On Tue, Jan 25, 2011 at 12:46 AM, Hetz Ben Hamo <het...@gmail.com> wrote:
> Hi Michael,
>
>> 1. If you ever plan on hitting 2 Gbit on a Cisco, you'll need some
>> heavy-duty firewalls (
>> http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html )
>> running you > $20,000
>
> 4 Gbit, not 2 :)

Sorry - Assumed those were 2 links for failover.

>> 2. On the other hand, I don't know how much you're paying for 2 2Gbit
>> links, so "heavy-duty" firewalls might be just a drop in the bucket...
>
> $20k a drop in a bucket? how much you really think the cost of 2X2Gbit
> cost? not that much ;)

2X2Gbit _reliable_ symmetric bandwidth from a Tier IV datacenter? That would
cover the $20k within 2-3 months - at least in my experience.

I would sooner get the datacenter to give me 2 separate IP downlinks, each
with the required bandwidth, from their routing mesh (covering the same IP
space) and have them manage the failover for me (at least on the uplink side.
Some switching magic required here, again, by the datacenter). You'll end up
with the redundancy of the datacenter (who probably have multiple carriers
through opposite ends of the building) and paying for just one link instead
of two. Again, don't reinvent the wheel.

>> 3. I would recommend an appropriately scaled firewall appliance
>
> There used to be a time where you could buy a firewall, do some updates
> periodically and be done with it. Today it's more about contracts. You buy
> the boxes, you pay a contractor to do the job for you (if you don't know how
> to do this), and then there's this yearly update service which costs you an
> arm and a leg and if something goes wrong with the vendor, you're left with
> an expensive brick. See my post here <http://benhamo.org/wp/?p=2256> for
> example.

I work mostly with Cisco - It's pretty intuitive and upgrades are pretty
painless. While Cisco might not be as reliable (as far as "vendor" support)
as Linux, I have faith that Cisco will be around for at least the life of my
firewalls.
Yes, again, you would want support contracts for the Ciscos, but:
1. You might want to get RedHat/your-favorite-distribution support for
   software stability of such a critical piece of your network
2. You would definitely need hardware support anyway on your Linux servers

>> 4. If you plan to go with Linux, make sure IPtables can actually handle that
>> much bandwidth.
>
> I will check that. I'll also check pfsense.

As we're already talking about closed-source Cisco FWs in this thread, please
don't lynch me for suggesting: Solaris 11.

<evangelism>
1. Especially the new "flows" feature which will dedicate kernel resource to
   specific "flows" - http://blogs.sun.com/JeffV/entry/virtual_networks
2. IPFilter was added in Solaris 10, and expanded in Solaris 11:
   http://www.homepage.montana.edu/~unixuser/031705/create_solaris_ipf.html
3. Solaris comes with a built-in L3/L4 load balancer, should you need it:
   http://www.oracle.com/technetwork/articles/servers-storage-admin/solaris11enetwork-186212.pdf
4. And finally, on the correct hardware - 10Gbit interfaces support
   _controlled the CPU itself_.
</evangelism>

>> Also -
>>
>> Many firewall appliances come with Active/Active and Active/Passive
>> configurations. If you roll-your-own linux firewall, you'll need to mess
>> with HSRP, VRRP, syncing configurations, syncing open connections,
>> monitoring your connections, and a myriad of other things which a company
>> who specializes in this sort of thing has already solved.
>
> True, but when the cisco/other boxed solution costs $20K, it might be a
> better idea to look for alternatives, maybe a distribution which has this or
> a solution that is based on Linux and has this solution covered. 2 HP G6
> servers with dual Xeon costs about $6k which can handle this traffic easily,
> and if I add a contractor+solution costs, I could go about $10k, that 50%
> from Cisco offer..

Correct - The Open-Source solution is generally going to be less expensive.
But unless you get enterprise support (which you did not include in your
estimate), YOU will be providing the enterprise support. Make sure that
assuring 99.999% uptime to your customers is something you are able to
provide (if required/possible) and work out how much of *your* resources will
be taken up writing all those failover scripts, testing them ad nauseam on
your identical LAB environment, etc.

I'm not saying not to go with Linux - just offering alternatives.

Good luck!

> Hetz

-Mike
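As an added example (not part of the thread, and not Mike's or Hetz's code), the "syncing open connections" item in the roll-your-own failover list above is the part conntrackd handles when a keepalived VRRP transition drives it; the hook below is constructed here and assumes keepalived calls it via `notify /usr/local/bin/fw-notify.sh` and that conntrackd is already configured for sync with the peer firewall (paths are assumptions).

```shell
#!/bin/sh
# Constructed keepalived notify hook: keeps conntrackd's replicated connection
# table in step with VRRP state changes on a two-node Linux firewall pair.
# keepalived invokes it as:  fw-notify.sh <INSTANCE|GROUP> <name> <MASTER|BACKUP|FAULT>
# (configured with `notify /usr/local/bin/fw-notify.sh` in the vrrp_instance).
# Paths below are assumptions; adjust to the distribution's layout.

CONNTRACKD=${CONNTRACKD:-/usr/sbin/conntrackd}
CONNTRACKD_CONF=${CONNTRACKD_CONF:-/etc/conntrackd/conntrackd.conf}

# Map a VRRP state to the ordered list of conntrackd actions it requires.
# Echoes one option per line; returns 1 for a state keepalived never sends.
conntrackd_steps() {
    case "$1" in
        MASTER)
            # -c commit the peer's replicated entries into this kernel's table,
            # -f flush the internal cache, -R resync it from the kernel,
            # -B send a bulk update so the new backup starts from our state
            printf '%s\n' -c -f -R -B ;;
        BACKUP|FAULT)
            # -t reset kernel timers on committed entries so stale flows expire,
            # -n ask the new master for a full resync
            printf '%s\n' -t -n ;;
        *)
            return 1 ;;
    esac
}

# Run the steps for the state in $3, logging the transition to syslog.
fw_notify() {
    inst=$2 state=$3
    steps=$(conntrackd_steps "$state") || {
        logger -t fw-notify "$inst: ignoring unknown VRRP state '$state'"
        return 1
    }
    for opt in $steps; do
        "$CONNTRACKD" -C "$CONNTRACKD_CONF" "$opt" ||
            logger -t fw-notify "$inst: conntrackd $opt failed (rc=$?)"
    done
    logger -t fw-notify "$inst -> $state: conntrackd$(printf ' %s' $steps)"
}

# Act only when called by keepalived with its three arguments, so the file can
# also be sourced to exercise the state mapping on its own.
[ $# -eq 3 ] && fw_notify "$@"
```

The VRRP hello traffic (IP protocol 112 to 224.0.0.18) and the conntrackd sync channel between the two nodes still need to be permitted by the firewall rules themselves, or the pair will flap.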
_______________________________________________
Linux-il mailing list
Linux-il@cs.huji.ac.il
http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il