RE: Firewall Appliance Suggestions
Normally I would agree with you as far as separate instances, however this will be in a situation where we pay ridiculous amounts for cpu and memory, so a single instance is what we are shooting for (remember those ridiculous requirements). I am planning to do some further testing with vyatta and pfsense. Thank you all for the on list and off list responses!

-----Original Message-----
From: Sargun Dhillon [mailto:sargun@sargun.me]
Sent: Thursday, June 30, 2011 9:56 PM
To: George Bonser
Cc: Blake T. Pfankuch; NANOG (nanog@nanog.org)
Subject: Re: Firewall Appliance Suggestions

----- Original Message -----
From: "George Bonser" <gbonser@seven.com>
To: "Blake T. Pfankuch" <blake@pfankuch.me>, "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Sent: Thursday, June 30, 2011 11:30:53 AM
Subject: RE: Firewall Appliance Suggestions
Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput.
Any Ideas?
Thanks!
Blake Pfankuch
I might also look at Vyatta. They have appliances or you can run the software on your own hardware.
I would not go with Vyatta if you're doing anything complex. The number of random bugs I've hit with their software are numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well.
If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an instance per customer (lightweight, they sell a VMWare image). Then use dynamic routing to direct traffic to the customer (assign each customer their own ASN, and peer with their instance). So, worst case scenario, the NOC monkey only breaks one customer's gear.
-- Sargun Dhillon VoIP (US): +1-925-235-1105
They don't have a VM yet - coming soon - but you may take a look at Palo Alto Networks. Having just a regular stateful firewall is not a good idea anymore...

Peter Nowak

On Jul 1, 2011, at 12:35 AM, Blake T. Pfankuch wrote:
Normally I would agree with you as far as separate instances, however this will be in a situation where we pay ridiculous amounts for cpu and memory, so a single instance is what we are shooting for (remember those ridiculous requirements). I am planning to do some further testing with vyatta and pfsense. Thank you all for the on list and off list responses!
-----Original Message-----
From: Sargun Dhillon [mailto:sargun@sargun.me]
Sent: Thursday, June 30, 2011 9:56 PM
To: George Bonser
Cc: Blake T. Pfankuch; NANOG (nanog@nanog.org)
Subject: Re: Firewall Appliance Suggestions

----- Original Message -----
From: "George Bonser" <gbonser@seven.com>
To: "Blake T. Pfankuch" <blake@pfankuch.me>, "NANOG (nanog@nanog.org)" <nanog@nanog.org>
Sent: Thursday, June 30, 2011 11:30:53 AM
Subject: RE: Firewall Appliance Suggestions
Willing to pay for something if need be, but looking for something that can easily handle 50-100mbit of throughput.
Any Ideas?
Thanks!
Blake Pfankuch
I might also look at Vyatta. They have appliances or you can run the software on your own hardware.
I would not go with Vyatta if you're doing anything complex. The number of random bugs I've hit with their software are numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well.
If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an instance per customer (lightweight, they sell a VMWare image). Then use dynamic routing to direct traffic to the customer (assign each customer their own ASN, and peer with their instance). So, worst case scenario, the NOC monkey only breaks one customer's gear.
-- Sargun Dhillon VoIP (US): +1-925-235-1105
Peter Nowak
Manager, Technical Services
Bat Blue Corporation | Integrity . Privacy . Availability
p. 212.461.3322 x3020 | f. 212.584.9999 | w. www.batblue.com
Bat Blue's AS: 25885 | BGP Policy | Peering Policy
Bat Blue's Legal Notice
Receive Bat Blue's DSB Intelligence Report
Bat Blue is proud to be the Official WiFi Provider for ESPN's X-Games
Participants (2): Blake T. Pfankuch, Peter Nowak