Hello,
Now that the office firewall is running fine (uptime: 34 days, not a single problem since last month, cf. the "VDSL/Zyxel P2802 HWL not "strong" enough for a small company LAN?" thread), I'm now back, looking for a new kind of firewall :)
For a specific project with its own rack @datacenter, I would need a device to "protect" about 10 web-servers:
- deny everything, and then
- allow web traffic (80/443) from everywhere -> servers
- allow administrative (sftp/ssh) traffic from specific IPs
- ability to detect http-based "attacks/ddos" (like badly configured spidering): if there are too many http requests from specific hosts -> throttle/deny access for some time. I guess it's something which should be implemented on application level, but who knows... ?
- bandwidth: average: 5Mbit/s, peaks: 10-15Mbit/s
- stable, reasonable price... (max 1-3kChf?)
- rackmount
Under digitec.ch ( http://www.digitec.ch/ProdukteAuswahl2.aspx?knr=490 ) as a start there are 9 "Rackmount" FW's. But most of them are VPN-oriented, with IpSec-Tunnels, SSL-Tunnels, etc: mostly stuff which is expensive and that I really don't need.
Is there anything you can recommend in this case? If it was only me, I would take something from there: http://pfsense.org/index.php?option=com_content&task=view&id=44&... and start with that. But the customer would also like to see some "non open-source"-based solutions... :>
Regards, Olivier
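For reference, here is what the requirement list above looks like as a pf ruleset (OpenBSD/pfSense style): default deny, 80/443 from anywhere to the servers, SSH/SFTP only from named admin hosts, and pf's own per-source connection-rate limit feeding an overload table, which covers the "too many requests from one host -> deny for a while" case without any application-level code. This is an added example, not part of Olivier's message or of any product mentioned in the thread; the interface names, addresses and thresholds are placeholders to be replaced with real values.

```pf
# /etc/pf.conf -- example ruleset for a firewall/router in front of a rack of web servers
# (placeholder interfaces and RFC 5737 documentation addresses; tune thresholds to real traffic)
ext_if      = "em0"                                 # uplink to the datacenter network
int_if      = "em1"                                 # rack LAN with the web servers
webservers  = "{ 192.0.2.11, 192.0.2.12, 192.0.2.13 }"
admin_hosts = "{ 203.0.113.10, 203.0.113.11 }"      # office/admin addresses allowed to ssh/sftp

# sources that exceeded the connection-rate limit land here; entries expire via cron (see below)
table <web_abusers> persist

set skip on lo0
# requirement 1: deny everything, and log what is dropped so the blocks can be reviewed
block log all

# offenders already in the table are dropped before any pass rule is evaluated
block in quick on $ext_if from <web_abusers>

# traffic originated by the firewall or the servers themselves (DNS, updates, NTP, ...)
pass out

# requirement 2: web traffic from everywhere to the servers, with rate limiting:
#   max-src-conn        100   -> at most 100 simultaneous connections from one source
#   max-src-conn-rate   60/10 -> more than 60 new connections in 10 s from one source
#   overload ... flush global -> put that source in <web_abusers> and kill all of its states
pass in on $ext_if proto tcp to $webservers port { 80 443 } \
    keep state (max-src-conn 100, max-src-conn-rate 60/10, \
                overload <web_abusers> flush global)

# requirement 3: ssh/sftp to the servers (and to the firewall itself) only from admin hosts
pass in on $ext_if proto tcp from $admin_hosts to $webservers port 22
pass in on $ext_if proto tcp from $admin_hosts to self port 22

# Needed alongside this file:
#   /etc/sysctl.conf:  net.inet.ip.forwarding=1
#   crontab (every 10 min): /sbin/pfctl -t web_abusers -T expire 1800
#   -> "deny access for some time": entries older than 30 min are removed again
#   check syntax before loading:  pfctl -nf /etc/pf.conf ; load: pfctl -f /etc/pf.conf
```

Two caveats a practitioner should keep in mind: pf counts new TCP connections per source address, not HTTP requests, so a spider that reuses keep-alive connections sends many requests over few connections and is better throttled by the web server or a reverse proxy (this is the application-level part Olivier suspects is needed); and many clients behind one NAT address share one counter, so the thresholds have to be generous enough not to lock out a whole office.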
Check out the Juniper firewalls. OK price. Rackmount kit available. Scalable from small (office) to enterprise. We have been using Juniper (Netscreen) for 12 years.
-----Original Message----- From: swinog-bounces@lists.swinog.ch [mailto:swinog-bounces@lists.swinog.ch] On behalf of Olivier Mueller Sent: Wednesday, 18 June 2008 14:07 To: swinog@swinog.ch Subject: [swinog] Firewall recommendation for a rack of webservers?
_______________________________________________ swinog mailing list swinog@lists.swinog.ch http://lists.swinog.ch/cgi-bin/mailman/listinfo/swinog
Olivier Mueller wrote:
Hello,
Now that the office firewall is running fine (uptime: 34 days, not a single problem since last month, cf. the "VDSL/Zyxel P2802 HWL not "strong" enough for a small company LAN?" thread), I'm now back, looking for a new kind of firewall :)
Is there anything you can recommend in this case? If it was only me, I would take something from there: http://pfsense.org/index.php?option=com_content&task=view&id=44&... and start with that. But the customer would also like to see some "non open-source"-based solutions... :>
I'd go for a Netscreen model - but which model also depends on the number of sessions you expect. If people are "brand-addicted", they should at least expect to pay the price.
cheers, Rainer
Rainer Duffner wrote:
http://pfsense.org/index.php?option=com_content&task=view&id=44&... and start with that. But the customer would also like to see some "non open-source"-based solutions... :>
I'd go for a Netscreen model -
The funny thing about this: Netscreen and pfSense are both xBSD-based ;-). Nokia is BSD-based... Checkpoint (SPLAT) is Linux-based... In this case you will be forced to deploy M$-ISA ;-)
kind regards, Beat
Beat Siegenthaler wrote:
Rainer Duffner wrote:
http://pfsense.org/index.php?option=com_content&task=view&id=44&...
and start with that. But the customer would also like to see some "non open-source"-based solutions... :>
I'd go for a Netscreen model -
The funny thing about this: Netscreen and pfSense are both xBSD-based ;-). Nokia is BSD-based... Checkpoint (SPLAT) is Linux-based... In this case you will be forced to deploy M$-ISA ;-)
I thought only the Juniper router stuff was FreeBSD-based (they recently donated a MIPS reference implementation). AFAIK, Nokia moved to Linux, too, some time ago. But previously, they could give you Checkpoint on BSD. In a way.
pfSense is FreeBSD6 ;-)
Rainer
On Wed, 2008-06-18 at 15:38 +0200, Rainer Duffner wrote:
pfSense is FreeBSD6 ;-)
and the next one will be FreeBSD 7 based, yes :)
Thank you all for the feedback on the list and by mail, I'll now have fun visiting all your suggestions / URLs trying to select the "perfect" device.
Thanks & regards, Olivier
Beat Siegenthaler wrote:
In this case You will be forced to deploy M$-ISA ;-)
Please... He's talking about firewalls... :-)
Olivier, I have pfSense in use and you can also have commercial support from them. It's stable and you can run inline snort with autoblacklist or simple logging. I guess for your purpose it's not a bad solution.
If you want to impress your customers go for Secure Computing Sidewinder G2... ...but get a sponsor first!
Daniele
Can always go for Watchguard @ that price/performance point.
watchguard.com
-------------------------------------------------- From: "Rainer Duffner" rainer@ultra-secure.de Sent: Wednesday, June 18, 2008 3:38 PM To: swinog@swinog.ch Subject: Re: [swinog] Firewall recommendation for a rack of webservers?
Looking at your specs, I personally would choose OpenBSD (http://openbsd.org) and commodity i386 or amd64 rack servers (check the hardware compatibility list to avoid nasty surprises).
Besides a stateful packet filter "pf" functionality, OpenBSD comes with many tools to cluster those servers, such as "pfsync", CARP (VRRP replacement), rapid spanning tree (STP), NIC trunking/teaming, etc. Also a powerful layer-7 reverse proxy/load-balancer/SSL accelerator "relayd" is readily integrated. You may also want to run RIP, OSPF or BGP daemons if some support for dynamic routing should be required.
In an enterprise security application, I have implemented a large two-stage clustered firewall & Internet services gateway using exclusively OpenBSD on SunFire X4100M2 rack servers. The outer cluster pair is an "invisible" filtering bridge, the inner cluster pair is operating as a filtering router which also includes the reverse proxy, resilient OpenVPN SSL gateways, and other critical infrastructure services such as NTP, DHCP, named, etc.
I am also aware of similar OpenBSD setups in very large commercial Web / e-commerce server farms.
At home, I run nearly the identical setup on small embedded i386 machines from PCEngines.ch at less than 40 watts total power consumption. Such a setup is also ideal for pre-production tests in the lab, before implementing changes on the "heavy irons".
Prior to that, I had extensive exposure to CheckPoint clusters on Solaris, as well as to Linux/iptables based systems, such as Astaro. In my opinion, OpenBSD beats them all hands down, at least in my setups, in terms of security, stability, life-cycle, innovation, scalability, and price-performance ratio.
Unless you want/need graphical user interfaces for administration. Then my second choice would be m0n0wall or pfSense, both based on FreeBSD.
Regards, Rolf
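The clustering Rolf mentions (CARP for a shared address that fails over, pfsync to replicate the state table so established connections survive a failover) is configured on OpenBSD entirely through the base system's hostname.if files and a few pf rules. The following is an added example of one node of such a pair, not Rolf's own configuration: interface names, addresses and the CARP password are placeholders, and the second node uses the same files with its own real addresses and a higher advskew so that it becomes backup.

```pf
# --- /etc/hostname.em0 : real outside address of this node (documentation addresses) ---
inet 192.0.2.2 255.255.255.0 NONE

# --- /etc/hostname.carp0 : shared outside address owned by whichever node is master ---
# vhid must match on both nodes; advskew 0 = preferred master, the peer uses e.g. 100
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass CHANGE_ME_carp_secret advskew 0

# --- /etc/hostname.em2 : dedicated crossover link to the peer, used only for pfsync ---
inet 10.0.0.1 255.255.255.252 NONE

# --- /etc/hostname.pfsync0 : replicate state inserts/updates/deletes to the peer over em2 ---
up syncdev em2

# --- /etc/sysctl.conf ---
net.inet.ip.forwarding=1
net.inet.carp.preempt=1      # a node that sees all its CARP interfaces healthy takes over as a group

# --- additions to /etc/pf.conf ---
sync_if = "em2"
ext_if  = "em0"
# pfsync traffic between the nodes; its own states must not be synced back (no-sync)
pass quick on $sync_if proto pfsync keep state (no-sync)
# CARP advertisements between the nodes on the shared segment
pass on $ext_if proto carp keep state (no-sync)
```

Operationally, `ifconfig carp0` shows whether the node is MASTER or BACKUP, `pfctl -s states` on the backup should list the same states as the master once pfsync is running, and pulling the uplink of the master is the test that confirms connections through the pair keep working. Because pfsync is unauthenticated, the sync link must be a dedicated cable or VLAN that nothing else can reach.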
Sounds like a lot of hard work, Rolf! BSD may be free but, as you probably know, the ongoing support costs are often the larger proportion of any network deployment. Not to mention that the base OS will probably require hardening too... expertise like that would quickly dwarf his budget unless it's available in-house.
For up to 3000CHF, probably best to buy off-the-shelf. And focus on TCP/IP and not the underlying OS. IMHO!
On 18/06/2008 19:02, "Rolf Sommerhalder" rolf.sommerhalder@alumni.ethz.ch wrote:
Chris Gravell wrote:
Sounds like a lot of hard work, Rolf!
Yes, but it's fun as well, as you can really learn and understand how the stuff really works. Support provided by developers and the community over mailing lists is quite amazing.
BSD may be free but, as you probably know, the ongoing support costs are often the larger proportion
I did not say 'open == free'. Contributing back to the project is also quite rewarding, be it only in the form of qualified bug reports or testing upcoming releases.
Just in case the OP's customer has asked specifically about non-open source solutions because of concerns regarding (the lack of) commercial support, in Switzerland http://www.startek.ch supports the products from http://vantronix.de which are OpenBSD based.
Not to mention that the base OS will probably require hardening too...
Not really, as the OpenBSD default install is already hardened as per its "secure by default" policy, unlike most other OSes.
expertise like that would quickly dwarf his budget unless it's available in-house. For up to 3000CHF, probably best to buy off-the-shelf. And focus on TCP/IP and not the underlying OS. IMHO!
The OP stated that he needs to protect about 10 Web servers. If this means 10 physical and not virtual servers, then I have some doubts about the price point of 1..3 kCHF being an adequate investment for the protection of these servers. Also the bandwidth estimations look pretty moderate.
Therefore, I assumed that a clustered setup distributed over two datacenters (or two separate racks, at least) might be better, both for resilience and scalability. Also reverse proxy functionality will facilitate operations (load balancing, Web server maintenance without affecting service availability, etc).
Just in case the OP's customer has asked specifically about non-open source solutions because of concerns regarding (the lack of) commercial support, in Switzerland http://www.startek.ch supports the commercial products from http://www.vantronix.de which are all based on OpenBSD.
Finally, the OP might want to look into managed security services provided by providers (MSSP) like http://www.open.ch in Switzerland, as an attractive alternative to having to evaluate, install and maintain security hardware & software products and to care about their life-cycle management.
I've worked with all different kinds of firewalls - Raptor Eagle (now Symantec), ipfilter/iptables/ipchains/pf etc., Watchguard, Checkpoint, PIX/ASA among them. One thing that I have learned: the most important feature of a firewall is not its filtering ability - every single firewall nowadays can filter based on whatever state/content/fancy feature you name. It's the logging that makes the difference. If your firewall log sucks - or better - if the firewall log display sucks, you won't read logs. And that's bad.
This may seem like a minor point for Linux/BSD people used to reading all kinds of cryptic log formats - for firewall administrators in large companies it is a major issue. I personally like the Checkpoint log viewer (they call it 'tracker') most of all. YMMV.
Cheers, Viktor
Rolf Sommerhalder wrote:
Chris Gravell wrote:
Sounds like a lot of hard work, Rolf!
Yes, but it's fun as well, as you can really learn and understand how the stuff really works. Support provided by developers and the community over mailing lists is quite amazing.
etc...
Sounds like a lot of hard work, Rolf!
Yes, but it's fun as well, as you can really learn and understand how the stuff really works. Support provided by developers and the community over mailing lists is quite amazing.
Having fun with test equipment is just fine, doing the same with production is another matter. And firewalls are really not elements of your network you should start playing with: they are too important for your operation and security and it's too easy to break the config without even noticing.
If you want to go down the Linux/BSD way, I suggest you have a look at Smoothwall or IPCop (free) or Astaro (paid). We're using Astaro in a number of locations here and it offered very good value for money while still being easy to manage.
Regards, Stephane
Hi everybody, hi Olivier
I would suggest an OpenBSD or OpenBSD-based firewall too. We're using OpenBSD firewalls (routing, NAT, "loadsharing", SSL-VPN, etc) for our own web and mail hosting platform and for a customer similar to Olivier's description of the project.
Yesterday I switched our web and mail hosting systems from a commercial firewall solution (http://www.phion.com/index_en.php) to our new OpenBSD highly available firewall.
I agree with Chris it's a lot of work but I also fully agree with Rolf. It's important to understand what you're doing and why things are working how they are working... :-) OK, this maybe sounds a bit freaky but if you have the time it's always good to know these things.
I built 2-3 similar firewall solutions with OpenBSD before. It's only copying some configuration files and changing the things according to your needs.
If you want you can get the whole config stuff from me... contact me off-list if you're interested. Buy some cheap 1U Pentium / Xeon servers or an Alix / WRAP board (www.pcengines.ch)
Greets, Marco
:: I would suggest an OpenBSD or OpenBSD-based firewall too. We're using
BTW, recent hackathons brought significant improvements, not to mention related work from reyk@ about relayd. So in a monitoring and load balancing role, it is a great design.
And beware, you could just love pf and start being addicted ;-)
--
That's the point. I must admit that I'm addicted to pf and the simplicity of OpenBSD as a firewall / router :-)
I'm using relayd now for "loadsharing" / "loadbalancing" of my webservers. It's a great tool and the performance of OpenBSD 4.4 and pf is incredible.
But use OpenBSD 4.4 (-current) with caution. It's not really stable at the moment, maybe due to the recent hackathon :-). The snapshot from Wednesday is OK, the one from Monday has a big ARP replay bug...
Keep in mind, with OpenBSD you get a full router and firewall operating system out of the base system (PF, carp, relayd, pfsync, ifstated, ospfd, bgpd, etc.). And you don't need expensive hardware. My firewall "cluster" does 8000 stateful connections on average at the same time with only 1 GB RAM on a Pentium 3.2 GHz machine. With Intel Gigabit NICs you can do over 300Mbit/s stateful firewalling on cheap hardware...
And maybe we should talk about the term "firewall". My idea of a firewall is routing, NAT and stateful filtering.
I don't like commercial "firewall" products which are nothing more than a lot of open-source software packed onto cheap hardware, branded and sold under a "good" name... yeah of course they did "OS hardening". OpenBSD and Linux are "hard" enough for most requirements...
As I said before, if you need help with OpenBSD firewalls feel free to contact me off-list.
Wish you a nice weekend, Marco
Hello!
On Wed, June 18, 2008 2:06 pm, Olivier Mueller wrote:
Is there anything you can recommend in this case? If it was only me, I would take something from there: http://pfsense.org/index.php?option=com_content&task=view&id=44&... and start with that. But the customer would also like to see some "non open-source"-based solutions... :>
I would go with pfSense, but a Zyxel Zywall could also be an option if it should be a "commercial solution". Reasonable price, many features, rackmount kit available and very good support.
Regards,
Manuel
pfSense HAS commercial support! It is provided by BSD Perimeter and Centipede Networks. Take a look at www.pfsense.org under "support".
Open-source and unsupported are two different words.
Daniele