views: 281

answers: 6
I have a Linux web server farm with about 5 web servers; web traffic is about 20 Mbps.

We currently have a Barracuda 340 Load Balancer (keep away from this device - piece of crap!) that is acting as a firewall. I want to put in a dedicated firewall, and I'd like to know what people's opinions are on building versus buying a dedicated firewall.

Main requirements:

  • Dynamically block rogue traffic
  • Dynamically rate limit traffic
  • Block all ports except 80, 443
  • Limit port 22 to a set of IPs
  • High availability setup

Also, if we go for the build route, how do we know what level of traffic the system can handle?

Thanks in advance!

A: 

Don't know much about this field, but maybe an Astaro security gateway?

Rob Rolnick
+6  A: 

As they say - "there is more than one way to skin a cat":

Build it yourself, running something like Linux or *BSD. The benefit of this is that it makes it easy to do the dynamic part of your question; it's just a matter of a few well-placed shell/python/perl/whatever scripts. The drawback is that your ceiling traffic rate might not be what it would be on a purpose-built firewall device, although you should still be able to achieve data rates in the 300 Mbit/sec range. (You start hitting PCI bus limitations at this point.) This may be high enough that it won't be a problem for you.

Buy a dedicated "firewall device" - A possible drawback of doing this is that doing the "dynamic" part of what you're trying to accomplish is somewhat more difficult - depending on the device, this could be easy (Net::Telnet/Net::SSH come to mind), or not. If you are worried about peak traffic rates, you'll have to carefully check the manufacturer's specifications - several of these devices are prone to the same traffic limitations as "regular" PCs, in that they still run into the PCI bus bandwidth issue, etc. At that point, you might as well roll your own.

I guess you could read this more as a "pros and cons" of doing either, if you want.

FWIW, we run dual FreeBSD firewalls at my place of employment, and regularly push 40+Mbit/sec with no noticeable load/issues.

Dominic Eidson
A: 

Over the last 8 years we maintained a small development network with about 20 to 30 machines. We had one computer dedicated to being the firewall.

Actually, we never ran into serious problems, but we are now replacing it with a dedicated router/firewall solution (though we haven't decided yet which). Reasons for that are: simplicity (the goal is the firewall, not maintaining the Linux that runs it as well), less space and less power consumption.

akr
+1  A: 

Related to high availability: OpenBSD can be configured in a failover / HA way for firewalls. See this description. I've heard that they've done demos where such setups did as well as (if not better than) high-end Cisco gear.

Cd-MaN
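The two "build it yourself" answers above (Linux/*BSD with scripted dynamic blocking, and OpenBSD failover) can be put together against the requirements in the question. The following is an added example, not configuration from any of the posters: a pf.conf for an OpenBSD firewall pair in front of the web farm, plus the interface files that give it CARP/pfsync failover. Interface names (em0/em1), the RFC 5737 documentation addresses, the admin IPs and the rate-limit thresholds are all assumptions chosen for illustration; adjust them to the real network.

```pf
# /etc/pf.conf  (added example; addresses and thresholds are placeholders)
ext_if   = "em0"            # assumed: Internet-facing interface
sync_if  = "em1"            # assumed: dedicated crossover link between the two firewalls
web_farm = "{ 192.0.2.10, 192.0.2.11, 192.0.2.12, 192.0.2.13, 192.0.2.14 }"

# Requirement: limit port 22 to a set of IPs.  A table is cheaper to edit than a rule.
table <admins> persist { 198.51.100.5, 198.51.100.6 }

# Requirement: dynamically block rogue traffic.  Addresses land here either from
# the overload clause below or from a script running "pfctl -t bruteforce -T add".
table <bruteforce> persist

set skip on lo
set block-policy drop

# Requirement: high availability.  CARP heartbeats on the outside, state
# replication on the sync link.  "no-sync" keeps this plumbing out of the
# replicated state table itself.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on $ext_if proto carp keep state (no-sync)

# Default deny; everything that is not explicitly passed below is dropped and logged.
block in log all
pass out quick keep state

# Anything already flagged as rogue is dropped before any other pass rule matches.
block in quick from <bruteforce>

# Requirement: block all ports except 80 and 443, and rate limit per source.
# A single source may hold at most 100 open connections and open at most 50 new
# ones per 5 seconds; exceeding either adds it to <bruteforce> and flushes its
# existing states.  Thresholds are assumptions; tune them from real traffic.
pass in on $ext_if proto tcp to $web_farm port { 80 443 } \
    flags S/SA keep state \
    (max-src-conn 100, max-src-conn-rate 50/5, overload <bruteforce> flush global)

# SSH only from the admin table.
pass in on $ext_if proto tcp from <admins> to $web_farm port 22 \
    flags S/SA keep state

# --- /etc/hostname.carp0 on the primary (advskew 0); use advskew 100 on the backup ---
#   inet 203.0.113.1 255.255.255.0 203.0.113.255 vhid 1 carpdev em0 advskew 0 pass carpsecret
# --- /etc/hostname.pfsync0 on both firewalls ---
#   up syncdev em1
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`. The "dynamic" part the first answer mentions reduces to table operations from a cron job or log watcher, e.g. `pfctl -t bruteforce -T add 198.51.100.77` to block and `pfctl -t bruteforce -T expire 3600` to age entries out after an hour; no rule reload is needed. Because the web farm sits behind the shared CARP address, a failover moves the address and the replicated state table to the backup without dropping established connections, which is the behaviour the OpenBSD answer refers to.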
+2  A: 

Definitely build. I help manage an ISP and we have two firewalls built. One is for failover and for redundancy. We use a program called pfsense. I couldn't recommend this program more. It has a great web interface for configuring it, and we actually run it off a compact flash card.

Dale Ragan
Might give pfsense a go.. I like the look of it.
Ciaran
A: 

Hi, I would go for a dedicated firewall product in this scenario. I have used the Checkpoint firewall range of products for many years, and I have always found them to be easy to set up and manage, and they have great support. Using Checkpoint or one of their competitors is a fairly expensive option, especially if you're comparing it to open source software, so it depends on your budget.

I've also used Cisco's line of PIX and ASA firewalls. These are also good, but in my opinion are more difficult to manage.
