Chris Gravell wrote:
Sounds like a lot of hard work, Rolf!
Yes, but it's fun as well, as you can really learn and understand how the stuff really works. Support provided by developers and the community over mailing lists is quite amazing.
BSD may be free but as you probably know, the ongoing support costs are often the larger proportion
I did not say 'open == free'. Contributing back to the project is also quite rewarding, and be it only in the form of qualified bug reports or testing upcoming releases.
Just in case the OP's customer has asked specifically about non-open source solutions because of concerns regarding (the lack of) commercial support, in Switzerland http://www.startek.ch supports the products from http://vantronix.de which are OpenBSD based.
Not to mention that the base OS will probably require hardening too...
Not really, as OpenBSD default install is already hardened as per its "secure by default" policy, unlike most other OS.
expertise like that would quickly dwarf his budget unless it's available in-house. For up to 3000CHF, probably best to buy off-the-shelf. And focus on TCP/IP and not the underlying OS. IMHO!
The OP stated that he needs to protect about 10 Web servers. If this means 10 physical and not virtual servers, then I have some doubts about the price point of 1..3 kCHF being an adequate investment for the protection of these servers. Also the bandwidth estimations look pretty moderate.
Therefore, I assumed that a clustered setup distributed over two datacenters (or two separate racks, at least) might be better, both for resilience and scalability. Also reverse proxy functionality will facilitate operations (load balancing, Web server maintenance without affecting service availability, etc).
Just in case the OP's customer has asked specifically about non-open source solutions because of concerns regarding (the lack of) commercial support, in Switzerland http://www.startek.ch supports the commercial products from http://www.vantronix.de which are all based on OpenBSD.
Finally, the OP might want to look into managed security services provided by providers (MSSP) like http://www.open.ch in Switzerland, as an attractive alternative to having to evaluate, install and maintain security hardware & software products and to care about their life-cycle management.