  1. #16
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,737
    Quote Originally Posted by jpwjpw View Post
    Looking at Astaro at the moment.
    We have a couple of customers who use Astaro firewalls, from what I've seen, they're pretty slick.

  2. #17
    Join Date
    Aug 2009
    Location
    Orlando, FL
    Posts
    1,063
    Quote Originally Posted by lynxus View Post
    Don't go near the Juniper SSG platform.
    It's about to be end of sale and support.

    As mentioned before, Fortinet are a good alternative to Juniper (Fortinet was created by the guys who founded NetScreen, who Juniper then bought for the SSG range).
    The SSG line will be supported for a while longer. I want to say until 2015 but not sure. As for the SRX, well I want to love them, but haven't played with them yet. A lot of people are saying they are much better than they were when first launched.

    I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.

    I'm not big on the ASA. I think the Juniper SSGs are better for a few different reasons. Let us know when you end up choosing.

  3. #18
    Join Date
    Jul 2009
    Location
    UK
    Posts
    1,305
    Quote Originally Posted by skullbox View Post

    I've only used the Fortinet a few times and hated it. Although, it was a VERY VERY old model and I have heard decent things about them from others.
    Yeah I have a feeling that the FortiOS has matured quite a lot since.

    They seem to do everything an SSG would do + more now.

    Even though SSGs are supported for a little while longer, I still would suggest you don't go there.

    As for the SRX platform, we did use them when they came out initially. With crashing and just damn bad interface and the CLI being buggy we left them as quick as we took em on.. Went back to SSG and now onto Fortigates.
    Live Chat Support Software for your Business website - IMsupporting.com

  4. #19
    Join Date
    Jun 2006
    Location
    NYC
    Posts
    1,408
    I didn't read the entire thread so I may be repeating but you're kind of talking about 2 different systems.

    You mentioned a firewall and also an IPS.

    You really shouldn't use a firewall at the edge of your network if this is what you mean unless you only have a couple servers.

    Even the Juniper SSGs/SRXs and older NS 5200/5400 have limitations in connections so any small DDoS would still overload even the high-end ones (>300Mbps/100-200k PPS). However, from our experience (our customers', mostly) - they do hold up much better than similar ASRs. (And I am a huge fan of Juniper yet we have NS5200s in a closet... We simply don't deploy hardware firewall appliances any longer - they end up being bottlenecks)

    My recommendation would be to go with BSD + pf + CARP (or pfSense, which I have no personal experience with but which seems to be exactly BSD/PF with a simple interface) and you could easily run a SNORT system alongside.

    That's the cheapest configuration if it's under 1-2Gbps of traffic.

    Honestly, in that configuration you would come out much cheaper and likely get 2-3x the performance vs commercial firewalls trying to do the same.

    However: If you simply have to go commercial then Juniper is the best route - I wouldn't consider Cisco, imho.
    Last edited by FiberPeer; 03-24-2012 at 02:32 PM.

  5. #20
    Check pfSense; you need some time to configure it, but it is a great appliance for free.

  6. #21
    Join Date
    Oct 2003
    Location
    Hanoi
    Posts
    4,306
    I wonder if anyone has experience with Hacom products? They provide pfSense appliances and appear among the recommended vendors on the pfSense website.

    Thanks.

  7. #22
    Join Date
    May 2009
    Location
    Vaduz/LI
    Posts
    2,486
    Line rate gigabit is around 1.5Mpps. Just doing pure routing, much less packet inspection and processing, will destroy all but the most powerful x86 platforms.
    No, simply.... no.
    Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.

  8. #23
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,737
    Quote Originally Posted by Zhang View Post
    No, simply.... no.
    Vyatta runs on x86/x64 and does 10G interfaces at full line speed easily _without_ hardware routing.
    10G @ 64 byte packets?? That's a ****load of interrupts . . .
    Last edited by Microlinux; 06-06-2012 at 06:15 PM.

  9. #24
    Join Date
    Jul 2006
    Location
    Lake Zurich, IL
    Posts
    281
    Quote Originally Posted by [CTI] Todd View Post
    10G @ 64 byte packets?? That's a ****load of interrupts . . .
    The last I knew, Vyatta could forward 3Mpps. Maybe this has improved? And I think this was under the best of circumstances. 10Gbps connections can theoretically forward around 20Mpps. Of course, this is very uncommon except under attack conditions.

    Most software routers (OpenBSD/pf and pfSense) will forward roughly 500Kpps under the best of circumstances on great hardware, without large routing tables and without IPS/IDS and many firewall rules while maintaining state. We use them often at the edge of customer environments. If >500Kpps is expected to a single IP, we would recommend hardware, but this isn't typical. Hardware can be used to forward to many software routers/firewalls behind it based on IP addresses/ranges, which works well to distribute the load.

    Eric
    Genesis Hosting Solutions, LLC
    http://www.genesishosting.com/
    Instant VMware vSphere Cloud Environments
    Unlimited virtual machines within your purchased resources!

  10. #25
    Join Date
    Jul 2006
    Location
    Lake Zurich, IL
    Posts
    281
    I just saw this:
    http://www.vyatta.com/news-events/pr...-vyatta-vplane

    Would be interested in knowing if anyone has used it.

    Eric

  11. #26
    Join Date
    Jul 2009
    Location
    The backplane
    Posts
    1,737
    Quote Originally Posted by erickmiller View Post
    The last I knew, Vyatta could forward 3Mpps.
    That sounds plausible. But, 10G @ small packets, no way.
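
The packet-rate question argued in posts #22 to #26, worked through as an added example that is not part of any poster's message: it computes Ethernet line rate in packets per second, the smallest frame size at which a forwarder of a given pps capacity keeps up with a full link, and how little small-packet bandwidth is needed to reach that pps ceiling. It assumes standard Ethernet framing (20 bytes of preamble and inter-frame gap per frame, 64 to 1518 byte frames); the 500 Kpps and 3 Mpps capacities are the figures quoted in the thread, used here as inputs only.

```python
import math

# Per-frame wire overhead not counted in the frame size (assumed standard
# Ethernet): 7-byte preamble + 1-byte start delimiter + 12-byte inter-frame gap.
WIRE_OVERHEAD = 20
MIN_FRAME, MAX_FRAME = 64, 1518  # standard Ethernet frame sizes incl. FCS


def line_rate_pps(link_bps, frame_bytes):
    """Maximum frames per second a link can carry at one frame size."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def break_even_frame(link_bps, forwarder_pps):
    """Smallest frame size at which the forwarder keeps up with a full link.

    Returns None if it cannot keep up even with maximum-size frames.
    """
    size = math.ceil(link_bps / (8 * forwarder_pps) - WIRE_OVERHEAD)
    size = max(size, MIN_FRAME)
    return size if size <= MAX_FRAME else None


def saturating_wire_bps(forwarder_pps, frame_bytes=MIN_FRAME):
    """Wire bandwidth of a small-packet stream that reaches the pps limit."""
    return forwarder_pps * (frame_bytes + WIRE_OVERHEAD) * 8


def report(link_bps, forwarder_pps):
    """Summarise one link/forwarder pairing for capacity planning."""
    return {
        "line_pps_min_frame": round(line_rate_pps(link_bps, MIN_FRAME)),
        "break_even_frame": break_even_frame(link_bps, forwarder_pps),
        "saturating_mbps": saturating_wire_bps(forwarder_pps) / 1e6,
    }


if __name__ == "__main__":
    # Capacities quoted in the thread: ~500 Kpps (pf/pfSense), ~3 Mpps (Vyatta).
    for link, cap in [(1e9, 500_000), (10e9, 500_000), (10e9, 3_000_000)]:
        print(f"{link / 1e9:>4.0f}G link, {cap:>9,} pps forwarder:",
              report(link, cap))
```

For sizing an edge firewall against small-packet floods, the `saturating_mbps` value is the one to watch: it is the wire bandwidth at which a minimum-size packet stream hits the forwarder's pps ceiling, regardless of how fast the interface is.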
