[AusNOG] Application Firewall Recommendations

Luke Iggleden luke+ausnog at sisgroup.com.au
Fri Aug 9 14:12:20 EST 2013


Vyatta is fine for the most part. Had some nice bugs which have been 
gotchas for some deployments we've used.

I would definitely recommend Vyatta for BGP + Routing (packets).

pfSense for stateful though.

-L



On 9/08/13 2:09 PM, Joshua D'Alton wrote:
> I feel gimped for not bringing up Vyatta before, but I think it is more
> of a router than a firewall, but I suppose really what matters is the
> functionality not the pigeonhole label on the side. Vyatta can be quite
> solid as well, though if you recall some issues not so long ago with
> glovine/SAU vyatta solution, so as David says you really have to be
> careful about CPU usage through bandwidth or complicated features.
> Something to keep in mind.
>
>
> On Fri, Aug 9, 2013 at 1:57 PM, Paul Gear <ausnog at libertysys.com.au> wrote:
>
>     I'm currently working on a project to rebuild our infrastructure
>     with 90% VM-based firewalls.  Our performance requirements are not
>     that demanding (no 10 Gbps) so we're not concerned about that side
>     of things.
>
>     We reviewed pfSense and a few Linux-based firewall appliances, but
>     ended up going with Vyatta, mainly because it's free as in beer
>     ($0), free as in speech (GPL), and we think the Junos-like configuration
>     system has more legs for automation than the appliance-style
>     approach that pfSense and the like use.  (We want to be able to push
>     changes to multiple firewalls in parallel in an automated fashion.)
>     And being an old Linux guy, Debian is a lot more comfortable as a
>     base than FreeBSD for me.
>
>     We ran into some show-stopping bugs with pfSense's driver for Intel
>     E1000 NICs (both virtual and physical).  Vyatta has been rock-solid
>     for us so far in the places we've deployed it.
>
>     Paul
>
>
>     On 08/09/2013 10:27 AM, Alex Samad - Yieldbroker wrote:
>>
>>     Hi
>>
>>     So what is the current industry thought on using VM firewalls? And
>>     to take that further, what is the thought of using a plain OS for a
>>     firewall, thinking Linux or BSD?
>>
>>     Alex
>>
>>     *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* James Braunegg
>>     *Sent:* Thursday, 8 August 2013 9:49 PM
>>     *To:* Michael Andreas Schipp; Ed Hallett
>>     *Cc:* ausnog at lists.ausnog.net
>>     *Subject:* Re: [AusNOG] Application Firewall Recommendations
>>
>>     Dear Ed
>>
>>     A10 Networks have the SoftAX Virtual machine which you can run as
>>     a VM – Further WAF information on the A10 Solution can be found
>>     here –
>>
>>     http://www.a10networks.com/resources/files/A10-SB-Web_Application_Firewall_WAF.pdf
>>
>>
>>     Also the new A10 Cloud offering coming soon, will provide WAF as SaaS
>>
>>     Both options I highly recommend
>>
>>     Kindest Regards
>>
>>     *James Braunegg*
>>     *P:* 1300 769 972 | *M:* 0488 997 207 | *D:* (03) 9751 7616
>>     *E:* james.braunegg at micron21.com | *ABN:* 12 109 977 666
>>     *W:* www.micron21.com/tv-hosting | *T:* @micron21
>>
>>
>>
>>     *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* Michael Andreas Schipp
>>     *Sent:* Thursday, August 08, 2013 9:50 AM
>>     *To:* Ed Hallett
>>     *Cc:* ausnog at lists.ausnog.net
>>     *Subject:* Re: [AusNOG] Application Firewall Recommendations
>>
>>     Hi Ed,
>>
>>     If, as others have said, you decide to look at WAF and reverse
>>     proxies, I would suggest you look at the following vendors:
>>
>>     A10 Networks
>>
>>     Citrix
>>
>>     F5
>>
>>     Imperva
>>
>>     Radware
>>
>>     Narrow it down to 2 or 3 and do a PoC (most if not all of us will
>>     be able to offer hardware appliances or VMs)
>>
>>     I can help in getting anything you may need from the A10
>>     (www.a10networks.com) side, just let me know.
>>
>>     Thank you,
>>     *Michael A Schipp*
>>     Regional SE Manager ANZ
>>
>>     *A10 Networks*
>>
>>     *From:* AusNOG [mailto:ausnog-bounces at lists.ausnog.net] *On Behalf Of* Ed Hallett
>>     *Sent:* Tuesday, 6 August 2013 10:12 AM
>>     *To:* ausnog at lists.ausnog.net
>>     *Subject:* [AusNOG] Application Firewall Recommendations
>>
>>     Hi people,
>>
>>     Just a simple question, but with a not so simple answer.
>>
>>     We manage considerable clients with ‘cloud’ based servers within
>>     Telstra’s utility hosting.
>>
>>     We used to use TMG as a firewall / gateway / security for clients
>>     who requested these features,  but this is no longer possible.
>>
>>     I need recommendations on application based (non VM) firewalls
>>     which can be installed on server 08 / 12 and capable of the same
>>     feature set as TMG. Not as easy to find now..
>>
>>     So, I ask my esteemed peers for words of wisdom.
>>
>>     Well, words, anyway.
>>
>>     Kind regards,
>>
>>     Ed Hallett
>>
>>
>>
>>     _______________________________________________
>>     AusNOG mailing list
>>     AusNOG at lists.ausnog.net
>>     http://lists.ausnog.net/mailman/listinfo/ausnog
>
>



