Thread: Firewall recommendation
-
06-14-2011, 09:36 PM #1 Web Hosting Evangelist
- Join Date
- Jun 2001
- Posts
- 480
Firewall recommendation
Hi WHT
We recently got a 100mbps incoming UDP flood attack. So, we are looking to put a firewall on our edge to avoid it happening again. What firewall would you recommend for 300-500mbps protection?
-
06-14-2011, 10:40 PM #2 Web Hosting Master
- Join Date
- Oct 2002
- Location
- Vancouver, B.C.
- Posts
- 2,699
What's much more important than the bps is the pps (packets per second). Do you have any idea how many pps the attack was?
-
06-15-2011, 12:09 AM #3 Web Hosting Evangelist
- Join Date
- Jun 2001
- Posts
- 480
I could be wrong. I suspect it was around 10-20K pps.
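Added example, not part of any poster's reply: one way to measure inbound pps rather than estimate it is to difference two readings of Linux's `/proc/net/dev` taken a known interval apart. The interface name `eth0`, the 10-second interval and both snapshots are constructed for illustration, and the counters only reflect traffic that actually reached the interface.

```python
"""Inbound packets/sec and bits/sec from two /proc/net/dev snapshots."""

# Constructed sample snapshots, taken 10 seconds apart (not real capture data).
BEFORE = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 4200 40 0 0 0 0 0 0 4200 40 0 0 0 0 0 0
  eth0: 9000000000 8000000 0 1200 0 0 0 0 350000000 900000 0 0 0 0 0 0
"""
AFTER = """Inter-|   Receive                                                |  Transmit
 face |bytes    packets errs drop fifo frame compressed multicast|bytes    packets errs drop fifo colls carrier compressed
    lo: 4200 40 0 0 0 0 0 0 4200 40 0 0 0 0 0 0
  eth0: 9125000000 8125000 0 1700 0 0 0 0 350400000 901000 0 0 0 0 0 0
"""


def parse_rx(snapshot, iface):
    """Return (rx_bytes, rx_packets, rx_drop) for iface from /proc/net/dev text."""
    for line in snapshot.splitlines():
        name, sep, counters = line.partition(":")
        if sep and name.strip() == iface:      # header lines contain no ':'
            fields = counters.split()
            # Receive columns: bytes packets errs drop fifo frame compressed multicast
            return int(fields[0]), int(fields[1]), int(fields[3])
    raise KeyError(f"interface {iface!r} not found")


def rx_rate(before, after, iface, seconds):
    """Receive rates between two snapshots taken `seconds` apart."""
    b0, p0, d0 = parse_rx(before, iface)
    b1, p1, d1 = parse_rx(after, iface)
    packets, nbytes = p1 - p0, b1 - b0
    return {
        "pps": packets / seconds,
        "mbps": nbytes * 8 / seconds / 1e6,
        # Average size shows whether a flood is bandwidth-heavy or packet-heavy.
        "avg_packet_bytes": nbytes / packets if packets else 0.0,
        "drops_per_sec": (d1 - d0) / seconds,
    }


if __name__ == "__main__":
    for key, value in rx_rate(BEFORE, AFTER, "eth0", 10).items():
        print(f"{key:>18}: {value:,.1f}")
```

On a live host, read `/proc/net/dev` twice with a sleep in between and pass the two strings to `rx_rate`.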
-
06-16-2011, 03:26 PM #4 Junior Guru Wannabe
- Join Date
- Jun 2009
- Posts
- 83
20k PPS is fairly substantial for a low-end firewall to shrug off. What's your budget?
-
06-16-2011, 04:41 PM #5 Aspiring Evangelist
- Join Date
- Dec 2005
- Location
- NYC
- Posts
- 428
If that's it, then a Cisco ASA 5520 or 5540 would be able to handle that.
-
06-16-2011, 11:52 PM #6 Web Hosting Master
- Join Date
- Aug 2009
- Location
- Orlando, FL
- Posts
- 1,063
Juniper SSG320
-
06-17-2011, 12:21 PM #7 WHT Addict
- Join Date
- Mar 2009
- Location
- Boise, Idaho USA
- Posts
- 109
+1 for the 5520
-
06-17-2011, 03:37 PM #8 Web Hosting Evangelist
- Join Date
- Jun 2001
- Posts
- 480
Our budget is $3000-$5000. Any idea how much a typical Cisco ASA 5520/Juniper SSG320 would cost?
-
06-17-2011, 03:42 PM #9 Aspiring Evangelist
- Join Date
- Dec 2005
- Location
- NYC
- Posts
- 428
-
06-17-2011, 07:00 PM #10 Web Hosting Master
- Join Date
- Jun 2001
- Location
- Denver, CO
- Posts
- 3,302
How large is your port speed? If it's only 100Mbps, it's likely the attack was much larger than what you were seeing due to the bottleneck. As such, it wouldn't make much sense to filter this traffic on your side of the port.
-
06-17-2011, 08:30 PM #11 Junior Guru
- Join Date
- Jan 2003
- Location
- Budapest, Hungary
- Posts
- 231
You could use some simple hardware (even Core2 based) with a good network card (Intel cards are the best), install FreeBSD or Linux, and filter it yourself. That will cost less and be more flexible up to a few million PPS (sometimes a highly tweaked system can handle more than 1kk pps); after that you should look into more specific CPU packet-handling systems like those from Cisco.
-
06-17-2011, 09:37 PM #12 Disabled
- Join Date
- Apr 2011
- Posts
- 709
I'd go with a Juniper SRX series before the SSG. The SSG is dead and the SRX is their new hotness; they are far more powerful and a great bang for your buck.
We swapped out our asa5510-sec-bun's for srx240h's and never looked back.
The ASAs are x86-based CPU turds. Seriously, look it up: they're running Celerons and P4s from 2006. With your budget you can do a lot better.
I can't believe spudster hasn't posted about the ASAs being a CPU-based turd.
-
06-17-2011, 11:28 PM #13 Web Hosting Master
- Join Date
- Apr 2009
- Location
- Dallas/FortWorth TX
- Posts
- 1,703
WatchGuard are good too, and within the budget: an XTM 510 would be around $3000 new, whereas a Cisco ASA 5520 you would get for around $5K refurb.