Firewall/Router recommendations

  • #1

    Hi all,

    We're upgrading from a 1/4 rack to a full rack in the next month. We've been using the data centre's shared firewall service and whilst it's been perfect, I think it's time to look at alternatives.

    We're looking at the Juniper SRX240H2. Has anyone got any experience of these?

    Are they pretty robust? We've got a /24 we'd be pushing to it and then re-distributing to services in the racks. We want a nice simple interface that isn't going to eat up time to configure.

    Requirements from it are pretty basic:
    Allow traffic from ALL to certain IPs
    Deny traffic from ALL to certain IPs
    Allow certain IPs to Certain IPs
    Deny certain IPs to Certain IPs/All

    Maybe a bit of monitoring, DoS protection, etc.

    Any other recommendations if you don't think this device is right for us? We push around 10mbps on 95th Percentile I believe. This will be going up as we put in more kit obviously.
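    As an added example (not a configuration from any poster or vendor in this thread), here is how the four rule types listed above look as a pf ruleset, pf being the packet filter that pfSense, suggested further down the thread, is built on. The interface names (igb0/igb1), the 203.0.113.0/24 prefix standing in for the /24 and every other address are constructed placeholders. The point worth seeing is rule ordering: pf takes the last matching rule unless a rule is marked quick, so the denies that must never be reopened by a later pass rule carry quick, and anything not explicitly passed falls through to the default block.

```pf
# Added example ruleset; interface names and all addresses are assumptions.
ext_if = "igb0"                    # transit / upstream side
int_if = "igb1"                    # rack side, where the /24 is routed

# Hosts in the /24 that should be reachable from anywhere (on listed ports)
table <public_hosts>    { 203.0.113.10, 203.0.113.11 }
# Hosts in the /24 that must never be reachable from outside
table <private_hosts>   { 203.0.113.200/29 }
# Management hosts allowed to reach admin services in the rack
table <mgmt_sources>    { 198.51.100.5, 198.51.100.6 }
# Sources denied outright; "persist" keeps the table when it is emptied
table <blocked_sources> persist { 192.0.2.0/24 }

set skip on lo0
set block-policy drop              # silently drop rather than send RST/ICMP

# Default deny in both directions and log it: everything below is an
# exception. pf evaluates top to bottom and the LAST match wins unless a
# rule says "quick", so the hard denies below are marked quick.
block log all

# Deny certain IPs -> all (quick: evaluation stops here for these sources)
block in quick log on $ext_if from <blocked_sources> to any

# Deny all -> certain IPs (quick, so no later pass rule can reopen them)
block in quick log on $ext_if from any to <private_hosts>

# Allow all -> certain IPs, limited to the services those hosts actually run
pass in on $ext_if proto tcp from any to <public_hosts> port { 80, 443 } \
    flags S/SA keep state

# Allow certain IPs -> certain IPs (SSH into the /24 only from mgmt hosts)
pass in on $ext_if proto tcp from <mgmt_sources> to 203.0.113.0/24 port 22 \
    flags S/SA keep state

# Let the rack initiate outbound connections; the state entry created here
# lets the replies back in (pf's default floating state policy matches the
# state on either interface, so no separate "pass out" rule is needed).
pass in on $int_if from 203.0.113.0/24 to any keep state
```

    The denies are logged so that the "bit of monitoring" asked for comes for free from pflog, and the pass rules are per port rather than "to host", which keeps an accidentally exposed service on a public host from being reachable. pfSense generates the same kind of rules from its GUI (it adds quick to each one, giving first-match behaviour per interface), and on an SRX the equivalent is a set of zone-to-zone security policies; either way the safe starting point is a default deny that you then punch explicit holes in.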

  • #2
    We've used the SRX240's in the past and they do a good job.

    I am very impressed by the Ubiquiti EdgeMax products at the moment. They're certainly a very cost effective solution and more than capable of handling your traffic. On paper it seems even the cheapest EdgeMax (Lite) can out perform the SRX240s. EdgeMAX | Ubiquiti Networks, Inc.
    Adam Cooke
    aTech Media - UK Ruby on Rails development specialists
    Sirportly - the hosting platform for developers, by developers
    Dial 9 - complete VoIP solution for small businesses and freelancers.

    Company Registration Number: 5523199 VAT Registration Number: GB 868 861 560 All views expressed in my posts are my own and not those of aTech Media Limited.



    • #3
      We've got a number of SRX's including 240s but we only really use them for access networks (eg customer connections)... in front of servers we'll choose fortinet (only models with ASICs in) every time.

      Cheers - Mark
      ••• Mark Castle •••



      • #4
        Originally posted by stugster:
        Hi all,

        We're upgrading from a 1/4 rack to a full rack in the next month. We've been using the data centre's shared firewall service and whilst it's been perfect, I think it's time to look at alternatives.

        We're looking at the Juniper SRX240H2. Has anyone got any experience of these?

        Are they pretty robust? We've got a /24 we'd be pushing to it and then re-distributing to services in the racks. We want a nice simple interface that isn't going to eat up time to configure.

        Requirements from it are pretty basic:
        Allow traffic from ALL to certain IPs
        Deny traffic from ALL to certain IPs
        Allow certain IPs to Certain IPs
        Deny certain IPs to Certain IPs/All

        Maybe a bit of monitoring, DoS protection, etc.

        Any other recommendations if you don't think this device is right for us? We push around 10mbps on 95th Percentile I believe. This will be going up as we put in more kit obviously.

        We've used the SRX240H (the original "high memory" model, before Juniper doubled the RAM recently) quite a lot and it's OK.

        The chassis clustering leaves a lot to be desired, although it's getting better.

        The UTM features are pretty poor compared to the competitors.

        The web based management interface is clunky and slow.

        Command line management is great thanks to JUNOS, although committing configs can take an age.

        I've had horrible memory related stability problems with JUNOS 12.1 releases on the SRX100H and SRX240H models and had to go back to 11.4 in order to stop the units crashing and rebooting every 1-2 weeks when the control plane runs out of RAM.

        These units weren't running anything complicated (basic firewall, no UTM, the occasional site-to-site VPN tunnel with other SRX units) but would reliably run out of RAM and crash. The same units are only showing ~65% usage with the same config in 11.4.

        Personally, I prefer Fortinet FortiGates, but the SRX will do the job.
        GoDaddy are abusing WHC with shill advertising



        • #5
          +1 for Fortinet Fortigate.
          Ben Durkin | Technical Director | Chilli Mint Labs Ltd | chillimintlabs.com
          ASP.NET Development | ASP.NET Hosting | Email Marketing | Web Design Lancashire
          Lancashire Digital Technology Centre, Bancroft Road, Burnley, BB10 2TP
          Company Reg: 06751324 Vat No: GB944712025



          • #6
            What model of Fortinet FortiGate would be good for a cabinet of a /24 which just really requires basic DENY/Allow rules?

            Also: has anyone played/seen the Firebrick boxes? Thoughts on those?
            Last edited by stugster; 13th January 2014, 03:12 PM.



            • #7
              We use a pair of these for a similar requirement:

              Connected UTM (Unified Threat Management) Appliances for Small Businesses | Fortinet
              Ben Durkin | Technical Director | Chilli Mint Labs Ltd | chillimintlabs.com



              • #8
                Originally posted by stugster:
                What model of Fortinet FortiGate would be good for a cabinet of a /24 which just really requires basic DENY/Allow rules?

                Also: has anyone played/seen the Firebrick boxes? Thoughts on those?

                A really useful Fortinet document when looking at what model suits your requirements is: http://www.fortinet.com/sites/defaul...uct_Matrix.pdf

                We've got several FortiGate 110C deployed in our racks serving multiple customers. Probably a bit overkill for what you need by the sounds of it.



                • #9
                  x86 unless you have a compelling reason not to.

                  You could set up a pfSense box for near nothing (just by re-purposing an additional machine, or a pair of them), even with basic Intel Pro adaptors (igb), and it will easily run at 1Gbps line rate with 64-byte packets. Then put the difference towards consultancy from the pfSense guys, and get them to properly configure and manage the kit for you.

                  Hardware firewalls are overpriced, easily outgrown - and useless when you do outgrow them.
                  Benjamin Lessani

                  sonassi| Magento Hosting | High Performance. Expert Support
                  Sonassi Limited registered in Manchester No. 07715859. Registered office: 1st Floor, 14 Exchange Quay, Salford Quays, M5 3EQ. VAT number GB 101 263 474. Phone: 0161 870 2414.




                  • #10
                    Originally posted by Ben-Sonassi:
                    x86 unless you have a compelling reason not to.

                    You could set up a pfSense box for near nothing (just by re-purposing an additional machine, or a pair of them), even with basic Intel Pro adaptors (igb), and it will easily run at 1Gbps line rate with 64-byte packets. Then put the difference towards consultancy from the pfSense guys, and get them to properly configure and manage the kit for you.

                    Hardware firewalls are overpriced, easily outgrown - and useless when you do outgrow them.

                    +1

                    Unless you have a need for very high security (you'll know, because you'll be running IDS and paying a monthly fee for real-time protection updates) then you can buy an Atom (or a pair of them) and install pfSense as suggested.

                    It'll provide 95% of the features you want for 1/10th of the price and it'll scale much better. They're not hard to configure, or you can find someone to do it for you.

                    pfSense is based on FreeBSD, same as Juniper and IoS, so it's a very mature product.
                    Gary Coates - ServerHouse Ltd
                    Established Colocation provider, Running Two Tier II & Two III data centres from two diverse sites in Hampshire. Bespoke complex managed hosting, 24x7 IT and resilient business connectivity from 100Mbs
                    Tel: 01329 800911 - www.serverhouse.co.uk



                    • #11
                      Originally posted by serverhouse:
                      pfSense is based on FreeBSD, same as Juniper and IoS, so it's a very mature product.

                      I presume you're referring to Apple iOS rather than Cisco IOS, but the link to FreeBSD is a bit more stretched than it is with JUNOS, where the core operating system is directly derived from the FreeBSD codebase.

                      iOS is based on OS X, which has Darwin at the heart of it. Darwin uses a kernel called XNU, which is the Mach 3 microkernel with some bits originally derived from the BSD kernel bolted into it in order to provide features such as some of the networking and filesystem stacks.

                      XNU is something like 20 years old now, so the code will have diverged a bit in the meantime, although I believe that code still flows both ways between Apple and FreeBSD.

                      That's not to say that FreeBSD isn't a rock stable, tried, tested and very mature operating system, however.



                      • #12
                        Originally posted by AdamC:
                        We've used the SRX240's in the past and they do a good job.

                        I am very impressed by the Ubiquiti EdgeMax products at the moment. They're certainly a very cost effective solution and more than capable of handling your traffic. On paper it seems even the cheapest EdgeMax (Lite) can out perform the SRX240s. EdgeMAX | Ubiquiti Networks, Inc.

                        On paper is the key point, as you said. I picked up a couple of those and they're not the best, honestly. If you're looking for something for light usage, which is low on power and doesn't have much PPS flowing through it, it's good. Also, never use the web UI, always use the Vyatta GUI. Mikrotik are probably the best value ones; I've got one of the 48 core, 16GB RAM ones, awesome stuff so far.



                        • #13
                          Originally posted by Humza:
                          Mikrotik are probably the best value ones; I've got one of the 48 core, 16GB RAM ones, awesome stuff so far.

                          I like Mikrotik for some scenarios, but isn't the firewall on the CloudCore router bound to one Tilera CPU?
                          Mike Hollowell - Arrowhead Systems Ltd
                          Stoke-On-Trent, Staffordshire ISP
                          Tel: 01782 747044 theinternet.org.uk arrowheadsys.co.uk
                          RIPE LIR: uk.silicons | Registrar & Member of Nominet, IPSTAG TIOUK | Company reg: 02694760 | VAT reg: GB 867 0098 03



                          • #14
                            Originally posted by Humza:
                            Mikrotik are probably the best value ones; I've got one of the 48 core, 16GB RAM ones, awesome stuff so far.

                            I thought that the CCR range maxed out at 36 cores?

                            Something to bear in mind is that as soon as you put any firewall rules in place or turn connection tracking on (required for stateful packet matching on the firewall) the router drops out of "fast path" mode and performance tumbles.

                            It's still a very impressive box though, particularly for the price.
