[QUESTION] What do you need hardware firewall for?

uberguru

Member
Jun 7, 2013
Ok, I have asked this question and many people are avoiding answering it, so I have decided to start it as a thread to get some attention and discussion going. Ok, let me start with this. When people order dedicated servers nowadays... how many people ask the host for firewall hardware to be placed with their dedicated servers? Ok, before you even try to answer that... let's say everyone with a 1U rack server starts to get firewall hardware, so pretty much firewall hardware will start selling like cakes and will be the next big thing in hardware sales? Well, let me stop joking around a bit... Have you seen videos upon videos of enterprise datacenters, i.e. SoftLayer, showing their racks? I have never seen firewall hardware in their setup... at least not that I know of: https://www.youtube.com/watch?v=uOMIg9lggiI && https://www.youtube.com/watch?v=kvPKpZtcwDw && https://www.youtube.com/watch?v=fM9ps-Gp70U

So if an enterprise datacenter with enterprise or small/medium/large business customers isn't using hardware firewalls, then what do you... yes, you... need a hardware firewall for?

Please, let's get this conversation going while learning from one another! :)

bwillcox

Member
Jan 20, 2013
Tejas
The hardware firewalls in an enterprise environment are useful for filtering traffic ahead of the servers behind them, and also for giving you some limited DoS protection, though they can also act as a chokepoint if the volume of traffic exceeds the capacity of the interfaces of the device.

The other thing they can be useful for is acting as an endpoint for VPN connections into your network, so you can securely manage your hosts from wherever you happen to be at that time and do not have to expose your administrative interface (i.e. Remote Desktop or SSH) to the big bad internet.

You do want some kind of firewall on your hosts, whether you use a hardware appliance like an ASA or Fortigate, a virtualized firewall like pfSense or m0n0wall running under a hypervisor, or even some simple software firewall like the Windows firewall or iptables on Linux, just so you can control what comes in and goes out of the system and who can access it.

-b-



Sent from my Xoom using Tapatalk HD
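One concrete shape of the host-based option described above, as an added example rather than anything posted in the thread: an nftables ruleset that leaves only the web ports open to the world and accepts SSH solely from a VPN subnet, so the administrative interface is never exposed directly. The 10.8.0.0/24 VPN range and the ports are assumed values.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Default-deny inbound host firewall:
# web ports reachable from anywhere, SSH reachable only via the VPN pool.
# 10.8.0.0/24 is an assumed VPN address range; adjust to your deployment.

flush ruleset

table inet filter {
    # Networks allowed to reach the administrative interface (assumed value).
    set mgmt_nets {
        type ipv4_addr
        flags interval
        elements = { 10.8.0.0/24 }
    }

    chain input {
        type filter hook input priority 0; policy drop;

        # Keep replies to our own connections and the loopback interface working.
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # The only services this host offers to the internet.
        tcp dport { 80, 443 } accept

        # SSH only from the management set; anything else hitting 22 is
        # logged and counted so attempts show up in the kernel log.
        ip saddr @mgmt_nets tcp dport 22 accept
        tcp dport 22 log prefix "ssh-blocked: " counter drop

        # Everything else falls through to the drop policy; count it.
        counter
    }

    chain forward {
        # This host is not a router, so forward nothing.
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Check the syntax without loading it with `nft -c -f <file>`, then load it with `nft -f <file>`; `nft list ruleset` shows the counters incrementing on blocked SSH attempts.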

uberguru

Member
Jun 7, 2013
I am in with the software firewall and all those, but the hardware firewall... I just don't get it... as of yet.

Lost-Benji

Member
Jan 21, 2013
The arse end of the planet
I personally am a HW firewall bunny. Some of my reasoning has already been covered above by Mr Wilcox. The other reasons delve a little deeper and it's for the security aspect: most servers are going to be running platforms that are common and likely still have bugs and vulnerabilities not yet patched or known.
HW options also allow for tailoring the traffic to suit multiple machines sitting behind it, both physical and virtual. Sure, there are softwalls that can do this, but where they come down to the pointy end is that they are already on a host system that could be exploited.
There is also the next headache, latency. Softwalls have a bad habit of being bloated and resource hungry, and one big trade-off is the latency increase. Don't get me started on the configurations and the unknowns of it being safe and secure. I personally want my servers and systems worrying about their jobs and not slugged down with extra softwall crap.

When I go and run LAN parties, I take an old rack-mounted box that has 2GB RAM, a shitty old SATA HDD on a mainboard that only supports and holds an s775 Pentium D @ 2.66GHz. This bad-boy runs cool and quiet but can flow 50+ Mbit symmetrical while only adding less than a millisecond of latency.

Now, when I refer to HW solutions, I mean physical appliances, not a firewall OS sitting in a VM. When sitting on a VM, the host is always technically open to be compromised.
Hardware is so cheap now, and running up something like pfSense (plenty of good freebies out there) on a small 1U box is nothing.

Where it can be an issue is in co-lo setups or hosted racks where you are paying per RU and power is tight (ask Pat about that). The beauty is that most racks are way deeper than the servers placed in them, and you can always look at mounting from the rear of the rack. Other options are systems like the new-kid-on-the-budget-block, the C6100s. Place a HW firewall on one node (overkill really) and you can stay inside your allotted space.

All this being said, I am not a huge promoter of off-the-shelf expensive HW solutions that limit what you can do, cost the world to license and have limitations that are just plain bullshit.

Oh, I forgot the biggest selling point, e-penis swelling. Walking into your home server farm and looking at a purpose-made box with loads of blinking lights is the psychological e-Viagra.

So OP, what SW solutions work for you and why?

P.S. These forums are called Serve The Home; many seem to assume this is a full enterprise environment forum.....

uberguru

Member
Jun 7, 2013
Well, I have been running my websites on a VPS ($50/month) with 24GB RAM, 1TB RAID 1 storage and 4 vCORE, and I only use ConfigServer Firewall and I have been fine for about 5 years now... so I might as well continue along that line or find something software-based a little stronger/better. I seriously don't see much fanciness to hardware firewalls and I have made my conclusion.. NO, I do not need one.. will NOT get one, and that is final with me.

[info]
I am getting ready to go hard; that is why I am ready to go the colocation route, where I will have more than I need. My plan is to get a colo with 3U (1U PDU + 1U gigabit switch + 1U Supermicro twin) + 1 amp @ 230 volt + 10TB @ 1Gbps uplink in the $80/month range, and later on after a year or two add 2U to make 5U (1U PDU + (2x) 1U gigabit switch + (2x) 1U Supermicro twin) + 3 amp @ 230 volt + (2x) 10TB @ 1Gbps uplinks (separate, like two different servers entirely) = 20TB @ 2Gbps in the $180/month range. Already got a quote, and no, not USA! [NETHERLANDS]
[/info]
[rant]
I really do not see why anyone would be paying a recurring monthly bill of more than $250/month on hosting unless they are making like $10,000 or more monthly. With all these twin servers and something called colocation... there are opportunities to cut down cost to the minimum. Even when I start making like $25,000 monthly income from my websites (hopefully, of course).. I will still not go more than $500/month, and that is the max to the max overkill. The art here is hit and don't get hit... if you can figure out the analogy.
[/rant]

Pretty good feeling knowing you got a decision right (NOT to get a hardware firewall), especially one that saves your pocket :)

Lost-Benji

Member
Jan 21, 2013
The arse end of the planet
You're not really doing much, just web hosting. Put more needs/uses into the picture and hardware becomes relevant.

As for the rest of your Info/Rant tagged content, why the need for a gigabit switch? I am guessing you are doing some VLANs and routing, which could or would be done with hardware devices?
The PDU also makes me wonder a little; these items can be mounted in the rear of the rack and use the same space.

uberguru

Member
Jun 7, 2013
What other needs/uses will make me need a hardware firewall?

I need the gigabit switch for the same reason Patrick needed his gigabit switches... to connect multiple network ports of the server nodes.... each node will be connected with 3 network cables... including the IPMI remote port.... x2 and that is 6 network cables.. which aren't free if not for my switch. Yes, I have been thinking about that PDU being mounted at the rear instead of taking a full 1U space.

Thatguy

New Member
Dec 30, 2012
A HW firewall to me is something from Cisco, Juniper, etc. Some managed switch that has built-in layer 3 filtering functionality (or layer 7 on the beefier stuff), and it might include a VPN access server and other goodies.

This gives you one single box to manage and configure, and you can do very specific access control lists. If you only want VPN user A to access subnet C on VLAN D, you can do that very easily.

The 1U Cisco appliances are great for Cisco shops that have a bunch of CCNAs on board and 5K to spend every 3 years replacing hardware.

I personally run a managed switch to handle my VLANs, then have my fileserver set up with a trunk port, then run pfSense in a VM and have it handle all my firewalling/VPN/etc. needs. It also does outbound load balancing/pf trickery that, afaik, you can't easily/cheaply accomplish in Cisco land. Also, with a supertwin you could run an HA/CARP setup for free, instead of needing to buy 2 hardware firewalls. A single managed switch is still a single point of failure, but I've more faith in my switch staying up than in the OS crashing/host rebooting/host needing maintenance.

HW firewall appliances made a lot more sense back in the days before virtualization, before proper TCP/IP offloading, and before speedy CPUs. Now you can do a lot more with a lot less.

A single 12/24 port managed switch will be fine for your needs, and if you want, run a VM and use PF or iptables if you hate yourself/want layer 7 filtering.

Otherwise just run whatever firewall you want on the individual machines; heck, if you went that route, you might not even need a managed switch. Some cruddy piece of crud would work just fine if you had unlimited IPs.

Patrick

Administrator
Staff member
Dec 21, 2010
So the PDU is more like half depth. I do have spares in that 1U slot on the front side of that rack unit where the C6100 drive trays are.

I don't think you "need" a hardware firewall necessarily. It just made a few things for us much easier keeping those boxes separate and there wasn't a major negative impact by doing so.

mrkrad

Well-Known Member
Oct 13, 2012
What is a hardware firewall? A control plane and a data plane. A switch, a router.

For the most part, NPUs (fancy NICs) like Broadcom's can do switching, routing, and even firewalling (pattern matching)/flow control; these routers/switches are then configured dynamically by a control plane CPU (pretty weak) that can do certain tasks and slowly [or quickly] make changes to the rules.

If you look at the control plane CPUs and the data plane NPUs, you'll find they all run something like Linux or VxWorks, and the NPUs do all the hard work (up to a limit). Some control plane CPUs can handle a low load (two 10GbE NICs or 8 1GbE) by themselves, but when things need to go faster, they simply tape on an NPU which does hardware acceleration (not much different than Emulex BladeEngine or Solarflare OpenOnload) to handle the business.

This allows the same control plane software to be used over and over again whilst offloading the task of running 100K patterns onto the NPU, so you can scale to performance levels (unlimited) with the same software.

The lines of software and hardware are very much blurred these days.

Software defined (networking, storage) will blur the lines even further; IP over InfiniBand (subnet manager/OpenSM) is a very old classic SDN reference model if you can't quite wrap your head around it.