  1. #1

    Firewall: 2000 sessions enough?

    Hi

    I have a 1/3 rack in a datacenter and am planning at the moment to put about 5 servers (probably Dell 750) in it. Later more... Now I'm searching for a firewall. It looks like the NetScreen 5GT is a nice one, but I'm not sure if 2000 sessions are enough.

    Actually, how many sessions do I need per server, when I plan to have about 500 accounts on it which are not so active? Per server I use at the moment about 70GB of traffic per month.

    Which firewall can you recommend? I found a lot of postings here, but actually it doesn't help when someone just writes that the NetScreen is a great box; I should know which one I really need.

    Thanks
    Mike

  2. #2
    Join Date: Apr 2004 | Location: OHIO | Posts: 58
    Sessions != bandwidth. It depends on how many new connections per second are created and how many of those connections stay active (sessions).

  3. #3
    Join Date: Aug 2002 | Location: Seattle | Posts: 5,512
    Bandwidth is still a decent indication about how many sessions might be generated. I would say you'd be safe on that, but personally would want something a bit higher up just to be extra safe.

  4. #4
    Hi DeathNova

    Thanks for the answer. So which firewall would you recommend? You are right, we don't want to buy another firewall just when the next server comes in.

    So how can I find out how many connections I have per second?


    Thanks
    Mike

  5. #5
    Join Date: Jun 2000 | Location: Washington, USA | Posts: 5,991
    2000 sessions probably won't be enough.

    I'd look into something like the Cisco PIX 506e.

  6. #6
    Join Date: Jul 2001 | Location: St. Louis | Posts: 379
    The NetScreen 5GT is a very nice little unit. It will work for a large percentage of cases. The cost is very reasonable and it is much easier to use than the PIX.

    BW and sessions are not the same; however, they usually go hand in hand. If your traffic usage is low (less than 300GB) I would give it a whirl. I would pick up a used one, and if you find you are getting close to the limit, you can always upgrade.
    Brad @ Xiolink
    XIOLINK. Your data...always within reach.™
    http://www.xiolink.com
    1-877-4-XIOLINK [+01 314 621 5500]

  7. #7
    Join Date: Aug 2002 | Location: Seattle | Posts: 5,512
    Originally posted by CoolMike
    Hi DeathNova

    Thanks for the answer. So which firewall would you recommend? You are right, we don't want to buy another firewall just when the next server comes in.

    So how can I find out how many connections I have per second?


    Thanks
    Mike
    It really depends; what kind of budget are you looking at? NetScreen is highly regarded, and there are a couple of others you may wish to consider. If you want to talk off forum, drop me a PM with your IM contact(s) and I'll tell you all about my various "picks" for firewall solutions. Some of them are completely free while others are quite expensive.

  8. #8
    Why don't we just discuss them here???
    "The only difference between a poor person and a rich person is what they do in their spare time."
    "If youth is wasted on the young, then retirement is wasted on the old"

  9. #9

    Firewall

    Based on the need you are describing, you may even look into a UNIX-based solution such as IPFW. They are great stateful packet filters, and other third-party solutions provide features such as basic IDS.

  10. #10
    Hi

    After a lot of reading about firewalls, I'm now even more confused than before. Actually, I found out that a Layer 2 firewall would be enough for my needs. But I don't know which firewall is able to run in this mode.

    The NetScreen can do this, but then it's not possible anymore to configure it over the web GUI.

    JTY, do you know how many sessions I can have with the Cisco PIX 506e? I did not find any information about that...

    Thanks
    Michael

  11. #11
    Join Date: Aug 2002 | Location: Seattle | Posts: 5,512
    The Astaro Security Linux v5 will run Layer 2.

  12. #12
    Hi DeathNova

    I did ask this question also on the Astaro forums, and there the administrator told me that it doesn't support Layer 2 bridging:

    http://www.astaro.org/showflat.php?C...&fpart=1#44023

    Michael

  13. #13
    coolmike,

    Cisco PIX 506e can handle a maximum of 25,000 concurrent sessions, that's pretty enough for a DDoS.

  14. #14
    nowisph, thanks, in this case that's probably exactly what we need.

    Thanks
    Michael

  15. #15
    Join Date: Aug 2002 | Location: Seattle | Posts: 5,512
    CoolMike:

    It does not support "transparent bridging", which is something slightly different and a bit antiquated. Check out this article: http://www.networknewz.com/networkne...dBridging.html

    Let me know if that's something you feel you need and I'll stand corrected.

    Here is the datasheet on that Cisco: http://www.cisco.com/en/US/products/...080091b13.html

    Proprietary platforms running on Celeron 300's and 32MB RAM aren't exactly my bowl of rice, but I suppose it works for some folks. (BTW: That datasheet says nothing about bridging or Layer 2 anything. Does anyone with experience with the device want to chime in?)

    Best regards.
    Last edited by ddosguru; 06-02-2004 at 04:56 AM.

  16. #16
    I would recommend a Netscreen 25 for five servers.
    The Netscreen 5 is too small for your case.
    Network Guru

    Cisco Redhat Microsoft Certified
    CCIE - - RHSE - - MCSE

  17. #17
    Join Date: Apr 2001 | Location: St. Louis, MO | Posts: 2,508
    I would shoot for the 5 GT/XT, as long as you stay under 2K concurrent connections. We have many, many, many of them running and they are rock solid.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  18. #18
    Join Date: May 2002 | Location: Minneapolis | Posts: 339
    The NetScreen GT/XT is limited to only 32 IP addresses for your network. You may want to look into a Netscreen 10/100/25/50.
    Dot Simple LLC
    aim: johna11en | yah: johna11en | msn: [email protected] | e-mail

  19. #19
    Join Date: Jan 2004 | Location: /home/dislexik | Posts: 820
    Erm, ok 2000 sessions, 5 servers, 500 accounts per server = 2500 sessions needed just to allow all accounts to have one session?

    I know that may be the wrong way of thinking, but I thought it would be a good light to understanding sessions. A session is a connection to the "network", in this case from the initial connection to when the connection is broken (the browser requests a different page from a different site, dropping the current connection with one of your servers).

    I would say a higher session firewall would be needed?

    Regards

    DislexiK
    "You don't learn to hack, you hack to learn"

  20. #20
    Join Date: Apr 2001 | Location: St. Louis, MO | Posts: 2,508
    The 5XT/GT can have an unlimited number of IPs behind it (or just 10), depending on the model.

    That would be 500 concurrent connections per second. Yes, you open a browser window and it would use about 3-5 connections and they are closed as soon as the page loads.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"
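    The exchange in #2, #4 and #19/#20 is really about Little's law: the number of session-table entries a firewall holds at once is the rate of new connections multiplied by how long each entry stays in the table, and that hold time includes the firewall's idle timeout after the TCP close, not just the second or so a browser spends fetching a page. The following Python is an added illustration, not code from any poster in the thread; the sample connection records, the 30-second idle timeout and the planning figures (2500 accounts, 5% active, 2 pages per minute, 4 connections per page) are constructed assumptions, not measurements from Mike's servers.

```python
"""Session-table sizing via Little's law, plus peak concurrency from observed
connection records. Added example; not from any poster in the thread.

Little's law: average sessions held at once = arrival rate of new connections
x average time each one occupies the session table. A firewall keeps a TCP
entry for an idle timeout after the last packet, so the hold time is longer
than the data transfer itself.
"""
from dataclasses import dataclass
from typing import Iterable, List


def expected_sessions(new_per_second: float, hold_seconds: float) -> float:
    """Average concurrent sessions = arrival rate x mean time held in the table."""
    return new_per_second * hold_seconds


def plan_sessions(accounts: int, active_fraction: float, pages_per_minute: float,
                  connections_per_page: int, hold_seconds: float) -> float:
    """Capacity-planning form: accounts -> page loads -> TCP connections -> sessions."""
    active_users = accounts * active_fraction
    new_per_second = active_users * pages_per_minute / 60.0 * connections_per_page
    return expected_sessions(new_per_second, hold_seconds)


@dataclass(frozen=True)
class Conn:
    start: float   # seconds since capture start, first SYN seen
    end: float     # seconds since capture start, FIN/RST seen


def peak_concurrency(conns: Iterable[Conn], idle_timeout: float = 0.0) -> int:
    """Sweep-line count of the maximum number of table entries alive at once.

    Each entry lives from its first packet until close plus idle_timeout, because
    the firewall does not reap the entry at the instant the TCP close happens.
    """
    events = []
    for c in conns:
        events.append((c.start, 1))
        events.append((c.end + idle_timeout, -1))
    # Closes sort before opens at the same timestamp, so a slot can be reused.
    events.sort(key=lambda e: (e[0], e[1]))
    alive = peak = 0
    for _, delta in events:
        alive += delta
        peak = max(peak, alive)
    return peak


def new_connections_per_second(conns: Iterable[Conn], window_start: float,
                               window_end: float) -> float:
    """Arrival rate of new connections whose SYN falls in [window_start, window_end)."""
    opened = sum(1 for c in conns if window_start <= c.start < window_end)
    return opened / (window_end - window_start)


# Constructed sample (not captured traffic): one page load opens 4 connections
# around t=0, each transferring for about a second; a second client loads a
# page at t=2 with the same pattern.
SAMPLE: List[Conn] = [
    Conn(0.0, 1.0), Conn(0.1, 0.9), Conn(0.1, 1.2), Conn(0.2, 1.1),
    Conn(2.0, 3.0), Conn(2.1, 2.8), Conn(2.1, 3.1), Conn(2.2, 3.0),
]

if __name__ == "__main__":
    print("new connections/s over 4 s:", new_connections_per_second(SAMPLE, 0.0, 4.0))
    print("peak entries, no idle timeout:", peak_concurrency(SAMPLE))
    print("peak entries, 30 s idle timeout:", peak_concurrency(SAMPLE, idle_timeout=30.0))
    # Planning assumptions (constructed): 2500 accounts, 5% active at peak,
    # 2 page loads/minute each, 4 connections per page, 30 s held per entry.
    print("planned average sessions:", plan_sessions(2500, 0.05, 2.0, 4, 30.0))
```

    The two `peak_concurrency` calls make the point of #19 versus #20 concrete: the same eight connections occupy at most 4 table entries while the pages actually load, but 8 once a 30-second idle timeout keeps closed connections in the table. When measuring a real server, feed `new_connections_per_second` the SYN timestamps from a capture or web log taken at the busiest hour, and use the firewall's configured TCP idle timeout as `idle_timeout`.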

  21. #21
    Join Date: Sep 2001 | Location: New York, NY | Posts: 159

    Good Scalable Hardware Unit - For say...30 to 60Mbps with 100 servers Max

    Okie...since there is a lot of discussion about the firewall and the sessions part, what would be an ideal firewall that can handle say...30 to 60Mbps of traffic with around 100 servers all together?

    I like Netscreen, but I also want to have some failover facility to handle the traffic between both units and to pick up if one fails.

    The reason I am asking is that I want to get something in place in one or two months as the starting point for that target size, without having to disrupt the entire network by replacing the firewall when we reach the small capacity. I am thinking big so that it suits the growth period itself.

  22. #22
    Buy bigger Netscreens and load balance between two units. 25000 sessions can be disabled from just one box with spoofed SYNs, depending on the implementation.

    p
    * Rusko Enterprises LLC - Upgrade to 100% uptime today!
    * Premium NYC collocation and custom dedicated servers
    call 1-877-MY-RUSKO or paul [at] rusko.us

    dedicated servers, collocation, load balanced and high availability clusters

  23. #23
    Join Date: Apr 2001 | Location: St. Louis, MO | Posts: 2,508
    Netscreen is pretty good at blocking SYN attacks and they would not count against the sessions.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"

  24. #24
    How about 2001 full handshakes from one box, or a few hundred boxes in a botnet? The latter is the kind of attack I see most frequently lately.

    paul
    * Rusko Enterprises LLC - Upgrade to 100% uptime today!
    * Premium NYC collocation and custom dedicated servers
    call 1-877-MY-RUSKO or paul [at] rusko.us

    dedicated servers, collocation, load balanced and high availability clusters

  25. #25
    Join Date: Apr 2001 | Location: St. Louis, MO | Posts: 2,508
    There are thresholds that can be set; it works very well. We have several customers who have moved from Watchguard and SnapGear to Netscreen because of SYN attacks; neither helped, but Netscreen did.
    Mike @ Xiolink.com
    http://www.xiolink.com 1-877-4-XIOLINK
    Advanced Managed Microsoft Hosting
    "Your data... always within reach"
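    Posts #22 through #25 separate two ways a session table fills up: half-open connections that never complete the handshake (what SYN protection thresholds catch) and fully completed handshakes that consume a real entry each, spread over one host or many. The following Python is an added example, not the Netscreen's threshold logic or code from any poster; it applies the same per-source and per-destination threshold idea to a constructed dump of a firewall's session table written in a conntrack-like `key=value` form. The threshold values and every IP address (drawn from documentation and benchmark ranges) are constructed assumptions.

```python
"""Threshold-based detection of session-table exhaustion. Added example; not
any poster's code and not a vendor's implementation.

Input: a constructed session-table dump, one entry per line, in the form
    src=<ip> dst=<ip> dport=<port> state=<SYN_RECV|ESTABLISHED|...>

Two patterns are checked, matching the two cases raised in the thread:
  * half-open entries counted per source AND per destination, so a flood that
    is spread thinly across many sources still trips the destination-side
    threshold even though no single source looks abnormal;
  * fully ESTABLISHED entries counted per source, so one host holding a large
    number of completed handshakes open stands out even though SYN protection
    never fires.
"""
from collections import Counter
from typing import Dict, Iterable, List, Tuple

HALF_OPEN_STATES = {"SYN_SENT", "SYN_RECV"}


def parse_entry(line: str) -> Dict[str, str]:
    """Parse 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def count_sessions(lines: Iterable[str]) -> Tuple[Counter, Counter, Counter]:
    """Return (half-open by source, half-open by destination, established by source)."""
    half_by_src: Counter = Counter()
    half_by_dst: Counter = Counter()
    est_by_src: Counter = Counter()
    for line in lines:
        entry = parse_entry(line)
        if not all(k in entry for k in ("src", "dst", "state")):
            continue  # not a session entry (header line, blank, malformed)
        if entry["state"] in HALF_OPEN_STATES:
            half_by_src[entry["src"]] += 1
            half_by_dst[entry["dst"]] += 1
        elif entry["state"] == "ESTABLISHED":
            est_by_src[entry["src"]] += 1
    return half_by_src, half_by_dst, est_by_src


def find_alerts(lines: Iterable[str], src_half_open_max: int = 20,
                dst_half_open_max: int = 100, src_established_max: int = 200) -> List[str]:
    """Apply the three thresholds (constructed defaults) and return sorted alert strings."""
    half_by_src, half_by_dst, est_by_src = count_sessions(lines)
    alerts = []
    for src, n in half_by_src.items():
        if n > src_half_open_max:
            alerts.append(f"half-open from source {src}: {n}")
    for dst, n in half_by_dst.items():
        if n > dst_half_open_max:
            alerts.append(f"half-open toward destination {dst}: {n} (many or spoofed sources)")
    for src, n in est_by_src.items():
        if n > src_established_max:
            alerts.append(f"established from source {src}: {n}")
    return sorted(alerts)


def build_sample() -> List[str]:
    """Constructed session-table dump (not a real capture) exercising all three cases."""
    lines = ["# session table dump (constructed)"]
    # Normal traffic: ten clients, three established connections each to the web server.
    for i in range(1, 11):
        lines += [f"src=203.0.113.{i} dst=198.51.100.5 dport=80 state=ESTABLISHED"] * 3
    # One source with 25 half-open entries toward the web server.
    lines += ["src=192.0.2.10 dst=198.51.100.5 dport=80 state=SYN_RECV"] * 25
    # 120 distinct sources with one half-open entry each toward a second server:
    # invisible per source, visible per destination.
    for i in range(1, 121):
        lines.append(f"src=198.18.0.{i} dst=198.51.100.6 dport=443 state=SYN_RECV")
    # One source holding 250 completed handshakes open.
    lines += ["src=192.0.2.20 dst=198.51.100.5 dport=80 state=ESTABLISHED"] * 250
    return lines


if __name__ == "__main__":
    for alert in find_alerts(build_sample()):
        print(alert)
```

    Run against the constructed dump, the per-destination count is what exposes the distributed half-open case (120 sources, one entry each), which is the point behind #24: a per-source SYN threshold alone does not see it, and a table-size budget has to assume completed handshakes from many hosts will count in full. On a real firewall the same counts come from its session-table or conntrack listing; the thresholds should be set from the baseline measured during normal peak traffic rather than from these constructed defaults.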
