Router for .......


Mr.Guvernment
03-19-07, 04:26 PM
:)


Our company is moving some hosting to a dedicated center.

We will be running off a 10MB line up to 100MB pending how our traffic is.

We will be hosting about 4 websites, one with a file download that during about 4-5 days a month will easily have 200 people at once downloading an update.

The peak number of uniques the one site gets is about max 3000 a day for about 4-5 days a month; other than that it is lower.... around 500 a day


We need to purchase a new router / firewall for this setup, about 5 computers, 3 front end, 2 hiding in the back with databases.

I figure

router /firewall ---> gigabyte switch ---> servers

Any suggestions? Price around $1500 or lower would be ideal. WatchGuard? Cisco?

Cheator
03-19-07, 10:22 PM
I'd go with a Cisco for about that price, but I am partial to them. What about using a software router with a beefy machine? That will handle WAY more load. I would recommend a solid state hard drive though, or lots of RAM.

fUzZ bUnNy
03-20-07, 01:14 AM
I would go Cisco too, but the ASA series that would be scalable and get the firewalling job done is probably going to cost closer to $2000. The reason I say that is because I think you are going to want to VLAN your webserver off of your trusted network and allow it to connect to the database. You also probably want packet inspection and QoS, which I don't believe a Cisco 1841 will do (someone correct me if I am wrong).

So that probably isn't going to work because you are on a budget.

I would spend $400 on a good HP ProCurve 24 port 10/100/1000 switch and build a firewall. A good open source firewall/router is http://pfsense.com. I recommend it if you can't afford to go Cisco because you should be able to get your 100Mb throughput with a low-end P4 / high-end P3 with 384 MB RAM, and a couple of Intel Server NICs (10/100) will work fine. It also allows for 802.1Q and QoS so that you can VLAN or add NICs etc. Smoothwall / IPCop do not allow for VLANning out of the box (I am sure that you could patch the kernel to do it, but if a mistake is made, it could jeopardize the integrity of the firewall).

The cool thing is that a nicer switch will allow you to run 802.1ad so that you can trunk your NICs together between the database and the webserver for high throughput.

Finally, I would think with only 200 users over 4-5 days uploading a 1 MB file from your network, that a 10 Mb connection would work fine. You could probably save some money by going with a 5 Mb and achieve acceptable throughput.

Mr.Guvernment
03-20-07, 02:42 AM
Our main offices suggest Juniper, or even WatchGuard. WatchGuard seems to be simple for setting up and powerful, but I don't like the yearly subscription payments you seem to need.

I have seen some for around $1500. I tried doing pfSense on a smaller box for our office but had some issues with it, and this is going to be hosting our company's web site and such.... Is pfSense really that solid and reliable to put to use in a corporate e-commerce environment? My boss is a Linux freak, or thinks he is, but I think has a lot to learn to have a reliable firewall for protecting customer data....

klingens
03-20-07, 08:34 AM
A router from Cisco isn't better (or worse) than a Linux or *BSD, IMHO. IOS is derived from BSD, for example. The hardware is the same too.
What you get from a Cisco or other router is the seamless working together with the rest of all Cisco equipment, and that it's a ready-made "plug&play" box. With a Linux/BSD you have to do more work yourself. Whether the work you have to put in is worth less than the premium a Cisco costs over the Free software solution is up to you.
I'm sure you could buy BSD or Linux based solutions for what you need too, complete with SLA, onsite support and all. We're not talking CRS-1 class here after all.

Mr.Guvernment
03-21-07, 12:45 AM
Okay, I just wasn't sure; my mind thinks with a "you get what you pay for" type mentality. I just want to make sure the final result is a solid firewall system to protect a website, and now possibly a database server.

Jon
03-21-07, 07:22 AM
I use a WatchGuard Firebox X8000 with about a half-dozen Dell managed Gbit switches and it works well. The X8000 is way more than your budget/needs, but they are good. The subscription service is really no big deal considering what you get and the up-front costs in comparison to related products.

klingens
03-21-07, 12:22 PM
Well, you can't just go and buy a PC from Dell and make it a router like a Cisco. E.g. you want things like solid state (flash) mass storage, stripped down Linux (or rather: specialized router distro), going fanless, etc. Basically remove all possible points of failure.

dark_15
03-21-07, 04:41 PM
I would recommend a Juniper SSG5 for your setup. I am probably biased, but I think you would like Juniper's performance, resiliency, and price. The management is also very straightforward; if the CLI scares you, there is a full-featured web-UI that provides the same capabilities as the CLI. You would have to go through a reseller in order to get pricing for one of these, however.

Take a look at the link below for the product information/specifications.
http://www.juniper.net/products_and_services/firewall_slash_ipsec_vpn/ssg_5_slash_ssg_20/


If you choose to go another route, Cisco would be the next best bet.


Let me know if you'd like some more information on the Juniper Products and I will see what I can find out for you.

AMD Phreak
03-21-07, 08:26 PM
I like Cisco equipment. As was mentioned, the ASA stuff is very scalable. I have heard good things about Juniper and Foundry. Keep in mind that with the major players, you can often have an IDS system integrated, with additional options like having redundant firewalls.

The best thing about the major players is that you can easily get support for their equipment, and documentation is plenty. You don't have to deal with some jerkoff in a forum telling you to RTFM at 2AM when you are getting hit by a DDoS or trying to make some changes during a maintenance window and the thing pukes.






Or, you can move to a datacenter and not have to deal with any of this. Which begs the question: Why are you hosting this locally?

fUzZ bUnNy
03-22-07, 11:47 AM
I have to say that I was wondering the same thing. It might make sense because they worry for you and the prices on dedicated servers are cheap relative to the amount of money spent and the life cycle of the equipment.

Not to mention, PHP hacking is the most common form of website defacement.

J_5
03-24-07, 05:42 PM
I would suggest staying away from WatchGuard. We had a Firebox where I used to work and it was nothing but trouble. Setting it up at first is very easy, but it was downhill after that. Eventually scrapped it and went with Cisco.

Mr.Guvernment
03-29-07, 07:43 AM
Or, you can move to a datacenter and not have to deal with any of this. Which begs the question: Why are you hosting this locally?

We are hosting this within a datacenter, but you need to provide your own firewalls for security.

We ended up getting the WatchGuard X550e.