<br><div class="gmail_quote">On Mon, Jan 24, 2011 at 10:19 PM, Michael Tewner <span dir="ltr"><<a href="mailto:tewner@gmail.com">tewner@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div class="gmail_quote">2011/1/24 Hetz Ben Hamo <span dir="ltr"><<a href="mailto:hetzbh@gmail.com" target="_blank">hetzbh@gmail.com</a>></span><br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div><div></div><div class="h5">
<div dir="rtl"><div dir="ltr">Hi,</div><div dir="ltr"><br></div><div dir="ltr">I was wondering about the following scenario: </div><div dir="ltr"><br></div><div dir="ltr">I have 2 lines coming from 2 carriers, each line is 2 Gbit internet connection. They go to a router, and then there should be a firewall..</div>
<div dir="ltr"><br></div><div dir="ltr">Here I have 2 choices:</div><div dir="ltr"><br></div><div dir="ltr">1. Take a Cisco/Fortigate/Juniper/Whatever box, throw it in, configure it, and be done with it, while I need to pay some yearly license for updates.</div>
<div dir="ltr">2. Stick some serious Linux server that it will become the firewall.</div><div dir="ltr"><br></div><div dir="ltr">My question: based on whats available for Linux today (iptables, APF, BFD, you-name-it..) - could Linux be trusted as a very good firewall for data center (as an example)? (I know that Checkpoint is using Linux, but they wrote some additional closed source modules, and I haven't heard any alternatives of those modules in open source version)</div>
<div dir="ltr"><br></div><div dir="ltr">I have read articles with people swear that Linux box should suite it while other highly recommended the appliances..</div><div dir="ltr"><br></div><div dir="ltr">Whats your opinion?</div>
<div dir="ltr">Hetz</div><div dir="ltr"><br></div>
</div>
<br></div></div>_______________________________________________<br>
Linux-il mailing list<br>
<a href="mailto:Linux-il@cs.huji.ac.il" target="_blank">Linux-il@cs.huji.ac.il</a><br>
<a href="http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il" target="_blank">http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il</a><br>
<br></blockquote></div><br><div>1. If you ever plan on hitting 2 Gbit on a Cisco, you'll need some heavy-duty firewalls ( <a href="http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html" target="_blank">http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html</a> ) running you > $20,000<br>
2. On the other hand, I don't know how much you're paying for 2 2Gbit links, so "heavy-duty" firewalls might be just a drop in the bucket...</div><div>3. I would recommend an appropriately scaled firewall appliance</div>
<div>4. If you plan to go with Linux, make sure IPtables can actually handle that much bandwidth. </div><div><br></div><div>-Mike</div>
</blockquote></div><div>Also - </div>Many firewall appliances come with Active/Active and Active/Passive configurations. If you roll-your-own linux firewall, you'll need to mess with HSRP, VRRP, syncing configurations, syncing open connections, monitoring your connections, and a myriad of other things which a company who specializes in this sort of thing has already solved. <br>
<div>-Mike</div>