
When it comes to commercial, hardware based firewalls, I along with
many others on the list, like the Juniper Netscreen product.   They
really make sense if you're looking for an all-in-one, unified threat
management (UTM) solution, as their product is mature and reasonably
priced.  Unless your department has other Unix/*BSD to maintain
outside of the firewall, and a commitment to keeping such expertise,
an appliance is probably a more cost effective and secure solution.
Saving a small chunk on hardware upfront may not counter the costs of
maintaining a new platform, training and/or hiring other, backup staff
that not only have the expertise of your other technology, but
additionally a new OS and the firewall itself, etc.  With any firewall
product, if you don't fully understand it, you potentially jeopardize
the security you are trying to achieve.   And if you need reliability
and performance, you may not save money building it yourself.

Forewarnings aside, if *BSD is an expertise your department has and
will continue to invest in, a PC-based firewall isn't necessarily a
bad choice.  Software offers you a lot of flexibility in developing
security solutions.   You can also achieve the reliability and
performance of an appliance if done properly.  Hardware-wise, I would
look to get a reasonably fast FSB and PCI bus for both of the traffic
network cards.  Invest in decent network cards with reliable and fast
chipsets, to avoid pushing basic ops to the OS/CPU.  The management
bus/card isn't as critical. Use solid state harddrives to reduce
moving parts, and mirror the boot disks for redundancy.   I don't
think having the fastest CPU is as critical, because they usually come
with additional heat and thus reliability concerns.  Usually it's other
components that slow things down anyway.

Hope this helps,
dpk

On Wed, Mar 5, 2008 at 6:42 AM, Eric Weston <[log in to unmask]> wrote:
> I'm collecting opinions regarding hardware to use for a firewall. If you
>  are interested in weighing in on this subject, I'm interested to hear
>  your ideas.
>
>  The hypothetical firewall is a purpose built OpenBSD box running OpenBSD
>  Packet Filter (pf), on a box that bridges the outside world to a
>  protected network of approximately 1000 nodes. The box needs to have a
>  network interface for administrative access via ssh, and two
>  high-throughput network interfaces to provide the "bridge" from the
>  protected network to the internet.
>
>  Given this general scenario, what sort of box might you purchase and/or
>  assemble for this purpose? What elements would you consider critical?
>  (architecture, interfaces, harddrive or alternative, CPU, etc..)
>
>
>    Thanks,
>                 Eric Weston, Libraries
>
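A pf.conf sketch of the layout Eric describes (two address-less bridge members plus a separate management interface reachable by ssh), added here as an illustration and not taken from either message in the thread. The interface names em0/em1/em2, the address ranges, the admin hosts and the <public_web> table are all assumptions chosen for the example:

```pf
# /etc/pf.conf for a transparent bridging firewall (added example, not
# from the original thread).  Assumed layout:
#   em0 = Internet-facing bridge member (no IP address)
#   em1 = protected-network-facing bridge member (no IP address)
#   em2 = management interface, the only one with an IP address
# The bridge itself comes from /etc/hostname.bridge0 containing
#   add em0
#   add em1
#   up
# and /etc/hostname.em0 and /etc/hostname.em1 each containing just "up".

ext_if        = "em0"
int_if        = "em1"
mgmt_if       = "em2"
protected_net = "203.0.113.0/24"              # hypothetical protected network
admin_hosts   = "{ 192.0.2.10 192.0.2.11 }"   # hypothetical admin jump hosts

# Hosts inside the protected network that the Internet may reach (hypothetical)
table <public_web> { 203.0.113.80 }

set skip on lo0
set block-policy drop

# Default deny on every interface, logged so pflog0 shows what is dropped.
block log all

# --- Management interface ---------------------------------------------------
# Only the admin hosts may ssh to the firewall, and only via the management
# interface.  The state entry takes care of the replies.
pass in on $mgmt_if inet proto tcp from $admin_hosts to ($mgmt_if) port ssh

# Let the firewall itself reach out (ntp, syslog, package mirrors) via mgmt.
pass out on $mgmt_if inet from ($mgmt_if)

# --- Bridge members ---------------------------------------------------------
# The members carry no address, so filtering happens on em0/em1, never on
# bridge0.  Make the decision on the "in" side only: whatever was admitted
# on one member is delivered out the other.
pass out quick on { $ext_if $int_if }

# Protected hosts may initiate anything towards the Internet.  A packet
# arriving on $int_if with a foreign source address (spoofing, mis-plugged
# cable) matches nothing here and falls through to "block log all".
pass in on $int_if inet from $protected_net to any

# From the Internet, only web traffic to the published hosts is admitted.
pass in on $ext_if inet proto tcp to <public_web> port { 80 443 }
```

Check the syntax before loading it (`pfctl -nf /etc/pf.conf`), load with `pfctl -f /etc/pf.conf`, and watch what the default-deny rule is dropping with `tcpdump -n -e -ttt -i pflog0`. The single-sided filtering only works because OpenBSD's default is `set state-policy floating`, so a state created by a packet entering on em1 also matches the reply entering on em0; with `if-bound` states you would need matching pass rules on both members. Note also that the `hostname.bridge0` form above is the current one; OpenBSD releases of the era of this thread configured bridges in `/etc/bridgename.bridge0` with brconfig(8) instead.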