tags:

views:

281

answers:

6
+2  Q: 

Firewall - Build or Buy

I have a Linux web server farm with about 5 web servers, web traffic is about 20Mbps.

We currently have a Barracuda 340 Load Balancer (keep away from this device - piece of crap!) that is acting as a firewall. I want to put in a dedicated firewall and I'd like to know what peoples opinions are on building versus buying a dedicated firewall.

Main requirements:

  • Dynamically block rouge traffic
  • Dynamically rate limit traffic
  • Block all ports except 80, 443
  • Limit port 22 to a set of IPs
  • High availability setup

Also if we go for the build route, how do we know what level traffic the system can handle.

Thanks in advance!

A: 

Don't know much about this field, but maybe an Astaro security gateway?

Rob Rolnick  2008-09-07 15:02:22
+6  A: 

As they say - "there are more than one way to skin a cat":

Build it yourself, running something like Linux or *BSD. The benefit of this, is that it makes it easy to do the dynamic part of your question, it's just a matter of a few well-placed shell/python/perl/whatever scripts. The drawback is that your ceiling traffic rate might not be what it would be on a purpose-built firewall device, although you should still be able to achieve data rates in the 300Mbit/sec range. (You start hitting PCI bus limitations at this point) This may be high enough to where it won't be a problem for you.

Buy a dedicated "firewall device" - Possible drawbacks of doing this, is that doing the "dynamic" part of what you're trying to accomplish is somewhat more difficult - depending on the device, this could be easy (Net::Telnet/Net::SSH come to mind), or not. If you are worried about peak traffic rates, you'll have to carefully check the manufacturer's specifications - several of these devices are prone to the same traffic limitations as "regular" PC's, in that they still run into the PCI bus bandwidth issue, etc. At that point, you might as well roll your own.

I guess you could read this more as a "pro's and con's" of doing either, if you want.

FWIW, we run dual FreeBSD firewalls at my place of employment, and regularly push 40+Mbit/sec with no noticeable load/issues.

Dominic Eidson  2008-09-07 15:14:55
A: 

Over the last 8 years we maintained a small development network with about 20 to 30 machines. We had one computer dedicated to be the firewall.

Actually, we never run into serious problems we are now replacing it with a dedicated router/firewall solution (though we haven't decided yet which). Reasons for that are: simplicity (the goal is the firewall, not to maintain the linux for running it as well), less space and less power consumption.

akr  2008-09-07 15:15:44
+1  A: 

Related to high availability: OpenBSD can be configured in a failover / HA way for firewalls. See this description. I've heard that they've done demos where such setups done as well (if not better) as high-end Cisco gear.

Cd-MaN  2008-09-07 16:34:12
+2  A: 

Definitely build. I help manage an ISP and we have two firewalls built. One is for fail over and for redundancy. We use a program called pfsense. I couldn't recommend this program more. It has a great web interface for configuring it and we actually run it off a compact flash card.

Dale Ragan  2008-09-07 16:45:12
Might give pfsense a go.. I like the look of it.
Ciaran  2008-09-16 21:57:31
A: 

Hi I would go for a dedicated firewall product in this scenario. I have used the Checkpoint firewall range of products for many years and I have always found them to be easy to setup and manage and they have great support. Using Checkpoint or one of their competitors is a fairly expensive option, especially if you're comparing it to open source software, so it depends on your budget.

I've also used Cisco's line of PIX and ASA firewalls. These are also good, but in my opinion are more difficult to manage

 2009-04-20 19:03:14

related questions

Is it possible to get the remote ip address in the Apache log file when behind a NAT firewall?
jboss 4.2.2 GA under windows server 2008 - possibly firewall related?
How secure is IP address filtering?
Client firewall blocks all ports but 80 and 443, need away to forward requets on port 443 to SSH or HTTPS
Is this a Windows XP firewall bug?
Microsoft Active Directory Port
Best way to redirect image requests to a different webserver?
Interesting issue with WCF wsHttpBinding through a Firewall
Is Port Redirection/Forwarding (i.e. 8443 -> 3389) for Windows Vista/Server 2008 possible with the built-in firewall?
ASP.NET application exhibits strange behaviour through firewall
Do you require deep packet inspection on a server-only firewall?
How to Configure SQL Server 2005 Replication through a firewall?
Open ports under Fedora Core 8 (for VMWare Server)
java.sql.Connection extension for SSH
How to create Windows firewall exception in Visual Basic 2005?
UDP and my computer?
Are your attempts to get Answers from Stackoverflow, Google etc. Hampered by your company's firewall
Programmatically add an application to Windows Firewall
Preventing Cisco PIX/ASA5520 from advertising ospf default route to zone
Trying to load files from github through a firewall is impossibly slow. Any suggestions for workarounds?
In Delphi, How do I get an enumerator from LocalPolicy.CurrentProfile.GloballyOpenPorts in the Firewall API
Configuring sendmail behind a firewall
WCF push to client through firewall?
How would I get started writing my own firewall?