Linux firewall vs appliance
Michael Tewner
tewner at gmail.com
Tue Jan 25 08:01:15 IST 2011
On Tue, Jan 25, 2011 at 12:46 AM, Hetz Ben Hamo <hetzbh at gmail.com> wrote:
> Hi Michael,
>
>> 1. If you ever plan on hitting 2 Gbit on a Cisco, you'll need some
>> heavy-duty firewalls (
>> http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html )
>> running you > $20,000
>>
>
> 4 Gbit, not 2 :)
>
Sorry - Assumed those were 2 links for failover.
>
>
>> 2. On the other hand, I don't know how much you're paying for 2 2Gbit
>> links, so "heavy-duty" firewalls might be just a drop in the bucket...
>>
>
> $20k a drop in a bucket? How much do you really think 2X2Gbit
> costs? Not that much ;)
>
2X2Gbit _reliable_ symmetric bandwidth from a Tier IV datacenter? That would
cover the $20k within 2-3 months - at least in my experience. I would sooner
get the datacenter to give me 2 separate IP downlinks, each with the
required bandwidth, from their routing mesh (covering the same IP space) and
have them manage the failover for me (at least on the uplink side. Some
switching magic required here, again, by the datacenter). You'll end up with
the redundancy of the datacenter (who probably have multiple carriers
through opposite ends of the building) and paying for just one link instead
of two. Again, don't reinvent the wheel.
>
>
>> 3. I would recommend an appropriately scaled firewall appliance
>>
>
> There used to be a time when you could buy a firewall, do some updates
> periodically and be done with it. Today it's more about contracts. You buy
> the boxes, you pay a contractor to do the job for you (if you don't know how
> to do this), and then there's this yearly update service which costs you an
> arm and a leg, and if something goes wrong with the vendor, you're left with
> an expensive brick. See my post here <http://benhamo.org/wp/?p=2256> for
> example.
>
I work mostly with Cisco - it's pretty intuitive and upgrades are pretty
painless. While Cisco might not be as reliable (as far as "vendor" support)
as Linux, I have faith that Cisco will be around for at least the life of my
firewalls. Yes, again, you would want support contracts for the Ciscos,
but:
1. You might want to get RedHat/your-favorite-distribution support for
software stability of such a critical piece of your network
2. You would definitely need hardware support anyway on your Linux servers
>> 4. If you plan to go with Linux, make sure IPtables can actually handle that
>> much bandwidth.
>>
>
> I will check that. I'll also check pfsense.
>
>
As we're already talking about closed-source Cisco FW's in this thread,
please don't lynch me for suggesting:
Solaris 11.
<evangelism>
1. Especially the new "flows" feature which will dedicate kernel resources to
specific "flows" - http://blogs.sun.com/JeffV/entry/virtual_networks
2. IPFilter was added in Solaris 10, and expanded in Solaris 11:
http://www.homepage.montana.edu/~unixuser/031705/create_solaris_ipf.html
3. Solaris comes with a built-in L3/L4 load balancer, should you need it:
http://www.oracle.com/technetwork/articles/servers-storage-admin/solaris11enetwork-186212.pdf
4. And finally, on the correct hardware - 10Gbit interface support
_controlled by the CPU itself_.
</evangelism>
>> Also -
>> Many firewall appliances come with Active/Active and Active/Passive
>> configurations. If you roll-your-own linux firewall, you'll need to mess
>> with
>> HSRP, VRRP, syncing configurations, syncing open connections, monitoring
>> your connections, and a myriad of other things which a company
>> who specializes in this sort of thing has already solved.
>
> True, but when the cisco/other boxed solution costs $20K, it might be a
> better idea to look for alternatives, maybe a distribution which has this or
> a solution that is based on Linux and has this solution covered. 2 HP G6
> servers with dual Xeon cost about $6k, which can handle this traffic easily,
> and if I add contractor+solution costs, I could go about $10k, that's 50%
> of Cisco's offer..
>
Correct - the open-source solution is generally going to be less expensive.
But unless you get enterprise support (which you did not include in your
estimate), YOU will be providing the enterprise support. Make sure that
assuring 99.999% uptime to your customers is something you are able to
provide (if required/possible) and work out how much of *your* resources
will be taken up writing all those failover scripts, testing them ad nauseam
on your identical LAB environment, etc.
I'm not saying not to go with Linux - just offering alternatives. Good luck!
>
Hetz
>
> -Mike
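As an added illustration of the roll-your-own work the thread describes (VRRP failover, connection-state sync and sizing netfilter for the load), here is a script that is not from either poster's messages. It generates a default-drop stateful iptables-restore ruleset, a keepalived VRRP instance that hands master/backup transitions to conntrackd so the surviving node inherits the connection table, and conntrack table sizing for an expected flow count. Interface names (eth0/eth1), the VIP 192.0.2.1/24, virtual_router_id 51, the conntrackd sync port 3780, the primary-backup.sh path and the 1:4 bucket-to-entry ratio are all assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): minimal active/passive Linux
# firewall pair pieces. All interface names, addresses, VRID, ports and
# paths below are assumptions for illustration.

# Stateful, default-drop ruleset in iptables-restore format.
# $1 = WAN interface, $2 = LAN interface (assumed names).
gen_iptables_rules() {
    wan="$1"; lan="$2"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Established/related flows first: the conntrack lookup is the fast path,
# so most packets never walk the rest of the chain.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Packets conntrack cannot classify are dropped rather than evaluated.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
# VRRP (IP protocol 112, multicast 224.0.0.18) and conntrackd state sync
# (UDP 3780 assumed) are accepted only on the LAN-side interface.
-A INPUT -i $lan -p 112 -d 224.0.0.18 -j ACCEPT
-A INPUT -i $lan -p udp --dport 3780 -j ACCEPT
# Management from the LAN only.
-A INPUT -i $lan -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# New outbound flows from LAN to WAN; nothing new from WAN is forwarded.
-A FORWARD -i $lan -o $wan -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# keepalived VRRP instance for one node.
# $1 = MASTER|BACKUP, $2 = priority, $3 = interface, $4 = VIP with prefix.
gen_keepalived_conf() {
    state="$1"; prio="$2"; iface="$3"; vip="$4"
    cat <<EOF
vrrp_instance FW_WAN {
    state $state
    interface $iface
    virtual_router_id 51
    priority $prio
    advert_int 1
    virtual_ipaddress {
        $vip
    }
    # Hand VRRP transitions to conntrackd's helper script (assumed path) so
    # the new master commits the replicated state table before it takes
    # the VIP, and the demoted node flushes and resyncs.
    notify_master "/etc/conntrackd/primary-backup.sh primary"
    notify_backup "/etc/conntrackd/primary-backup.sh backup"
    notify_fault  "/etc/conntrackd/primary-backup.sh fault"
}
EOF
}

# Size the conntrack table for an expected number of concurrent flows with
# 2x headroom. Bandwidth alone is not the limit for iptables; a full
# conntrack table drops new flows. The 1:4 bucket:entry ratio is an
# assumption (a common rule of thumb), not a kernel requirement.
# Prints "max buckets" so callers can write the sysctl and the module
# parameter (/sys/module/nf_conntrack/parameters/hashsize) respectively.
conntrack_sizing() {
    expected="$1"
    max=$((expected * 2))
    buckets=$((max / 4))
    printf '%d %d\n' "$max" "$buckets"
}

# Usage: ./fwpair.sh show   (prints all three artefacts for the master node)
case "${1:-}" in
    show)
        gen_iptables_rules eth0 eth1
        gen_keepalived_conf MASTER 150 eth1 192.0.2.1/24
        conntrack_sizing 500000
        ;;
esac
```

The backup node gets the same ruleset and the same keepalived instance with `state BACKUP` and a lower priority; both run conntrackd with a sync channel on the LAN interface, which is why the ruleset admits UDP 3780 there and nowhere else. Testing that the notify scripts really promote the state table (and that a failover keeps long-lived sessions alive) is the lab work Michael refers to above.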