What are you using for a firewall?


Thatguy

New Member
Dec 30, 2012
No offense to Steven, but you are running a business, do you really want your site's security/reputation to be at the mercy of an Open Source Community? All of the businesses that I do work for don't use FOSS-based UTMs (IPFire, pfSense, etc.) They use Cisco, Juniper, Fortinet, Arbor Networks, SonicWall, because when things go wrong, and they eventually will, you have a support contract and someone to call that can fix the issue.
LOL. That's hilarious. I can name two decent-sized local businesses (one of which is a major university) that swear by FOSS. Are you a PHB?

The reason you need a software contract, is because they lock you out of your own appliance, and make things so absurdly complex and not user friendly, that you'd be crazy to buy one of their magic black boxes without an agreement.

Have you ever admin'd a FW? It's really not that difficult, and software such as OpenBSD (or FreeBSD) and PF is rock solid and bulletproof. You aren't going to have a remote kernel exploit or SSH backdoors to worry about (thanks, Barracuda!). Running Open/FreeBSD with CARP is silly easy to admin and debug, what with the system being well documented and open source. It is highly unlikely in a standard use case that you're going to run into some obscure bug that requires custom code to fix, and most of the time the pf devs are pretty good about getting odd issues sorted.

Having personally admin'd Fortitrash, I couldn't recommend it to anyone with a straight face.

If you are having to log into your router/fw on a regular basis, you're doing it wrong.

At home, I'm lazy and currently run a Peplink Balance 580. I've spun up a pfSense 2.x VM and plan on migrating to that for my multi-WAN setup.

Mike

Member
May 29, 2012
EU
I guess it's a matter of taste, but if you really want to be secure, transparency and cutting edge are your best bet in my opinion. The Barracuda boxes are a fine example of that. It's not a secret that a lot of these appliances have bits and pieces from all over with a fancy GUI to make sure the average Joe can config it.
Also, these open source communities of course mostly depend on the knowledge of many, but are not built on amateurs per se. It's stupid to think that open source cannot be commercial, or supported for that matter.
 

hagak

Member
Oct 22, 2012
Yeah, many, many companies rely on FOSS. Apache web servers, I believe, are still the number one used web server; hmm, companies are not shy about relying on its security. OpenBSD is a rock solid and secure OS platform; many of the commercial firewalls are based on it.
 

Patrick

Administrator
Staff member
Dec 21, 2010
No offense to Steven, but you are running a business, do you really want your site's security/reputation to be at the mercy of an Open Source Community? All of the businesses that I do work for don't use FOSS-based UTMs (IPFire, pfSense, etc.) They use Cisco, Juniper, Fortinet, Arbor Networks, SonicWall, because when things go wrong, and they eventually will, you have a support contract and someone to call that can fix the issue.
Great points. That was certainly a consideration, even though the rest of the software stack is all FOSS except vBulletin. Also, these UTM appliances are great because they are fairly low in terms of power consumption.

I actually had a call with the Dell/SonicWall guys, and went over to the Fortinet offices to chat with them about sizing. Basically the Dell SonicWall recommendation was an NSA 2400 or NSA 3500, and the Fortinet recommendation was the FortiGate 100D, maybe a FortiGate 60C (the FortiGate 60D is announced, but when I called they could not get me a pair, so paper launch). I also have the Fortinet FortiGate 60C sitting next to me right here that I bought for deploying in the DC.

The sizing for these boxes is basically due to the idea that whatever is out there should be able to handle 6,000 new connections/sec, which is a figure for a hot reddit link. Given, STH has seen one of those back in 2011, but the site at that point couldn't cope. The Fortinet FortiGate 60C does 3,000 new connections/sec, which is realistically what the site would see at most since, let's face it, there is no content around mainstream news.

Now the other side, cost...

Cost-wise, even using eBay deals, with 1 year of support and two boxes in HA, here is the breakdown:
2x Fortinet FortiGate 60C was going to be around $1,000.
2x Fortinet FortiGate 100D was around $3,200.
2x SonicWall NSA 2400 was about $2,700.
2x SonicWall NSA 3500 was about $4,000.

Just as an idea, I have been watching eBay for weeks, and there is an element to this which is timing, since I've already invested in the servers and switches for the site, meanwhile Amazon costs are continuing to rise sharply.

The other benefit from pfSense is that it is not a UTM. Seems like a bad distinction at first, but those boxes are sold on the performance of things like e-mail scanning, virus scanning, content filtering, branch office VPN, etc. All of those features decrease performance, so they would likely not be turned on. After all, there will not be several office workers sitting behind the firewall. The marketing feature set also means that there are some drawbacks. One is that if you want a load balancer, you need a different appliance that generally costs more.

Not to say that the answer one day will not be moving to a UTM solution; I would want to go that route. But with my $300 and $30/mo project looking at going to 10x those figures, I did have to make some budget trade-offs. We'll see how it goes. If it is looking not so good, the Fortinet units will go in.
 

MiniKnight

Well-Known Member
Mar 30, 2012
NYC
Came here looking for information on the Fortinet 60D: http://forums.servethehome.com/showthread.php?1177-Fortinet-60C-Experiences

What are all you using to secure? Different home work and datacenter? BYO?

Curious to see. Was thinking pfSense or Vyatta or buying a Fortinet 60D.
From P's post above, the Fortinet 60D isn't out yet.

P, I think this is a tough call. On one hand you have no budget. I surmise the site makes $250-500 max in monthly ad revenue. $200+ in colocation costs plus a huge hardware outlay, and you are clearly making an investment. Budget constraints are life. Glad to see your frugal application of the budget.

Nitro's comments are well taken. He seems to be an expert in this area. If you pulled off pfSense and it worked, maybe using an S1200 Centerton Atom, you would have a great opportunity for the site. Personal feel for this is that pfS is mature enough that it is a valid experiment. I would just have a back-up use case for the Atom machines in an emergency if Murphy's tech gods force you to make that change.

Also, where do you get the cash to buy all this stuff? It ain't from the site. Nice that you are committing to the future of the site.
 

Aluminum

Active Member
Sep 7, 2012
I use pfSense myself, don't have any control on work stuff, but we probably have at least one of just about everything (we're huge). pfSense can scale pretty high, and has commercial support options.

I don't like closed-source/black-box security appliances in principle; see the recent Barracuda backdoor problem for an example of why.

It boils down to this:

"Use my product, it's great, trust me! BTW, don't open the case or warranty void/lawsuit/etc."

"Use my product, it's great, here, look inside and check for yourself! Not my fault if you don't know what to look for, but hire someone who does if you want."

dswartz

Active Member
Jul 14, 2011
+1 for Sophos UTM 9 (formerly Astaro Security Gateway). It is also acting as SMTP proxy in front of my internal Postfix MTA.
 

Jeggs101

Well-Known Member
Dec 29, 2010
+1 for Sophos UTM 9 (formerly Astaro Security Gateway). It is also acting as SMTP proxy in front of my internal Postfix MTA.
Thought about this while fishing. A VM is great, but what if the physical servers are down? You can migrate the VM, but you need a physical WAN connection.