  1. #1
    Join Date
    Jul 2011
    Posts
    222

    Which firewall is good for packet monitoring / IPS?

    Which is the best choice for deploying a firewall in a data center?
    It should be able to check packets in and out for any attacks.
    And monitor the traffic type.

  2. #2
    Join Date
    Jan 2006
    Posts
    46
    You could consider Palo Alto Firewall.
    http://www.paloaltonetworks.com/

  3. #3
    Join Date
    Jun 2009
    Location
    Stockholm
    Posts
    136
    I'm going to take a plunge here and recommend a BSD-based appliance on a decent server with good NICs and CPU, and pf + Snort for packet inspection and firewalling. There are tons of howtos out there, Google is your friend. ;-) This can even be done with proper redundancy via "carp"; I think pfSense does exactly this and is open source and "free" except for the hardware.

    In my experience Linux or BSD open source firewalls outperform hardware firewalls massively and at a fraction of the price. For example a 100k Clavister dual-node cluster can handle about 100mbps of traffic, while we are running two Sun Fire x4100s with pfSense with battle-proven and working redundancy, which even share the established flows between the nodes, that pushes about 644mbps as we speak. This setup was about 4k.

    //T
    Last edited by rnts; 03-20-2012 at 04:35 AM.

  4. #4
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,783
    I'm not sure how anyone can make any recommendations without some basic info like what kind of PPS the OP needs to be able to process. A software solution could be a complete disaster in any number of scenarios.

  5. #5
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,308
    Fortinet do some very good firewalls (essentially a NetScreen but with more features).
    They have great IPS / IDS and reporting tools.

    They also do VM appliance versions if you don't want to use rackspace!

  6. #6
    Join Date
    Jun 2009
    Location
    Stockholm
    Posts
    136
    Quote Originally Posted by [CTI] Todd View Post
    I'm not sure how anyone can make any recommendations without some basic info like what kind of PPS the OP needs to be able to process. A software solution could be a complete disaster in any number of scenarios.
    True, but if you are representing a company that needs millions of 64-byte pod or multi-10G speeds I doubt you go to WHT to ask which firewall would fit his environment. If anyone is representing a company that has the cash for the 1m+ firewall systems I also doubt you come to WHT for advice, especially if the poster omits information such as expected flows, pps, mbps, sessions per second etc etc.

    A software-based firewall (done properly) will outperform any budget hardware firewall.

    Oh, and I'm not bashing either the posters of WHT or the forum itself; it's an amazing source of information and has (had) a great feeling/community.

    //T

  7. #7
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,783
    Quote Originally Posted by rnts View Post
    True, but if you are representing a company that needs millions of 64-byte pod or multi-10G speeds I doubt you go to WHT to ask which firewall would fit his environment.
    Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms. Did you notice the OP's sig? Certainly that leaves open a possibility of significant amounts of bandwidth in an environment that might well face DDoS attacks.

    Software platforms surely have their place, but I would not feel comfortable making recommendations without knowing what the technical requirements are. Might even be a fit here, but the bottom line is we have not been provided with any actionable information yet.

  8. #8
    Join Date
    Jun 2009
    Location
    Stockholm
    Posts
    136
    Quote Originally Posted by [CTI] Todd View Post
    Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms. Did you notice the OP's sig? Certainly that leaves open a possibility of significant amounts of bandwidth in an environment that might well face DDoS attacks.

    Software platforms surely have their place, but I would not feel comfortable making recommendations without knowing what the technical requirements are. Might even be a fit here, but the bottom line is we have not been provided with any actionable information yet.
    Well, I did not see his signature since I'm in the mobile version of the page. You are right in that we have no substantial information to make any real recommendations. My point was to investigate software-based firewalls such as pfSense and try them out before resorting to overpriced hardware appliances. My long term agenda is to get the hardware firewall manufacturers to set their pricing to a level based on their actual performance instead of their brand.

    Another hidden agenda of mine is that I absolutely loathe Clavister and their retarded GUI and cli and performance for their absolutely ridiculous price. :-)

    TL;DR always start with open source/software before engaging hardware appliance firewall suppliers.

    //T

  9. #9
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    +1 for Palo Alto firewalls. I'm going to agree with CTI Todd that software-based solutions aren't meant for the data center. Every time we get into this debate, the pfSense fanboys show up and start claiming it's hands down the best solution for everything.

    There are hardware firewalls for a reason... think about it.

  10. #10
    Join Date
    Jul 2011
    Posts
    222
    I cannot find the cost of Palo Alto firewalls.
    How much is it?

  11. #11
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Not cheap, this will give you a good idea:

    http://www.ebay.com/itm/Palo-Alto-Ne...item519e06648e

  12. #12
    Join Date
    Jun 2009
    Location
    Stockholm
    Posts
    136
    Quote Originally Posted by skullbox View Post
    +1 for Palo Alto firewalls. I'm going to agree with CTI Todd that software-based solutions aren't meant for the data center. Every time we get into this debate, the pfSense fanboys show up and start claiming it's hands down the best solution for everything.
    I'm definitely not a "pfSense fanboy", but on the other hand I do think software-based firewalls have their place in data centers. It all depends on your application. As I said, one of my customers runs a successful high-traffic/usage business (online backups) on a pfSense-cluster firewall that pushes 600-800 Mbps constantly (for the last two years) with no problems at all. Another customer of mine runs a Clavister cluster (SG3200) which is absolutely dreadful and falls over at ~300 Mbps of normal web traffic.

    Quote Originally Posted by skullbox View Post
    There are hardware firewalls for a reason... think about it.
    Yes there is a reason: for someone to make money. There are people who want to do a "better solution" than others, but they are few. I could smack together a pfSense, bsd/pf/carp/snort or linux/iptables/ip6tables solution and put it on a Supermicro/micro-server box w/ the ports on the front and sell it as an appliance for 1000% the price of the components, and frankly, that is what 75% of the "hardware firewall" companies do. Few actually create/program ASICs to do hardware firewalling.

    To the OP though; you might want to look at Juniper SSG or SRX solutions as well, they are quite competent as hardware firewalls. I've also used Cisco ASA's in a couple of installations and they are "OK" at best. :-)

    //T

  13. #13
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,308
    Don't go near the Juniper SSG platform.
    It's about to be end of sale and support.

    As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, which Juniper then bought for the SSG range).

  14. #14
    Join Date
    Jun 2009
    Location
    Stockholm
    Posts
    136
    Ah yeah, I forgot they're ending the SSG platform. I believe that all the security features from the SSG platform are integrated into the SRX platform together with JunOS. That's what they are saying at least, and to be fair, the security sections of JunOS (I run it on a couple of SRX240H, SRX210H and J2320) are quite good.

    //T

  15. #15
    Join Date
    May 2005
    Location
    London, United Kingdom
    Posts
    388
    "For example a €100k Clavister dual-node cluster can handle about 100mbps of traffic"

    Someone got ripped off then. No one pays that amount for a firewall cluster that can only handle a small amount of traffic.

    Am currently looking in this area too.

    Looking at Astaro at the moment. They do hardware appliances and software, so you could buy your own hardware and size it to your needs.

    I had a look at Cyberoam the other week too. There are some decent packet capturing tools on that.

    No idea about the performance of these platforms; am looking to migrate away from Juniper SSG myself.

  16. #16
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,783
    Quote Originally Posted by jpwjpw View Post
    Looking at Astaro at the moment.
    We have a couple of customers who use Astaro firewalls, from what I've seen, they're pretty slick.

  17. #17
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Quote Originally Posted by lynxus View Post
    Don't go near the Juniper SSG platform.
    It's about to be end of sale and support.

    As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, which Juniper then bought for the SSG range).
    The SSG line will be supported for a while longer. I want to say until 2015 but not sure. As for the SRX, well I want to love them, but haven't played with them yet. A lot of people are saying they are much better than they were when first launched.

    I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.

    I'm not big on the ASA. I think the Juniper SSGs are better for a few different reasons. Let us know when you end up choosing.

  18. #18
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,308
    Quote Originally Posted by skullbox View Post

    I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.
    Yeah I have a feeling that the FortiOS has matured quite a lot since.

    They seem to do everything an SSG would do + more now.

    Even though SSGs are supported for a little while longer I still would suggest you don't go there.

    As for the SRX platform, we did use them when they came out initially. With crashing, a just damn bad interface and the CLI being buggy, we left them as quickly as we took them on. Went back to SSG and now onto FortiGates.

  19. #19
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,446
    I didn't read the entire thread so I may be repeating but you're kind of talking about 2 different systems.

    You mentioned a firewall and also an IPS.

    You really shouldn't use a firewall at the edge of your network if this is what you mean unless you only have a couple servers.

    Even the Juniper SSG's/SRX's and older NS 5200/5400 have limitations in connections so any small DDoS would still overload even the high-end ones (>300Mbps/100-200k PPS). However, from our experience (our customer's mostly) - they do hold up much better than similar ASR's. (And I am a huge fan of Juniper yet we have NS5200's in a closet... We simply don't deploy hardware firewall appliances any longer - they end up being bottlenecks)

    My recommendation would be to go with BSD + pf + CARP (or pfSense which I have no personal experience but seems to be exactly BSD/PF with a simple interface) and you could easily run a SNORT system alongside.

    That's the cheapest configuration if it's under 1-2Gbps of traffic.

    Honestly, in that configuration you would come out much cheaper and likely get 2-3x the performance vs commercial firewalls trying to do the same.

    However: If you simply have to go commercial then Juniper is the best route - I wouldn't consider Cisco, imho.
    Last edited by FiberPeer; 03-24-2012 at 02:32 PM.

  20. #20
    Check pfSense; you need some time to configure it, but it is a great appliance for free.

  21. #21
    Join Date
    Oct 2003
    Location
    Hanoi
    Posts
    4,306
    I wonder if anyone has experience with Hacom product? They provide pfSense appliances and appear in recommended vendors on pfSense website.

    Thanks.

  22. #22
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,771
    Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms.
    No, simply.... no.
    Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.

  23. #23
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,783
    Quote Originally Posted by Zhang View Post
    No, simply.... no.
    Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.
    10G @ 64 byte packets?? That's a ****load of interrupts . . .
    Last edited by Microlinux; 06-06-2012 at 06:15 PM.

  24. #24
    Join Date
    Jul 2006
    Location
    Lake Zurich, IL
    Posts
    282
    Quote Originally Posted by [CTI] Todd View Post
    10G @ 64 byte packets?? That's a ****load of interrupts . . .
    The last I knew, Vyatta could forward 3Mpps. Maybe this has improved? And I think this was under the best of circumstances. 10Gbps connections can theoretically forward around 20Mpps. Of course, this is very uncommon except under attack conditions.

    Most software routers (OpenBSD/pf and pfSense) will forward roughly 500Kpps under the best of circumstances on great hardware, without large routing tables and without IPS/IDS and many firewall rules while maintaining state. We use them often at the edge of customer environments. If >500Kpps is expected to a single IP, we would recommend hardware, but this isn't typical. Hardware can be used to forward to many software routers/firewalls behind it based on IP addresses/ranges, which works well to distribute the load.

    Eric
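The pps arithmetic behind the figures traded in posts #7 and #24 (1.5 Mpps per gigabit at 64-byte frames, a ~500 Kpps ceiling for a software firewall), as an added example that is not part of the thread: it computes the line-rate packet budget for a given frame size and the average frame size below which a box with a given pps ceiling saturates before the link does. The pps ceilings are the posters' figures, taken here as assumptions.

```python
import math

# Every Ethernet frame carries fixed wire overhead beyond its own bytes:
# 8 bytes preamble + SFD and a 12-byte-time inter-frame gap (the 4-byte FCS
# is already inside a 64-byte minimum frame).
PREAMBLE_SFD = 8
IFG = 12
WIRE_OVERHEAD = PREAMBLE_SFD + IFG


def line_rate_pps(link_bps: float, frame_bytes: int = 64) -> float:
    """Maximum frames per second a link can carry at a given frame size."""
    wire_bits = (frame_bytes + WIRE_OVERHEAD) * 8
    return link_bps / wire_bits


def saturating_frame_size(link_bps: float, pps_ceiling: float) -> int:
    """Smallest average frame size (bytes) at which a box limited to
    pps_ceiling can still fill the link. Below this average the box hits its
    packet ceiling long before the link is full, which is exactly the
    small-packet flood case raised in the thread."""
    wire_bytes_per_frame = link_bps / 8 / pps_ceiling
    return max(64, math.ceil(wire_bytes_per_frame - WIRE_OVERHEAD))


def load_factor(link_bps: float, frame_bytes: int, pps_ceiling: float) -> float:
    """Fraction of the pps ceiling consumed when the link is full of frames of
    this size. A value above 1.0 means the box is overloaded."""
    return line_rate_pps(link_bps, frame_bytes) / pps_ceiling


def capacity_table(link_bps: float, pps_ceiling: float) -> list:
    """Load factor for the frame sizes a capacity plan usually checks."""
    return [(size, round(load_factor(link_bps, size, pps_ceiling), 3))
            for size in (64, 128, 256, 512, 1500)]


if __name__ == "__main__":
    # Assumed ceilings from the posts: 500 Kpps (software box), 3 Mpps (Vyatta).
    for link, ceiling in ((1e9, 500_000), (10e9, 3_000_000)):
        print(f"{link/1e9:.0f}G link, {ceiling/1e6:.1f} Mpps ceiling: "
              f"64B line rate {line_rate_pps(link):,.0f} pps, "
              f"saturates below avg {saturating_frame_size(link, ceiling)} B")
        for size, factor in capacity_table(link, ceiling):
            print(f"  {size:>5} B frames -> {factor:.3f} of ceiling")
```

At the 500 Kpps ceiling from post #24 a gigabit link of ordinary ~1500-byte traffic uses under a fifth of the box, but the same link full of 64-byte frames demands about three times its capacity, which is why the thread keeps asking for expected pps rather than Mbps.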

  25. #25
    Join Date
    Jul 2006
    Location
    Lake Zurich, IL
    Posts
    282
    I just saw this:
    http://www.vyatta.com/news-events/pr...-vyatta-vplane

    Would be interested in knowing if anyone has used it.

    Eric

  26. #26
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,783
    Quote Originally Posted by erickmiller View Post
    The last I knew, Vyatta could forward 3Mpps.
    That sounds plausible. But, 10G @ small packets, no way.
