On Mon, Jan 24, 2011 at 10:19 PM, Michael Tewner <tew...@gmail.com> wrote:
> 2011/1/24 Hetz Ben Hamo <het...@gmail.com>
>
>> Hi,
>>
>> I was wondering about the following scenario:
>>
>> I have 2 lines coming from 2 carriers, each line is 2 Gbit internet
>> connection. They go to a router, and then there should be a firewall..
>>
>> Here I have 2 choices:
>>
>> 1. Take a Cisco/Fortigate/Juniper/Whatever box, throw it in, configure it,
>> and be done with it, while I need to pay some yearly license for updates.
>> 2. Stick in some serious Linux server that will become the firewall.
>>
>> My question: based on what's available for Linux today (iptables, APF, BFD,
>> you-name-it..) - could Linux be trusted as a very good firewall for a data
>> center (as an example)? (I know that Checkpoint is using Linux, but they
>> wrote some additional closed source modules, and I haven't heard of any
>> alternatives to those modules in an open source version)
>>
>> I have read articles where people swear that a Linux box should suit it,
>> while others highly recommended the appliances..
>>
>> What's your opinion?
>> Hetz
>>
>>
>> _______________________________________________
>> Linux-il mailing list
>> Linux-il@cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>>
>>
> 1. If you ever plan on hitting 2 Gbit on a Cisco, you'll need some
> heavy-duty firewalls (
> http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html )
> running you > $20,000
> 2. On the other hand, I don't know how much you're paying for 2 2Gbit
> links, so "heavy-duty" firewalls might be just a drop in the bucket...
> 3. I would recommend an appropriately scaled firewall appliance
> 4. If you plan to go with Linux, make sure IPtables can actually handle
> that much bandwidth.
>
> -Mike
>

Also - Many firewall appliances come with Active/Active and Active/Passive configurations.
If you roll your own Linux firewall, you'll need to mess with HSRP, VRRP, syncing configurations, syncing open connections, monitoring your connections, and a myriad of other things which a company that specializes in this sort of thing has already solved.

-Mike
_______________________________________________ Linux-il mailing list Linux-il@cs.huji.ac.il http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
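As an added illustration of the "VRRP plus syncing open connections" part of Mike's list (this is editor-added example code, not something posted in the thread), below is the glue that a roll-your-own Linux active/passive pair needs between the VRRP daemon and the connection-tracking replicator: a keepalived notify hook that drives conntrackd on each state transition. It assumes keepalived for VRRP and conntrackd from conntrack-tools for state sync; the script path, the config path and the hook name are assumptions, while the conntrackd control flags (-c, -f, -R, -B, -s, -t, -n) are the ones documented in conntrackd(8) and used by the hook script shipped with conntrack-tools.

```shell
#!/bin/sh
# Added example, not from the mailing list thread: keepalived notify hook that
# makes conntrackd hand the connection table over on VRRP failover.
#
# Wire it up in keepalived.conf (paths are assumptions):
#   notify_master "/etc/conntrackd/vrrp-hook.sh primary"
#   notify_backup "/etc/conntrackd/vrrp-hook.sh backup"
#   notify_fault  "/etc/conntrackd/vrrp-hook.sh fault"
set -u

CONNTRACKD="${CONNTRACKD:-conntrackd}"
CONNTRACKD_CONF="${CONNTRACKD_CONF:-/etc/conntrackd/conntrackd.conf}"

# Every conntrackd control call goes through here so the config path is
# applied uniformly and the binary can be swapped for a stub in tests.
ctd() {
    "$CONNTRACKD" -C "$CONNTRACKD_CONF" "$@"
}

# This node just won the VRRP election and now owns the virtual IPs:
# load the flows replicated from the old primary into the kernel table,
# then rebuild our own view and push it to whoever is backup now.
become_primary() {
    ctd -c &&   # commit the external cache (peer's flows) into the kernel
    ctd -f &&   # flush internal and external caches
    ctd -R &&   # resync the internal cache from the kernel table
    ctd -B      # send a bulk update to the replicas
}

# This node lost (or never held) the virtual IPs: age out stale kernel
# entries and ask the new primary for a fresh copy of its table.
become_backup() {
    ctd -s >/dev/null 2>&1 || return 1   # conntrackd must be alive to sync
    ctd -t &&   # shorten timers of now-stale kernel entries
    ctd -n      # request a full resync from the primary
}

# Interface or tracked-script failure: keep the daemon, just age out state.
become_fault() {
    ctd -t
}

# Map the keepalived transition name to the matching conntrackd sequence.
vrrp_transition() {
    case "$1" in
        primary|MASTER) become_primary ;;
        backup|BACKUP)  become_backup ;;
        fault|FAULT)    become_fault ;;
        *) echo "usage: $0 {primary|backup|fault}" >&2; return 2 ;;
    esac
}

if [ -n "${1:-}" ]; then
    vrrp_transition "$1"
fi
```

VRRP itself only moves the floating addresses; without the -c/-B half of this hook the new primary would start with an empty conntrack table and drop every established flow as INVALID. Configuration sync, link monitoring and the dedicated sync interface that conntrackd needs are still left to you, which is the point Mike is making about what the appliance vendors have already solved.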