Date: Fri, 05 Sep 2003 16:30:49 -0400 From: Mike Tancsa <mike@sentex.net> To: Redmond Militante <r-militante@northwestern.edu>, freebsd-questions@freebsd.org Subject: Re: ipfilter vs. firewall appliance Message-ID: <5.2.0.9.0.20030905161721.025a9498@209.112.4.2> In-Reply-To: <20030905200318.GJ65035@darkpossum>
Well, if you can, crack open a "hardware" firewall like a Cisco PIX. You will recognize a LOT of what is in there and you will be very surprised. I have hardware in quotes because the only real differentiator is that PCs have hard drives for storage and these units don't. Yes, some will have special ASICs for packet forwarding and some will have crypto accelerators... But if you are talking about under 100Mb/s of throughput, your server below can do that, and it doesn't need ASICs for forwarding; if you need some sort of crypto acceleration, you can add one for about $75 to offload much of the crypto calcs. However, that's only useful if you plan to terminate a whack of IPSEC sessions, or use something that does a lot of crypto calcs. (see www.soekris.com)

If you take a look around via Google on the ipfilter list, there are some very large sites using boxes with less power than what's below. The main things that the "hardware" units give you are a better software interface and, when you look at something like Checkpoint, better tweaked proxy modules (in some cases) and better failover features. Another big thing these units offer is the potential for formal support. Some organizations have neither the time nor the experience to look through and participate on mailing lists. So your organization's concerns below are certainly valid. Ongoing support / care and feeding issues of your firewall (be that FreeBSD or an off-the-shelf appliance) are a critical component in the decision making process.

---Mike

At 03:03 PM 05/09/2003 -0500, Redmond Militante wrote:
> hi
>
> I have an ipfilter/ipnat box that I'm using to protect an Apache webserver.
> The machine is 4.7-RELEASE-p3 FreeBSD 4.7-RELEASE-p3 #1: Mon Aug 11 18:27:06 CDT 2003.
> The machine is a Dell Optiplex GX260, Intel(R) Pentium(R) 4 CPU 2.40GHz, 512 MB of RAM.
> It's been doing a fine job.
>
> I'd like to get extra NICs for this machine and stick additional servers, such as our
> Win2k domain controllers and a MySQL box, possibly more, behind the firewall/NAT.
>
> I wanted to ask - for a firewall/NAT that would potentially be protecting multiple
> production machines, is ipfilter's performance comparable to production firewall
> appliances and software such as NetScreen and Symantec firewall?
>
> I'm the only Unix person where I work, and sometimes it's hard to get projects
> green-lighted when a) I'm the only one on staff who knows the technology and b) it
> probably seems hard to believe to Windows admins that a little Pentium 3 box with 2 NIC
> cards and hand-written firewall rules can do the same thing as an appliance that some
> companies are charging tens of thousands of dollars for.
>
> I'd like to be able to present a case to my employers - that the ipfilter/ipnat box
> that I set up would be able to provide the performance of commercial firewall solutions,
> and was wondering if anyone knows of any benchmarks/reviews/etc. that I can cite.
>
> Any comments welcome.
>
> Thanks as always,
> Redmond
>
> --
> FreeBSD 5.1-RELEASE-p2 FreeBSD 5.1-RELEASE-p2 #0: Thu Aug 28 12:42:04 CDT 2003
> 2:45PM up 8 days, 1:42, 1 user, load averages: 0.73, 0.23, 0.13
>
> "You should, without hesitation, pound your typewriter into a plowshare, your paper
> into fertilizer, and enter agriculture."
> -- Business Professor, University of Georgia
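As an added illustration of the "hand-written firewall rules" the thread is about (this is not from Mike's or Redmond's messages, and not Redmond's actual ruleset), here is an ipfilter/ipnat configuration for the layout Redmond describes: one outside NIC and one inside segment holding the web server, the Win2k domain controllers and the MySQL box behind NAT, with only the web server published. Interface names (fxp0 outside, fxp1 inside), the inside network 192.168.10.0/24 and the web server address 192.168.10.10 are assumptions chosen for the example; the syntax is ipfilter 3.x as shipped with FreeBSD 4.x, and the rules should be loaded with `ipnat -CF -f /etc/ipnat.rules` and `ipf -Fa -f /etc/ipf.rules` and then checked with `ipfstat -io` on the real box before trusting them.

```ipfilter
# /etc/ipnat.rules
# Assumed layout (example only): fxp0 = outside (public address), fxp1 = inside 192.168.10.0/24
# Hide the whole inside segment behind the firewall's outside address for outbound traffic.
map fxp0 192.168.10.0/24 -> 0/32 proxy port ftp ftp/tcp
map fxp0 192.168.10.0/24 -> 0/32 portmap tcp/udp 20000:40000
map fxp0 192.168.10.0/24 -> 0/32
# Publish only the web server. The domain controllers and MySQL get no rdr entry,
# so nothing from outside can reach them even if a filter rule were too loose.
rdr fxp0 0/0 port 80 -> 192.168.10.10 port 80 tcp
rdr fxp0 0/0 port 443 -> 192.168.10.10 port 443 tcp

# /etc/ipf.rules
# ipfilter is last-match unless a rule says "quick", so every decision below is
# made final with "quick" and the two rules at the top are the default: deny and log.
block in log all
block out log all

# Loopback is always fine.
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing on the outside NIC: our own inside range and other private/loopback
# space must never arrive from the Internet.
block in log quick on fxp0 from 192.168.10.0/24 to any
block in log quick on fxp0 from 10.0.0.0/8 to any
block in log quick on fxp0 from 172.16.0.0/12 to any
block in log quick on fxp0 from 192.168.0.0/16 to any
block in log quick on fxp0 from 127.0.0.0/8 to any

# Inbound from the Internet: only HTTP/HTTPS to the web server. NAT (rdr) runs
# before filtering on input, so the destination is already the inside address.
# "flags S" means only a SYN can open the state entry; replies ride the state.
pass in quick on fxp0 proto tcp from any to 192.168.10.10 port = 80 flags S keep state
pass in quick on fxp0 proto tcp from any to 192.168.10.10 port = 443 flags S keep state

# Inside NIC: accept traffic only from the inside range (anti-spoof in the other
# direction) and let admitted traffic out toward the servers.
pass in quick on fxp1 from 192.168.10.0/24 to any
pass out quick on fxp1 all

# Outbound through the outside NIC (the servers' own DNS, updates, etc., and the
# firewall's own traffic): stateful, so replies need no inbound rule.
pass out quick on fxp0 proto tcp from any to any flags S keep state
pass out quick on fxp0 proto udp from any to any keep state
pass out quick on fxp0 proto icmp from any to any keep state
```

The point for the "can a PC do this" argument is that everything an appliance's GUI produces boils down to rules of this shape: default deny, anti-spoofing on each interface, stateful holes only for the services actually published. Enabling it on FreeBSD 4.x is the usual `ipfilter_enable="YES"`, `ipnat_enable="YES"` and `gateway_enable="YES"` in /etc/rc.conf, and `ipmon -Ds` will log the packets the two `block ... log` rules drop.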