I currently have two Windows 2003 Servers with ServePath. One server is being used as a regular HTTP/FTP server and the other is a Windows Media server (providing Windows Media audio/video streams). These two computers are not being used for network authentication, nor as a proxy or anything like that. Just web and media hosting and DNS.
I'm currently researching the best possible firewall solution for these servers. I've spent a lot of time reading all the forum posts about this, but I couldn't make up my mind yet. I've thought about a software firewall, which would be cheaper and easier to manage remotely, via Windows Remote Desktop. However, if hardware is the best choice (I know you guys love hardware firewalls), the NetScreen-5GT firewall is an option (it's the only hardware-based solution available at ServePath).
I personally don't have anything against hardware firewalls, and I noticed that 9 in 10 people advise using hardware instead of software firewalls. I'd pay the extra money if that's the best choice.
However, I have one special concern, which is the reason for this post. The concern is about bandwidth and its relation to a hardware firewall.
As I said, I'm using one of those servers for streaming media. Our plan is to have several hundred simultaneous users accessing 100 Kbps streams from that server. Using Microsoft Windows Media Load Simulator (a little program from Microsoft that allows stress testing of Windows Media Services) I was able to simulate 800 users without a glitch. This is great! The processor on the server never rose above 10%! So, this means that my streaming server is ready for that amount of traffic. However, the bottleneck is the network card: if I stream at 100 Kbps to 800 users, it means that I'm using 80 Mbps. I'm pretty close to the 100 Mbps limit of the network card.
Now let's suppose I want to use the NetScreen-5GT firewall on that server. According to its specifications, the maximum throughput is 75 Mbps (which would mean only 750 instead of 800 users). That's not enough for me. I need to use those 100 Mbps! Also, the protocols supported by NetScreen are HTTP, FTP, SMTP, POP, IMAP and DNS. In other words, protocols used for streaming such as MMS and RTSP are *not* supported. I suppose that is also a problem for me, since streaming is my key business.
That's why I'm asking for your advice now. Is hardware an option for my case, or would a software firewall be better? If the software firewall is the way to go, which one should I use? Please remember that I'm administering the servers remotely, so I need a firewall that won't block my Remote Desktop when it is installed.
Also, please keep in mind that the only hardware firewall available at ServePath is NetScreen. So no Cisco, no 3COM, etc. NetScreen is my only option for hardware.
I count on your expertise and thank you in advance for your help.
In your environment, a hardware-based solution is by far the best option. Software-based solutions are going to take away valuable CPU and memory cycles and will bog your server down. The NetScreen 5x series is only good for about 80 Mb/s, but if they have the 10 series or higher, it will more than handle your needs. On that 100 Mb/s port, 80 Mb/s is going to be pushing it, considering you have to keep QoS at a maximum. You'll start seeing collisions, CRCs, etc., which makes it unusable anyway. My suggestion is to go with the 5x series, get to 75 Mb/s, and hopefully by then you'll have money (maybe you do now) for additional servers, etc., and can spread things out a little.
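The capacity arithmetic in the question (800 users x 100 Kbps = 80 Mbps; 75 Mbps firewall = 750 users) counts only application payload, and the answer warns that running a 100 Mb/s port near its rated speed is "pushing it". The following added example, which is not code from either poster, puts both points into one small capacity planner: it adds per-packet Ethernet/IP/UDP framing overhead to the stream bitrate, applies a headroom factor, and reports which device (NIC or firewall) limits the concurrent stream count. The 100 Kbps, 100 Mbps and 75 Mbps figures are the thread's own; the 1400-byte payload per packet, the UDP transport and the 80% headroom figure are assumptions chosen for illustration.

```python
"""Capacity check for a streaming host behind a throughput-limited firewall.

Added example for this thread, not code from the original posters.
Assumptions (labelled): UDP transport, 1400-byte media payload per packet,
and an optional headroom factor for how much of a link's rated speed to use.
"""

# Per-frame Ethernet cost: 14-byte header + 4-byte FCS + 8-byte preamble
# + 12-byte inter-frame gap. All are consumed on the wire per packet.
ETH_OVERHEAD_BYTES = 14 + 4 + 8 + 12
# Assumption: streams ride on IPv4/UDP (20-byte IP header + 8-byte UDP header).
IP_UDP_HEADER_BYTES = 20 + 8
PER_PACKET_OVERHEAD = ETH_OVERHEAD_BYTES + IP_UDP_HEADER_BYTES  # 66 bytes


def wire_bitrate(payload_bps, payload_bytes_per_packet=1400):
    """Bits per second a stream really occupies on the wire.

    payload_bps is the advertised stream bitrate (application payload only);
    the framing overhead is added once per packet, so smaller packets cost
    proportionally more. 1400 bytes is an assumed media packet size.
    """
    frame_bytes = payload_bytes_per_packet + PER_PACKET_OVERHEAD
    return payload_bps * frame_bytes / payload_bytes_per_packet


def max_streams(capacity_bps, stream_bps, payload_bytes=1400, headroom=1.0):
    """Concurrent streams a device carries using `headroom` of its capacity.

    Integer arithmetic throughout so the result is exact: usable bits per
    second divided by the per-stream wire bitrate, rounded down.
    """
    usable_bps = int(capacity_bps * headroom)
    frame_bytes = payload_bytes + PER_PACKET_OVERHEAD
    return usable_bps * payload_bytes // (stream_bps * frame_bytes)


def bottleneck(stream_bps, nic_bps, firewall_bps, **kwargs):
    """Return (limiting device, streams supported) for NIC vs. firewall."""
    nic = max_streams(nic_bps, stream_bps, **kwargs)
    fw = max_streams(firewall_bps, stream_bps, **kwargs)
    return ("firewall", fw) if fw < nic else ("nic", nic)


if __name__ == "__main__":
    STREAM = 100_000        # 100 Kbps streams, from the question
    NIC = 100_000_000       # 100 Mbps network card
    FIREWALL = 75_000_000   # NetScreen-5GT rated throughput, from the question

    print("wire rate per stream: %.0f bps" % wire_bitrate(STREAM))
    print("NIC alone, 100%% of rate: %d streams" % max_streams(NIC, STREAM))
    print("NIC alone, 80%% headroom: %d streams"
          % max_streams(NIC, STREAM, headroom=0.8))
    print("with firewall in path: %s limits to %d streams"
          % bottleneck(STREAM, NIC, FIREWALL))
```

With the assumed packet size, framing overhead raises each 100 Kbps stream to roughly 104.7 Kbps on the wire, so a 100 Mbps NIC tops out at 954 streams at line rate (763 at an 80% ceiling) and the 75 Mbps firewall at 716, not the 750 the payload-only division suggests. The headroom knob is where a practitioner encodes the answer's warning about running the port flat out.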