  1. #1

    Softlayer, Cisco Guard and ded. Firewall

    Hi all,

    I'd like to ask you all for your opinion on this situation.

    I was interested in Softlayer's offer of a Cisco 1000Mbps dedicated firewall, thinking that the $199 cost is cheaper than other providers' offers.
    I need an external firewall to filter some malicious traffic reaching my server, and to free the CPU from the work of filtering it using iptables. So I decided to talk with Softlayer sales (2 times).
    Now, the point is this: the Softlayer sales agents, when you ask about firewalls, keep saying that the firewall is NOT for traffic filtering or protection, and that for that there is already a Cisco Guard offered by default. Unfortunately, I've seen many Softlayer servers used for the same purpose I am planning to use it for (an audio-video chat service) and I can assure you I have seen them reacting to SYN floods just like totally unprotected servers. So that famous Cisco Guard is not very well configured, at least. Now, on other provider sites (for example Aplus.net) they offer a Cisco firewall "defending against DDOS attacks" and they even specify all the attacks it will defend against.
    My questions are:
    1) Who is right? Does a Cisco firewall protect or not?
    2) Why should I spend $199 for a Softlayer firewall?
    3) Why does Cisco Guard seem not to work at all? (And please do not reply to me "we are not DDoS specialists", I've heard this story hundreds of times; there is a big difference between being protected against "not too big attacks" and not being protected at all. And, I repeat, servers on the Softlayer network seem to suffer attacks just as if there were no protection.)
    So far, I've found the kind of protection I am searching for only on the GOGRID servers; even on STAMINUS the protection is not enough for me. Unfortunately GOGRID prices ($ .50/GB) are not acceptable for me. Funny enough, the Servepath dedicated servers, from the same company as GoGrid, are not protected at all! (And I'd like to have this explained too.)

    Thanks all, and sorry for the long post.

  2. #2
    Depends what sort of attack is hitting you, as the Cisco firewall might be completely useless in most cases, whereas a Cisco Guard might mitigate it. If the attack is extremely large you're going to get null routed while the service provider works with their upstream providers to stop it (1gbps attacks).

    Try not to put too much trust into what hosts advertise they can defend against and what people call a "firewall", as some tend to bend the meaning to make it look like you spend an extra monthly fee and you're free from attacks.
    478east
    High Bandwidth Servers
    Custom Hosting Solutions

  3. #3
    Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,549
    It will depend on the type of attack but a $199 firewall isn't going to filter any half decent attack and no provider is essentially going to pay to absorb the attack for you. There are ddos protected providers suited exactly for this type of thing but as I said they are not going to pay to continually absorb the attack for you and will simply pass the costs along to you.
    Server Management - AdminGeekZ.com
    Infrastructure Management, Web Application Performance, mySQL DBA. System Automation.
    WordPress/Magento Performance, Apache to Nginx Conversion, Varnish Implementation, DDoS Protection, Custom Nginx Modules

  4. #4
    I don't think you know what you are talking about.

    1. The Cisco Guard is specifically designed to protect networks against DDoS and other malicious attacks. If it did not work then Cisco would have been called out long ago and large providers such as SoftLayer would not be using this equipment.

    2. SoftLayer runs one of the most stable and higher performance networks in the world. I think they know a little more about protecting a network than the average joe. Maybe the servers you see having a problem are being null routed due to the size of the attacks? Most providers tend to do this to protect themselves.

    The best thing to do would be to figure out why you are being attacked at such a high rate and then quit doing whatever that thing is. Most of the time people with problems of that size are making someone mad by hosting warez sites, religious/political slander, or some type of illegal pornography.

  5. #5
    The fact remains that GOGRID cloud servers are protected against almost every attack I've seen, Softlayer servers are not. And GoGrid does not even advertise this thing.
    P.S.: I am not a GoGrid employee, in fact I think they're too expensive.

  6. #6
    Join Date: May 2006 | Location: EU & USA | Posts: 3,684
    I believe the Cisco Guards are only deployed on request for times you are under attack; create a ticket with Softlayer to check this.

  7. #7
    Join Date: Oct 2002 | Location: Vancouver, B.C. | Posts: 2,656
    Quote: Originally Posted by styson77
    > I don't think you know what you are talking about.
    >
    > 1. The Cisco Guard is specifically designed to protect networks against DDoS and other malicious attacks. If it did not work then Cisco would have been called out long ago and large providers such as SoftLayer would not be using this equipment.

    Cisco Guard is hardly the end-all and be-all of DDoS mitigation. It does effectively defend against some attacks, but other products do a better job in the same or other areas. In any event, Softlayer is not specialized for DDoS mitigation, and there are other providers using different technologies that do a better job.

    > 2. SoftLayer runs one of the most stable and higher performance networks in the world. I think they know a little more about protecting a network than the average joe. Maybe the servers you see having a problem are being null routed due to the size of the attacks? Most providers tend to do this to protect themselves.
    >
    > The best thing to do would be to figure out why you are being attacked at such a high rate and then quit doing whatever that thing is. Most of the time people with problems of that size are making someone mad by hosting warez sites, religious/political slander, or some type of illegal pornography.

    Softlayer's network performance reflects their upstreams more than their own actual efforts, as they don't really have a fleshed out backbone. They may know a little more than the average joe about DDoS protection, but they know, or at least offer far less than some other providers, about proper DDoS mitigation.

    There are many companies who offer legitimate products or services who are attacked nonetheless, and they are not to blame for the attacks launched against them. In these instances, Softlayer may not be the best option. Just because you may not suffer from these same problems does not mean they do not exist.


    To the op:

    1) Firewalls are only effective against more simplistic attacks. Many attacks are much more difficult to filter, particularly when they target legitimate services or protocols. In these instances, deep packet inspection and behavioural analysis are required, which requires DDoS mitigation devices and not just firewalls.

    2) Firewalls are meant for policy control, not ddos mitigation. If you would like to enforce a policy, without that enforcement ever affecting your server's performance, then a separate firewall may be a good option.

    3) Cisco Guard is highly dependent on netflows, which do not provide a lot of granularity and are for the most part limited to the transport layer and below. Some attacks can't be detected effectively without examining the application layer.
    ASTUTE HOSTING: Advanced, customized, and scalable solutions with AS54527 Premium Canadian Optimized Network (Level3, PEER1, Shaw, Tinet)
    MicroServers.io: Enterprise Dedicated Hardware with IPMI at VPS-like Prices using AS63213 Affordable Bandwidth (Cogent, HE, Tinet)
    Dedicated Hosting, Colo, Bandwidth, and Fiber out of Vancouver, Seattle, LA, Toronto, NYC, and Miami

  8. #8
    Join Date: Aug 2002 | Location: Atlanta, GA | Posts: 1,114
    Any system, Cisco, TopLayer, TippingPoint, are good units but NONE of them stop everything that is out there. Also, these are not set and forget devices, they need to be tweaked from time to time and adapted to new threats.
    SiteSouth
    Atlanta, GA and Las Vegas, NV. Colocation

  9. #9
    If I could filter packets with specific SOURCE (not destination) ports, it would be enough for me, as the packets all come from the same source ports.

  10. #10
    Join Date: Sep 2007 | Location: Toronto, Canada | Posts: 260
    Quote: Originally Posted by 040Hosting
    > I believe the Cisco Guards are only deployed on request for times you are under attack; create a ticket with Softlayer to check this.

    This was how this tool was deployed when we were a SL customer. When we needed this protection a simple support ticket gave us 48 hours of protection. If the attack was still going after that, which it never was, then we would have to do something else.

  11. #11
    What is the speed of deploying protection after a ticket?
    Why do they not deploy it by default?

    Is it the same if I take a 10TB.com server, or would it take days to deploy?

  12. #12
    Join Date: May 2006 | Location: EU & USA | Posts: 3,684
    I am not sure why you ask, but SL is always VERY fast with their tickets and implementations as it's almost all fully automated.

    10TB is using SL facilities as far as I know; I don't know how they would handle this.

  13. #13
    Well, this totally changes the situation. Probably the servers I have seen under attack did not know they had to open a ticket. Unfortunately the speed of implementing the Cisco Guard is crucial for my "business".

  14. #14
    Join Date: May 2006 | Location: EU & USA | Posts: 3,684
    Quote: Originally Posted by Winstar
    > Well, this totally changes the situation. Probably the servers I have seen under attack did not know they had to open a ticket. Unfortunately the speed of implementing the Cisco Guard is crucial for my "business".

    I am not sure why you say "unfortunately"; did you already ask them in a ticket how fast this happens? Without asking SL about this you will never be sure.

    You can keep asking here, but really you get your best information from SL itself.

  15. #15
    Join Date: Sep 2007 | Location: Toronto, Canada | Posts: 260
    Once I created a ticket stating a DOS was underway against a specific IP on our server they (SL) put our server's traffic through CiscoGuard pretty well right away. Service was always prompt and they were ready to help. Also being on their IRC channel helped a lot to inform specific people whom I know and are very good at getting things done in a hurry.

  16. #16
    Join Date: Dec 2007 | Location: Indiana, USA | Posts: 16,087
    Quote: Originally Posted by cristibighea
    > If the attack is extremely large you're going to get null routed while the service provider works with their upstream providers to stop it (1gbps attacks).

    We actually received a 2.5gbps+ DDoS attack yesterday and Cisco Guard kicked in automatically and brought the attack to its knees. Our server that was being attacked only saw about 2 minutes of downtime before all services came back online and then within 5 minutes you couldn't even tell we were under attack.

    This was the message that we got automatically from SoftLayer:

    Quote: Originally Posted by SoftLayer
    > This ticket was automatically generated by the Softlayer Network Protection System. Due to the large amount of traffic targeted to your IP address (our IP here), SoftLayer has automatically injected the IP address into our Cisco Guard Protection system. This system diverts traffic destined to the IP address (our IP here) through hardware devices that will try to identify and block the specific packets and flows responsible for the attack while allowing legitimate transactions to pass. The injection of (our IP here) will remain in place until this attack subsides and then be automatically removed once traffic levels reach a normal level.
    >
    > Details of the event follow:
    >
    > Exceeded Bits In: 2.5 G (Threshold: 500 M)
    > Exceeded Packets In: 310 k (Threshold: 125 k)
    > Exceeded Flows In: 310 k (Threshold: 125 k)

    Another provider was hit by this same individual later that day and it brought down their entire facility with a 4gbps attack as they did not have the ability to mitigate the attack locally and had to wait on their upstream providers to block the attack.

    Quote: Originally Posted by 040Hosting
    > I believe the Cisco Guards are only deployed on request for times you are under attack; create a ticket with Softlayer to check this.

    This is true, if you want CiscoGuard permanently I believe it starts at $2,000 per month but it could be more.

    Quote: Originally Posted by Winstar
    > What is the speed of deploying protection after a ticket?
    > Why do they not deploy it by default?
    >
    > Is it the same if I take a 10TB.com server, or would it take days to deploy?

    I can only assume that there are not enough CiscoGuard units to filter *all* traffic in and out of the DataCenter as for not having it on all servers at all times. I believe you can get a refurbished Cisco Guard unit in the $20,000 range and new is quite a bit more expensive.

    If you really do need permanent DDoS protection (real protection) it's not going to be cheap for 24/7 filtering.

    Softlayer is an amazing facility with fantastic sales and support.
    Michael Denney - MDDHosting LLC
    New shared plans for 2016! Check them out!
    Highly Available Shared, Premium, Reseller, and VPS
    http://www.mddhosting.com/
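
Added example (not part of the thread, and not SoftLayer's or Cisco's code): a sketch of the threshold-triggered diversion described in the ticket quoted in post #16, using the three thresholds from that ticket and assuming they are per-second rates per destination IP. The flow-record fields, addresses and sizes are constructed; the second destination shows the limitation raised in post #7, a request flood that stays under every volume threshold.

```python
from collections import defaultdict

# Thresholds quoted in the ticket in post #16; treating them as per-second
# rates per destination IP is an assumption of this example.
THRESHOLDS = {"bits": 500e6, "packets": 125e3, "flows": 125e3}


def rates_per_destination(flows, window_s):
    """Aggregate flow records into bits/s, packets/s and flows/s per destination."""
    totals = defaultdict(lambda: {"bits": 0, "packets": 0, "flows": 0})
    for f in flows:
        t = totals[f["dst"]]
        t["bits"] += f["bytes"] * 8
        t["packets"] += f["packets"]
        t["flows"] += 1
    return {dst: {k: v / window_s for k, v in t.items()} for dst, t in totals.items()}


def destinations_to_divert(flows, window_s, thresholds=THRESHOLDS):
    """Return {destination: [metrics over threshold]} for IPs that would be diverted."""
    diverted = {}
    for dst, rates in rates_per_destination(flows, window_s).items():
        exceeded = sorted(m for m in thresholds if rates[m] > thresholds[m])
        if exceeded:
            diverted[dst] = exceeded
    return diverted


def constructed_flows():
    """Constructed one-second sample (documentation addresses, made-up sizes)."""
    # Volumetric flood: 310k single-packet flows, about 2.5 Gbit in one second.
    flood = [{"dst": "192.0.2.10", "bytes": 1008, "packets": 1} for _ in range(310_000)]
    # Request flood: 2,000 small HTTP-sized flows per second, low volume.
    http = [{"dst": "192.0.2.20", "bytes": 900, "packets": 6} for _ in range(2_000)]
    return flood + http


if __name__ == "__main__":
    sample = constructed_flows()
    for dst, rates in sorted(rates_per_destination(sample, 1).items()):
        print(dst, rates, "divert:", destinations_to_divert(sample, 1).get(dst, []))
```

Only the first destination is diverted: flow counters carry no application-layer information, so a detector built on volume thresholds alone has nothing to trip on for the second.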

  17. #17
    From time to time I receive DDoS attacks on my server; those attacks are mostly SYN_FLOODS. I've been a few years on TP, and now I'm almost 6 months on SL, and they both use CiscoGuard. From my experience their filtering capability is the same, it doesn't help me much. SL is a little quicker (sometimes a few hours faster) than TP (they have too much department bouncing).

    So after protection is triggered, I end up cutting connections manually because most of the time CiscoGuard doesn't help much. I don't know what Gigenet is using but I would really like to see how they mitigate DDoS attacks.

  18. #18
    Join Date: Dec 2007 | Location: Indiana, USA | Posts: 16,087
    Quote: Originally Posted by Bono_
    > From time to time I receive DDoS attacks on my server; those attacks are mostly SYN_FLOODS. I've been a few years on TP, and now I'm almost 6 months on SL, and they both use CiscoGuard. From my experience their filtering capability is the same, it doesn't help me much. SL is a little quicker (sometimes a few hours faster) than TP (they have too much department bouncing).
    >
    > So after protection is triggered, I end up cutting connections manually because most of the time CiscoGuard doesn't help much. I don't know what Gigenet is using but I would really like to see how they mitigate DDoS attacks.

    In my experience it depends on the type of attack, how many sources there are, and how closely the attack looks like legitimate traffic.

  19. #19
    Join Date: Feb 2008 | Location: Miami FL | Posts: 375
    From my personal experience with SL servers, Cisco Guard does nothing (or very little) to help in case of a SYN flood or HTTP GET/POST attack. But it does pretty well at mitigating bandwidth attacks like large UDP/TCP packets.
