)
TL;DR: always start with open source/software before engaging hardware appliance firewall suppliers.
//T
-
03-21-2012, 02:03 PM #9 Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
+1 for Palo Alto firewalls. I'm going to agree with CTI Todd that software-based solutions aren't meant for the data center. Every time we get into this debate, the pfSense fanboys show up and start claiming it's hands down the best solution for everything.
There are hardware firewalls for a reason... think about it.
-
03-21-2012, 03:00 PM #10 Temporarily Suspended
- Join Date
- Jul 2011
- Posts
- 222
I cannot find the cost of Palo Alto firewalls.
How much is it?
-
03-21-2012, 05:07 PM #11 Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
Not cheap, this will give you a good idea:
http://www.ebay.com/itm/Palo-Alto-Ne...item519e06648e
-
03-22-2012, 08:52 AM #12 WHT Addict
- Join Date
- Jun 2009
- Location
- Stockholm
- Posts
- 136
I'm definitely not a "pfSense fanboy", but on the other hand I do think software-based firewalls have their place in data centers. It all depends on your application. As I said, one of my customers runs a successful high-traffic/usage business (online backups) on a pfSense cluster of firewalls that pushes 600-800 Mbps constantly (for the last two years) with no problems at all. Another customer of mine runs a Clavister cluster (SG3200) which is absolutely dreadful and falls over at ~300 Mbps of normal web traffic.
Yes, there is a reason: for someone to make money. There are people that want to do a "better solution" than others, but they are few. I could smack together a pfSense, BSD/pf/CARP/Snort or Linux/iptables/ip6tables solution, put it on a Supermicro/micro-server box with the ports on the front and sell it as an appliance for 1000% the price of the components, and frankly, that is what 75% of the "hardware firewall" companies do. Few actually create/program ASICs to do hardware firewalling.
To the OP though: you might want to look at Juniper SSG or SRX solutions as well; they are quite competent as hardware firewalls. I've also used Cisco ASAs in a couple of installations and they are "OK" at best. :-)
//T
-
03-22-2012, 09:30 AM #13 Lord of live chats
- Join Date
- Jul 2009
- Location
- UK
- Posts
- 1,312
Don't go near the Juniper SSG platform.
It's about to be end of sale and support.
As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, which Juniper then bought for the SSG range).
-
03-22-2012, 09:45 AM #14 WHT Addict
- Join Date
- Jun 2009
- Location
- Stockholm
- Posts
- 136
Ah yeah, I forgot they're ending the SSG platform. I believe that all the security features from the SSG platform are integrated into the SRX platform together with JunOS. That's what they are saying at least, and to be fair, the security sections of JunOS (I run it on a couple of SRX240H, SRX210H and J2320) are quite good.
//T
-
03-22-2012, 01:21 PM #15 Aspiring Evangelist
- Join Date
- May 2005
- Location
- London, United Kingdom
- Posts
- 390
"For example a €100k Clavister dual-node cluster can handle about 100mbps of traffic"
Someone got ripped off then. No one pays that amount for a firewall cluster that can only handle a small amount of traffic.
I'm currently looking in this area too.
Looking at Astaro at the moment. They do hardware appliances and software, so you could buy your own hardware and size it to your needs.
I had a look at Cyberoam the other week too. There are some decent packet capturing tools on that.
No idea about the performance of these platforms; I'm looking to migrate away from Juniper SSG myself.
-
03-22-2012, 02:03 PM #16 Web Hosting Master
- Join Date
- Jul 2009
- Location
- The backplane
- Posts
- 1,788
-
03-23-2012, 03:15 PM #17 Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
The SSG line will be supported for a while longer. I want to say until 2015, but I'm not sure. As for the SRX, well, I want to love them, but I haven't played with them yet. A lot of people are saying they are much better than they were when first launched.
I've only used the Fortinet a few times and hated it. Although it was a VERY VERY old model, and I have heard decent things about them from others.
I'm not big on the ASA. I think the Juniper SSGs are better for a few different reasons. Let us know what you end up choosing.
-
03-23-2012, 03:43 PM #18 Lord of live chats
- Join Date
- Jul 2009
- Location
- UK
- Posts
- 1,312
Yeah, I have a feeling that FortiOS has matured quite a lot since.
They seem to do everything an SSG would do and more now.
Even though SSGs are supported for a little while longer, I still would suggest you don't go there.
As for the SRX platform, we did use them when they came out initially. With crashing, a just plain bad interface and the CLI being buggy, we left them as quickly as we took them on. Went back to SSG and now onto FortiGates.
-
03-24-2012, 02:28 PM #19 Web Hosting Master
- Join Date
- Jun 2006
- Location
- NYC / Memphis, TN
- Posts
- 1,454
I didn't read the entire thread, so I may be repeating, but you're kind of talking about two different systems.
You mentioned a firewall and also an IPS.
You really shouldn't use a firewall at the edge of your network, if this is what you mean, unless you only have a couple of servers.
Even the Juniper SSGs/SRXs and older NS 5200/5400 have limitations in connections, so any small DDoS would still overload even the high-end ones (>300 Mbps / 100-200k PPS). However, from our experience (our customers' mostly), they do hold up much better than similar ASRs. (And I am a huge fan of Juniper, yet we have NS5200s in a closet... We simply don't deploy hardware firewall appliances any longer; they end up being bottlenecks.)
My recommendation would be to go with BSD + pf + CARP (or pfSense, which I have no personal experience with but seems to be exactly BSD/pf with a simple interface), and you could easily run a Snort system alongside.
That's the cheapest configuration if it's under 1-2 Gbps of traffic.
Honestly, in that configuration you would come out much cheaper and likely get 2-3x the performance vs. commercial firewalls trying to do the same.
However: if you simply have to go commercial, then Juniper is the best route. I wouldn't consider Cisco, imho.
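The BSD + pf + CARP + pfsync pair recommended in posts #3 and #19 (the setup that "shares the established flows between the nodes") is easiest to understand from the actual files involved. The script below is an added example written for this thread, not something from pfSense or from any poster: it renders the OpenBSD configuration for one node of a two-node cluster. Interface names (em0 outside, em1 inside, em2 as a dedicated sync link), the TEST-NET addresses, the VHIDs and the CARP password are illustrative assumptions, and the ruleset is a minimal routed (non-NAT) layout, so all of it needs adapting to a real site.

```shell
#!/bin/sh
# Added example, not from the thread: generate the OpenBSD configuration files
# for one node of a two-node pf + CARP + pfsync firewall pair. Interface names,
# addresses, VHIDs and the CARP password are assumptions for illustration.
#
# usage: gen_node_config <node number: 1 or 2> <output directory>
gen_node_config() {
    node=$1
    out=$2
    case "$node" in
        1) advskew=0 ;;     # node 1 is the preferred CARP master
        2) advskew=100 ;;   # node 2 takes over only when node 1 stops advertising
        *) echo "node must be 1 or 2" >&2; return 1 ;;
    esac
    mkdir -p "$out" || return 1

    # Per-node physical addresses (constructed TEST-NET ranges).
    printf 'inet 203.0.113.1%s 255.255.255.0\n' "$node" > "$out/hostname.em0"
    printf 'inet 192.0.2.1%s 255.255.255.0\n' "$node" > "$out/hostname.em1"
    # The sync link carries pfsync state updates unencrypted; keep it a
    # dedicated back-to-back cable, never a shared network segment.
    printf 'inet 198.51.100.%s 255.255.255.252\n' "$node" > "$out/hostname.em2"

    # Virtual addresses that follow the CARP master: outside address and the
    # inside default gateway used by the servers. "pass" is the CARP secret.
    cat > "$out/hostname.carp0" <<EOF
inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 pass CHANGE_ME advskew $advskew
EOF
    cat > "$out/hostname.carp1" <<EOF
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 2 carpdev em1 pass CHANGE_ME advskew $advskew
EOF
    # pfsync pushes state-table changes to the peer over em2, so established
    # connections survive a failover instead of being reset.
    printf 'up syncdev em2\n' > "$out/hostname.pfsync0"
    # Let the preferred master reclaim its role when its interfaces come back.
    printf 'net.inet.carp.preempt=1\n' > "$out/sysctl.conf"

    # The ruleset is identical on both nodes. The quoted heredoc keeps the
    # $macros for pf instead of letting the shell expand them.
    cat > "$out/pf.conf" <<'EOF'
ext_if = "em0"
int_if = "em1"
sync_if = "em2"
table <servers> { 192.0.2.0/24 }

set skip on lo0

# Failover traffic must pass or the cluster splits: pfsync on the sync link,
# CARP advertisements on every interface that carries a virtual address.
pass quick on $sync_if proto pfsync
pass quick on { $ext_if $int_if } proto carp

# Default deny, logged to pflog0 (an IDS such as Snort can watch pflog0 or $ext_if).
block log all

# Servers behind the cluster may initiate outbound connections.
pass in on $int_if from <servers> keep state
pass out on $ext_if keep state

# Published services: only a SYN may create TCP state for inbound traffic.
pass in on $ext_if proto tcp from any to <servers> port { 80 443 } flags S/SA keep state
EOF

    # Syntax-check the ruleset where pfctl exists (skipped on a build host).
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$out/pf.conf" || return 1
    fi
}

# Demo: render both nodes into a scratch directory (constructed run).
demo_dir=$(mktemp -d)
gen_node_config 1 "$demo_dir/node1"
gen_node_config 2 "$demo_dir/node2"
echo "generated node1 and node2 under $demo_dir"
```

Copy the generated files to /etc on each node (hostname.* files into /etc, pf.conf and sysctl.conf into /etc). The two nodes differ only in their physical addresses and advskew; everything else, including the ruleset, should be kept byte-identical, which is why generating both from one script is safer than editing two hosts by hand.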
-
03-24-2012, 04:27 PM #20 Newbie
- Join Date
- Feb 2012
- Posts
- 18
Check pfSense; you need some time to configure it, but it is a great appliance for free.
-
06-05-2012, 05:36 AM #21 Temporarily Suspended
- Join Date
- Oct 2003
- Location
- Hanoi
- Posts
- 4,309
I wonder if anyone has experience with Hacom products? They provide pfSense appliances and appear among the recommended vendors on the pfSense website.
Thanks.
-
06-05-2012, 05:48 AM #22 Now renamed!
- Join Date
- May 2009
- Location
- Vaduz/LI
- Posts
- 2,778
Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms.
Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.
-
06-06-2012, 06:10 PM #23 Web Hosting Master
- Join Date
- Jul 2009
- Location
- The backplane
- Posts
- 1,788
-
06-07-2012, 02:08 AM #24 Aspiring Evangelist
- Join Date
- Jul 2006
- Location
- Lake Zurich, IL
- Posts
- 436
The last I knew, Vyatta could forward 3Mpps. Maybe this has improved? And I think this was under the best of circumstances. 10Gbps connections can theoretically forward around 20Mpps. Of course, this is very uncommon except under attack conditions.
Most software routers (OpenBSD/pf and pfSense) will forward roughly 500Kpps under the best of circumstances on great hardware, without large routing tables and without IPS/IDS and many firewall rules while maintaining state. We use them often at the edge of customer environments. If >500Kpps is expected to a single IP, we would recommend hardware, but this isn't typical. Hardware can be used to forward to many software routers/firewalls behind it based on IP addresses/ranges, which works well to distribute the load.
Eric
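The figures thrown around in posts #7 and #24 (1.5 Mpps for gigabit, roughly 500 Kpps for a software box) come from Ethernet framing: at the 64-byte minimum frame, every packet costs 84 bytes on the wire once preamble, start delimiter and inter-frame gap are counted. The script below is an added example for this thread, not anything from a poster or a vendor; it computes the theoretical packet rate for a link or a traffic volume and checks it against a platform's packets-per-second budget, which is the sizing question the thread keeps coming back to. The 500 Kpps budget and the 644 Mbps volume in the demo are taken from the thread as assumed inputs.

```shell
#!/bin/sh
# Added example, not from the thread: Ethernet line-rate packet rates and a
# check of a traffic requirement against a platform's packets-per-second budget.
# Wire overhead per frame: 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD_BYTES=20

# pps_at <Mbps> <frame size in bytes>
# Packets per second that a link speed (or a traffic volume) represents at
# the given frame size. 64-byte frames are the worst case a firewall sees.
pps_at() {
    echo $(( $1 * 1000000 / (($2 + WIRE_OVERHEAD_BYTES) * 8) ))
}

# fits_budget <Mbps> <frame size> <platform pps budget>
# Exit 0 when the platform can forward that traffic at that frame size.
fits_budget() {
    [ "$(pps_at "$1" "$2")" -le "$3" ]
}

# budget_used_percent <Mbps> <frame size> <platform pps budget>
# Share of the budget consumed, in whole percent (can exceed 100).
budget_used_percent() {
    echo $(( $(pps_at "$1" "$2") * 100 / $3 ))
}

# Demo (constructed scenario): link maxima, then the thread's 644 Mbps of
# traffic against a 500 Kpps software-firewall budget at three frame sizes.
SOFTWARE_BUDGET_PPS=500000   # assumed per-box figure, quoted in the thread
for speed in 1000 10000; do
    echo "${speed} Mbps link: $(pps_at "$speed" 64) pps at 64 bytes, $(pps_at "$speed" 1500) pps at 1500 bytes"
done
for frame in 64 512 1500; do
    used=$(budget_used_percent 644 "$frame" "$SOFTWARE_BUDGET_PPS")
    if fits_budget 644 "$frame" "$SOFTWARE_BUDGET_PPS"; then
        echo "644 Mbps of ${frame}-byte frames: ${used}% of the budget, fits"
    else
        echo "644 Mbps of ${frame}-byte frames: ${used}% of the budget, exceeds it; plan hardware or split the load"
    fi
done
```

The same 644 Mbps is comfortable at typical web frame sizes but almost double the budget if it arrives as minimum-size packets, which is exactly the DDoS case post #7 raises: size the box for the packet rate you must survive, not the bandwidth you normally see.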
-
06-07-2012, 02:20 AM #25 Aspiring Evangelist
- Join Date
- Jul 2006
- Location
- Lake Zurich, IL
- Posts
- 436
I just saw this:
http://www.vyatta.com/news-events/pr...-vyatta-vplane
Would be interested in knowing if anyone has used it.
Eric