Decent Datacenter Firewall Advice needed pls

rec0d3

What's a good firewall to be used within a datacenter? I have four servers at the moment and I'd like to add some sort of appliance. Best advice please. Minimal cost as well haha. Thanks!
 
No specific recommendations.
Current bandwidth?
Projected bandwidth?
Do you need VPN? (A lot of firewall appliances can serve as a VPN server)
Any need for web filtering?
Any need for public access? (web server, etc)
Some appliances can be a DHCP server and/or Time server.

Be sure to check service/maintenance agreement costs before buying.
 
I don't know how much bandwidth your external WAN is, but with only 4 servers, you may want to just put them behind a pfSense. Inexpensive desktops can handle gigabit throughput easily.
 
As others have said more information is needed to make a complete recommendation. That said, Fortinet would be a solid vendor as they have a product lineup that spans from ultra small to carrier sized and allow you to license the feature set you need. When comparing enterprise quality vendors they will generally be the lowest cost vendor at all feature/performance levels.
 
I would consider Sophos if you don't see your footprint growing too much. If you do think it's going to grow then Palo or Checkpoint would be the two I'd consider. Like others have said, without additional detail it's hard to recommend. All three of these could be overkill. If anything you should right-size the appliance for your workload today and for the future.
 
Very well. I will add more detail here.

I am just hosting a bunch of servers. 4 to be exact. All Virtualizor. I decided to host some friends who all pay in to host all of this. It's well covered in terms of funds. We found a decent datacenter who was cool to hook us up even with unlimited bandwidth. So, we utilize it! We need more security though. A firewall would be great. I'd rather not go virtual. Right now, iDRAC is exposed, etc. I am going to turn it off.

So, all Virtualizor for VPS'. In two VPS' there is cPanel. One Plesk server. A few file sharing servers. Etc.

All my ips are in blocks. I have a few blocks of /28.

Believe I have around 50 something total? Give or take.

Edit: I would like VPN access to firewall. Web filtering is not required.

Hit me. Be kind. Thank you.
 
Are you looking for any proactive or next-gen FW blocking, or just strictly basic in and out rules with VPN? Are you technical and comfortable with Linux? pfSense would be good. If not, Palo Alto allows you to manage NAT rules, and subscriptions like VPN you can buy individually. What throughput do you need to manage, as that's going to dictate what size box you need to buy. Look at the PA-220 or an 820 for other connections besides copper.
 
Your description so far leaves out the most critical factor. What kind of bandwidth? Most, if not all, business-class firewalls include VPN in the basic bundle. It really boils down to what features at what speed. If you're expecting 1Gbps with full-blown DPI and TLS decrypt, expect to spend a lot. If you're talking <400Mbps the cost goes down dramatically. I will add that if you aren't going to do TLS decrypt, just go buy some cheap consumer-class firewall from BestBuy. You will be wasting your money otherwise and you'll get the same protection, none. These days almost everything is encrypted and if you're not inspecting the data you're basically wasting your time.
 
Microsoft can sell you life time virus tech support and firewall to stop the hackers in netstat for 500 dollar ma'am.
 
Do you need a NGFW? If so there are annual subscription prices for AV/IPS/Threat, etc but they are much better than just a stateful inspection firewall. That being said, most modern firewalls these days offer the option. If you want a real Enterprise firewall, then Palo Alto, CheckPoint, Cisco Firepower (yuck) and Fortinet are the main options. One tier down is Meraki, Sonicwall, Watchguard & Sophos. Something down from there outside of a NGFW is pfSense or an older Cisco ASA.

Any of them work; all of them work. It depends on the features you want. They all support some kind of VPN client. If minimal cost is what you are after, and depending on whether you even know anything about firewalls, I'd say Sonicwall might be a good fit. Just don't buy the bottom model of any product.
 
NGFW is pfSense

I was under the impression that pfSense can be used as an NGFW, but you'll need to be sourcing paid signature updates for the various modules responsible for the functionality needed.

Another one I'd add to the list would be Untangle, but that's perhaps a step too far toward the SOHO space -- at the same time, it's probably the easiest to manage.
 
I was under the impression that pfSense can be used as an NGFW, but you'll need to be sourcing paid signature updates for the various modules responsible for the functionality needed.

Another one I'd add to the list would be Untangle, but that's perhaps a step too far toward the SOHO space -- at the same time, it's probably the easiest to manage.

I run pfSense at home and I wouldn't call it a NGFW, especially after working with all the firewalls I mentioned.
 
Based on the way the question is phrased, I would suggest that you choose a firewall that is simple and straightforward to implement and manage, and cheap. You and your buddies with 4 servers are gonna choke when you get pricing on a Palo Alto or Check Point appliance with support (even a small one)...and you need support, or you can't get patches etc. If I were doing this right now, I'd build a 2U computer with at least 3 interfaces (inside, outside, OOB) and run OPNsense on it. You can build the hardware for this box for super cheap, and end up with an easy-to-maintain box that is fully featured and simple to use. There is plenty of online documentation and help in various forums, and best of all, the developers there have a solid history of releasing reliable, not-buggy distros.

Good luck!
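To make the three-interface layout above concrete, here is a minimal pf-style ruleset for an OPNsense box in that role. This is an added example, not the poster's or the OPNsense project's configuration; the interface names (igb0-2, ovpns1), the VPN port and all addresses are assumptions, and the /28s use RFC 5737 documentation space in place of the real blocks.

```pf
# Assumed interface names: igb0 outside, igb1 inside (Virtualizor hosts and VPS /28s),
# igb2 out-of-band (iDRAC/BMC ports only), ovpns1 the firewall's own OpenVPN server.
ext_if = "igb0"
int_if = "igb1"
oob_if = "igb2"
vpn_if = "ovpns1"

public_blocks = "{ 203.0.113.0/28, 203.0.113.16/28 }"  # assumed stand-ins for the VPS blocks
oob_net       = "10.99.0.0/24"                          # assumed private BMC network, default route via firewall
vpn_net       = "10.98.0.0/24"                          # assumed pool handed to VPN clients
vpn_port      = "1194"                                  # assumed OpenVPN listener port

set skip on lo0
set block-policy drop

# Default deny in both directions, logged, so anything not matched below shows up in the logs.
block log all

# Drop packets whose source address does not belong on the interface they arrived on.
antispoof quick for { $ext_if $int_if $oob_if }

# The firewall itself may reach out (DNS, NTP, package updates).
pass out quick on $ext_if inet from ($ext_if) keep state

# The only service the firewall exposes to the Internet is the VPN listener.
pass in quick on $ext_if proto udp from any to ($ext_if) port $vpn_port keep state

# Public services on the VPS blocks: only the ports the hosted sites actually need.
pass in on $ext_if proto tcp from any to $public_blocks port { 80, 443 } keep state

# Hosted VPSs may reach the Internet but may never talk to the BMC network directly.
pass in on $int_if inet from $public_blocks to ! $oob_net keep state

# iDRAC / BMC web consoles are reachable from authenticated VPN clients only,
# which removes the exposed-iDRAC problem described earlier in the thread.
pass in on $vpn_if proto tcp from $vpn_net to $oob_net port 443 keep state

# Forwarded traffic leaves on the far interface once an inbound rule above admitted it;
# the inbound rules are the policy, this just completes the path.
pass out on { $int_if $oob_if } keep state
```

Anything from the Internet to the OOB network, or from a VPS to a BMC, falls through to the logged default block, so the firewall log doubles as the place to spot such attempts.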
 
I run pfSense at home and I wouldn't call it a NGFW, especially after working with all the firewalls I mentioned.

Yeah, that's definitely more according to the theoretical definition; obviously if pfSense meets that, it's mostly by checking boxes rather than delivering.

But at the same time, that base functionality, properly configured and kitted, may be enough.

I'd definitely want something more fit to purpose if enterprise assets are involved too.
 
The cheapest would be a used Cisco ASA. FortiGate steps it up to AV/antimalware protection, web filtering etc... and is fairly affordable. And if you can afford it, Palos are great but the annual subscription will cost you. All of them do VPN.
 