[itdiscuss] Firewall & Load Balancing

Lee, Jason jason.lee at nwoods.org
Tue Feb 15 19:21:38 EST 2011


In the FWIW category... we did load balancing with two Comcast cable modems and an AT&T T1 for a couple of years on our SonicWall gear (a pair of NSA E5500s). It worked great, since we couldn't get a big enough pipe with just one modem.

One odd thing we did have was with accessing banking websites: there were some issues with sites not responding... possibly because the load balancing was using both connections in the same session... We now have a bigger pipe and just use active/passive failover... so we never really dug into the issues to resolve them with those specific sites.

We did a fairly in-depth demo of both Radware and FatPipe equipment for aggregating multiple WAN connections... the reviews are here: http://jasonmlee.net/?s=fatpipe&x=0&y=0 We decided that the juice wasn't worth the squeeze... especially when you had dual load balancing hardware but a single point of failure at the firewall... so we went with a pair of firewalls and it worked pretty well...

Just some thoughts


-jason

-----Original Message-----
From: discuss-bounces at janoah.net [mailto:discuss-bounces at janoah.net] On Behalf Of Bobby Stewart
Sent: Tuesday, February 15, 2011 4:09 PM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] Firewall & Load Balancing

I agree, Palo Alto's reporting is the best I've seen to date (not that I've seen every device out there). However, the $4,500 plus maintenance fees is a bit steep for me. If it were more affordable I'd jump at it.

It's for that reason we use the Astaro appliances. Except for the reporting (a huge gap in comparison) the Astaros do most, if not all, of the things listed that the Palo Alto can do.

When I was making our purchase decision I had to factor in the various fees each of the UTM manufacturers charge. For instance, many charge for content filtering on a per-user basis. Fees like these can really drive up your costs. Be sure to include the costs for each of the features you wish to include when making your decision.

Bobby Stewart
Network Analyst
Brentwood Baptist Church
Brentwood, TN
www.brentwoodbaptist.com
+1 (615) 324-6149 office
+1 (615) 830-0012 cell

-----Original Message-----
From: discuss-bounces at janoah.net [mailto:discuss-bounces at janoah.net] On Behalf Of Jon Barton
Sent: Tuesday, February 15, 2011 2:12 PM
To: discuss at itdiscuss.org
Subject: Re: [itdiscuss] Firewall & Load Balancing

Palo Alto Networks is the best firewall out there. A game changer.
(There, I said it. I know, fight for your brands.) It is a generation ahead of what I have seen from Juniper and Cisco. (I'm less familiar with WatchGuard and SonicWall, but they just don't do all of this.)

In a single box it will do:
- Policy-based routing (required for 2 ISPs)
- Real-time application identification (of over 1000 apps)
- User identification, for any MS-AD or LDAP users, plus captive portal for unauthenticated users
- Security policy based on any/all of the following: AD/LDAP username/group name and application, in addition to the traditional src, dst, and port
- Full IPS, threat/vulnerability scanning, malware, virus (subscription based)
- URL content filtering (subscription based)
- The best logging and reporting engine I have seen on any firewall
- SSL VPN (no extra licensing/cost required)
- SSL decryption to scan for encrypted threats
There are more features but this is getting long...

- Networld Interop 2008 Best of Show, Grand Prize Winner
- Gartner Group Magic Quadrant, Visionary technology 2010

Unless your firewall or a common edge router for each ISP does policy-based routing, you will likely run into a problem with asymmetric routing with your plan to load balance your traffic.

My bias toward the product is objective. I do sell it; I also resell Juniper and Cisco gear. They just don't have the design or features that the Palo Alto Networks firewall does.
The list price for their lowest-throughput product (the PA-500) is $4500, plus $720 for 1 year of Threat subscription and $720 for 1 year of URL subscription.

Happy to teach you more about the product or do a demo.

Jon Barton
Principal Consultant
Soundmind Network Solutions, LLC
office 770-594-7147
mobile 770-841-1022
jon at soundmind.cc
http://www.linkedin.com/in/jonbartonjr
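Jason's note above about banking sites not responding while both links were carrying one session, and Jon's point that policy-based routing is required for two ISPs, both come down to the granularity at which the firewall picks a WAN. The simulation below is an added example written for this page; it is not code from the thread, from pfSense, or from any product named here, and the WAN addresses, client addresses and packet list are all constructed. It compares three selection strategies (per-packet round robin, per-connection round robin, and sticky per client/destination pair, which is what source-based policy routing gives you) by asking what the remote web server sees: how many different public source addresses show up inside one client's session with it.

```python
"""Per-packet vs per-connection vs sticky WAN selection behind a two-ISP NAT firewall.

Added example (not from the mailing-list thread).  A web "session" here is every
TCP connection a client opens to one destination; browsers open several, so a
bank that ties the logged-in session to the client's public IP will reject a
session whose connections arrive from two different addresses.
"""
import hashlib
from itertools import cycle
from typing import Callable, Dict, List, Set, Tuple

# Hypothetical public addresses of the two WAN links (RFC 5737 documentation ranges).
WAN_IPS = ["192.0.2.10", "198.51.100.20"]

# (src_ip, src_port, dst_ip, dst_port); TCP assumed, so this tuple identifies a connection.
Packet = Tuple[str, int, str, int]
Strategy = Callable[[List[Packet]], List[str]]


def per_packet(packets: List[Packet]) -> List[str]:
    """Per-packet round robin: each packet leaves on the next WAN, flow ignored."""
    wans = cycle(WAN_IPS)
    return [next(wans) for _ in packets]


def per_connection(packets: List[Packet]) -> List[str]:
    """Per-connection round robin: a new 5-tuple takes the next WAN and the
    stateful firewall keeps that connection there, but the client's *next*
    connection to the same site takes the other WAN."""
    wans = cycle(WAN_IPS)
    table: Dict[Packet, str] = {}
    choice = []
    for pkt in packets:
        if pkt not in table:
            table[pkt] = next(wans)
        choice.append(table[pkt])
    return choice


def sticky(packets: List[Packet]) -> List[str]:
    """Sticky selection: hash (client, destination) so every connection between
    that pair uses one WAN.  Stands in for sticky connections / source-based
    policy routing; the hash itself is an illustration, not any vendor's."""
    choice = []
    for src, _, dst, _ in packets:
        digest = hashlib.sha256(f"{src}->{dst}".encode()).digest()
        choice.append(WAN_IPS[digest[0] % len(WAN_IPS)])
    return choice


def addresses_seen_per_session(packets: List[Packet],
                               wan_choice: List[str]) -> Dict[Tuple[str, str], Set[str]]:
    """What the remote server observes: for each (client, destination) session,
    the set of public source addresses its packets arrived from."""
    seen: Dict[Tuple[str, str], Set[str]] = {}
    for (src, _, dst, _), wan in zip(packets, wan_choice):
        seen.setdefault((src, dst), set()).add(wan)
    return seen


def broken_sessions(packets: List[Packet], strategy: Strategy) -> List[Tuple[str, str]]:
    """Sessions a server saw from more than one source address under `strategy`."""
    seen = addresses_seen_per_session(packets, strategy(packets))
    return sorted(k for k, ips in seen.items() if len(ips) > 1)


# Constructed traffic: client 10.0.0.5 opens three HTTPS connections to a "bank"
# (203.0.113.7), two packets on the first two, one on the third; client 10.0.0.9
# sends two packets on one connection to another site.  All addresses illustrative.
SAMPLE_PACKETS: List[Packet] = [
    ("10.0.0.5", 51000, "203.0.113.7", 443),
    ("10.0.0.5", 51000, "203.0.113.7", 443),
    ("10.0.0.5", 51001, "203.0.113.7", 443),
    ("10.0.0.5", 51001, "203.0.113.7", 443),
    ("10.0.0.5", 51002, "203.0.113.7", 443),
    ("10.0.0.9", 52000, "203.0.113.8", 443),
    ("10.0.0.9", 52000, "203.0.113.8", 443),
]


def compare(packets: List[Packet] = SAMPLE_PACKETS) -> Dict[str, int]:
    """Number of sessions each strategy splits across both public addresses."""
    return {s.__name__: len(broken_sessions(packets, s))
            for s in (per_packet, per_connection, sticky)}


if __name__ == "__main__":
    for name, count in compare().items():
        print(f"{name:15s} {count} session(s) seen from two source addresses")
```

Per-packet balancing splits every multi-packet connection, which is why anything stateful on the far end breaks; per-connection balancing keeps each TCP connection intact but still shows the bank two addresses across a browser's parallel connections; only the sticky choice keeps one public address per client/destination pair. The same sticky, source-aware decision is what policy-based routing provides for the return path: a reply that arrived on the second ISP's address has to leave through that ISP rather than the default route, or the path is asymmetric and the upstream may drop it.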


-----Original Message-----
From: discuss-bounces at janoah.net [mailto:discuss-bounces at janoah.net] On Behalf Of Dustin Drewery
Sent: Tuesday, February 15, 2011 1:48 PM
To: IT Discuss
Subject: [itdiscuss] Firewall & Load Balancing

Got a few questions... some of them I've asked before, but now it's all together at once :). We are currently using pfSense for firewall and basic round robin load balancing between two cable modems. We are about to sign a contract with AT&T to bring in a 30/30 fiber line for primary use and will drop one of the cable modems. I need three things here and I'm not sure if I should get 1, 2, or 3 appliances to do it smartly.

1. Failover/Load Balancing WAN access.  Cox is now offering us a 50/5 cable package.. I would like to actually utilize that down speed along with our fiber.

2. Firewall... pfSense has been doing great so far.

3. Content filtering with good logging. I've been using OpenDNS, but we want to see who is trying to access things and quickly identify them.

Pertinent info:

- We generally have < 40 staff on campus during the day... probably less than 15 what I would call active users (more than just email).

- Accounting (Innact) and ChMS (F1) are all SaaS.

- No VOIP

- Typical services and events can range from 1200 to 5000 people on campus at any given time, and we want to start offering limited guest wifi.
(Have already purchased and installed our Ruckus gear... no issues there.)

- We are rapidly growing and planning on major staff growth over the next 2 years. Money isn't really a factor as long as it is justified.
(Don't get me wrong on that... I like free, but am willing to spend to get what works best.)

I need some quick recommendations!




_______________________________________________
it discuss mailing list: discuss at itdiscuss.org Mailing List:
http://itdiscuss.org/discuss Internet Relay Chat:
irc://irc.freenode.net/citrt
