nanog mailing list archives
Re: Firewall opinions wanted please
From: "Gregory Taylor" <greg () xwb com>
Date: Tue, 16 Mar 2004 17:01:22 -0600
PIX firewalls are great if you configure them correctly for the application. 40 or fewer servers may not require something as complex; however, if the data you are protecting is super-critical, I think a PIX might be your best solution.

Proxy firewalls (i.e. Linux, BSD or variant gateways) are good if you're into doing an internal IP network with a NAT access point. But remember, when dealing with proxies, there is no such thing as a 'TRUE' transparent proxy, and having to go through all of the complexities of port forwarding, packet mangling, etc. might be too much if you are simply trying to firewall your web servers and whatnot.

As discussed in a previous thread, I spoke about transparent bridging used for packet filtering and mangling. On a small application, that might be a good idea, because you get all of the true internet access (i.e. legit IPs, no proxying etc.) with the same ability to filter TCP, ICMP, UDP, IGMP etc. traffic. Disadvantages to dealing with transparent bridging are that you run into the whole MAC address collision and excess overhead announcements being made from the bridge itself every time it sends a packet through.

The best option, I guess, is to figure out how important it is for you to have a firewall, what the reason is that you need one, and how important the data is on your servers. That will help you decide the best choice for a firewall or proxy application.

Greg

---------- Original Message ----------------------------------
From: Nicole <nmh () daemontech com>
Date: Tue, 16 Mar 2004 14:27:16 -0800 (PST)
Hi,

I am looking for a good but reasonably priced firewall for a 40 or so server site. Some people swear by Pix, others swear at it a lot. Also I have heard good things about Netscreen. Or any others you would recommend for protecting servers on a busy network.

Don't really need anything with VPN, just the standard http, ftp, ssh, https type traffic up to 100mb throughput.

From what I have heard a proxy firewall would be best?

Thanks in advance!!

Nicole

--
|\ __ /| (`\
| o_o |__ ) )
// \\
- nmh () daemontech com - Powered by FreeBSD -
------------------------------------------------------
"Daemons" will now be known as "spiritual guides"
-Politically Correct UNIX Page