
06-24-2009, 04:35 AM | Newbie | Join Date: Mar 2009 | Posts: 24
Softlayer, Cisco Guard and ded. Firewall
Hi all,
I'd like to ask you all for your opinion on this situation.
I was interested in Softlayer's offer for a Cisco 1000Mbps dedicated firewall, thinking that a $199 cost is cheaper than other providers' ones.
I need an external firewall to filter some malicious traffic reaching my server, and free the CPU from the work of filtering it using iptables. So I decided to talk with Softlayer sales (2 times).
Now, the point is this: the Softlayer sales agents, when you ask about firewalls, continue to say that a firewall is NOT for traffic filtering or protection, and for that there is already a Cisco Guard offered by default. Unfortunately, I've seen many Softlayer servers used for the same purpose I am planning to use it for (an audio-video chat service) and I can assure you I have seen them reacting to SYN floods just like totally unprotected servers. So that famous Cisco Guard is not very well configured, at least. Now, on other provider sites (for example Aplus.net) they offer a Cisco firewall "defending against DDOS attacks" and they even specify all the attacks it will defend against.
My questions are:
1) Who is right? Does a Cisco firewall protect or not?
2) Why should I spend $199 for a Softlayer firewall?
3) Why does Cisco Guard seem not to work at all? (And please do not reply to me "we are not ddos specialists"; I've heard this story hundreds of times. There is a big difference between being protected against "not too big attacks" and not being protected at all, and, I repeat, servers from the Softlayer network seem to suffer attacks just like there is no protection.)
So far, I've found the kind of protection I am searching for only on the GOGRID servers; even on STAMINUS the protection is not enough for me. Unfortunately GOGRID prices ($.50/GB) are not acceptable for me. Funny enough, the Servepath dedicated servers, same company as gogrid, are not protected at all! (And I'd like this explained to me also.)
Thanks all and sorry for the long post.

06-24-2009, 04:49 AM | Custom Hosting Master | Join Date: Jan 2007 | Posts: 2,602
Depends what sort of attack is hitting you, as the Cisco firewall might be completely useless in most cases, whereas a Cisco Guard might mitigate it. If the attack is extremely large you're going to get null routed while the service provider works with their upstream providers to stop it (1gbps attacks).
Try not to put too much trust into what hosts advertise they can defend against and what people call a "firewall", as some tend to bend the meaning to make it look like you spend an extra monthly fee and you're free from attacks.
__________________
478east
High Bandwidth Servers
Custom Hosting Solutions

06-24-2009, 05:30 AM | Engineer | Join Date: Jan 2005 | Location: Scotland, UK | Posts: 2,380
It will depend on the type of attack but a $199 firewall isn't going to filter any half decent attack and no provider is essentially going to pay to absorb the attack for you. There are ddos protected providers suited exactly for this type of thing but as I said they are not going to pay to continually absorb the attack for you and will simply pass the costs along to you.
__________________
Server Management - AdminGeekZ.com
Infrastructure Management, Web Application Performance, mySQL DBA. Keep your servers online.
United Kingdom: *0800 8620073* // United States: *585 563 1729* // Australia: *02 9037 2448* // International: *+44.1412800134*
Scott Mcintyre

06-25-2009, 04:03 AM | Newbie | Join Date: Jun 2009 | Posts: 9
I don't think you know what you are talking about.
1. The Cisco Guard is specifically designed to protect networks against DDoS and other malicious attacks. If it did not work then Cisco would have been called out long ago and large providers such as SoftLayer would not be using this equipment.
2. SoftLayer runs one of the most stable and higher performance networks in the world. I think they know a little more about protecting a network than the average joe. Maybe the servers you see having a problem are being null routed due to the size of the attacks? Most providers tend to do this to protect themselves.
The best thing to do would be to figure out why you are being attacked at such a high rate and then quit doing whatever that thing is. Most of the time people with problems of that size are making someone mad by hosting warez sites, religious/political slander, or some type of illegal pornography.

06-25-2009, 04:07 AM | Newbie | Join Date: Mar 2009 | Posts: 24
The fact remains that GOGRID cloud servers are protected against almost every attack I've seen; Softlayer servers are not. And gogrid does not even advertise this.
P.S.: I am not a gogrid employee; in fact I think they're too expensive.

06-25-2009, 04:16 AM | Community Liaison | Join Date: May 2006 | Location: EU & USA | Posts: 3,626
I believe the Cisco Guards are only deployed on request for times you are under attack; create a ticket with Softlayer to check this.

06-25-2009, 05:07 AM | Web Hosting Master | Join Date: Oct 2002 | Location: Vancouver, B.C. | Posts: 1,867
Quote:
Originally Posted by styson77
I don't think you know what you are talking about.
1. The Cisco Guard is specifically designed to protect networks against DDoS and other malicious attacks. If it did not work then Cisco would have been called out long ago and large providers such as SoftLayer would not be using this equipment.
|
Cisco Guard is hardly the end-all and be-all of ddos mitigation. It does effectively defend against some attacks, but other products do a better job in the same or other areas. In any event, Softlayer is not specialized for DDoS mitigation, and there are other providers using different technologies that do a better job.
Quote:
2. SoftLayer runs one of the most stable and higher performance networks in the world. I think they know a little more about protecting a network than the average joe. Maybe the servers you see having a problem are being null routed due to the size of the attacks? Most providers tend to do this to protect themselves.
The best thing to do would be to figure out why you are being attacked at such a high rate and then quit doing whatever that thing is. Most of the time people with problems of that size are making someone mad by hosting warez sites, religious/political slander, or some type of illegal pornography.
|
Softlayer's network performance reflects their upstreams more than their own actual efforts, as they don't really have a fleshed out backbone. They may know a little more than the average joe about DDoS protection, but they know, or at least offer far less than some other providers, about proper DDoS mitigation.
There are many companies who offer legitimate products or services who are attacked nonetheless, and they are not to blame for the attacks launched against them. In these instances, Softlayer may not be the best option. Just because you may not suffer from these same problems does not mean they do not exist.
To the op:
1) Firewalls are only effective against more simplistic attacks. Many attacks are much more difficult to filter, particularly when they target legitimate services or protocols. In these instances, deep packet inspection and behavioural analysis are required, which requires ddos mitigation devices and not just firewalls.
2) Firewalls are meant for policy control, not ddos mitigation. If you would like to enforce a policy, without that enforcement ever affecting your server's performance, then a separate firewall may be a good option.
3) Cisco Guard is highly dependent on netflows, which do not provide a lot of granularity and are for the most part limited to the transport layer and below. Some attacks can't be detected effectively without examining the application layer.
__________________
Han Hwei Woo, ASTUTE HOSTING AS54527 *Advanced and customized solutions for the savvy customer!*
Dedicated Hosting and CDN out of Vancouver, Seattle, LA, Toronto, NY, Miami, and (soon) London
We include CDN, anycast DNS, onboard KVMoIP, firewall, local and global load-balancing, and privatenet with all servers.
sales@astutehosting.com

06-25-2009, 06:17 AM | Web Hosting Master | Join Date: Aug 2002 | Location: Atlanta, GA | Posts: 1,114
Any system, Cisco, TopLayer, TippingPoint, are good units but NONE of them stop everything that is out there. Also, these are not set and forget devices; they need to be tweaked from time to time and adapted to new threats.
__________________
SiteSouth
Atlanta, GA and Las Vegas, NV. Colocation

06-25-2009, 09:09 AM | Newbie | Join Date: Mar 2009 | Posts: 24
If I could filter packets with specific SOURCE (not destination) ports, it would be enough for me, as the packets all come from the same source ports.
|
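Added example, not part of any post in this thread: a sketch of the transport-layer view discussed above (flow records only, no payload), applied to the source-port case just raised. The flow records are constructed sample data, and `dominant_source_ports`, `drop_rules` and the 80% share threshold are illustrative assumptions.

```python
from collections import Counter

# Constructed flow records: (protocol, source IP, source port, destination port, packets).
# Addresses come from the documentation ranges in RFC 5737.
FLOWS = [
    ("udp", "198.51.100.7", 53, 40211, 90000),
    ("udp", "203.0.113.9", 53, 51877, 85000),
    ("udp", "192.0.2.44", 53, 33012, 70000),
    ("tcp", "198.51.100.20", 50122, 443, 1200),
    ("tcp", "203.0.113.77", 41873, 443, 900),
    ("udp", "192.0.2.10", 40000, 5060, 300),
]

def dominant_source_ports(flows, share=0.8, min_sources=2):
    """Return (proto, sport) pairs that carry at least `share` of the packets
    of their protocol and are seen from at least `min_sources` addresses."""
    packets = Counter()     # packets per (proto, sport)
    per_proto = Counter()   # packets per protocol
    sources = {}            # distinct source addresses per (proto, sport)
    for proto, src, sport, _dport, count in flows:
        packets[(proto, sport)] += count
        per_proto[proto] += count
        sources.setdefault((proto, sport), set()).add(src)
    return sorted(
        key for key, n in packets.items()
        if n / per_proto[key[0]] >= share and len(sources[key]) >= min_sources
    )

def drop_rules(ports):
    """Render iptables commands. The raw table's PREROUTING chain is
    evaluated before connection tracking, so drops there cost the least CPU."""
    return [
        f"iptables -t raw -A PREROUTING -p {proto} --sport {sport} -j DROP"
        for proto, sport in ports
    ]

if __name__ == "__main__":
    for rule in drop_rules(dominant_source_ports(FLOWS)):
        print(rule)
```

A source-port rule also drops legitimate replies from that port (here, DNS answers to the server's own lookups), and it only relieves host CPU: a flood that fills the uplink still has to be filtered upstream. Traffic spread across many source ports produces no candidate at all, which is the granularity limit of flow-level data described earlier in the thread.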

06-25-2009, 03:45 PM | Web Hosting Guru | Join Date: Sep 2007 | Location: Toronto, Canada | Posts: 260
Quote:
Originally Posted by 040Hosting
I believe the Cisco Guards are only deployed on request for times you are under attack; create a ticket with Softlayer to check this.
|
This was how this tool was deployed when we were a SL customer. When we needed this protection a simple support ticket gave us 48 hours of protection. If the attack was still going after that, which it never was, then we would have to do something else.

06-26-2009, 03:55 AM | Newbie | Join Date: Mar 2009 | Posts: 24
What is the speed of deploying protection after a ticket?
Why do they not deploy it by default?
Is it the same if I take a 10TB.com server, or would it take days to deploy?

06-26-2009, 03:58 AM | Community Liaison | Join Date: May 2006 | Location: EU & USA | Posts: 3,626
I am not sure why you ask, but SL is always VERY fast with their tickets and implementations as it's almost all fully automated.
10TB is using SL facilities as far as I know; I don't know how they would handle this.

06-26-2009, 04:08 AM | Newbie | Join Date: Mar 2009 | Posts: 24
Well, this totally changes the situation. Probably the servers I have seen under attack did not know they had to open a ticket. Unfortunately the speed of implementing the Cisco Guard is crucial for my "business".

06-26-2009, 04:16 AM | Community Liaison | Join Date: May 2006 | Location: EU & USA | Posts: 3,626
Quote:
Originally Posted by Winstar
Well, this totally changes the situation. Probably the servers I have seen under attack did not know they had to open a ticket. Unfortunately the speed of implementing the Cisco Guard is crucial for my "business".
|
I am not sure why you say "Unfortunately"; did you already ask them in a ticket how fast this happens? Without asking SL about this you will never be sure.
You can keep asking here, but really you get your best information from SL itself.

06-26-2009, 01:33 PM | Web Hosting Guru | Join Date: Sep 2007 | Location: Toronto, Canada | Posts: 260
Once I created a ticket stating a DOS was underway against a specific IP on our server they (SL) put our server's traffic through CiscoGuard pretty well right away. Service was always prompt and they were ready to help. Also being on their IRC channel helped a lot to inform specific people whom I know and are very good at getting things done in a hurry.