#1 06-24-2006, 10:33 PM
Zitibake (Senior Member, Join Date: Dec 2005, Posts: 113)
Best firewall & VPN termination for datacenter?

Can anyone comment on their experiences with the different firewalls and VPN termination gear? I'm interested in both what a typical colocated environment would need for its own cabinet, and what a datacenter operator might offer for a shared environment (that is, multiple customers share a single HA-firewall pair, and a single VPN termination point, which could be on a different box or HA-pair).

What strengths/weaknesses do you find for the major brands? Netscreen, Nokia/Checkpoint, PIX, Watchguard, etc.
#2 09-05-2006, 06:53 PM
Egihosting.com (Guest)

What is your requirement? I think each product has its +'s and -'s. Also, what's your budget and how much BW/sessions do you need to support?
#3 10-03-2006, 04:39 AM
Zitibake (Senior Member, Join Date: Dec 2005, Posts: 113)

The requirements for the shared firewall are:
- stability
- high availability
- scalability (separate rules for hundreds of customers)

VPN concentration currently requires:
- dozens of simultaneous L2TP/PPTP clients (using OS built-in Dial-up VPN networking), auth via RADIUS; preferably each L2TP/PPTP client could be associated with a VLAN to access (via RADIUS), but a filter or access-list per user may work also.

I'm looking at Altiga/Cisco VPN concentrator to terminate PPTP sessions; or maybe just use a PIX.
#4 11-12-2006, 01:46 PM
SiteSouth (Senior Member, Join Date: Oct 2004, Location: Atlanta, GA, Posts: 132)

We've used the Ciscos, Watchguards, Netscreens and the Sonicwalls. From our experience the SonicWalls are the easiest to manage and provide the best bang for the buck.
__________________
http://www.global-enterprise.com -
- colocation and dedicated servers -

Atlanta, GA and Las Vegas, NV
#5 11-19-2006, 07:54 PM
Zitibake (Senior Member, Join Date: Dec 2005, Posts: 113)

Interesting about SonicWalls. I've used Netscreen, Watchguard, and a little PIX. I'll have to revisit the SonicWalls.

The Watchguards are inexpensive, but that doesn't help as much in a shared H/A firewall installation. If you have hundreds of customers behind a firewall pair, then cost per customer is watered-down quite a bit. Cost for any kind of unavailability (or, in the case of Watchguard, inability to apply a config change without reboot) goes way up.

Netscreens support recursive named objects (e.g. customer1-remote includes customer-1-branchA, customer-1-branchB and customer-1-branchC; each of those branches is an object naming a set of network numbers). With lots of customers, each with their own policies, that is handy. Watchguards only allow named objects to refer to a list of network numbers.

Watchguards support policy-based VPNs with separate traffic filters: I can define an IPSec tunnel from an object on my end (say, a list of /24 networks) to an object on the far end; then use filters to limit traffic to just some IPs, and to just some TCP ports. With Netscreen, if I want to filter traffic within the tunnel, then I seem to need to use routed VPNs, not policy-based VPNs. But policy-based VPNs are the norm, so to use route-based, I have to explain to customers how to configure their end.

The CLI interface of the Netscreens and PIXes is easier to use when you have a long list of policies and tunnels. When the Watchguard GUI display is many screens long, it becomes awkward to view only the parts you need to edit.

The Watchguard GUI doesn't promote revision control: engineers file their maintenance plan with a textual description of what they intend to change (e.g. "configure new policy FOO to do blah blah"). With PIX and Netscreen, engineers can file a complete list of proposed commands they will execute, for review and comment, before their maintenance window occurs.

Watchguard's config file is really a database dump, making context-diff difficult. With PIX and Netscreen, it is easier to get automated reports of config changes.

Marketability is also a feature: enterprise customers ask what kind of firewall you use; they seem most comfortable if you answer PIX or Netscreen or Checkpoint. But those customers tend not to use a shared firewall or VPN concentrator, so for the shared firewall, stability and scalability are still most important.

Watchguards support IPSec/PPTP tunnels with RADIUS authentication; but to limit what services/devices the remote clients can access, a filter for each user must be defined on the firewall, making RADIUS pointless. Netscreen doesn't support OS-native PPTP clients (e.g. Windows DUN, Mac OS X dialup VPN) in all the required configurations. It sounds like Altiga (Cisco VPN Concentrator 30xx) has the only product that can terminate those VPNs with RADIUS-assigned access lists.

It looks like Cisco is supporting larger numbers of VPN clients in the regular PIX firewalls, while Cisco is not introducing new models of the VPN Concentrator, so perhaps a PIX is best for the role of IPSec PPTP/L2TP VPN concentrator. SSL concentrators are coming along in features, and everybody is selling those, so maybe the era of IPSec PPTP/L2TP tunnels is ending.
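Two points in the post above (nested named address objects, and CLI configs that can be diffed for automated change reports) as an added example, not code from the thread or from any vendor. It assumes a constructed ScreenOS-style "set address" / "set group address" syntax; the object names and networks are hypothetical.

```python
import re

# Constructed sample config in a ScreenOS-like "set address" / "set group address"
# style (hypothetical lines for illustration, not an export from a real device).
OLD_CONFIG = """\
set address "Untrust" "cust1-branchA" 192.0.2.0 255.255.255.0
set address "Untrust" "cust1-branchB" 198.51.100.0 255.255.255.0
set group address "Untrust" "cust1-remote" add "cust1-branchA"
set group address "Untrust" "cust1-remote" add "cust1-branchB"
set policy id 10 from "Untrust" to "Trust" "cust1-remote" "cust1-web" "HTTP" permit
"""
# Proposed maintenance: a third branch joins the group and gains SSH access.
NEW_CONFIG = OLD_CONFIG + """\
set address "Untrust" "cust1-branchC" 203.0.113.0 255.255.255.0
set group address "Untrust" "cust1-remote" add "cust1-branchC"
set policy id 11 from "Untrust" to "Trust" "cust1-remote" "cust1-web" "SSH" permit
"""

ADDR_RE = re.compile(r'^set address "\S+" "([^"]+)" (\S+) (\S+)$')
GROUP_RE = re.compile(r'^set group address "\S+" "([^"]+)" add "([^"]+)"$')

def parse_objects(config):
    """Return (addresses, groups): object name -> "net mask", group -> member names."""
    addresses, groups = {}, {}
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            addresses[m.group(1)] = f"{m.group(2)} {m.group(3)}"
        elif m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), []).append(m.group(2))
    return addresses, groups

def expand(name, addresses, groups, stack=frozenset()):
    """Flatten a (possibly nested) group into the set of networks it resolves to."""
    if name in addresses:
        return {addresses[name]}
    if name in stack:  # a group that (indirectly) includes itself: stop recursing
        return set()
    nets = set()
    for member in groups.get(name, []):
        nets |= expand(member, addresses, groups, stack | {name})
    return nets

def change_report(old, new):
    """Order-insensitive diff of two line-oriented configs: (added, removed)."""
    old_lines, new_lines = set(old.splitlines()), set(new.splitlines())
    return sorted(new_lines - old_lines), sorted(old_lines - new_lines)

if __name__ == "__main__":
    print("proposed changes:", change_report(OLD_CONFIG, NEW_CONFIG))
    print("cust1-remote:", sorted(expand("cust1-remote", *parse_objects(NEW_CONFIG))))
```

The report lists exactly the three proposed lines as added and nothing removed, which is the kind of reviewable change record the post describes; the expansion shows which networks a policy referencing "cust1-remote" will actually match after the change.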
#6 11-30-2008, 12:21 AM
attagirl (Senior Member, Join Date: Oct 2008, Posts: 117)

I read this information and found that it would be very useful for all of us. So I thought it would be good to bring it back out so that those people who do not read the older threads can comment themselves on this.
#7 01-31-2009, 04:38 PM
vlada (Junior Member, Join Date: Jan 2009, Posts: 2)

I think that everything depends on your budget and on your demands to the shared firewall. You must consider all cons and pros and then make the decision.
#8 02-01-2009, 09:09 PM
PhantomNOC (Junior Member, Join Date: Jan 2009, Posts: 13)

As far as SonicWalls go, stay away. I have set some up for customers, and they leave a good bit to be desired. Netscreens are good. Cisco ASA5505/5510 firewalls are probably the best for the money. If you are open to *NIX based firewalls, check out Astaro. They have appliances as well as downloadable wares. Customers that have been sold Astaro firewalls have loved them.
__________________
PhantomNOC - Intelligent. Reliable. Who's Running Your Server?
Server Monitoring, Security, and Full Administration - Linux, Unix, Windows, Control Panels
Phantom Networks LLC - http://www.phantomnoc.com - 888.443.1523
#9 02-02-2009, 10:13 AM
Schumie (Senior Member, Join Date: Dec 2008, Location: Thatcham, UK, Posts: 160)

For me, the biggest thing is supportability: what does your staff already know / have training in? When it comes to the purchase cost, if you also have to re-train your staff then this obviously makes a huge difference. Also, if your teams aren't working with them daily it could create a whole world of support issues!
#10 02-23-2009, 08:55 PM
solokron (Junior Member, Join Date: Dec 2008, Posts: 23)

Firebox Watchguards look good but wow, $2000 - $3290 a year for the "Unified Threat Management" license. That seems quite a bit. Are there more affordable / bang-for-your-buck options available for a shared hosting provider?
All times are GMT.