Webserver firewall advice

I'm just about to colocate a single webserver and I'm looking for some advice on the firewall to buy.

I've got my eyes on these:

Juniper Netscreen SSG 140
or
Cisco ASA5510

They're a similar price range and featureset, I just can't pick. I'm tending towards the Juniper.... but I'm still open to the Cisco and others as well.

As background, it's a single webserver hosting 6 or 7 relatively low-bandwidth websites and an email server. I have a feeling these firewalls might be overkill for the traffic as it is, but I'm planning to buy a second webserver in the coming months along with dedicated email and database servers for sites that are in the process of getting readied and copied. I'm looking for a bit of future proofing with the firewall for when things do grow.

Any advice would be warmly received.
 
i'm a huge fan of the netscreen firewalls, but that's largely because i work with them day in day out and i haven't (yet) got much experience with the cisco firewalls - though that's something i'm working on.

netscreen kit is a doddle to work with, comes with a really decent concepts and examples guide, and can be managed through either a webui, cli, or proper management server (nsm) if you so wish.

hope this helps, and if you have any more specific questions about the netscreen stuff then drop me a line! :)
 
Cheers atomiser, that's good to hear. In particular the fact that it's easy to work with - I've not had much experience with firewalls.

Have you used the SSG 140 itself? One thing I'm still not sure about is all the features it has - I always thought a firewall was just a firewall. This one VPNs, Antiviruses, Antispywares, Anti-keylogs, Anti-spams, URL filters, ISDN's, T1's, E1's.. the list seems to go on.

I'm not sure if I need to pay for all those features - in particular the VPN, ISDN, T1, E1 connectivity (unless I'm mis-interpreting the specs). Have you got any thoughts on this?
 
Can highly recommend the Cisco 5510, great firewall. Also if you're not too handy around IOS then the ASDM has quite a nice look and feel to it over the previous PIX PDM.

I would probably say though the 5510 is overkill for a few webservers. Why not look at the 5505?
 
yeah i've got a pair of ssg 140's in a high-availability environment. i've worked with the baby 5's right up to the isg 2000's.

this is one of the things i like about the netscreens - you get most of the functionality built-in, and the configuration between the different devices is very similar with most of the differences being down to the individual interface configuration on the box itself - for example on the baby 5's you have trust and untrust interfaces (or work and home, dependent upon the port mode) and on the ns25/50's you have ethernet1,2,3 etc, and on the isg's you have a more slot/interface type arrangement.

you get the vpn support built-in, the only differences between the boxes are the amount of tunnel interfaces supported, the crypto supported, and the throughput. oh, and things like ospf limitations come into place if you are doing stuff like hub and spoke vpns with dynamic routing. off the top of my head all the utm (unified threat management) type stuff is done on a subscription basis, so if you want/need it you can subscribe but if you don't then you don't have to!

all the different connectivity methods are supported via expansion cards in the back of the ssg's, again - if you need it you can buy interfaces, if you don't then you don't have to!

i'm guessing, since this sounds like it's a datacentre environment that you're just going to need straight ethernet, which is built right in, so you should probably be good to go - assuming you already have routers/switches in place to handle the internet connectivity side of things and the local side of things for the protected networks.

if you have any other questions or decide to go the juniper route and need any help with the configuration then give me a shout.
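To make the trust/untrust arrangement atomiser describes concrete, here is a constructed ScreenOS-style configuration for the OP's setup (one webserver and one mail server behind the built-in ethernet ports, only the hosted services permitted inbound). It is an added illustration, not configuration from any post in this thread; the interface names, documentation-range addresses, policy ids and the `#` annotation lines (ScreenOS itself has no comment syntax) are all assumptions.

```screenos
# Constructed example: outside interface in the untrust zone (addresses are RFC 5737 ranges)
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/24
# Inside interface in the trust zone, NAT mode so the servers keep private addresses
set interface ethernet0/1 zone trust
set interface ethernet0/1 ip 192.168.10.1/24
set interface ethernet0/1 nat
set route 0.0.0.0/0 interface ethernet0/0 gateway 203.0.113.1
# MIP = static 1:1 mapping of a public address to each internal server
set interface ethernet0/0 mip 203.0.113.10 host 192.168.10.10 netmask 255.255.255.255 vr trust-vr
set interface ethernet0/0 mip 203.0.113.11 host 192.168.10.11 netmask 255.255.255.255 vr trust-vr
# Inbound: only the services actually hosted, each policy logged; anything else hits the default deny
set policy id 1 from untrust to trust any mip(203.0.113.10) http permit log
set policy id 2 from untrust to trust any mip(203.0.113.10) https permit log
set policy id 3 from untrust to trust any mip(203.0.113.11) smtp permit log
# Outbound from the servers: permit and log for now, narrow to dns/ntp/smtp once the traffic is understood
set policy id 10 from trust to untrust any any any permit log
# Management only from the inside, never on the internet-facing interface
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage ssh
set interface ethernet0/1 manage ssh
save
```

Adding the second webserver or database server later is a matter of more MIPs and policies in the same shape, which is the "configuration is very similar across boxes" point made above.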
 
The ones I've been looking at have been around about the £1500 mark - the cisco is slightly cheaper. Cheers Chris for that SonicWall - I haven't heard of them before but I'll check that out too.

Atomiser all that info's great, it sounds like I can't really go wrong with a Juniper. I may well take you up on that configuration help offer if I do go Juniper and I hit any stumbling blocks.
 
NP. I'm opposite to Atomiser - never used NetScreen but have done loads with SonicWall.

The NSA 2400 is the current entry level rackmount (1U) but if you don't need it to rack, you could look at the NSA 240 which comes in around £700 but still offers a good bang/buck factor.
 
there are a couple of versions of the ssg 140's, a baseline and an advanced. the main differences are the amount of memory in the boxes which has an effect on the number of sessions it can handle, which dynamic routing protocols it can support and the number of instances/routes it can handle, the types of high-availability supported, blah blah blah. for £1500 i would suspect you are being flogged the advanced model. you may not need the advanced feature set, so you might get away with a baseline.

i think you really need to think long and hard about the future growth of this environment. you've mentioned that at the moment you only have one server, but in the not too distant future it might grow to two. how much further is it likely to grow? or could there be other environments that you may want to bring online in the future that need to interoperate but may still need to be further segregated.

good advice from others contributing to the thread, but i always like to ensure i have lots of spare capacity on the boxes - but that's largely because i've become accustomed to people saying they want one thing one day and it growing into something completely different another.

that said, like with the other vendors out there, there are smaller capacity netscreen boxes out there - an ssg20, for example. in terms of sizing the box - what sort of network connectivity is required? what size internet pipe is it going to be connected to? how many visitors do you envisage?

another way of looking at it is, does it need to be a brand new unit? there are tons of netscreen 25's or 50's out there on the recon market which would be perfectly capable boxes. bear in mind though, that these won't run screenos 6 if i remember correctly. for what you're doing though, that wouldn't matter. run 5.4.0r10 and it will be rock solid all year long.

just a few things to think about.
 
I'm ideally looking for one that rackmounts in 1U just for peace of mind (I think) more than anything - the thought of having a smaller non-rackmounted key piece of network hardware loose, lying on things in the datacentre fills me with worry.

- I can see my thought pattern that each time the server's down it's because someone's been a bit clumsy and accidentally knocked the firewall off its perch, and it's got unplugged and they don't know where the cables should plug back in.

It's completely irrational and probably sounds ridiculous but I want to rule out as many potential risks as possible - and I'm happy to pay the extra for this peace of mind.

Also, a firewall that can be paired and load-balanced if it requires to be in the future I'm also aiming for - the lower end firewalls, from what I've checked so far, on the whole don't seem to support this. From what I've read the SSG140's do, though have you ever set this up atomiser? This will happen before too long - I guess the question is whether, by the time it does, some better firewall technology will be available which would make it cheaper and easier at that point to go with the new technology. Only in this case would it be worth not spending so much on the firewall now, if this makes any sense. It's a tricky one but at the moment I think I'm leaning towards an SSG 140.
 
there's nowt irrational about your thoughts - you're definitely on the right track. i've seen exactly what you describe happen before.

yeah the ssg140's can be paired and load balanced. i look after a pair of isg2000's and a pair of ssg140's both in active/passive high-availability setups. this is all covered in the concepts and examples guide and is fairly straightforward to setup.

just double check the tech spec between the two versions to make sure they support what you want before ordering.
 
Cheers atomiser, you've been a fountain of knowledge. Just out of interest, what's your dayjob? - I've gathered by now it's network-based but is it specifically internet/datacentre-network-based?
 
SonicWall NSA 2400 supports High Availability as standard. That's running as an Active/Passive setup. There's an optional upgrade (via license key) that enables Active/Passive with Statesync for seamless failover.

Sonic also heavily discount the 2nd firewall unit for HA pairs, though I think you need to buy both at the same time.
 
hmmm i might take a look at the sonicwall stuff as it looks quite feature rich. if you buy the advanced units (netscreen) i'm not aware of any reduction in cost for the second unit, but the second unit is a fully functional box. how does it work in the world of sonicwall? is the second box just licensed for ha, so for example if you wanted to re-use the two firewalls separately later on in their lives, could you? or would you have to re-license the second box as a proper one rather than just one half of a ha pair?

to the op - me, i work for a large public sector organisation where i work with all the network guys looking after the firewall/security side of things. in terms of firewalling i look after a reasonable estate of juniper kit, but i also look after stuff like ssl vpn, rsa securid, juniper radius, mcafee epolicy, patching requirements, connectivity to third party networks, blah blah blah.

give me a shout if you need anything else.
 