Firewall Appliance Suggestions

Howdy,

I am looking for something a little unique in a bit of a tough situation with some sticky requirements. First off, my requirements are a little weird and I can't bend them a whole lot due to stipulations being put on me. I am in need of a firewall appliance which can be run on VMware vSphere, with IPsec support for multiple Phase 2 negotiations within a single Phase 1. I am also in need of something that can support VLAN interfaces on the LAN side, and ideally something with multi-zoning so I can keep LAN-side networks separate from each other without ridiculous firewall rules. Meaning, build a zone for "Customer network 1" and it displays separately (ease of management and firewall config, hopefully). I need a minimum of 10 "zones" on the LAN side (/29 or /30), and NAT support for LAN to WAN (to dedicate all outbound connections to a single IP from a specific zone), ideally something extremely scalable (100-200 zones). And here is the super fun part! I need something that is going to be web managed primarily, as minions will be doing most of the day-to-day maintenance, or very simple CLI config. Willing to pay for something if need be, but looking for something that can easily handle 50-100 Mbit of throughput.

Any Ideas?

Thanks!

Blake Pfankuch

CheckPoint

-Hammer-

"I was a normal American nerd"
-Jack Herer

Linux + iptables + fwbuilder
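To make the Linux + iptables suggestion concrete against the original requirements (one 802.1Q sub-interface per zone, zones isolated from each other, every zone's outbound traffic leaving from its own dedicated address), here is an added example that is not from the thread or from fwbuilder. The interface names, VLAN IDs, subnets and NAT addresses are assumed placeholders; the script prints the rules for review rather than applying them.

```shell
#!/bin/sh
# Zone model: each customer zone is a VLAN sub-interface on the LAN trunk
# (eth1.<vid>), zone-to-zone forwarding is dropped by policy, and each zone
# is SNATed to its own WAN address. Assumed names: eth0 = WAN, eth1 = trunk.
WAN=eth0
TRUNK=eth1

# Shared policy: default deny, allow return traffic for established flows.
# Because only zone->WAN is ever accepted, zone->zone needs no per-pair rules.
base_rules() {
    printf 'iptables -P FORWARD DROP\n'
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# zone_rules NAME VLAN_ID SUBNET NAT_IP : prints the rules for one zone.
zone_rules() {
    name=$1; vid=$2; subnet=$3; natip=$4
    ifc="$TRUNK.$vid"
    # One chain per zone keeps each customer's policy visible on its own.
    printf 'iptables -N ZONE_%s\n' "$name"
    # Anti-spoofing: only the zone's own subnet may arrive on its VLAN.
    printf 'iptables -A FORWARD -i %s ! -s %s -j DROP\n' "$ifc" "$subnet"
    # Hand zone->WAN traffic to the zone chain; per-customer rules go there.
    printf 'iptables -A FORWARD -i %s -o %s -s %s -j ZONE_%s\n' "$ifc" "$WAN" "$subnet" "$name"
    printf 'iptables -A ZONE_%s -j ACCEPT\n' "$name"
    # All outbound connections from this zone share one dedicated public IP.
    printf 'iptables -t nat -A POSTROUTING -s %s -o %s -j SNAT --to-source %s\n' \
        "$subnet" "$WAN" "$natip"
}

# Constructed zone table (name, VLAN, subnet, NAT address); not real customers.
ZONES='cust1 101 10.0.1.0/29 203.0.113.11
cust2 102 10.0.2.0/30 203.0.113.12
cust3 103 10.0.3.0/29 203.0.113.13'

# Emit the complete rule set; adding a zone is one more line in ZONES.
generate() {
    base_rules
    echo "$ZONES" | while read -r name vid subnet natip; do
        zone_rules "$name" "$vid" "$subnet" "$natip"
    done
}

# Sanity check helper: one SNAT rule is expected per zone.
count_snat_rules() { generate | grep -c 'SNAT'; }

generate
```

Pipe the output into sh on the firewall host only after review, or load the equivalent rules through fwbuilder's own policy editor.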

For those of you who responded quickly and usefully, do you have any experience with CheckPoint/Juniper/Fortinet in an environment with multiple protected subnets running on VMware? Simple enough for a NOC monkey to make changes to without breaking anything, assuming he has half a brain and a process in front of him to follow?

I do. Your NOC Monkey reference is your biggest hurdle. What you are asking for is a bit beyond "traditional" so finding something with a pretty interface for a monkey may be tough. CheckPoint will require a fat client. If that is an issue....

-Hammer-


I use Juniper JunOS for just this and it works well. However, I have not used the GUI for configuring it, but the command line is very usable.

However, if you have a NOC Monkey, I would be tempted to create your own front end for configuring stuff and have an XML interface to the real boxes.


I might also look at Vyatta. They have appliances or you can run the software on your own hardware.

I just moved most of my network over to Juniper SRX firewalls. They are pretty easy, but having a half-brained NOC guy make firewall changes is a bad idea either way.


You can run pfSense in a VM, and the GUI is rather easy. VLANs are configured as separate interfaces. So once you configure which VLANs are which, your NOC monkey can simply go to the firewall and edit each VLAN's separate firewall rules. The multiple Phase 2 in a single Phase 1 was added in version 1.3, which was never released as a stable release, as all development went to version 2.0. So you will have to run 2.0RC3, but hear me out.

I've been using 2.0 on production networks, and have used quite a few of the features, since November of last year, at which time it was still a snapshot release. I have consistently been updating a VM, a few home-built machines, and our embedded devices in remote offices nearly every week since then. It has never broken anything, ever. I only put it into production once the bugs became minimal enough that they wouldn't bother me. Currently there is only one bug not addressed, and it isn't hard to avoid. http://redmine.pfsense.org/projects/pfsense/issues?query_id=10

Also, it's free, so not hard to try out. Here's the RC3 announcement with download links. http://blog.pfsense.org/?p=589

Normally I would agree with you as far as separate instances; however, this will be in a situation where we pay ridiculous amounts for CPU and memory, so a single instance is what we are shooting for (remember those ridiculous requirements). I am planning to do some further testing with Vyatta and pfSense. Thank you all for the on-list and off-list responses!

Vyatta. They have an appliance on their website.

--Curtis

Hi Blake
Try www.netasq.com

Regards,
Jean CLERY


They don't have a VM yet - coming soon - but you may take a look at Palo Alto Networks. Having just a regular stateful firewall is not a good idea anymore...

Peter Nowak



I would not go with Vyatta if you're doing anything complex. The random bugs I've hit with their software are numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well.

If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an instance per customer (lightweight; they sell a VMware image). Then use dynamic routing to direct traffic to the customer (assign each customer their own ASN, and peer with their instance). So, worst-case scenario, the NOC monkey only breaks one customer's gear.

--
Sargun Dhillon
