Web Hosting Talk : Web Hosting Main Forums : Colocation and Data Centers

Which firewall is good for packet monitor / IPS ?
#16  03-22-2012, 02:03 PM  Microlinux (Join Date: Jul 2009; Location: The backplane; Posts: 1,672)
Quote (originally posted by jpwjpw):
> Looking at Astaro at the moment.
We have a couple of customers who use Astaro firewalls, from what I've seen, they're pretty slick.

#17  03-23-2012, 03:15 PM  skullbox (Join Date: Aug 2009; Location: Orlando, FL; Posts: 1,057)
Quote (originally posted by lynxus):
> Don't go near the Juniper SSG platform.
> It's about to be end of sale and support.
>
> As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, which Juniper then bought for the SSG range).
The SSG line will be supported for a while longer. I want to say until 2015 but not sure. As for the SRX, well I want to love them, but haven't played with them yet. A lot of people are saying they are much better than they were when first launched.

I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.

I'm not big on the ASA. I think the Juniper SSGs are better for a few different reasons. Let us know when you end up choosing.

__________________
-=SKULLBOX.NET=-

#18  03-23-2012, 03:43 PM  lynxus (Join Date: Jul 2009; Location: UK; Posts: 1,282)
Quote (originally posted by skullbox):
> I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.
Yeah, I have a feeling that FortiOS has matured quite a lot since.

They seem to do everything an SSG would do + more now.

Even though SSGs are supported for a little while longer, I still would suggest you don't go there.

As for the SRX platform, we did use them when they came out initially. With crashing, a just damn bad interface and a buggy CLI, we left them as quickly as we took 'em on. Went back to SSG and now on to FortiGates.

#19  03-24-2012, 02:28 PM  FiberPeer (Join Date: Jun 2006; Location: NYC; Posts: 1,408)
I didn't read the entire thread so I may be repeating but you're kind of talking about 2 different systems.

You mentioned a firewall and also an IPS.

You really shouldn't use a firewall at the edge of your network if this is what you mean unless you only have a couple servers.

Even the Juniper SSG's/SRX's and older NS 5200/5400 have limitations in connections so any small DDoS would still overload even the high-end ones (>300Mbps/100-200k PPS). However, from our experience (our customer's mostly) - they do hold up much better than similar ASR's. (And I am a huge fan of Juniper yet we have NS5200's in a closet... We simply don't deploy hardware firewall appliances any longer - they end up being bottlenecks)

My recommendation would be to go with BSD + pf + CARP (or pfSense, which I have no personal experience with, but it seems to be exactly BSD/pf with a simple interface), and you could easily run a Snort system alongside.

That's the cheapest configuration if it's under 1-2Gbps of traffic.

Honestly, in that configuration you would come out much cheaper and likely get 2-3x the performance vs commercial firewalls trying to do the same.

However: If you simply have to go commercial then Juniper is the best route - I wouldn't consider Cisco, imho.


Last edited by FiberPeer; 03-24-2012 at 02:32 PM.
#20  03-24-2012, 04:27 PM  ckaraca (Join Date: Feb 2012; Posts: 18)
Check pfSense; you need some time to configure it, but it is a great appliance for free.

#21  06-05-2012, 05:36 AM  gate2vn (Join Date: Oct 2003; Location: Hanoi; Posts: 4,306)
I wonder if anyone has experience with Hacom products? They provide pfSense appliances and appear among the recommended vendors on the pfSense website.

Thanks.

#22  06-05-2012, 05:48 AM  TheLie (Join Date: May 2009; Location: Vaduz/LI; Posts: 2,397)
Quote:
> Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms.
No, simply.... no.
Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.

#23  06-06-2012, 06:10 PM  Microlinux (Join Date: Jul 2009; Location: The backplane; Posts: 1,672)
Quote (originally posted by Zhang):
> No, simply.... no.
> Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.
10G @ 64 byte packets?? That's a ****load of interrupts . . .


Last edited by Microlinux; 06-06-2012 at 06:15 PM.
#24  06-07-2012, 02:08 AM  erickmiller (Join Date: Jul 2006; Location: Lake Zurich, IL; Posts: 281)
Quote (originally posted by [CTI] Todd):
> 10G @ 64 byte packets?? That's a ****load of interrupts . . .
The last I knew, Vyatta could forward 3Mpps. Maybe this has improved? And I think this was under the best of circumstances. 10Gbps connections can theoretically forward around 20Mpps. Of course, this is very uncommon except under attack conditions.

Most software routers (OpenBSD/pf and pfSense) will forward roughly 500Kpps under the best of circumstances on great hardware, without large routing tables and without IPS/IDS and many firewall rules while maintaining state. We use them often at the edge of customer environments. If >500Kpps is expected to a single IP, we would recommend hardware, but this isn't typical. Hardware can be used to forward to many software routers/firewalls behind it based on IP addresses/ranges, which works well to distribute the load.

Eric

__________________
Genesis Hosting Solutions, LLC
http://www.genesishosting.com/
Instant VMware vSphere Cloud Environments
Unlimited virtual machines within your purchased resources!
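
As an added worked example, not from any poster in this thread, here is the Ethernet line-rate arithmetic behind the packets-per-second figures discussed above (the "1.5Mpps" gigabit quote, the 3 Mpps Vyatta and 500 Kpps pf numbers). The link speeds and forwarding capacities are assumptions taken from the thread, not measurements; the 20-byte per-frame wire overhead (preamble, start-of-frame delimiter, inter-frame gap) is standard Ethernet.

```python
import math

# Ethernet puts 20 bytes on the wire around every frame that are not part of
# the frame itself: 7-byte preamble, 1-byte start-of-frame delimiter and the
# 12-byte inter-frame gap. A 64-byte minimum frame therefore costs 84 bytes.
WIRE_OVERHEAD_BYTES = 20
MIN_FRAME_BYTES = 64       # smallest legal frame (includes the 4-byte FCS)
MAX_FRAME_BYTES = 1518     # largest standard (non-jumbo) frame

GIGABIT = 1_000_000_000
TEN_GIGABIT = 10_000_000_000


def line_rate_pps(link_bps: int, frame_bytes: int) -> float:
    """Packets per second a saturated link delivers at a fixed frame size."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD_BYTES) * 8)


def min_frame_for_capacity(link_bps: int, capacity_pps: float) -> int:
    """Smallest frame size at which a box forwarding capacity_pps keeps up
    with a saturated link. Traffic made of smaller frames (a flood is the
    typical case) exceeds the box's packet rate and the excess is dropped."""
    bytes_per_frame = math.ceil(link_bps / (capacity_pps * 8))
    return max(MIN_FRAME_BYTES, bytes_per_frame - WIRE_OVERHEAD_BYTES)


def small_packet_headroom(link_bps: int, capacity_pps: float) -> float:
    """Fraction of a 64-byte-frame line-rate flood the box can forward."""
    return min(1.0, capacity_pps / line_rate_pps(link_bps, MIN_FRAME_BYTES))


if __name__ == "__main__":
    # Forwarding capacities quoted in the thread (assumed, not measured here).
    boxes = {"pf/pfSense-class box": 500_000, "Vyatta-class box": 3_000_000}
    for name, bps in (("1 GbE", GIGABIT), ("10 GbE", TEN_GIGABIT)):
        print(f"{name}: {line_rate_pps(bps, MIN_FRAME_BYTES) / 1e6:.2f} Mpps "
              f"at 64 B, {line_rate_pps(bps, MAX_FRAME_BYTES) / 1e3:.0f} Kpps at 1518 B")
        for box, cap in boxes.items():
            print(f"  {box}: keeps up from {min_frame_for_capacity(bps, cap)} B "
                  f"frames; {small_packet_headroom(bps, cap):.0%} of a 64 B flood")
```

Running it shows why the thread separates "line rate" from "line rate at small packets": a 64-byte flood on 1 GbE is about 1.49 Mpps, and a box rated at 500 Kpps only keeps up once frames average roughly 230 bytes.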

#25  06-07-2012, 02:20 AM  erickmiller (Join Date: Jul 2006; Location: Lake Zurich, IL; Posts: 281)
I just saw this:
http://www.vyatta.com/news-events/pr...-vyatta-vplane

Would be interested in knowing if anyone has used it.

Eric

__________________
Genesis Hosting Solutions, LLC
http://www.genesishosting.com/
Instant VMware vSphere Cloud Environments
Unlimited virtual machines within your purchased resources!

#26  06-07-2012, 11:04 AM  Microlinux (Join Date: Jul 2009; Location: The backplane; Posts: 1,672)
Quote (originally posted by erickmiller):
> The last I knew, Vyatta could forward 3Mpps.
That sounds plausible. But, 10G @ small packets, no way.
