  1. #1
    Join Date
    Mar 2004
    Posts
    68

    Firewall advice for 1-3 servers

    We are looking for a good firewall appliance to purchase as we are moving from dedicated to colo. We will only be using one server (webserver running WHM/cpanel) initially, but may add another in a few months (either a backup server or another webserver plus a backup server).

    Since we're going colo, we've decided not to go the pfsense/etc route since we don't want to buy more U-space just for that machine.

    We'd like to keep it under $600, but we're flexible. We also prefer a decent GUI (we're not network guys), and maybe even auto-updates from the vendor. IDS/IPS is also a feature we'd like to see.

    We are considering Juniper's Netscreen line, the Cisco ATA 55xx series, and even Sonicwall - but we want to get some advice from the experts first. Thanks for your input.

  2. #2
    Join Date
    Apr 2007
    Posts
    3,513
    I would recommend the Netscreens for a setup like yours. They are a decent price and do the job well.
    - Buying up websites, side-projects and companies - PM Me! -

  3. #3
    Join Date
    Jan 2009
    Posts
    3,876
    I'd avoid Sonicwall due to "I hate them reasons." I always end up with ones that don't like to reboot properly and freak out all the time. TZ170s and TZ190s mostly. That being said, I will throw my hat in with something like a Cisco ASA 5505 as a good firewall. You can pick those up brand new from $400-$600 from various vendors: PC Mall, PC Nation, PC Connection, CDW and Newegg if you want it fast and easy. No experience with Juniper, but there is no shortage of good things I hear about them.

  4. #4
    I would recommend SmoothWall. You can place it on hardware of your choice and add options as you need them. They have optional spam/virus filtering if you decide to turn it on later.

    Smoothwall is an open source product that has both free and pay versions. The pay versions are excellent. I have used them for around 7 years now and never had any issues. If you need more info, I would be happy to tell you anything you want to know.

    www.smoothwall.net - pay version
    www.smoothwall.org - free version
    Jerel Byrd
    HostingTulsa.com

  5. #5
    Join Date
    Sep 2009
    Location
    Stockholm
    Posts
    43

  6. #6
    Join Date
    Jun 2009
    Location
    Washington
    Posts
    374
    Quote Originally Posted by portlane View Post
    A linux box with IPTables? =)
    Just beautiful!!
    ABSF
    Arrogant Bastard Server Farm
    Built from scratch Data Center serving
    100 year-old Metaphysical Library

  7. #7
    Join Date
    Mar 2004
    Posts
    68
    Thanks for the responses so far - I'm surprised at the general lack of options in this space though. I expected to have several different options for this decision, but it appears to be coming down to either an ASA5505 or a Netscreen.

    Thanks for the other suggestions too, and for other applications we're all over freeware alternatives - just not for this project.

    Which Netscreen would be most comparable in both price & features to the ASA5505?

  8. #8
    Join Date
    Mar 2004
    Posts
    68
    Ok, another question... It looks like the Netscreens are EOL - which of Juniper's other product lines would you folks recommend? SRX? SSG? This just got a bit more confusing...

    And that GUI is still very important to us.
    Last edited by IIIBradIII; 11-19-2009 at 10:41 AM.

  9. #9
    I would recommend the Juniper SSG5 firewall. We have about 25 in use and they are great for a few servers all the way up to a full rack. We have had almost zero issues with them and you can find them online for a good price sometimes. I hope this helps.

  10. #10
    Join Date
    Mar 2004
    Posts
    68
    So what I'm hearing so far is that the Cisco is great, but difficult to work with unless you know Cisco IOS well. I've worked with IOS on 2950 switches over the years, but nothing deep and certainly nothing having to do with routing (maybe in our application routing wouldn't even be required though?). I'm not sure we could manage it correctly.

    The SonicWalls seem to be on our knowledge level, but are not as reliable as Cisco or Juniper. Reliability is more important to us than a nice GUI, so that almost takes them out of the running IMO.

    How simple are the Junipers to manage? And is the SRX line just the newer version of the legacy SSG?

  11. #11
    Join Date
    Mar 2007
    Posts
    402
    There is a very lengthy thread 3 down from you right now that goes over the exact same question. There are some good replies in there:

    http://www.webhostingtalk.com/showthread.php?t=900051
    iCall Carrier Services - Carrier-grade VoIP services from a licensed CLEC - http://carriers.icall.com
    Domestic termination and origination, toll-free origination, A-Z International termination, dedicated servers, and colocation in our wholly-owned datacenter
    Real-time ordering via our control panel or XML-based API with over 20,000 numbers in stock

  12. #12
    Join Date
    Mar 2004
    Posts
    68
    Another question... Are the services (IPS/DI/AV/etc) useful at all for a colo setup like we are planning? Or are those additional services only useful for remote office deployments like these devices seem to be built for?

  13. #13
    Join Date
    Feb 2004
    Posts
    634
    Quote Originally Posted by IIIBradIII View Post
    Thanks for the responses so far - I'm surprised at the general lack of options in this space though. I expected to have several different options for this decision, but it appears to be coming down to either an ASA5505 or a Netscreen.
    I think you'll find that in the web hosting world, security is largely derived from networking vendors' products, hence Cisco and Juniper dominate. Based on what I've read here, some have also recommended Astaro and Fortinet products, so you might want to check them out. Outside of the hosting world, in the so-called "enterprise data center" security market, you'll find a lot more variety of products--SecureComputing/McAfee, Checkpoint, CrossBeam, IBM/ISS, Palo Alto Networks, etc. These are generally for securing much larger networks that don't push as much traffic, and aren't typically used much in the hosting world.

  14. #14
    Hi!

    +1 for Linux box with iptables.

    I mean, there is nothing an appliance does that you can't do with a Linux firewall (at least as far as I know; if somebody knows otherwise, tell me!). As a matter of fact, there are some boxes that actually run Linux internally.

    I have been able to:

    + Load balance several Internet Links.
    + Configure BGP.
    + Configure VLANs: some time in the past, we were even able to replace a core router with a Linux box. The core died, and it would take months to get a replacement, so.... in the end, the Linux box stayed there for around 1 year.
    + Do policy routing.
    + Normal NAT (SNAT, DNAT).
    + Other stuff that I can't remember now.

    All of that with only a basic Linux firewall; if you add other software, there is a lot more that you can do.

    I hope this helps,

    Ildefonso Camargo

  15. #15
    Join Date
    Jun 2009
    Location
    Washington
    Posts
    374
    Quote Originally Posted by soulhunter View Post
    Hi!

    +1 for Linux box with iptables.

    I mean, there is nothing an appliance does that you can't do with a Linux firewall (at least as far as I know; if somebody knows otherwise, tell me!). As a matter of fact, there are some boxes that actually run Linux internally.

    I have been able to:

    + Load balance several Internet Links.
    + Configure BGP.
    + Configure VLANs: some time in the past, we were even able to replace a core router with a Linux box. The core died, and it would take months to get a replacement, so.... in the end, the Linux box stayed there for around 1 year.
    + Do policy routing.
    + Normal NAT (SNAT, DNAT).
    + Other stuff that I can't remember now.

    All of that with only a basic Linux firewall; if you add other software, there is a lot more that you can do.

    I hope this helps,

    Ildefonso Camargo
    It surely does!

  16. #16
    Join Date
    Mar 2004
    Posts
    68
    Thanks guys, but we're not considering a linux box because we don't want to pay for the extra U space for it.

  17. #17
    I'd go with a used Sonicwall Pro series; we use the Pro 2040 and it works just fine for what we need. It's simple to use and we haven't had any real issues with it.

  18. #18
    Quote Originally Posted by IIIBradIII View Post
    Thanks guys, but we're not considering a linux box because we don't want to pay for the extra U space for it.
    Ok, this caught my attention: you don't need to pay for an extra rack unit for a firewall appliance? (Just curious, I have never paid for colocation.)

  19. #19
    Join Date
    Mar 2004
    Posts
    68
    Not if we can get one small enough - so far the ASA5505 and maybe one of the smaller Junipers are small enough to fit in the rack behind the server.

  20. #20
    Ok... my curiosity grows.... http://www.cisco.com/en/US/docs/secu...html#wp1035111 <--- ok, rack mount, no problem so far... but.. behind the server.... (this is getting a little off-topic, but it is interesting for me), how? (Maybe I'm missing something in the rack structure.)

  21. #21
    Join Date
    Mar 2004
    Posts
    68
    Dimensions 7.9" x 6.9" x 1.8"

    Not to mention the power consumption on a small appliance like this is considerably less than if we stuck a dedicated 1U machine in there as a fw.
    Last edited by IIIBradIII; 11-22-2009 at 01:05 AM.

  22. #22
    Join Date
    Jun 2009
    Location
    Washington
    Posts
    374

    Yep, it is a 'strap on', where it does not matter if it hangs out on the back end cause there is no back panel/door to squish it?

    Or maybe some 'speciality built short server'?

    Hey, I have some really large 7U servers and I am sure you could fit that ASA 5505 'inside' the server, but you would need to be adaptive to suspend it so it does not touch anything, and then maybe drill a hole or two to wire it up nice.

    <smiles>

  23. #23
    Join Date
    Sep 2004
    Location
    Beaverton, OR
    Posts
    261
    Quote Originally Posted by IIIBradIII View Post
    So what I'm hearing so far is that the Cisco is great, but difficult to work with unless you know Cisco IOS well. I've worked with IOS on 2950 switches over the years, but nothing deep and certainly nothing having to do with routing (maybe in our application routing wouldn't even be required though?). I'm not sure we could manage it correctly.

    The SonicWalls seem to be on our knowledge level, but are not as reliable as Cisco or Juniper. Reliability is more important to us than a nice GUI, so that almost takes them out of the running IMO.

    How simple are the Junipers to manage? And is the SRX line just the newer version of the legacy SSG?
    Just a little perspective here, I've never dealt with CISCO hardware myself until very recently. A couple months ago I switched our office network to use a CISCO ASA 5505. I had a contractor do the initial configuration (VPN, VOIP QOS, dual-wan routing w/failover, etc). After the appliance was deployed I took over the maintenance and have been using the ASDM GUI.

    It didn't take too long to get the hang of it and I'm regularly modifying routing, firewall and VPN settings. It's definitely more complicated than any firewall/router I've dealt with but it's "learnable". One of the issues I keep running into is the fact that most of the knowledgeable CISCO folks don't use the GUI and I tend to have to a) figure it out on my own or b) drop into the IOS CLI. Also, from what I gather, the GUI used to be limited in what it could do but as far as I can tell the later versions handle everything that you need.

    That said I love this little guy, it's got more features than I know what to do with and has been extremely stable for us. I know this is not the same as a server environment but I figured it may be of some use.

    Regards,
    Jerret

  24. #24
    Hi!

    I see the point. In the DC where I have installed systems (CANTV), the people there wouldn't let us put a "box hanging" behind the server; they were very direct: rack mount devices *only*..... Inside the server: I think there shouldn't be any problem.

    Now, if talking about small devices:

    http://www.mini-itx.com/store/?c=40

    or

    http://www.pcengines.ch/ ----> http://www.pcengines.ch/alix2d13.htm

    Along with a box, like this: http://www.pcengines.ch/case1c2.htm

    The advantage of the pcengines hardware is: low power (very low power), and DC power supply (~12V, and that's all).

    Anyway, just wanted to share these "little toys" with you all.

    Sincerely,

    Ildefonso Camargo

  25. #25
    Join Date
    Mar 2004
    Posts
    68

    Quote Originally Posted by RelativeDesign-Jerret View Post
    Just a little perspective here, I've never dealt with CISCO hardware myself until very recently. A couple months ago I switched our office network to use a CISCO ASA 5505. I had a contractor do the initial configuration (VPN, VOIP QOS, dual-wan routing w/failover, etc). After the appliance was deployed I took over the maintenance and have been using the ASDM GUI.

    It didn't take too long to get the hang of it and I'm regularly modifying routing, firewall and VPN settings. It's definitely more complicated than any firewall/router I've dealt with but it's "learnable". One of the issues I keep running into is the fact that most of the knowledgeable CISCO folks don't use the GUI and I tend to have to a) figure it out on my own or b) drop into the IOS CLI. Also, from what I gather, the GUI used to be limited in what it could do but as far as I can tell the later versions handle everything that you need.

    That said I love this little guy, it's got more features than I know what to do with and has been extremely stable for us. I know this is not the same as a server environment but I figured it may be of some use.

    Regards,
    Jerret
    Thanks Jerret - that is helpful info from someone in what looks like a similar situation to ours. We'll take another look at the 5505.

    Question: how much does Cisco charge for updates?
    Last edited by IIIBradIII; 11-23-2009 at 10:03 AM.

  26. #26
    Join Date
    Nov 2009
    Location
    Latvia, Riga
    Posts
    8
    Quote Originally Posted by IIIBradIII View Post
    We are looking for a good firewall appliance to purchase as we are moving from dedicated to colo. We will only be using one server (webserver running WHM/cpanel) initially, but may add another in a few months (either a backup server or another webserver plus a backup server).

    Since we're going colo, we've decided not to go the pfsense/etc route since we don't want to buy more U-space just for that machine.

    We'd like to keep it under $600, but we're flexible. We also prefer a decent GUI (we're not network guys), and maybe even auto-updates from the vendor. IDS/IPS is also a feature we'd like to see.

    We are considering Juniper's Netscreen line, the Cisco ATA 55xx series, and even Sonicwall - but we want to get some advice from the experts first. Thanks for your input.
    Super experience with Juniper 5, 25, 140 models.
    No problems in many years.

  27. #27
    Join Date
    Feb 2004
    Posts
    634
    Quote Originally Posted by IIIBradIII View Post
    Thanks Jerret - that is helpful info from someone in what looks like a similar situation to ours. We'll take another look at the 5505.

    Question: how much does Cisco charge for updates?
    You need an active SmartNet maintenance contract from Cisco, which they bind to your account in their TAC system. So if you just want updates, you'll need to get the cheapest support contract, which is generally 8-5 NBD. As a general rule of thumb, those maintenance packages are around 20% of the device MSRP, give or take. So for a 5505, I'd guess it's in the $80 - $100 range per year.

  28. #28
    Join Date
    Mar 2004
    Posts
    68
    Thanks for that.

  29. #29
    Join Date
    Nov 2009
    Location
    Montreal
    Posts
    70
    I would recommend the ASA5505! Easy to configure, lots of how-tos, flexible, fast.
    Personally I would stay away from the Netscreen.

    I saw you were going to run cPanel. Watch out: use your firewall in transparent mode, as cPanel now bans servers when running behind NAT, or multiple servers behind a firewall.

    "It was once semi-possible to run cPanel behind a NAT firewall, however the system has changed somewhat so that if you use more than one server behind the NAT (more than one appears from behind the same public IP), the license server will lock the public IP out to prevent abuse. There are other technical problems such as virtual hosting with apache and domain->ip mapping, dns and so on that prevent us from supporting this method."
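    As an added example, not code from any post in this thread, tying together soulhunter's point in #14 that a Linux box with iptables covers the appliance's job and the cPanel caveat quoted just above: a routed, no-NAT iptables-restore ruleset for one cPanel/WHM web server behind a two-interface Linux firewall. Interface names, the server's public IP and the admin network are placeholders, and the cPanel/WHM ports 2083/2087 are assumed from cPanel's documented defaults rather than taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: a routed (no-NAT) iptables ruleset for
# the topology discussed here, one cPanel/WHM web server behind a
# two-interface Linux firewall. The firewall only FORWARDs packets and never
# rewrites addresses, so the server keeps its own public IP and the cPanel
# licence server sees it directly (the NAT caveat quoted in post #29).
# Requires net.ipv4.ip_forward=1 on the firewall host.
# Assumed placeholder values (not from the thread):
WAN_IF="${WAN_IF:-eth0}"                   # uplink to the colo provider
LAN_IF="${LAN_IF:-eth1}"                   # leg towards the servers
WEB_IP="${WEB_IP:-203.0.113.10}"           # public IP routed to the web server
ADMIN_NET="${ADMIN_NET:-198.51.100.0/24}"  # where SSH/WHM admins come from

# Emit a complete iptables-restore(8) ruleset on stdout.
gen_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Firewall host itself: loopback, established flows, SSH from admins only.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $WAN_IF -p tcp --dport 22 -s $ADMIN_NET -j ACCEPT
# Forwarded traffic: the server may go out; only listed services come in.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $LAN_IF -o $WAN_IF -s $WEB_IP -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp -m multiport --dports 80,443 -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p tcp -m multiport --dports 22,2083,2087 -s $ADMIN_NET -j ACCEPT
-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
COMMIT
EOF
}

# Guard for the post #29 caveat: a routed ruleset must carry no nat table
# and no MASQUERADE/SNAT/DNAT target. Exit status 0 means NAT-free.
ruleset_is_nat_free() {
    ! gen_ruleset | grep -Eq '^\*nat|-j (MASQUERADE|SNAT|DNAT)'
}

# Number of FORWARD rules that admit new inbound connections to the web
# server, to confirm only the intended services are exposed.
count_inbound_rules() {
    gen_ruleset | grep -c -- "-A FORWARD -i $WAN_IF -o $LAN_IF -d $WEB_IP"
}

# Apply on a real firewall (as root):
#   gen_ruleset > /etc/iptables/rules.v4 && iptables-restore < /etc/iptables/rules.v4
```

    Adding a second server means another public IP and its own set of FORWARD lines, still without a nat table, so the licence check keeps seeing each server's real address.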

  30. #30
    Join Date
    Mar 2004
    Posts
    68
    Thanks - good info.
