Firewall for a web farm

Hi William,

You may wish to investigate the "Firewall" category of the Cisco Product Advisor.
Sincerely,

Brad Reese
BradReese.Com Cisco Resource Center
Toll Free: 877-549-2680
International: 828-277-7272

Reply to
BradReeseCom

Greetings

Have a small group of servers mostly configured to serve http requests.

I'm looking for recommendations for a firewall to sit in front of them. Traffic peaks at just under 2Mbps so far.

The current firewall appears[1] to be having some difficulty keeping up with the requests under load. Stress tests performed locally confirm the servers are more than adequately specified for the task.

[1] Haven't yet isolated the network feed as the source of the problems.
Reply to
William Tasso

You need to identify how many concurrent sessions are being initiated across your firewall before you make a blind decision. If you just run out and buy a firewall you're gonna likely get yourself into a situation where your session count is the problem and not the bandwidth. Also consider something that is definitely a true security device but doesn't have to have the complexity that some vendors like to incorporate into their firewalls. Security and the devices themselves do not have to be a stumbling block to good management. I would tell you to review and demo a NetScreen firewall first, then look at a PIX; after that it just goes downhill. Whatever you do, stay away from SonicWALL unless you're a sadist and enjoy terrible products.

Reply to
Munpe Q
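To put numbers behind the "count your sessions before you buy" advice above, here is an added example (not from anyone in this thread) that tallies concurrent TCP sessions per state from constructed `ss -tan`-style output, then sizes the firewall's session table with Little's law (concurrent sessions ≈ new connections per second × mean session lifetime). The sample output, the rate and the lifetime values are all made up for illustration.

```python
"""Count concurrent sessions per TCP state and estimate how large a
firewall's session table must be for a web farm."""
import math
from collections import Counter

# Constructed sample in the layout of `ss -tan` (not a real capture).
# Run on each web server and summed, this approximates what the
# firewall in front of the farm has to track.
SAMPLE_SS = """\
State      Recv-Q Send-Q Local Address:Port  Peer Address:Port
ESTAB      0      0      10.0.0.5:80         198.51.100.7:51234
ESTAB      0      0      10.0.0.5:80         198.51.100.8:40001
SYN-RECV   0      0      10.0.0.5:80         203.0.113.9:33011
TIME-WAIT  0      0      10.0.0.5:80         198.51.100.7:51200
TIME-WAIT  0      0      10.0.0.6:80         198.51.100.9:51201
ESTAB      0      0      10.0.0.6:443        203.0.113.2:60444
LISTEN     0      128    0.0.0.0:80          0.0.0.0:*
"""


def count_sessions(ss_output: str) -> Counter:
    """Return a Counter of TCP states, skipping the header and LISTEN sockets."""
    counts: Counter = Counter()
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if not fields or fields[0] == "LISTEN":
            continue
        counts[fields[0]] += 1
    return counts


def sessions_through_firewall(counts: Counter) -> int:
    """Slots the firewall needs right now: established, half-open (SYN-RECV)
    and TIME-WAIT entries all occupy a session-table entry until they age out."""
    return sum(counts.values())


def required_table_size(new_conn_per_sec: float, avg_lifetime_s: float,
                        headroom: float = 2.0) -> int:
    """Little's law sizing: arrival rate x mean lifetime, times a headroom
    factor for bursts. Lifetime must include the firewall's TIME-WAIT hold."""
    return math.ceil(new_conn_per_sec * avg_lifetime_s * headroom)


if __name__ == "__main__":
    states = count_sessions(SAMPLE_SS)
    print(dict(states), "in table now:", sessions_through_firewall(states))
    # Hypothetical: 500 new connections/s, 60 s lifetime incl. TIME-WAIT
    print("session table needed:", required_table_size(500, 60))
```

Note that bandwidth never enters the sizing; a farm at 2 Mbps of small HTTP requests can exhaust a session table long before it saturates the link.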

William, if you are protecting web servers and your web applications have access to sensitive data then you will want to look at the Covelight Percept product. A good firewall that can handle the traffic is important, but you might need to worry about the traffic that you are allowing into your web servers. Percept is a passive device and will not impact the performance of your network. Don't be the next headline about sensitive data being compromised through your web application.

-------------------------------------------------------------
Covelight Systems

Protecting the privacy, integrity and confidentiality of your critical web-enabled information.

Reply to
Covelight

Really? I LOVE mine. I have a bunch of Pro 200s and SOHO3s deployed. There are some issues with those, and Sonic is not actively doing fixes/updates for them anymore it seems. But they work well enough.

However, their Gen4 stuff is just the best I have seen.

I have a Pro 4060 with the latest SonicOS Enhanced which just ROCKS, IMO. Fast, stable, and VERY flexible configuration options. The NATting capabilities are just so damn flexible and are just awesome. VLAN support with different firewall policies for each VLAN, 802.1p and DiffServ (and the ability to map between the two), OSPF...

Reply to
T. Sean Weintz

"Whatever you do, stay away from SonicWALL unless you're a sadist and enjoy terrible products."

Huh? Why, and what are you talking about? I would really enjoy reading some specifics. Their Gen 4 stuff is just great.

Reply to
Ghostmagic

I was one of a few folks who had a 5060 in production; I have customers who have insisted on using the 3060 and 4060 with a combination of configurations such as HA and load balancing T1's. I was able to (I say -was- because I ripped the 5060 out and replaced it with a more stable firewall) lock up the 5060 by connecting to a web server on the same security zone using the public address, and yes, the 'SonicWALL way' of handling traffic back across to the same security zone is terrible. So now let's talk about HA and routing protocols. HA is not truly HA: they do not maintain session state, and cannot handle upstream routing protocols such as HSRP very well, or I should say barely, and I have seen issues with that, and that again is dependent on the devices doing HSRP. And lastly on my rant is load balancing T1's on top of the cloud based content management. Brings the firewall to its knees when it fails over to another WAN interface using content filtering, and then when the primary T1 comes back up, nada. SonicWALL has a long way to go to catch up and do some real freakin' enterprise level stuff.

Reply to
Munpe Q

Munpe Q wrote: "And lastly on my rant is load balancing T1's on top of the cloud"

Hmm... my 4060 sure does not have that problem. Pops back from failover to the other interface no problem.

In fact, yesterday we had problems with the pairs coming into the building (some of the local ILECs' wiring here is over 100 years old! For real!) and the thing had to fail over like five or six times. I'm the only one that noticed. It handled it without a single hiccup. That's WITH content filtering.

As far as being able to lock up the 5060 by connecting to a web server on the same security zone using the public address goes, I have had no problems either. I do that all the time, and in fact am dependent on that working well. No problems. There ARE problems if you don't set up the NAT rules to do that correctly, though. You can't just assume it's gonna route back from the NATted public address properly; you need to NAT back IN, using the Sonic's LAN address. They have a knowledge base document about that somewhere.

As far as HSRP, since that's a proprietary Cisco thing, whaddya expect? If you want to run Cisco proprietary stuff, stick with Cisco.

As far as HA goes, I didn't expect that it saved ANY state at all, up or downstream.

Reply to
T. Sean Weintz

I agree. I love the gen 4 stuff.

Reply to
T. Sean Weintz

Yes, these are public facing web servers handling many thousands of connections every day.

Reply to
William Tasso

All of this I have done as well, and it doesn't work. SonicWALL has been working on us hard to try to get a piece of our firewall sales, and the reps have admitted they have a long way to go and have been paraphrased as saying "stick with us because it's going to get better." How about not having a freakin' CLI? Being stuck with a stupid a$$ web UI is not acceptable.

Congratulations on having CF working, I'm happy for you. Dumb.

And as for your comment on translating it back in as the LAN interface, how absolutely retarded is this? Thanks for translating that so that if I wanted to review logs or troubleshoot something I can't do it effectively because everything is translated to the LAN interface, freakin' stupid. And yeah, I've read the stupid 'KB' article, and was even sent it from T3 engineers over there that we were working with. Still not impressed. Out of the box, I can do this with a NetScreen without ANY special configuration (the ALG handles that for me as it should) and WITHOUT having to translate the address; that's just a function that should be inherent, not prohibitive, which the entire SonicOS 'Enhanced' (pfft) is.

"As far as HSRP, since that's a proprietary Cisco thing, whaddya expect? If you want to run Cisco proprietary stuff, stick with Cisco."

This is just a stupid comment; how are you supposed to control what a colo runs for redundant protocols when deploying SonicWALL? Come on man, you gotta think out of the box. The same problem should be expected using VRRP.

"As far as HA goes, I didn't expect that it saved ANY state at all, up or downstream."

Then it's apparent that it's NEVER occurred to you that other vendors can do this on some of the simplest as well as highest end devices, and it's also apparent that you have never considered maintaining session state for simple tasks, i.e. firewall maintenance without interfering with traffic, zero down time; not the case with SonicWALL.

Basically, every time I get someone like you trying to get me to like SonicWALL, I can always tell that they never want to do anything interesting with their traffic and are not on a level of true engineering (which would require granular control over the entire box), and which requires more than the average freakin', and might I add horribly performing, WebUI can provide. And as well, the people that choose SonicWALL never do proper due diligence or a serious roundup between devices but rather say, "Oh look, I can fill my rack with this crap and not be expected to do much because the crap I chose -can't- do much." Whatever, this crap is the same ol' rhetoric of lazy firewall administrators and retarded resellers who are not considering the proper solution but rather what they can pimp out and push boxes out the door.

Reply to
Munpe Q

Wow... hmmm.... Munpe Q, I'm curious: if, in your opinion, SonicWALL's products are so inferior, bad for your network, don't work, etc., why do you keep using them? Seriously, why?

Reply to
Ghostmagic
