
I am searching for a firewall product (appliance or software) for an hosting/housing environment. The biggest problem is that the rules get very complex as more customers are behind the firewall. Some have only one server, others have a whole subnet. Some need NAT, some a VPN endpoint. Some customers want to only allow port http, others ssh as well. So the device needs to be able to support VLANs and it should be possible to group the rules per customer.

Speed is another important point. And being able to manage redundant devices easily.

I am searching for something that doesn't have all the extras like spam filter etc. I was searching a lot on the net but either they had all those extras as well (and with it an overloaded configuration interface) or they missed some of the features I need (e.g. VLAN).

The VPN endpoint is not an important criterion. We were thinking about a separate machine for it.

John Gardeniers
Raffael Luthiger

3 Answers


I think you would have several options, your requirements aren't that high. What serious firewall doesn't support VLAN?

We use an HA setup of Clavister SG32xx. They support grouping of rules, VPN, VLAN and come in different versions depending on licensing (which defines the throughput). The performance ranges from 350Mbit to 1.5Gbit I think.

Their lower range also offers HA but doesn't sync connection-tracking IIRC. It's the SG5x series, with throughput up to 200Mbit. The feature support is technically the same.

You also have products from Checkpoint, Cisco (ASA series) that might be of interest to you, however we chose Clavister mainly because of the ease of administration as well as the impression we got from the company that demonstrated the product to us (and supplies us with support).

jishi
  • Interesting... I never heard of Clavister before. We currently have a Cisco ASA here. But we configure it over CLI because we had some issues with the web interface. And it gets very complex to manage everything over the CLI, that's why we want to replace it. We never looked at Checkpoint till now because we heard that the price tag would be too high. – Raffael Luthiger Mar 14 '10 at 02:14
  • +1 for Cisco ASA. I've never heard of Clavister, so i'd be wary. – Tom O'Connor Mar 14 '10 at 10:20
  • I hear a lot of people having trouble with Cisco, especially when it comes to fixing apparent bugs, as well as administration. – jishi Mar 14 '10 at 11:40
  • This is the main problem with Cisco. Whenever you have a problem you can be sure that your current support contract is not sufficient and you need to buy a better one. :) – Raffael Luthiger Mar 14 '10 at 15:06

Have a look at pfSense. It supports all the features you just listed, is free, open source, well documented, and commercial support is available if you need that. It also supports clustering for seamless failover including all active sessions. And it runs on any x86 hardware so you can size the hardware to your needs easily.

3dinfluence
  • pfSense is more than capable and it doesn't suffer from vendor imposed limitations. And that comes from someone with a Cisco background. – Luis Ventura Mar 14 '10 at 06:37
  • I already used pfSense once. Somehow I got the impression that the management gets a little complex/unclear when you are having many rules and you are using grouping. But maybe I have to check out the newest version. – Raffael Luthiger Mar 14 '10 at 14:56
  • Make sure to check the possibilities for HA setups, and the complexity of those. I think that is one of the areas where proprietary hardware has its benefits. – jishi Mar 15 '10 at 17:22
  • I think that's what the proprietary vendors want you to believe. But surprisingly pfSense + CARP make HA easy to set up. They recommend that you use a dedicated network interface for the pfsync between the units but I believe you can use the LAN interfaces or a virtual VLAN interface if you don't have any other choice. There is a very good HA cluster video tutorial found here: http://pfsense.basis06.com/download/tutorials/carp/carp-cluster-new.htm on how to set up a HA cluster. There's also chapter 20 in the pfSense book which covers the topic in depth as well as some howtos on the wiki. – 3dinfluence Mar 15 '10 at 17:47
  • But I would add this. pfSense doesn't support grouping the firewall rules. It lets you move multiple rules around at a time but doesn't allow you to group them. A feature I wish it had as well. So if you're managing large rule sets or lots of virtual interfaces (VLANs) the current interface may be a bit clumsy. – 3dinfluence Mar 15 '10 at 19:00
  • @3dinfluence: I had exactly the same impression about VLANs and large rule sets. I take now jishi's answer as the accepted answer. But pfsense could be a good option too. – Raffael Luthiger Mar 16 '10 at 00:29
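The commenters above describe two things the pfSense GUI organises by interface tab rather than by customer: per-customer rule grouping and the CARP/pfsync pair. The pf.conf fragment below is an added illustration (not from this thread and not pfSense's generated ruleset) of how the underlying pf packet filter expresses both with named anchors on VLAN sub-interfaces; it assumes a plain FreeBSD or OpenBSD pf host, and every interface name and address is a constructed example from the RFC 5737 documentation ranges.

```conf
# Constructed example: per-customer anchors on VLAN sub-interfaces plus
# CARP/pfsync for an HA pair. Interface names and addresses are assumptions.
ext_if     = "em0"              # uplink to the provider
sync_if    = "em2"              # dedicated pfsync link between the two nodes
cust_a_if  = "vlan10"           # customer A: a single server
cust_b_if  = "vlan20"           # customer B: a whole subnet
cust_a_srv = "203.0.113.10"
cust_b_net = "198.51.100.0/24"

set skip on lo0
# Default state policy is floating, so a state created by "pass in" on the
# uplink also matches the reply and the forwarded packet on the VLAN side.

# HA plumbing first: CARP on every shared segment, pfsync only on its own link.
# (no-sync) keeps these states local so they are not replicated to the peer.
pass quick on $sync_if proto pfsync keep state (no-sync)
pass quick on { $ext_if $cust_a_if $cust_b_if } proto carp keep state (no-sync)

# Default deny; everything else is opened per customer below.
block log all

# Customer A: HTTP only. The anchor is the "group": its rules can be listed
# or reloaded on their own with
#   pfctl -a customerA -s rules
#   pfctl -a customerA -f /etc/pf.d/customerA.conf
anchor "customerA" in on $ext_if {
  pass proto tcp to $cust_a_srv port 80 keep state
}

# Customer B: HTTP and SSH to the whole subnet.
anchor "customerB" in on $ext_if {
  pass proto tcp to $cust_b_net port { 80 22 } keep state
}

# Customers may initiate outbound connections through the uplink.
pass out on $ext_if keep state
```

Adding a customer then means adding one anchor and one VLAN sub-interface, and `pfctl -a customerA -s states` shows only that customer's sessions when troubleshooting.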

I recommend the FortiGate series by Fortinet. We had good experience with them. They support firewalling with grouping, VPN (SSL and IPsec), VLAN, HA. You can do some weighted load balancing on your hosts, and they also support VDOM, allowing you to offer virtual appliances and control to your guests and clients.

The licensing model is simple: each model of FortiGate has the same software features, only the hardware capabilities and options change. And you don't have to pay an arm and a leg to be able to use VPN, it just works, with any number of clients you need.

edomaur
  • We evaluated FortiGate as well, and got a good impression of the product. We only ruled them out since we didn't get an equally good impression of the sales company. – jishi Mar 14 '10 at 11:43
  • OK. Good to know. I heard several times of them but never looked into their product that well. I was looking at their FortiWeb products a little because they would be tailored to what we are searching for. But then I don't know how good they are when it is not about "web traffic" (like e.g. RDP traffic etc.) – Raffael Luthiger Mar 14 '10 at 15:03
  • @Raffael: FortiGate are, IMHO, their best products. Fact is that we sell those so I'm probably a bit biased... But we chose Fortinet for some reasons too :-) – edomaur Mar 14 '10 at 15:21
  • I like my FortiGate as well but I have had so many FTP related issues with their 4.x firmwares that I can't currently recommend them. In fact we will probably replace the box with pfSense once our support contract is up as I'm tired of dealing with their quality control issues. – 3dinfluence Mar 14 '10 at 18:17