nanog mailing list archives

Re: Firewall opinions wanted please

From: "Gregory Taylor" <greg () xwb com>
Date: Tue, 16 Mar 2004 17:01:22 -0600


PIX firewalls are great if you configure them correctly for the application.  40 or less servers may not require 
something as complex, however if the data you are protecting is super-critical, I think a PIX might be your best 
solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing a internal IP network with a NAT 
access point.  But remember dealing with proxies, there is no such thing as a 'TRUE' transparent proxy, and having to 
go through all of the complexities of port forwarding, packet mangling, etc. might be too much if you are simply trying 
to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling.  On a 
small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no 
proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic.

Disadvantages to dealing with transparent bridging is that you run into the whole MAC address collision and excess 
over-head announcements being made from the bridge itself every time it sends a packet through.

The best option I guess is to figure out how important it is for you to have a firewall, what is the reason you need 
one and how important the data is on your servers.  That will help you decide the best choice for a firewall or proxy 
application.

Greg

---------- Original Message ----------------------------------
From: Nicole <nmh () daemontech com>
Date:  Tue, 16 Mar 2004 14:27:16 -0800 (PST)




Hi
I am looking for a good but reasonably priced firewall for a 40 or so server
site. Some people swear by Pix, others swear at it a lot. Also I have heard
good things about Netscreen. Or any others you would recommend for protecting
servers on a busy network. Don't really need anything with VPN just the
standard http, ftp, ssh, https, type traffic up to 100mb throughput.
From what I have heard a proxy firewall would be best? 



Thanks in advance!!


 Nicole





--
                    |\ __ /|   (`\            
                    | o_o  |__  ) )           
                   //      \\                 
 -  nmh () daemontech com  -  Powered by FreeBSD  -
------------------------------------------------------
" Daemons" will now be known as "spiritual guides"
        -Politically Correct UNIX Page

Current thread:

Firewall opinions wanted please Nicole (Mar 16)
- RE: Firewall opinions wanted please - clarification Nicole (Mar 16)
  - Re: [NANOG-LIST] RE: Firewall opinions wanted please - clarification Brent Van Dussen (Mar 16)
  - Re: Firewall opinions wanted please - clarification Brandon Shiers (Mar 16)
    - Re: Firewall opinions wanted please - clarification Alexei Roudnev (Mar 16)
    - Re: Firewall opinions wanted please - clarification Richard Cox (Mar 16)
- Re: Firewall opinions wanted please Valdis . Kletnieks (Mar 16)
  - Re: Firewall opinions wanted please Steven M. Bellovin (Mar 16)
- Re: Firewall opinions wanted please Rachael Treu (Mar 17)
- <Possible follow-ups>
- Re: Firewall opinions wanted please Gregory Taylor (Mar 16)
  - Re: Firewall opinions wanted please Rachael Treu (Mar 17)
    - Re: Firewall opinions wanted please bill (Mar 17)
    - Re: Firewall opinions wanted please Rachael Treu (Mar 17)
    - Re: Firewall opinions wanted please Kevin Oberman (Mar 17)
    - Re: Firewall opinions wanted please Rachael Treu (Mar 17)
    - Re: Firewall opinions wanted please bill (Mar 17)
    - Re: Firewall opinions wanted please Alexei Roudnev (Mar 17)
    - Re: Firewall opinions wanted please Rachael Treu (Mar 17)
    - Re: Firewall opinions wanted please Peter Galbavy (Mar 18)
    - Message not available
    - Re: Firewall opinions wanted please Rachael Treu (Mar 17)

(Thread continues...)